What Kind of Attacks Will IntruGuard Appliances Protect Us From
Overview of Attacks
As 2010 closes and 2011 begins, DDoS attack scenarios are changing day by day. While legacy attacks such as SYN floods, ICMP floods and UDP floods are still around, more and more attackers are organizing to create a new generation of attacks. Botnets can bring down your network and infrastructure with smart attack techniques.
Traditional SYN Floods
Spoofed SYN floods are the most recognized of them all and the easiest to create.
IntruGuard appliances can mitigate these attacks by using the following anti-spoofing techniques in hardware logic:
SYN Cookie
ACK Cookie
SYN Retransmission
Legitimate IP Address Caching and Matching
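The first technique in that list, the SYN cookie, is the one most worth seeing in code. The following is an added illustration written for this page, not IntruGuard's hardware logic: a minimal listener that stores nothing when a SYN arrives, encodes a time slot, an MSS index and a keyed 24-bit tag into the SYN-ACK's initial sequence number, and only creates a connection when the final ACK carries that cookie plus one. The bit layout, the MSS table, the secret and all addresses are assumptions constructed for the example.

```python
"""SYN cookies: the server keeps no per-SYN state; the SYN-ACK's ISN is a verifiable token."""
import hashlib
import hmac

SECRET = b"constructed-secret-rotate-me"   # constructed; a real stack rotates this regularly
MSS_TABLE = [536, 1300, 1440, 1460]        # assumed 3-bit MSS encoding table
SLOT_SECONDS = 64                          # cookies stay valid for a few 64-second slots


def _tag(saddr, daddr, sport, dport, count):
    """24-bit keyed tag over the 4-tuple and the time slot."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, mss, now):
    """Build the ISN: 5 bits of slot counter, 3 bits of MSS index, 24-bit tag."""
    count = int(now) // SLOT_SECONDS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _tag(saddr, daddr, sport, dport, count)


def check_syn_cookie(saddr, daddr, sport, dport, ack, now, max_age_slots=2):
    """Return the encoded MSS if ack-1 is a fresh, valid cookie for this 4-tuple, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    count5, mss_idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    now_count = int(now) // SLOT_SECONDS
    for age in range(max_age_slots + 1):       # accept the current slot and a few older ones
        count = now_count - age
        if (count & 0x1F) == count5 and _tag(saddr, daddr, sport, dport, count) == tag:
            return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None
    return None


class CookieServer:
    """Minimal listener: SYNs allocate nothing; only a valid ACK creates a connection."""

    def __init__(self, addr):
        self.addr = addr
        self.established = set()

    def on_syn(self, saddr, sport, dport, mss, now):
        # No half-open entry is stored; the returned ISN goes out in the SYN-ACK.
        return make_syn_cookie(saddr, self.addr, sport, dport, mss, now)

    def on_ack(self, saddr, sport, dport, ack, now):
        mss = check_syn_cookie(saddr, self.addr, sport, dport, ack, now)
        if mss is None:
            return False          # forged, stale, or never had a SYN: drop silently
        self.established.add((saddr, sport, dport, mss))
        return True


def demo(now=1_700_000_000):
    srv = CookieServer("198.51.100.1")       # constructed addresses throughout
    # 10,000 SYNs from spoofed sources: they never ACK, and cost the server no state.
    for i in range(10_000):
        srv.on_syn(f"10.0.{(i >> 8) & 255}.{i & 255}", 1024 + i, 80, 1460, now)
    # A real client completes the handshake: its ACK number is ISN + 1.
    isn = srv.on_syn("203.0.113.7", 51515, 80, 1460, now)
    ok = srv.on_ack("203.0.113.7", 51515, 80, isn + 1, now + 1)
    # A forged ACK with no matching cookie, and a replay of the real cookie after
    # it has expired, are both rejected.
    forged = srv.on_ack("203.0.113.8", 51516, 80, 0x12345678, now + 1)
    stale = srv.on_ack("203.0.113.7", 51515, 80, isn + 1, now + 10 * SLOT_SECONDS)
    return ok, forged, stale, len(srv.established)


if __name__ == "__main__":
    print(demo())   # (True, False, False, 1)
```

The point of the example is the accounting: ten thousand spoofed SYNs leave the connection table empty, because the only thing the server "remembers" is a secret it already holds. The cost is the well-known SYN cookie trade-off: options that do not fit in the ISN (window scaling, SACK) are lost unless carried elsewhere, which is one reason appliances combine cookies with ACK cookies, retransmission checks and caching of sources that have proven legitimate.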
UDP Floods, ICMP Floods, Non-Service Floods
These floods are still the best mechanisms to flood pipes. Just as they are easy to create, they are easily mitigated by IntruGuard appliances using behavioral anomaly detection and mitigation within seconds.
Targeted Attacks from Limited IP Addresses
When a limited number of IP addresses participate in a flood, IntruGuard's patented Source Tracking mechanism can easily identify them within seconds and block them for a long duration.
You can always create exception rules to allow some IP addresses/subnets despite their behavior.
Slow Build-up of Connections
Sometimes a botnet is used to create attacks that build up connections and leave them open. This exhausts server resources, and your firewalls and routers may also overload. These attacks are slow and therefore cannot be found easily by simple logic. An attack using Slowloris falls roughly into this category.
IntruGuard appliances count concurrent connections per source across a million sources and, under load, aggressively age only a subset of them using criteria such as inactivity or a low packet count.
Fast Build-up of Connections
These attacks involve a quick build-up of TCP connections through a proper 3-way TCP handshake. Because they are not spoofed, anti-spoofing techniques cannot stop them even though they may look like a SYN flood. IntruGuard appliances monitor concurrent connections per source, the rate of SYN packets per source per second and URLs accessed per source per second, and can easily identify such attacks.
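Both the slow build-up and the fast build-up above come down to per-source bookkeeping on completed handshakes. The following is an added example written for this page, not IntruGuard's implementation: a tracker that counts concurrent connections per source, keeps a one-second sliding window of handshakes per source, and, only once the connection table is under load, ages out connections that are idle or have exchanged very few packets. Thresholds, the load limit and all addresses are assumptions constructed for the demonstration.

```python
"""Per-source connection tracking: concurrent connections, SYN rate, and aging under load."""
from collections import Counter, defaultdict, deque


class SourceTracker:
    def __init__(self, max_conns_per_source=50, max_syn_per_sec=20,
                 load_threshold=1000, idle_seconds=30.0, min_packets=3):
        self.max_conns_per_source = max_conns_per_source
        self.max_syn_per_sec = max_syn_per_sec
        self.load_threshold = load_threshold    # table size above which aging kicks in
        self.idle_seconds = idle_seconds
        self.min_packets = min_packets
        self.conns = {}                      # (src, sport) -> [last_seen, packets]
        self.per_source = Counter()          # src -> concurrent connections
        self.syn_times = defaultdict(deque)  # src -> handshake timestamps, last second
        self.blocked = set()

    def on_syn(self, src, sport, now):
        """Called on a completed handshake (these attacks are not spoofed)."""
        if src in self.blocked:
            return "blocked"
        q = self.syn_times[src]
        q.append(now)
        while q[0] <= now - 1.0:             # one-second sliding window
            q.popleft()
        if len(q) > self.max_syn_per_sec:    # fast build-up: too many SYNs/source/second
            self.blocked.add(src)
            return "blocked:syn-rate"
        if self.per_source[src] >= self.max_conns_per_source:   # too many concurrent
            self.blocked.add(src)
            return "blocked:concurrent"
        if (src, sport) not in self.conns:
            self.per_source[src] += 1
        self.conns[(src, sport)] = [now, 1]
        return "open"

    def on_packet(self, src, sport, now):
        entry = self.conns.get((src, sport))
        if entry is not None:
            entry[0], entry[1] = now, entry[1] + 1

    def close(self, src, sport):
        if self.conns.pop((src, sport), None) is not None:
            self.per_source[src] -= 1

    def age_under_load(self, now):
        """Only when the table is loaded: drop idle connections, low-traffic ones sooner."""
        if len(self.conns) <= self.load_threshold:
            return 0
        victims = [key for key, (last_seen, packets) in self.conns.items()
                   if now - last_seen > self.idle_seconds
                   or (packets < self.min_packets and now - last_seen > self.idle_seconds / 2)]
        for src, sport in victims:
            self.close(src, sport)
        return len(victims)


def demo():
    t = SourceTracker()
    # Slow build-up: 600 bot sources open 2 connections each, send one packet, go quiet.
    for i in range(600):
        bot = f"10.{i >> 8}.{i & 255}.1"                     # constructed bot addresses
        for sport in (40000, 40001):
            t.on_syn(bot, sport, 0.0)
    # Five legitimate clients open 2 connections each and keep talking on them.
    for j in range(5):
        for sport in (50000, 50001):
            t.on_syn(f"192.0.2.{j}", sport, 0.0)
            for _ in range(10):
                t.on_packet(f"192.0.2.{j}", sport, 35.0)
    before = len(t.conns)                 # 1210, above the load threshold
    evicted = t.age_under_load(40.0)      # bots: idle 40 s with one packet -> aged out
    after = len(t.conns)                  # the 10 legitimate connections survive
    # Fast build-up: one source completes 30 handshakes within a second.
    fast = Counter(t.on_syn("198.51.100.9", 1000 + i, 50.0 + i / 100) for i in range(30))
    # Concurrent limit: one source opens 60 connections slowly, one per second.
    conc = Counter(t.on_syn("203.0.113.77", 2000 + i, 100.0 + i) for i in range(60))
    return before, evicted, after, dict(fast), dict(conc), sorted(t.blocked)


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. Aging is gated on load so that a quiet but legitimate connection is never dropped when the table has room, and the low-packet criterion is applied at a shorter timeout than plain inactivity, which is what lets a Slowloris-style source (many connections, almost no data) be shed first. The per-source counters are O(1) per event, which is what makes tracking a million sources feasible.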
Scripted HTTP Attacks On Non-Service URLs
When a scripted botnet attacks a server on non-service URLs, IntruGuard appliances can easily detect the growth of packets to the attacked URLs. At any given time, IntruGuard appliances can monitor up to 192K individual dynamic URLs and the rate of packets per second to each of them. When the rate exceeds the preconfigured behavioral threshold, the sources accessing the URL are tracked through a patented Source Tracking mechanism to isolate them from those that are not. These sources are then identified, blocked and reported.
Scripted HTTP Attacks On Service URLs
What if the attack targets a URL that is actually in service, e.g. /index.html or /index.php? In that case, IntruGuard appliances additionally look for self-similarity in the packets. Behavioral and heuristic approaches isolate such accesses from human access, and the hardware logic determines such attacks and blocks them.
The attacking sources are tracked, blocked and reported.
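The two HTTP cases above share one structure: a bounded per-URL rate table, a behavioral threshold, and then a step that separates attacking sources from everyone else hitting the same URL. The following is an added example written for this page, not IntruGuard's hardware logic or its patented Source Tracking. It tracks a one-second window of requests per URL and, once the threshold is crossed, isolates sources two ways: by their own request rate (the non-service URL case, where a few sources hammer one page) and by self-similarity (the service URL case, where many bots each make one request but share one identical header fingerprint while human traffic is diverse). The fingerprint fields, thresholds, table size and all addresses and User-Agent strings are assumptions constructed for the demonstration.

```python
"""Per-URL request-rate monitoring with source isolation and a self-similarity heuristic."""
from collections import Counter, deque


class UrlMonitor:
    def __init__(self, rate_threshold=50, window=1.0, per_source_limit=3,
                 similarity_share=0.7, max_urls=1000):
        self.rate_threshold = rate_threshold    # requests per window to one URL before isolating
        self.window = window
        self.per_source_limit = per_source_limit
        self.similarity_share = similarity_share
        self.max_urls = max_urls                # bounded URL table (assumed; appliance: 192K)
        self.hits = {}                          # url -> deque of (ts, src, fingerprint)
        self.blocked = set()

    @staticmethod
    def fingerprint(headers):
        """Self-similarity key: same User-Agent, same Referer presence, same Accept."""
        return (headers.get("User-Agent", ""), "Referer" in headers, headers.get("Accept", ""))

    def on_request(self, url, src, headers, now):
        """Record one request; return the set of sources newly blocked because of it."""
        if src in self.blocked:
            return set()
        q = self.hits.get(url)
        if q is None:
            if len(self.hits) >= self.max_urls:
                return set()                    # table full: this URL is not tracked
            q = self.hits[url] = deque()
        q.append((now, src, self.fingerprint(headers)))
        while q[0][0] <= now - self.window:
            q.popleft()
        if len(q) <= self.rate_threshold:
            return set()                        # below the behavioral threshold
        return self._isolate(q)

    def _isolate(self, q):
        per_src = Counter(src for _, src, _ in q)
        # Non-service URL: a few sources hammering one URL stand out by their own rate.
        culprits = {s for s, n in per_src.items() if n >= self.per_source_limit}
        # Service URL: many sources at a low rate each, but the burst is self-similar
        # while human traffic is diverse. Block every source in the dominant cluster.
        top_fp, n = Counter(fp for _, _, fp in q).most_common(1)[0]
        if n / len(q) >= self.similarity_share:
            culprits |= {src for _, src, fp in q if fp == top_fp}
        newly = culprits - self.blocked
        self.blocked |= newly
        return newly


def demo():
    m = UrlMonitor()
    browsers = ["Mozilla/5.0 (Windows NT 6.1) Firefox/4.0", "Mozilla/5.0 (Macintosh) Safari/533",
                "Mozilla/5.0 (X11; Linux) Chrome/8.0", "Opera/9.80 (Windows NT 6.1)",
                "Mozilla/4.0 (compatible; MSIE 8.0)"]                # constructed
    humans = [f"192.0.2.{i}" for i in range(30)]                     # constructed addresses

    def human_headers(i):
        h = {"User-Agent": browsers[i % 5], "Accept": "text/html,application/xhtml+xml"}
        if i % 2:
            h["Referer"] = "http://www.example.com/"
        return h

    # Baseline: 30 visitors load /index.html once each within a second: no action.
    for i, src in enumerate(humans):
        m.on_request("/index.html", src, human_headers(i), i / 100)
    baseline = len(m.blocked)
    # Non-service URL: 20 bots request /admin.php 4 times each inside one second, each
    # with its own User-Agent, while two visitors request it once. Per-source rate wins.
    admin_bots = [f"10.0.0.{b}" for b in range(20)]
    for i in range(4):
        for b, src in enumerate(admin_bots):
            m.on_request("/admin.php", src, {"User-Agent": f"bot-{b}/1.0", "Accept": "*/*"},
                         10.0 + i / 10 + b / 1000)
    m.on_request("/admin.php", humans[0], human_headers(0), 10.5)
    m.on_request("/admin.php", humans[1], human_headers(1), 10.51)
    admin_bots_blocked = sum(src in m.blocked for src in admin_bots)
    # Service URL: 100 bots request /index.html once each with one identical fingerprint,
    # interleaved with the 30 visitors. Nobody exceeds the per-source limit; similarity wins.
    index_bots = [f"10.1.{b >> 8}.{b & 255}" for b in range(100)]
    bot_headers = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)", "Accept": "*/*"}
    for b, src in enumerate(index_bots):
        m.on_request("/index.html", src, bot_headers, 20.0 + b / 200)
        if b < 30:
            m.on_request("/index.html", humans[b], human_headers(b), 20.0 + b / 200 + 0.002)
    index_bots_blocked = sum(src in m.blocked for src in index_bots)
    humans_blocked = sum(src in m.blocked for src in humans)
    return baseline, admin_bots_blocked, index_bots_blocked, humans_blocked


if __name__ == "__main__":
    print(demo())   # (0, 20, 100, 0)
```

The caveat a practitioner should keep in mind is the second branch: a human whose browser happens to match the bots' fingerprint would be swept up with them, which is exactly why the exception rules mentioned earlier (allowing specific addresses or subnets regardless of behavior) exist. The fingerprint should also be widened to whatever the attack actually copies, such as an identical malformed header, a fixed inter-arrival interval, or a constant extra query-string option, rather than relying on the User-Agent alone.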
Conclusion
Unlike other equipment in the market, which still relies on technology from the early 2000s, IntruGuard's appliances are built on attack mitigation technology designed for today's attacks.
Here is a summary of different types of floods handled by IntruGuard appliances:
High Connection Rate
High rate GET to page
High rate POST to page
High rate to resource intensive page
Authentication Page
Random non-existent page
Adding extra URL options
Bad formatting HTTP Header
Bad/abnormal USER AGENT
Bad/abnormal hosts
Bad/abnormal cookies
Bad/abnormal referer
Opcode Anomaly
Slow HTTP GET/POST attacks from a botnet
Resource Exhaustion
Hanging in closing states (FIN_WAIT, CLOSE_WAIT)
Too many connections per source (1 M sources monitored)