Seven Criteria For DDoS Mitigation

and why IntruGuard is the Leading DDoS Mitigation Solution (and not Riorey)


1. Ability to handle highly imbalanced network conditions

2. Automatic attacker identification

3. Large attack handling capability

4. Ability to handle large number packets/second and connections/second

5. Attack isolation

6. Automated Operation

7. Independent Solution for DDoS


Ability to handle highly imbalanced network conditions

In Distributed Denial of Service (DDoS) attacks, hackers write a program that will covertly send itself to thousands of other computers. These computers are known as 'agents' or 'zombies', because they will act on behalf of the hackers to launch an attack against target systems. A network of such computers is called a BotNet. To circumvent detection, attackers are increasingly mimicking the behavior of a large number of clients. The resulting attacks are hard to defend against, using standard techniques, as the malicious requests differ from the legitimate ones in intent but not in content. At a predetermined time, the worm will cause all of these zombies to attempt repeated connections to a target site. If the attack is successful, it will deplete all system or network resources, thereby denying service to legitimate users or customers. E-commerce sites, domain name servers, web servers, and E-mail servers are all vulnerable to these types of attacks.

Attack traffic looks very different from normal traffic: the traffic pattern seen during an attack differs markedly from the pattern seen at normal times.


The picture below shows an attack graph from a real customer deployment. The blue areas are the traffic that the IntruGuard appliance allowed through, while the magenta lines are the ingress traffic. The gap between the two makes clearly visible the appliance's ability to filter out the malicious traffic while passing the legitimate traffic.


Automatic Attacker Identification


Distributed DoS attacks and BotNet attacks are a prevalent form of attack. However, several studies of attacks have found that a relatively small number of attack sources account for a large percentage of the total attack volume. When a limited number of attackers are involved, a dynamic scheme is required that can attribute the attack to its sources. IntruGuard IG2000 has a patented mechanism for attributing anomalously high traffic volumes to a limited number of sources. Such tracked sources can then be blocked for a longer duration.
IG2000 monitors up to 1 million sources at any given time and maintains a dynamic baseline of independent inbound and outbound traffic thresholds for up to 8 network segments. If a single source exceeds this baseline, either directly or by sending anomalous packets, it is caught immediately, isolated and reported.
Source tracking is useful when there are non-spoofed attacks from a limited number of sources.
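As an added illustration (not IntruGuard's code), the following Python sketch shows how per-source tracking against a per-segment dynamic baseline can work: packet counts per source and time slot are compared with a learned baseline for the destination segment, sources far above it are isolated for a longer duration, and the baseline is updated only from sources that behaved normally. The segments, baselines, multiplier, block duration and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed network segments (the appliance groups traffic by IP address/mask).
SEGMENTS = {"web": ipaddress.ip_network("203.0.113.0/24"),
            "mail": ipaddress.ip_network("198.51.100.0/24")}
# Hypothetical learned baseline: packets one source normally sends per time slot to each segment.
BASELINE = {"web": 40.0, "mail": 20.0}
# Constructed flow records: (time_slot, src_ip, dst_ip, packets_in_slot).
RECORDS = [
    (1, "192.0.2.10", "203.0.113.5", 30),
    (1, "192.0.2.11", "203.0.113.5", 35),
    (1, "192.0.2.77", "203.0.113.5", 600),   # far above the web baseline
    (1, "192.0.2.20", "198.51.100.9", 15),
    (2, "192.0.2.77", "203.0.113.5", 580),
    (2, "192.0.2.10", "203.0.113.5", 28),
    (2, "192.0.2.20", "198.51.100.9", 18),
]

def segment_for(dst_ip):
    """Map a destination address to its segment name, or None if untracked."""
    addr = ipaddress.ip_address(dst_ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def track_sources(records, baseline, multiplier=5.0, block_slots=10, alpha=0.1):
    """Return (blocked, baseline): (segment, src) -> slot until which the source is isolated, and the updated per-segment baseline."""
    counts = defaultdict(int)                     # (slot, segment, src) -> packets
    for slot, src, dst, pkts in records:
        seg = segment_for(dst)
        if seg is not None:
            counts[(slot, seg, src)] += pkts
    per_slot = defaultdict(list)                  # (slot, segment) -> [(src, pkts)]
    for (slot, seg, src), pkts in counts.items():
        per_slot[(slot, seg)].append((src, pkts))
    base, blocked = dict(baseline), {}
    for slot, seg in sorted(per_slot):            # process slots in time order
        normal = []
        for src, pkts in per_slot[(slot, seg)]:
            if pkts > base[seg] * multiplier:     # anomalous volume attributed to one source
                blocked[(seg, src)] = slot + block_slots
            else:
                normal.append(pkts)
        if normal:                                # baseline learns only from well-behaved sources
            base[seg] = (1 - alpha) * base[seg] + alpha * sum(normal) / len(normal)
    return blocked, base

def is_isolated(blocked, seg, src, slot):
    """True while a tracked source is still within its block window."""
    return blocked.get((seg, src), -1) > slot
```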

The following picture shows a typical report available from IntruGuard appliances during an attack.


Large Attack Handling Capability


The Tolly Group tested the IntruGuard mitigation solution in 2006. This is an authentic third-party assessment of our solution. Most other DDoS vendors (such as Riorey) do not have such an independent assessment.


Ability to handle large number packets/second and connections/second

IntruGuard appliances have been tested by the Tolly Group to meet very stringent specifications.

Here are our performance numbers that are key to DDoS mitigation.

Feature                              | IG200-L                         | IG200-H                           | IG2000
Aggregate Throughput                 | 200 Mbps (100 Mbps Full Duplex) | 2000 Mbps (1000 Mbps Full Duplex) | 2000 Mbps (1000 Mbps Full Duplex)
Simultaneous Connections             | 1,000,000                       | 1,000,000                         | 1,000,000
Session Setup/Teardown Rate          | 100,000/second                  | 100,000/second                    | 100,000/second
SYN Flood Handling Capacity          | 300,000/second                  | 3,000,000/second                  | 3,000,000/second
Latency                              | Under 50 microseconds           | Under 50 microseconds             | Under 50 microseconds
DDoS Attack Mitigation Response Time | Under 2 seconds                 | Under 2 seconds                   | Under 2 seconds


Attack Isolation

Virtualization of network segments and customers to provide isolation

IG2000 can segregate your network into multiple groups based on IP address/mask, VLAN tag or MAC address. This helps contain a threat to only the segment that is under attack; all other traffic continues uninterrupted.
For example, if IG2000 determines that one of the groups is under a SYN flood, it sends the SYN-cookie-based response only for that group in order to perform anti-spoofing checks. All other groups see no such backward traffic. This helps reduce the load on the network while it is under attack.
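To illustrate the per-group behaviour described above, here is an added Python sketch (not IntruGuard's implementation) in which only a group whose SYN rate exceeds its threshold gets SYN-cookie responses, while SYNs to other groups are forwarded with no backward traffic from the appliance; the ACK check then confirms that the client address is not spoofed. The group definitions, threshold, secret and counter scheme are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"        # hypothetical appliance secret for cookie generation
GROUPS = {"web": ipaddress.ip_network("203.0.113.0/24"),
          "dns": ipaddress.ip_network("198.51.100.0/24")}
SYN_FLOOD_THRESHOLD = 1000                  # hypothetical SYN/s above which a group is under attack

def group_of(ip):
    """Return the configured group containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((g for g, net in GROUPS.items() if addr in net), None)

def syn_cookie(src, dst, sport, dport, counter):
    """Stateless 32-bit initial sequence number bound to the 4-tuple and a time counter."""
    msg = struct.pack("!4s4sHHI", ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed, sport, dport, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def handle_syn(syn_rates, src, dst, sport, dport, counter):
    """Decide what happens to an inbound SYN: forwarded untouched, or answered with a cookie."""
    group = group_of(dst)
    if group is None or syn_rates.get(group, 0) <= SYN_FLOOD_THRESHOLD:
        return ("forward", None)            # group not under attack: no backward traffic
    return ("syn_ack", syn_cookie(src, dst, sport, dport, counter))

def verify_ack(src, dst, sport, dport, ack, counter):
    """A real client acknowledges cookie+1; accept the current or previous counter window."""
    got = ((ack - 1) & 0xFFFFFFFF).to_bytes(4, "big")
    for c in (counter, counter - 1):
        expected = syn_cookie(src, dst, sport, dport, c).to_bytes(4, "big")
        if hmac.compare_digest(expected, got):
            return True
    return False
```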

Attack Isolation Through Granular Visibility

IntruGuard appliances block attacks through a Multi-Verification Process (MVP); they do not just do rate limiting.

These multi-verification processes consist of:

  • Dynamic Filtering
  • Active Verification
  • Anomaly Recognition
  • Protocol Analysis
  • Rate Limiting
  • White-list, Black-list, Non-tracked sources
  • State Anomaly Recognition
  • Stealth Attack filtering
  • Dark address scan prevention
  • Source Tracking
  • Legitimate IP address Matching (for anti-spoofing)

In addition, IntruGuard appliances block floods using following techniques:

  • SYN Proxy
  • Connection Limiting
  • Aggressive Aging
  • Legitimate IP Address Matching
  • Source Packet-rate Limiting
  • Source Connection-count Limiting
  • Granular Rate-limiting
  • Dark-address filtering

Due to the above techniques, IntruGuard appliances are able to reduce the false-positive rate to a minimum, blocking only attack traffic while passing all legitimate traffic.



Automated Operation

Centralized alerts


IntruGuard products allow the administrator to flexibly specify event notification to email addresses, PDAs or pagers. The administrator can define which events should be notified and at what threshold levels.
Event notification through SNMP traps allows the administrator to view security breach events for multiple systems on a centralized console.
In addition, a web-based graphical user interface allows the user to view reports on events. The reports available independently for each group of segregated networks include top attacks, top attackers, top sources, top connections, top destinations, top scanners and top attacked services.

Adaptive Learning and Set-it-and-forget-it Operation


IntruGuard products allow the administrator to set the configuration once and then forget it. The appliances learn the traffic patterns continuously and adaptively adjust the settings over time as the business grows.

This ensures that the administrator does not have to continuously change policies as traffic trends upwards.

Independent Solution for DDoS

Effective DDoS defense requires a separate, dedicated platform that works cooperatively with other firewall and IDS/IPS functions. An architecture that integrates DDoS protection with traditional intrusion detection systems is unlikely to prove adequate against all combinations of attacks.


See also:

Frequently Asked Questions About DDoS, Botnets and IntruGuard