Botnet Attack Mitigation Techniques - State of the Art
Overview of Attacks
Botnet attacks are hard to stop. The main reason is that the current generation of security equipment and solutions cannot distinguish legitimate user access from botnet access. Botnet traffic is not spoofed: each bot completes a real TCP three-way handshake, so existing SYN-flood mitigation equipment sees nothing unusual. Since most of these attacks target a service port such as TCP port 80, firewalls must allow the packets through and therefore cannot stop the attack. A new kind of logic is needed to identify these attacks.
Distributed Denial of Service Attacks Using Botnets
In Distributed Denial of Service (DDoS) attacks, hackers write a program that covertly copies itself to dozens, hundreds, or even thousands of other computers. These computers are known as 'agents' or 'zombies' because they act on behalf of the hackers to launch an attack against target systems. The network of such computers is called a botnet.
Slow HTTP DDoS Attacks
To circumvent detection, attackers increasingly mimic the behavior of a large number of ordinary clients. A slow HTTP attack, for example, holds many connections open by sending a valid request a few bytes at a time, so that each connection ties up a server worker while looking like a client on a poor link. The resulting attacks are hard to defend against with standard techniques because the malicious requests differ from legitimate ones in intent but not in content.
Under the control of a botmaster, all of these zombies attempt repeated connections to the target site. If the attack succeeds, it depletes system or network resources, denying service to legitimate users or customers.
E-commerce sites, domain name servers, web servers, and email servers are all vulnerable to these attacks. IT managers must take steps to protect their systems, and their businesses, from irreparable damage.
A Typical Botnet Launch Pad
Botmasters launch attacks in a way that makes them hard to trace. Bots are available for rent, and a renter receives a control panel similar to the one shown below, from which a chosen site can be attacked using the attack parameters the panel offers.

What's common among the botnet attack packets
Botnet attacks are scripted. However clever the script writers are, the attacks leave a trail in the form of certain parameters. These parameters can be observed by a massively parallel hardware-logic system such as IntruGuard's IG200/2000 appliances, and they are usually visible in the application-layer headers.
All IG200/2000 appliances monitor up to 1 million IP clients, 1 million servers, 1 million TCP connections, and many other parameters simultaneously to find outliers whose behavior is abnormal, that is, not what a human does. This is done in massively parallel hardware logic. Even smart bots that run slow or fast attacks are caught through their behavioral differences from humans.
At the same time, this logic can differentiate legitimate bots such as search-engine crawlers from illegitimate ones.
Can You Do the Same Processing in CPU Based Systems?
CPU-based systems get overwhelmed under the pressure of botnet attacks; they cannot keep up with the onslaught that botnets create. A massively parallel hardware-logic system is designed from the ground up to process every packet without losing steam.
Blocking Botnet Attack Packets Using IntruGuard Appliances
IntruGuard appliances are implemented in hardware logic and can therefore process all packets at line rate. They have visibility and control over layer 7 HTTP headers and can process many parameters simultaneously without slowing down. The hardware logic monitors millions of continuously varying parameters per VID, and a system can have up to 8 VIDs.
Each monitored parameter has an adaptive threshold that is set from your own traffic; when a threshold is exceeded, the botnet is caught and its sources are blocked for a period of time that you configure.
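The per-client behavioral monitoring, the exemption for legitimate crawlers and the adaptive thresholds with timed blocking described above can be illustrated in software. The following Python is an added example, not IntruGuard code and not a description of how the appliances work internally: the connection record format, the three parameters (connections per window, seconds until the request header is complete, and how often a client repeats the same URL), the mean plus k times standard deviation rule, the floors, and the crawler allowlist are all assumptions, and the traffic is constructed. The slow-header parameter is what catches the slow HTTP clients discussed earlier.

```python
"""Per-client behavioural outlier detection with adaptive thresholds and
timed blocking. Added illustration, not IntruGuard code; the record format,
the three parameters and the mean + k*stddev rule are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Conn:
    """One completed TCP connection carrying one HTTP request (constructed)."""
    src: str            # client IP
    header_secs: float  # seconds from TCP accept until the full request header arrived
    path: str           # requested URL path


def client_features(conns):
    """Parameters per client for one window: volume, header latency, path repetition."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    feats = {}
    for src, cs in by_src.items():
        paths = [c.path for c in cs]
        feats[src] = {
            "conns": float(len(cs)),                              # connections this window
            "header_secs": mean([c.header_secs for c in cs]),     # slow-header clients score high
            "repeat_ratio": 1.0 - len(set(paths)) / len(paths),   # scripts hammer one URL, browsers fan out
        }
    return feats


def adaptive_thresholds(baseline_feats, k=3.0, floor=None):
    """Threshold per parameter = mean + k*stddev over baseline clients, never below a floor."""
    floor = floor or {}
    names = list(next(iter(baseline_feats.values())))
    thresholds = {}
    for name in names:
        vals = [f[name] for f in baseline_feats.values()]
        thresholds[name] = max(mean(vals) + k * pstdev(vals), floor.get(name, 0.0))
    return thresholds


class BlockList:
    """Sources blocked for a configured number of seconds, then released."""
    def __init__(self, block_secs):
        self.block_secs = block_secs
        self._until = {}

    def block(self, src, now):
        self._until[src] = now + self.block_secs

    def is_blocked(self, src, now):
        return self._until.get(src, 0.0) > now


def detect(window_conns, thresholds, verified_crawlers=frozenset()):
    """Map each outlier source to the parameters it exceeded; verified crawlers are exempt."""
    verdicts = {}
    for src, f in client_features(window_conns).items():
        if src in verified_crawlers:   # assumption: verified out of band (e.g. reverse + forward DNS)
            continue
        over = [name for name, limit in thresholds.items() if f[name] > limit]
        if over:
            verdicts[src] = over
    return verdicts


# --- constructed sample traffic (RFC 5737 documentation addresses) ---
SITE_PATHS = ["/", "/css/site.css", "/js/app.js", "/img/logo.png",
              "/cart", "/product/1", "/product/2", "/checkout"]


def human_traffic():
    """Six browsing clients with 6..11 requests each, spread over the site's assets."""
    conns = []
    for i in range(6):
        for j in range(6 + i):
            conns.append(Conn(f"192.0.2.{i + 1}", 0.05 + 0.01 * i, SITE_PATHS[j % len(SITE_PATHS)]))
    return conns


def attack_window():
    """The same humans plus a scripted zombie, a slow-header client and a legitimate crawler."""
    conns = human_traffic()
    conns += [Conn("198.51.100.7", 0.04, "/login") for _ in range(60)]        # scripted zombie
    conns += [Conn("198.51.100.8", 25.0, SITE_PATHS[j]) for j in range(8)]    # slow HTTP headers
    conns += [Conn("203.0.113.9", 0.03, f"/page/{j}") for j in range(80)]     # verified search crawler
    return conns


def run_demo(block_secs=600.0, now=0.0):
    """Learn thresholds from the human baseline, score the attack window, block outliers."""
    thresholds = adaptive_thresholds(
        client_features(human_traffic()),
        floor={"conns": 10.0, "header_secs": 2.0, "repeat_ratio": 0.5},
    )
    verdicts = detect(attack_window(), thresholds, verified_crawlers={"203.0.113.9"})
    blocklist = BlockList(block_secs)
    for src in verdicts:
        blocklist.block(src, now)
    return thresholds, verdicts, blocklist


if __name__ == "__main__":
    th, v, bl = run_demo()
    print("thresholds:", {name: round(x, 2) for name, x in th.items()})
    print("outliers:", v)
```

On the constructed data the zombie exceeds both the connection-count and repeat-ratio thresholds, the slow-header client exceeds only the header-latency threshold despite opening few connections, and the crawler, which exceeds the connection count, is exempt because it is on the verified list. The floors matter: a baseline of fast human clients yields a header-latency threshold of a fraction of a second, which would block anyone on a slow link, so the floor keeps the adaptive value from becoming unreasonably tight.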

Conclusion
Designing a security strategy for networked assets can be daunting. New threats demand new types of security elements. Traditional firewalls and content filters play an essential role in any network strategy, but neither can adequately defend against rate-based attacks such as those created with botnets. Hardware-logic mitigation systems that can defend against them are now available and affordable, putting zero-hour prevention within reach of all network budgets.
Request Further Information
You can click here to get further information on IntruGuard products.