
DDoS Prevention and Mitigation

A FORTINET STRATEGY GUIDE

Introduction
You have only to scan news headlines to be aware that Distributed Denial of Service (DDoS) attacks aren't
going away anytime soon. If anything, they are gaining momentum as a way for cybercriminals and
hacktivists to make political statements and leave a wake of destruction, in the form of damaged reputation,
lost business and financial losses, for their victims. And they are unpredictable in nature.
In their April 2012 report "Entering the Next Phase of DDoS Defense", Stratecast researchers revealed that
DDoS attacks are increasing in number by 20 to 45 percent annually, with application-based DDoS attacks in
particular increasing by triple digits. Correspondingly, they found that DDoS is one of the most
prominent tools used by the hacker community, many times as part of a multi-technique attack strategy.
Michael Suby, vice president of research at Stratecast, states:
"For Website operators that have not yet given the risk and business impact of DDoS attacks serious
consideration, this is perilous ignorance. Although there is no guarantee an attack will occur, there is also no
guarantee that an attack will not occur. What can be stated with certainty is that the probability of a DDoS
attack is rising. Furthermore, when consideration is given to the use of botnets to perpetrate DDoS attacks, the
increasing number of independent Internet-connected appliances and growth in machine-to-machine Internet
interactions, this probability is marching toward a certainty."
Starting out as simple denial of service assaults launched from a single computer, DDoS attacks have emerged
with the proliferation of botnets and evolved into one of the most significant and prevalent threats on the
security landscape, a trend Verizon, in its 2012 Data Breach Investigations Report, calls "more frightening than
other threats, whether real or imagined".
DDoS attacks have gradually become very sophisticated. Beginning with targeted attacks on organizations'
critical infrastructure, such as DNS, in the early 2000s, they grew to include thousands of non-spoofed botnet
machines making legitimate connections in the late 2000s. Today, they also use powerful servers with tremendous
CPU power and bandwidth at their disposal, and socially engineered participation by ordinary users. As the use of
such servers to obfuscate this next generation of more targeted attacks becomes commonplace, traditional mitigation
methods used by service providers are proving increasingly ineffective.

Five Steps To Protect Against A DDoS Attack


There are proactive steps organizations can take to bolster defenses and reduce the risk of attack. A
DDoS strategy should not aim for the complete removal of all DDoS traffic but for maintaining
services, especially critical services, with minimum disruption. However, as with any other aspect of
network security, proper execution requires forward thinking and planning.
Key steps include:

- Assessing the network environment and implementing a defense plan
- Developing a comprehensive and layered DDoS strategy
- Implementing visibility and control at the infrastructure level
- Protecting DNS servers and other critical infrastructure
- Implementing on-premise dedicated DDoS tools

The Anatomy Of A DDoS Attack


DDoS attacks are some of the most effective attack mechanisms on the IT security threatscape, in part
because of their simplicity.
The classic DDoS attack is volumetric: a cybercriminal leverages a network of compromised computers to
bombard a victim's computer, or network of computers, with more traffic than its links or its systems can
process. The barrage saturates connectivity or exhausts resources, so that legitimate users can no longer
reach the service: a denial of service, quite literally.

As with most attacks, the assault often begins with an attacker successfully exploiting a vulnerability to
compromise one computer, which then becomes a DDoS robot under the control of a hacker or hacking
group. Just like an army general, the master computer recruits its infantry by communicating with and
subsequently infecting other systems, building a botnet with a formal command and control
system.
At the discretion of the bot operator, the master computer instructs its army of infected computers to launch an
attack, resulting in a massive packet assault against the intended target. Overwhelmed with service requests,
the victim computer either goes offline as it succumbs to the attack or suffers such serious degradation in
performance, and subsequently service, that it might as well have gone offline.
Organizations are now increasingly targeted by application-layer DDoS attacks, which target the application
service itself. Only a few years ago a DDoS attack primarily targeted networks using low-level protocol
attacks such as ping floods, Smurf amplification and worm traffic; today's attacks target specific web
applications in more sophisticated ways. Attackers use legitimate, well-formed requests to overload
the server. More sophisticated DDoS attacks follow site reconnaissance to find which request
triggers the most CPU-intensive SQL query on the backend database. Other attacks try to exhaust
server memory, force writes to disk, or exploit server-specific weaknesses. As described in the 2012 Verizon Data
Breach Investigations Report, several high-profile application-layer DDoS attacks hiding behind volumetric
attacks were used to obscure data theft efforts, confirming that multi-vector attacks are used to hide
the true target of the attack.

The Evolution Of DDoS Attacks


While execution mechanisms have evolved over the years, the basic concept behind DDoS attacks, denying
Web service to a victim, has remained constant since soon after the inception of the Internet. In the late
1990s attackers launched these kinds of assaults from one host machine in order to create a denial of service
situation. Reports from 1996 were already identifying threats ranging from SYN floods to connection hijacking.
Later, some of the most notorious DoS attacks of this era (WinNuke, Teardrop and Ping of Death) took
DoS to a whole new level, changing the paradigm from hacker entertainment to powerful cybercriminal tool.
Eventually, simple DoS attacks became too easily traced to their source, compelling hackers to migrate to
a more distributed model in the early 2000s in order to obfuscate their origins. And in recent years, DDoS
attacks have grown exponentially, incorporating hundreds of thousands of zombie computers garnered from
both corporate networks and individual home machines.
More recently, a single powerful server, or just a few such servers with abundant bandwidth at their disposal,
has been used to orchestrate massive socially engineered DDoS attacks: users are asked, via a social Website
such as Twitter, to click on a link, and the page it loads runs JavaScript that makes each participant's own
browser fire a stream of requests at the victim.
While DDoS assaults are now commonplace, their size and scope can vary greatly and their attack methods
are constantly evolving. Last year, for the first time in the history of DDoS, a drop in the largest volumetric
attacks was observed, supporting the argument that attackers are adapting attack methods to circumvent
older mitigation technologies. Reports detailed a new iteration of DDoS, targeting higher layers of the network
stack and requiring much less traffic than previously needed to overwhelm a server and cause a system
crash ("Denial of Service Attacks Get More Sophisticated", eSecurity Planet, Sean Michael Kerner, January
18, 2011). Attacks using multitudes of slow connections, such as Slowloris, exploit servers that hold a worker
or connection slot open while waiting for a complete request: a modest number of connections, each trickling
partial headers, ties up every slot with what looks like legitimate traffic. These attack vectors appear totally
genuine to a network or security device that has not kept up with attack trends, and they stay well under any
volume-based threshold.
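The Slowloris behaviour just described is easiest to see as a connection-state problem rather than a traffic-volume problem. The following is an added example written for this guide, not code from Fortinet or from the Slowloris tool: a constructed attacker opens many connections and trickles header bytes so each request never completes, a constructed legitimate client sends one complete request, and a small connection table enforces the two state-based checks that catch the attack (a deadline for finishing request headers and a cap on half-finished connections per source). The deadline and cap values, the addresses and the byte strings are assumptions for the demonstration.

```python
"""Connection-state check for Slowloris-style attacks (added example, not Fortinet code)."""
from dataclasses import dataclass

HEADER_DEADLINE = 10.0    # seconds allowed to finish request headers (assumed value)
MAX_PENDING_PER_IP = 20   # half-finished connections allowed per source (assumed value)


@dataclass
class Conn:
    src: str
    opened: float
    buf: bytes = b""
    complete: bool = False


class ConnTable:
    """Tracks open connections and enforces two state-based limits."""

    def __init__(self, header_deadline=HEADER_DEADLINE, max_pending=MAX_PENDING_PER_IP):
        self.header_deadline = header_deadline
        self.max_pending = max_pending
        self.conns = {}          # connection id -> Conn
        self.blocked = set()     # sources that hit the pending limit
        self.dropped = []        # (connection id, reason)
        self.served = []         # connection ids whose request completed

    def pending_for(self, src):
        return sum(1 for c in self.conns.values() if c.src == src and not c.complete)

    def on_open(self, cid, src, now):
        """Admit a new connection unless the source is blocked or over its pending quota."""
        if src in self.blocked or self.pending_for(src) >= self.max_pending:
            self.blocked.add(src)
            self.dropped.append((cid, "per-source pending limit"))
            return False
        self.conns[cid] = Conn(src, now)
        return True

    def on_data(self, cid, data):
        """Append bytes; a blank line ends the header block and marks the request complete."""
        c = self.conns.get(cid)
        if c is None or c.complete:
            return
        c.buf += data
        if b"\r\n\r\n" in c.buf:
            c.complete = True
            self.served.append(cid)

    def tick(self, now):
        """Evict connections that have held a slot past the header deadline without finishing."""
        for cid, c in list(self.conns.items()):
            if not c.complete and now - c.opened > self.header_deadline:
                self.dropped.append((cid, "header deadline"))
                del self.conns[cid]


def run_scenario():
    """Replay a constructed Slowloris attack next to one legitimate request."""
    table = ConnTable()
    attacker, legit = "203.0.113.7", "198.51.100.5"   # documentation-range addresses
    partial = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"   # no terminating blank line
    keepalive = b"X-a: b\r\n"                                  # one bogus header per round

    # t=0: attacker opens 50 connections and leaves every request unfinished.
    accepted = [f"a{i}" for i in range(50) if table.on_open(f"a{i}", attacker, 0.0)]
    for cid in accepted:
        table.on_data(cid, partial)
    attacker_bytes = len(partial) * len(accepted)

    # t=1: a normal client sends a complete request at once.
    table.on_open("l0", legit, 1.0)
    table.on_data("l0", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

    # Every 5 s the attacker trickles one more header per connection to keep it alive.
    for now in (5.0, 10.0, 15.0):
        for cid in accepted:
            table.on_data(cid, keepalive)
        attacker_bytes += len(keepalive) * len(accepted)
        table.tick(now)

    return {
        "attacker_accepted": len(accepted),
        "attacker_blocked": attacker in table.blocked,
        "evicted_for_deadline": sum(1 for _, why in table.dropped if why == "header deadline"),
        "legit_served": "l0" in table.served,
        "live_connections": len(table.conns),
        # what a volumetric sensor would see from the attacker: a few bytes per second
        "attacker_bytes_per_sec": attacker_bytes / 15.0,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The attacker's entire traffic works out to well under a hundred bytes per second, which no packet-rate or bandwidth threshold will notice; what gives it away is the count of connections per source still waiting for a complete request and how long each has waited. Real servers add the same two limits as timeouts and per-client connection caps in front of the worker pool.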

A Complete Range Of DDoS Tools


To execute these massive cyber assaults, hackers have numerous tools at their disposal, many of which
are free and easily downloadable on the Web. Some of the most rudimentary tools, such as simple flooding
mechanisms and easily understood host shell booters, enable just about anyone with a computer and devious
intentions to launch an attack with little to no technical expertise.
One of the most popular tools circulating the Web was the tool du jour of the global hacking collective
Anonymous, and also one of the easiest to use. Known as the Low Orbit Ion Cannon (LOIC), the application
was developed by hackers for easy launches of DDoS attacks on Websites with the click of a button.
Essentially, the app requires only a simple download, after which it transforms a user's computer into a fire
hose of bogus requests directed at the target. When done in collaboration with thousands of other like-minded
individuals, the tool has enough power to take down the networks of multinational corporations. Its ease of
use lets users participate in a DDoS attack even if they have no idea how to hack.
However, like many other threats on the security landscape, DDoS attack tools are becoming increasingly
sophisticated and complex. More technologically advanced Remote Access Trojans (RATs) and DDoS botnets
are designed to automate attacks of epic proportions, containing in their arsenal the ability to bring down the
networks of entire corporations, governments or nations.
For example, the attack code dubbed Apache Killer exploited a vulnerability in the way Apache servers
handled HTTP Range requests: a single request asking for a very large number of overlapping byte ranges
made the server consume memory and CPU out of all proportion to the size of the request. The DDoS attack,
posted on the Full Disclosure mailing list, put the power in the hands of desktop hackers to knock entire
networks offline from a single PC.
In parallel with technology trends, a wide range of commercial services are also available for a fee, enabling
amateur hackers and professional cybercriminals alike to execute a myriad of DDoS attacks.

The Real Cost Of DDoS


Make no mistake, DDoS attacks hurt everyone. While the news regularly reports on guerrilla groups, hacktivists
and hostile governments hurling DDoS attacks at each other, the victims caught in the middle of an attack are
often business organizations ranging from SMBs to enterprises.
Organizations hit with DDoS attacks, especially those that depend on uptime for business
transactions, undeniably suffer customer attrition and financial losses. But they also face intangible
consequences, such as a diminished brand and reputation and loss of future business, that might linger for
months or years following the attack.

The costs of a DDoS attack can add up quickly. In addition to lost revenue for every minute of downtime,
organizations have to endure costs related to IT analysis and cleanup, such as increased operations expenses,
added help desk personnel to deal with inquiries and enhanced recovery efforts. Losses also include worker
output, which suffers while systems are inaccessible, and lost business and customers. Additionally, many
businesses face financial penalties from broken Service Level Agreements.
For businesses that depend on uptime, such as banking and e-commerce sites, any amount of
disrupted service affects revenue. To that point, the April 2012 Stratecast report documents that DDoS
attacks on e-commerce companies escalate during the period when Website disruptions cause the greatest
economic harm, the fourth quarter of the calendar year. But while financial services and online
commerce stand to lose the most, DDoS attacks can seriously affect all industries.

Mitigating DDoS Attacks


In light of DDoS attacks that have taken down targets of Goliath proportions, IT administrators might think
there are few measures they can take to avoid becoming the next headline. That's not entirely true. In fact,
there are deliberate proactive steps companies can take, and have taken, to significantly reduce the risk of
attack and strengthen defenses in the event one should occur.
The first step is assessing the network environment and implementing a defense plan. Among other things,
the response plan should include backup and recovery efforts, additional surveillance and ways to restore
service as quickly and efficiently as possible.

Multi-Layer Defense Strategy


Such a strategy is crucial in DDoS defense, and a significant part of a multi-layer defense should include dedicated
on-premise tools designed to defend against and mitigate threats from all angles of the network. These
tools include anti-spoofing, host authentication techniques, packet-level and application-specific thresholds,
state and protocol verification, baseline enforcement, idle discovery, blacklists/whitelists and geolocation-based
access control lists.
FortiDDoS: Fortinet's FortiDDoS appliances provide comprehensive protection from both
network-layer and application-layer attacks. FortiDDoS appliances can be located in close
proximity to an organization's Web servers, where they examine traffic, which is instrumental in
detecting application-layer attacks. In addition, FortiDDoS devices have out-of-the-box policies used to identify
and block common, generic or custom DDoS attack techniques and patterns. While FortiDDoS appliances
can detect and prevent DDoS attacks immediately, the devices also contain learning modes that build profiles of
acceptable and anomalous traffic behavior from the observed traffic flow. The traffic profile
is then used to detect and restrict threats faster while reducing false positives.

That continuous learning and retuning of policies is vital when defending against DDoS threats because
Website functionality is never static, and attackers target all vectors in an attempt to gain entrance
into a victim's network. FortiDDoS appliances continuously update their generic set of policies to stay on top
of threats at all levels, regardless of their origin. Both the learning mode and generic policy updates work in
parallel as part of a comprehensive, multi-layer defensive strategy.
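Two passages of this guide point at the same idea: the application-layer attacks described in "The Anatomy Of A DDoS Attack" succeed with legitimate requests chosen because they are expensive for the backend, and the learning mode described just above builds a traffic profile before enforcing it. The following is an added example written for this guide, not FortiDDoS or FortiWeb code, that does the simplest version of both: a quiet training window teaches how many milliseconds of server time each endpoint costs, and the detection window then charges every client, per second, for the learned cost of what it requested rather than for how many requests it sent. The log lines, the addresses and the record layout "ts src method url status server_ms" are all constructed for the example.

```python
"""Learn per-URL cost, then rate-limit clients by the cost they incur (added example)."""
from collections import defaultdict
from statistics import mean

# Constructed training window: normal browsing, nothing under attack.
TRAINING_LOG = """\
0 198.51.100.10 GET /static/app.js 200 3
0 198.51.100.10 GET /static/app.css 200 2
0 198.51.100.11 GET /search?q=shoes 200 180
1 198.51.100.12 GET /static/logo.png 200 2
1 198.51.100.13 GET /search?q=boots 200 210
2 198.51.100.10 GET /product/42 200 25
2 198.51.100.14 GET /search?q=socks 200 190
3 198.51.100.15 GET /product/7 200 30
3 198.51.100.11 GET /static/app.js 200 3
4 198.51.100.12 GET /product/9 200 28
"""

# Constructed detection window: one client hits the expensive endpoint five
# times a second, another fetches cheap static assets twenty times a second.
DETECTION_LOG = "\n".join(
    [f"10 203.0.113.9 GET /search?q=x{i} 200 900" for i in range(5)]
    + ["10 198.51.100.20 GET /static/app.js 200 3" for _ in range(20)]
)


def parse(log):
    """Return (second, source, endpoint, server_ms) rows; the query string is
    dropped so that /search?q=... is profiled as one endpoint."""
    rows = []
    for line in log.strip().splitlines():
        ts, src, _method, url, _status, ms = line.split()
        rows.append((int(ts), src, url.split("?", 1)[0], int(ms)))
    return rows


def learn_profile(rows):
    """Return (mean server ms per endpoint, highest per-client cost per second seen)."""
    by_endpoint = defaultdict(list)
    per_client_second = defaultdict(int)
    for ts, src, endpoint, ms in rows:
        by_endpoint[endpoint].append(ms)
        per_client_second[(src, ts)] += ms
    return {e: mean(v) for e, v in by_endpoint.items()}, max(per_client_second.values())


def flag_by_cost(rows, cost, baseline, factor=3.0):
    """Flag clients whose learned-cost load in any second exceeds factor * baseline.
    The measured server_ms is ignored on purpose: under attack it is inflated
    for everyone, so the learned cost is the fair charge."""
    unknown = mean(cost.values())            # charge for an endpoint never seen in training
    load = defaultdict(float)
    for ts, src, endpoint, _ms in rows:
        load[(src, ts)] += cost.get(endpoint, unknown)
    limit = factor * baseline
    return sorted({src for (src, _ts), ms in load.items() if ms > limit}), limit


def flag_by_count(rows, max_rps=10):
    """The naive sensor: flag clients exceeding a plain requests-per-second limit."""
    count = defaultdict(int)
    for ts, src, _endpoint, _ms in rows:
        count[(src, ts)] += 1
    return sorted({src for (src, _ts), n in count.items() if n > max_rps})


def analyze():
    cost, baseline = learn_profile(parse(TRAINING_LOG))
    detection = parse(DETECTION_LOG)
    by_cost, limit = flag_by_cost(detection, cost, baseline)
    return {
        "search_cost_ms": round(cost["/search"], 1),
        "limit_ms_per_s": limit,
        "flagged_by_cost": by_cost,                     # the slow but expensive attacker
        "flagged_by_count": flag_by_count(detection),   # the busy but harmless client
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

The two sensors disagree on purpose: the count-based one flags the client making twenty cheap requests a second and passes the one making five expensive ones, while the cost-based one does the reverse. The factor of three and the "highest per-client cost per second" baseline are deliberately crude; a production profile would track a distribution per endpoint and per client population rather than a single maximum.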

Complementary DDoS Solutions


Two complementary Fortinet product families, FortiGate and FortiWeb, can also assist in developing a multi-layer defense strategy against DDoS attacks.
FortiGate: FortiGate offers network infrastructure protection, features traffic anomaly detection
based on thresholds and blocks network-based attacks such as TCP SYN floods, UDP/ICMP
floods, TCP port scans and protocol anomalies.
The DDoS Sensor included in FortiGate detects and drops DDoS packets before any firewall policy lookup or content scanning takes place, so the flood never reaches the processing-intensive protective services.
Administrators configure thresholds in each FortiGate DDoS sensor, along with the action to take when
the traffic volume exceeds the threshold. They can also define DDoS policies to apply to all traffic or just to
traffic to or from specific IP addresses.
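The sensor described above counts an anomaly per destination and acts once a threshold is crossed. The following is an added example written for this guide, not FortiOS code, that mirrors that threshold-and-action logic for TCP SYN floods and goes one step beyond a raw count: it also watches whether the SYNs turn into completed handshakes, so that a burst of real clients that finish the handshake (a flash crowd) is not treated like a flood of spoofed SYNs that never do. The packet records, addresses, window and threshold values are constructed for the example.

```python
"""Per-destination SYN-flood sensor with a sliding window and an action (added example)."""
from collections import defaultdict, deque


class SynFloodSensor:
    def __init__(self, threshold=1000, window=1.0, min_completion=0.2):
        self.threshold = threshold            # SYNs per window before the sensor acts (assumed)
        self.window = window                  # sliding window in seconds (assumed)
        self.min_completion = min_completion  # handshake completion ratio considered healthy (assumed)
        self.syns = defaultdict(deque)        # dst -> timestamps of SYNs inside the window
        self.done = defaultdict(deque)        # dst -> timestamps of completed handshakes
        self.pending = defaultdict(set)       # dst -> (src, sport) that sent a SYN, awaiting final ACK
        self.actions = []                     # (ts, dst, detail) for every block decision

    def _expire(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, ts, src, sport, dst, flags):
        """Feed one TCP segment; return 'pass' or 'block' for that segment."""
        if flags == "S":
            self.syns[dst].append(ts)
            # A production sensor bounds this table: it is itself a resource a flood targets.
            self.pending[dst].add((src, sport))
        elif flags == "A" and (src, sport) in self.pending[dst]:
            self.pending[dst].discard((src, sport))
            self.done[dst].append(ts)
        self._expire(self.syns[dst], ts)
        self._expire(self.done[dst], ts)

        syn_rate = len(self.syns[dst])
        if syn_rate > self.threshold:
            completion = len(self.done[dst]) / syn_rate
            if completion < self.min_completion:
                self.actions.append((ts, dst, f"{syn_rate} SYNs/window, {completion:.0%} completed"))
                return "block"
        return "pass"


def run_scenarios():
    """Replay a spoofed SYN flood and a legitimate flash crowd against one victim."""
    victim = "192.0.2.10"

    # Scenario 1: 3000 SYNs in one second from rotating spoofed sources; no handshake completes.
    flood = SynFloodSensor()
    verdicts = []
    for i in range(3000):
        ts = i / 3000.0
        verdicts.append((ts, flood.observe(ts, f"203.0.113.{i % 250}", 1024 + i, victim, "S")))
    blocked = [ts for ts, v in verdicts if v == "block"]

    # Scenario 2: 1500 real clients in one second, each completing its handshake at once.
    crowd = SynFloodSensor()
    crowd_blocked = 0
    for i in range(1500):
        ts = i / 1500.0
        src, sport = f"198.51.100.{i % 250}", 40000 + i
        crowd_blocked += crowd.observe(ts, src, sport, victim, "S") == "block"
        crowd_blocked += crowd.observe(ts, src, sport, victim, "A") == "block"

    return {
        "flood_blocked": len(blocked),
        "flood_first_block_at": blocked[0] if blocked else None,
        "flood_actions_logged": len(flood.actions),
        "flash_crowd_blocked": crowd_blocked,
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

With a threshold of 1000 the flood is blocked from its 1001st SYN onward, while the flash crowd, which also exceeds 1000 SYNs in the window, is passed because almost every SYN is followed by a completing ACK. The completion check is the part a pure volume threshold lacks; the price is the pending table, which must be bounded in a real implementation.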

FortiWeb: Combining a Web Application Firewall with DDoS protection capabilities in a single platform,
FortiWeb delivers Web and application server protection and features a transparent challenge/response
approach to identify legitimate requests.
The appliance uses both network- and application-layer protection mechanisms to identify requests from
legitimate users and block attacks originating from clients associated with botnets. FortiWeb thus
blocks threats that target applications and Web services infrastructure, such as HTTP GET/POST floods, Slowloris
and SQL injection, among others. Sophisticated attacks are blocked using a multi-layered security approach.
The deployment positions for FortiGate and FortiWeb differ slightly from FortiDDoS. Most commonly,
organizations enable DDoS protection on a FortiGate that connects a private or DMZ network to the Internet.
This is a good option for protecting branch or remote offices that are outside the core DDoS security of an
organization. Centrally, FortiDDoS is typically positioned in front of a firewall such as FortiGate and is intended
to protect the network infrastructure as well as the security infrastructure. FortiWeb, on the other hand, is
deployed in front of the servers and designed to protect against malicious access to the servers and the spreading
of malware onto them. The solution allows organizations to protect against application-level attacks
targeting the Web application and web services infrastructure.

Protect DNS Servers


As part of an overall defensive strategy, organizations must protect critical assets and infrastructure. Many
organizations maintain their own DNS servers for Web availability, and these are often the first systems to be
targeted during a DDoS attack. Once the DNS servers are down, nobody can resolve the organization's names,
so its Web operations are unreachable even if the Web servers themselves are healthy, and the cleanup afterward
is costly and extensive.
FortiDNS: Fortinet's FortiDNS product family offers a range of robust DNS appliances that
provide DNS caching with a strong focus on security. The devices, which come in a
hardened appliance format with GUI-driven configuration, strengthen enterprise security with
technologies that include transaction ID, UDP source port and case (0x20) randomization. These randomizations
raise the cost of forging a response that the resolver will accept, which is the cache poisoning route to taking a
name offline; they do not by themselves absorb a query flood, so DNS servers still need capacity, rate limiting
and the upstream flood protection described elsewhere in this guide.
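The three randomizations named above all serve one purpose: a blind attacker racing the real answer with forged responses must match every field the resolver checks, and each randomized field multiplies the number of guesses needed. The following is an added example written for this guide, not FortiDNS code: it applies the 0x20 case trick to a query name, shows the acceptance check a resolver applies to an incoming answer, and computes how the guess space and the attacker's odds change as fields are randomized. The ephemeral port range and the number of forged packets per race are assumptions for the illustration.

```python
"""Transaction ID, source port and 0x20 case randomization on a resolver (added example)."""
import random

TXID_SPACE = 65536            # 16-bit DNS transaction ID
PORT_SPACE = 65536 - 1024     # assumed ephemeral source-port range 1024..65535


def randomize_case(qname, rng):
    """0x20 encoding: flip each letter of the name to a random case; digits and dots stay."""
    return "".join(rng.choice((ch.lower(), ch.upper())) if ch.isalpha() else ch for ch in qname)


def case_bits(qname):
    """Letters in the name, i.e. the number of extra random bits 0x20 adds."""
    return sum(ch.isalpha() for ch in qname)


def make_query(qname, rng):
    """Build the outgoing query the way a hardened resolver would: fresh random
    transaction ID, fresh random source port and randomized name case."""
    return {
        "txid": rng.randrange(TXID_SPACE),
        "sport": 1024 + rng.randrange(PORT_SPACE),
        "qname": randomize_case(qname, rng),
    }


def answer_matches(query, response):
    """Accept a response only if it echoes the transaction ID, arrives on the
    port the query left from and repeats the question name byte for byte."""
    return (
        response["txid"] == query["txid"]
        and response["dport"] == query["sport"]
        and response["qname"] == query["qname"]   # deliberately case-sensitive
    )


def guess_space(txid_random=True, port_random=True, qname=None):
    """Combinations a blind spoofer must cover to be certain of one match."""
    space = TXID_SPACE if txid_random else 1
    space *= PORT_SPACE if port_random else 1
    space *= 2 ** case_bits(qname) if qname else 1
    return space


def spoof_success_probability(space, forged_per_race, races=1):
    """Probability that at least one forged packet matches over the given number
    of races, when each race sends forged_per_race distinct guesses."""
    per_race = min(forged_per_race, space) / space
    return 1 - (1 - per_race) ** races


def demo():
    rng = random.Random(2012)                     # fixed seed so the run is reproducible
    query = make_query("www.example.com", rng)
    real = {"txid": query["txid"], "dport": query["sport"], "qname": query["qname"]}
    # A spoofer who somehow got txid and port right but sent the name in lower case.
    forged = {"txid": query["txid"], "dport": query["sport"], "qname": "www.example.com"}
    return {
        "sent_qname": query["qname"],
        "real_accepted": answer_matches(query, real),
        "forged_accepted": answer_matches(query, forged),
        "space_txid_only": guess_space(True, False),
        "space_txid_port": guess_space(True, True),
        "space_txid_port_0x20": guess_space(True, True, "www.example.com"),
        "odds_txid_only_1000_forgeries": spoof_success_probability(guess_space(True, False), 1000),
        "odds_txid_port_1000_forgeries": spoof_success_probability(guess_space(True, True), 1000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With only the transaction ID randomized, a thousand forged packets per race give the attacker roughly a 1.5% chance per race, which adds up quickly over repeated races; randomizing the source port as well pushes the guess space past four billion, and 0x20 adds one bit per letter on top. The case check only works if the authoritative server echoes the question name exactly as sent, which is why 0x20 is used as an extra layer rather than on its own.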

Implementing Visibility
Organizations need a way to maintain vigilance and monitor their systems before, during and after an attack.
It's no secret that a holistic picture of the IT environment allows administrators to detect aberrations
in network traffic and spot attacks quickly, while giving them the intelligence and analytical capabilities to
implement appropriate mitigation and prevention techniques. The best defenses incorporate continuous and
automated monitoring, with alert systems that sound the alarm and trigger the response plan should DDoS traffic
be detected.
The FortiDDoS product line offers granular visibility and control, so IT administrators have a comprehensive view
of the entire network. That visibility into network behavior helps administrators get to the root of the
attack's cause and block flood traffic while allowing legitimate traffic to pass freely. It also gives administrators
the ability to conduct real-time and historical attack analysis for in-depth forensics. Advanced source tracking
further supports defensive efforts by pinpointing the address of a non-spoofed attack and can even contact the
offender's domain administrator.
The FortiDDoS Network Behavior Analysis (NBA) system, along with Fortinet's FortiAnalyzer centralized reporting
appliances, provides real-time visibility into Internet-facing networks, with capabilities that prevent network
behavior anomalies, including DDoS attacks, from getting inside the organization's perimeter. That extended visibility
enables IT administrators to create easily customized reports from security events, network traffic, Web
content and messaging data in search of any signs of DDoS threats or other suspicious traffic.

Apply Dedicated DDoS Attack Tools


Finally, it behooves organizations to adopt dedicated anti-DDoS tools that can address the growing threat head
on.
FortiDDoS appliances provide comprehensive protection with a specific mission to counter DDoS threats by
detecting and blocking malicious traffic while letting legitimate data and communications flow freely. FortiDDoS
covers all 256 Layer 3 (IP) protocol numbers as well as Layer 4 and Layer 7 protocols, and can track up to one
million source and destination IP addresses simultaneously. Fortinet's appliances rely on a multitude of
technologies that scan a wide range of threat vectors, including monitoring of HTTP methods, referrers, cookies,
URLs and user agents.

For effective DDoS protection, FortiDDoS includes two key components: advanced virtualization and
geolocation technologies.
FortiDDoS provides network segregation and virtualization capabilities, which allow organizations to
seamlessly accommodate a multitude of different platforms and environments simultaneously with one
appliance. With the FortiDDoS virtualization feature, policy administrators can establish and oversee up to eight
independent policy domains in a single appliance, which prevents attacks delivered in one network segment
from impacting other network segments. The virtualization feature also reduces the need for replicated
network segments. And virtual instances can also be an effective mechanism in defense escalation: rather
than relying on a single set of policies, IT administrators can define multiple sets in advance, so that a more
stringent set of policies can be applied if the previous ones prove inadequate. In
addition, FortiDDoS appliances apply a virtual identifier (VID) concept for powerful and cost-effective
multi-tenancy, avoiding the need to deploy multiple DDoS appliances.
The FortiDDoS geolocation technologies allow organizations to block malicious traffic coming from unknown
or suspicious foreign sources. Specifically, the appliances can block traffic by geolocation in
efficient hardware logic and, when used judiciously, can also reduce load and energy consumption
on the backend servers by eliminating traffic from regions outside the organization's geographic footprint and
market. Geolocation blocking is a coarse control: botnets and spoofed sources are not confined to any region, so
it trims noise rather than stopping a determined attacker on its own.
The FortiDDoS appliances also put control of bandwidth where it should be: in the hands of IT
administrators. Bandwidth management capabilities allow IT administrators to enforce policies while
predefining usage for customers, employees or contractors. Header and state anomaly prevention
technologies ensure a clean pipe, allowing FortiDDoS to instantly block dark address scans and prevent
the outbreak of worms and other stealthy activity. In addition, line-rate granular ACLs let FortiDDoS
protect infrastructure from unwanted traffic in the data center. The combination of these capabilities with the
heuristic and behavioral detection features of FortiDDoS enables a powerful defense against even
the most complex DDoS attacks.
Another key and unique element is that FortiDDoS defense mechanisms use granular custom-built hardware
logic designed specifically for DDoS attack mitigation, in contrast to competing
DDoS appliance manufacturers that offer DDoS features built on top of existing IPS infrastructure.
Finally, because no two organizations or networks are alike or have the same needs, Fortinet's FortiDDoS product
family offers solutions that can be tailored to vertical and market segment, with various appliance models to
address the organization's size, users and bandwidth requirements.

FortiDDoS Product Family


FortiDDoS-100A
- 1 Gbps full-duplex anti-DDoS throughput
- 8 virtualized network partitions with independent protection policies
- Interoperable with your existing security and network environments
- Continuous learning capability differentiates between gradual buildups in legitimate traffic and attacks
- Real-time and historic attacking traffic analysis
- High-performance DDoS mitigation powered by purpose-built FortiASIC-TP processor

FortiDDoS-200A
- 2 Gbps full-duplex anti-DDoS throughput
- Custom FortiASIC Traffic Processors (FortiASIC-TP) deliver high-performance DDoS mitigation
- 8 virtualized network partitions with independent protection policies
- Automatic traffic profiling and rate limiting
- Comprehensive reports including top attacks, top sources and top attackers
- Inline, transparent threat mitigation provides easy to manage, automated protection

FortiDDoS-300A
- 3 Gbps full-duplex anti-DDoS throughput
- 8 virtualized network partitions with independent protection policies
- Automatic traffic profiling and rate limiting
- Interoperable with your existing security and network environments
- Continuous learning capability differentiates between gradual buildups in legitimate traffic and attacks
- Real-time and historic attacking traffic analysis for granular threat visibility and mitigation

Conclusion
For many organizations, large and small, the specter of DDoS attacks is daunting at best. News media
reports that detail the latest assault on governments and corporations prompt users to wonder who the next
victim will be, and when the next attack will occur.
Unfortunately, organizations can expect that DDoS attacks, like other security threats, will only continue to grow
and become more prolific in the future. The evolving nature of DDoS technologies will require organizations to make
a paradigm shift that entails greater foresight and more proactive defenses.
Therefore, organizations need to ramp up their response plans and assess their network infrastructure vis-à-vis
DDoS threats today. They need to start by bolstering defenses for critical servers and prioritizing data. They
also need to implement management and monitoring capabilities that give them a comprehensive understanding
of their whole network. Finally, IT administrators should be able to implement fail-safe measures that quickly
identify the source of the threat, minimize the impact of the attack, and restore service as soon as possible.
Protection against the unknown has always been a challenge. However, with the advanced techniques used
within the Fortinet product range, IT administrators can be assured of the highest possible level of protection
for today and the future.

About Fortinet
Fortinet is a global provider of high-performance network security solutions that provide our customers with
the power to protect and control their IT infrastructure. Our purpose-built, integrated security technologies,
combined with our FortiGuard security intelligence services, provide the high performance and complete
content protection our customers need to stay abreast of a constantly evolving threat landscape. More
than 125,000 customers around the world - including the majority of the Global 1,000 enterprises, service
providers and governments - are utilizing Fortinet's broad and deep portfolio to improve their security posture,
simplify their infrastructure, and reduce their overall cost of ownership. From endpoints and mobile devices, to
the perimeter and the core - including databases, messaging and Web applications - Fortinet helps protect
the constantly evolving networks in every industry and region around the world.

FortiGuard Security Subscription Services deliver dynamic, automated updates for Fortinet products. The Fortinet
Global Security Research Team creates these updates to ensure up-to-date protection against sophisticated threats.
Subscriptions include antivirus, intrusion prevention, web filtering, antispam, vulnerability and compliance management,
application control, and database security services.
FortiCare Support Services provide global support for all Fortinet products and services. FortiCare support enables
your Fortinet products to perform optimally. Support plans start with 8x5 Enhanced Support with "return and replace"
hardware replacement or 24x7 Comprehensive Support with advanced replacement. Options include Premium
Support, Premium RMA, and Professional Services. All hardware products include a 1-year limited hardware warranty
and 90-day limited software warranty.

AMERICAS HEADQUARTERS
1090 Kifer Road
Sunnyvale, CA 94086
United States
Tel +1.408.235.7700
Fax +1.408.235.7737
www.fortinet.com/sales

EMEA HEADQUARTERS
120 rue Albert Caquot
Sophia Antipolis
France 06560
Tel +33.4.8987.0510
Fax +33.4.8987.0501

APAC HEADQUARTERS
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel +65.6513.3734
Fax +65.6295.0015

www.fortinet.com

Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet
names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics
contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments
and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties,
whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that
expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited
to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
