
Frequently Asked Questions About the IntruGuard IG200 and IG2000

IDS, IPS and NBA


Q: What is the difference between an Intrusion Prevention System (IPS) and a Network Behavior Analysis (NBA) System?
A: Network behavior analysis (NBA) provides network-wide visibility and can be used to detect behaviors that may be missed by other methods, such as intrusion prevention systems. This visibility can be used to identify worms, unauthorized protocols and suspicious behavior. Intrusion Prevention Systems work from a known set of attack signatures. If the attack traffic has legitimate content but illegitimate intent, an IPS fails.

DOS, DDOS Attacks

Q: What is a DoS or DDoS attack?
A: Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks send large volumes of traffic towards a target site in an attempt to consume all available network or system resources, thereby denying access to legitimate users. Infamous examples include the Blaster Worm, Code Red, Code Red II, SQL Slammer, and MyDoom. DDoS attacks enlist the help of dozens to thousands of unsuspecting ‘zombie’ servers, which unwittingly participate in the attack. Because such attacks have multiple source addresses, pinpointing a single culprit is not possible.

The IG200/IG2000 use constant learning to recognize changes in network behavior and block such attacks before they reach the target system.

Q: Do DoS attacks always come from outside my network?
A: No, DoS attacks can originate from inside your network. In many cases it can be much more damaging and difficult to respond to an inside DoS attack. In a typical data center, the bandwidth available inside is much more than external bandwidth, which is why you need true, bidirectional network behavior analysis.

Q: Does the IG200/IG2000 prevent SYN attacks?
A: Yes. Through Legitimate IP Address matching, and SYN-cookie matching, the IG200/2000 will allow valid connection requests to pass while blocking connections from zombies or spoofed IP addresses.
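As an added illustration (not IntruGuard's own code) of the SYN-cookie and legitimate-IP-table mechanism described above: the guard answers an unknown source's SYN with a keyed cookie instead of allocating connection state, admits the source into the legitimate table only when its ACK proves the cookie, and so spoofed SYN floods never consume a table entry. The secret, tick size, cookie window and eviction policy are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumed; a real device would rotate this
TICK_SECONDS = 64                     # assumed cookie time granularity
COOKIE_WINDOW = 4                     # accept cookies minted in the last 4 ticks


def _tick(now):
    return int(now) // TICK_SECONDS


def _mac24(src_ip, src_port, dst_ip, dst_port, tick, secret):
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{tick}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, now, secret=SECRET):
    """32-bit SYN cookie used as the SYN-ACK sequence number: 8 bits of tick,
    24 bits of keyed hash over the 4-tuple and tick. Nothing is stored."""
    t = _tick(now)
    return ((t & 0xFF) << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, t, secret)


def verify_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now, secret=SECRET):
    """True if the cookie was minted for this 4-tuple within COOKIE_WINDOW ticks."""
    t_now = _tick(now)
    for age in range(COOKIE_WINDOW):
        t = t_now - age
        if (t & 0xFF) == (cookie >> 24) and \
           _mac24(src_ip, src_port, dst_ip, dst_port, t, secret) == (cookie & 0xFFFFFF):
            return True
    return False


class SynGuard:
    """Stateless handshake validation in front of the server, plus the
    legitimate-IP table the FAQ mentions (capped at 1 million entries)."""

    def __init__(self, secret=SECRET, table_limit=1_000_000):
        self.secret = secret
        self.table_limit = table_limit
        self.legit = {}                  # src_ip -> time of last validated handshake

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, now):
        """Known-good sources are forwarded; unknown sources get a cookie SYN-ACK."""
        if src_ip in self.legit:
            return "forward", None
        return "synack", make_cookie(src_ip, src_port, dst_ip, dst_port, now, self.secret)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_num, now):
        """Third handshake packet: a valid cookie proves the source is reachable
        (not spoofed) and promotes it into the legitimate-IP table."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        if not verify_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now, self.secret):
            return "drop"
        if src_ip not in self.legit and len(self.legit) >= self.table_limit:
            oldest = min(self.legit, key=self.legit.get)   # evict least recently validated
            del self.legit[oldest]
        self.legit[src_ip] = now
        return "legit"
```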

Q: What are the recent DoS/DDoS attack trends, and how does the IG200/2000 protect against the evolving threats?

A: A few years back, most attacks were spoofed, and we do a great job of preventing spoofed SYN, ICMP and UDP floods through SYN cookies and other mechanisms.

These days we are seeing many attacks that come from botnets and a limited set of IPs. We stop these attacks through our patent-pending source tracking mechanisms, which punish attackers and limit the number of packets per source, connections per source, etc. When we identify the sources, we block them for a longer time and inform the administrator of the IP addresses.

Here is the trendline of attacks:

  • SYN Flood: spoofed IP addresses fill the connection table; 3-way handshakes are not completed.
    IntruGuard solution: Legitimate IP Address Table, Antispoofing Module, Dark-address prevention.
  • Zombie Flood: non-spoofed IP addresses fill the connection table; 3-way handshakes are completed.
    IntruGuard solution: give preference to already established connections and rate-limit new connection establishments.
  • Flood from Limited Sources: non-spoofed IP addresses send packets at a higher rate.
    IntruGuard solution: SYN/source/second threshold and concurrent connections/source threshold.
  • Slow Connection Build-up: non-spoofed IP addresses slowly build connections and then stay dormant, overloading the destination server.
    IntruGuard solution: concurrent connections/destination and concurrent connections/source thresholds, along with the ability to flush dead or old connections.

Q: How does the IG200/2000 protect against botnets and attacks from limited IP sources?

A: The IG200/2000 can limit packets/source/second, concurrent connections/source, concurrent connections/destination, SYN packets/source/second, SYN packets/second, connection establishment rate/source/second, etc. These mechanisms ensure that both fast and slow botnet attacks are thwarted with minimal collateral damage.

Q: How does the IG200/2000 protect my network equipment from being overloaded when under a DoS/DDoS attack?
A: IG200/2000 is usually deployed before your critical network infrastructure and provides a clean pipe to them. It therefore ensures that subsequent network infrastructure such as routers, switches, load balancers, and firewalls etc. do not get overloaded with connections.

Q: How does the IG200/2000 handle filled pipes?

A: The IG200/2000 can communicate with upstream service providers to null-route the source or destination. We have seen filled pipes at many of our customers recently. Without our appliance, the customer had no visibility into what was going on and what the attack was. Their network equipment, including high-end firewalls, would simply die under such floods. With our device in front, they were able to stop the attacks from going further and gain visibility into the attack. They were able to work with their ISPs after getting detailed reports from us. Ask us about this advanced feature.

Q: Can the IG200/IG2000 identify the originator of an intrusion or attack?
A: Yes. The Source Tracking feature captures the source address of an offending non-spoofed attacker and can block all further transmission attempts pending administrator intervention. The offending address is reported in the events log and an email can be automatically generated and sent to the offender’s domain administrator.

Q: Can the IG200/IG2000 detect single-connection (slow rise) attacks as well as floods?
A: Yes. Thresholds can be set for individual ports, addresses, connections or protocols, meaning a gradual buildup will meet a threshold and trigger blocking.

Q: What does the IG200/IG2000 do in response to an intrusion or protocol anomaly?
A: The IG200/IG2000 never generates packets into the stream it is protecting, since doing so would exacerbate a denial-of-service attack. Packets containing protocol anomalies such as invalid state transitions, bad checksums, illegal addressing, etc., will be dropped. Packets from connections exceeding protocol, port, or packet thresholds will be dropped as long as the condition persists. They will be rechecked on a configurable interval between 1 and 15 seconds, and either restored or blocked. If the offending conditions persist, all traffic and future connection requests from the source address will be blocked pending administrator intervention.
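The per-source limits and the drop / recheck / block escalation described in the two answers above, as an added example that is not IntruGuard's code: the thresholds and the strike count are assumed sample settings, and traffic is fed in as per-second totals per source.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Thresholds:
    """Assumed sample settings; a real deployment learns or tunes these."""
    pkts_per_src_per_sec: int = 1000
    syn_per_src_per_sec: int = 50
    recheck_interval: int = 5     # seconds between rechecks (FAQ: 1-15 s)
    strikes_to_block: int = 3     # consecutive violating rechecks before a hard block


@dataclass
class SourceState:
    drop_until: int = 0           # drop this source's traffic until this second
    strikes: int = 0              # consecutive rechecks that still violated
    blocked: bool = False         # blocked pending administrator intervention


class RateGuard:
    """Per-source rate thresholds with drop / recheck / block escalation."""

    def __init__(self, th: Thresholds):
        self.th = th
        self.src = defaultdict(SourceState)
        self.events = []          # (second, source, message) for the event log

    def evaluate(self, sec, src_ip, pkts, syns):
        """Apply the thresholds to one source's counts for the one-second window
        `sec`; returns the action taken on that source's traffic: 'pass', 'drop'
        or 'block'."""
        s = self.src[src_ip]
        if s.blocked:
            return "block"
        violated = (pkts > self.th.pkts_per_src_per_sec
                    or syns > self.th.syn_per_src_per_sec)
        if sec < s.drop_until:
            return "drop"         # inside the drop interval: no recheck yet
        if not violated:
            if s.strikes:
                self.events.append((sec, src_ip, "restored"))
            s.strikes = 0
            return "pass"
        s.strikes += 1
        if s.strikes >= self.th.strikes_to_block:
            s.blocked = True      # persistent offender: block and tell the admin
            self.events.append((sec, src_ip, "blocked pending administrator"))
            return "block"
        s.drop_until = sec + self.th.recheck_interval
        self.events.append((sec, src_ip, f"dropped, recheck at {s.drop_until}s"))
        return "drop"

    def blocked_sources(self):
        """Addresses currently held pending administrator intervention."""
        return sorted(ip for ip, s in self.src.items() if s.blocked)
```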

Q: Does the IG200/2000 detect network scanning?
A: Yes. The Intrusion Gateways learn normal network scanning traffic patterns and can be set to limit connections from a particular source that exceed these limits. This is important in preventing future attacks at the network elements. Network scans are associated with a particular source attempting to reach each and every address on the network. Scans exceeding a particular threshold will be blocked.

Q: What about port scans?
A: Port scans are stopped in the same way as network scans. In a port scan, a hacker attempts to scan ports on a particular device at an accelerated rate to find open ports they can exploit. The IG200/2000 evaluates the rate of port scans and will block those that exceed specified limits or the limits learned during the initial learning period.

Q: How are dark address scans prevented by the IG200/2000?
A: Through the establishment of certain thresholds the IG200/2000 can prevent dark address scanning. Source addresses with “Bogon” prefixes are stopped.

Q: Can the IG200/2000 be deployed in a virtual format to protect multiple zones?
A: Yes, through the Virtual ID capability, one IG200/2000 device can be used to segment up to eight servers, subnets or networks at the same time. Each of the eight zones can be set with separate thresholds and learn their respective traffic flows independently. These zones can be segmented based on MAC address, VLAN tags or IP address/masks.


Q: Can the IG200/2000 protect if the entire Internet connection link is swamped with DoS traffic?

A: If the entire Internet connection link is swamped with DoS traffic, then there is little you can do from your own network perimeter to affect it. No perimeter solution will work.

In that case, you need to involve the upstream service providers and/or law enforcement. The best approach is to work with your upstream providers and get them to work with their peers to identify the routes used by the DoS traffic and attempt to narrow it down to a given area; if it's a truly distributed attack, there may be little they can do too. If each one of them used an IntruGuard solution, the situation would be under control, as the attacker would be caught at the source, but that would be an ideal world. In most cases, ISPs rarely co-operate to resolve such issues.

Therefore there is a need to have additional perimeter protection with IG200/IG2000 in your network which will keep your services going even under attack.

We have seen several targeted DDoS attacks, and none of them was successful in using up the entire pipe bandwidth. For these types of attacks, a perimeter attack mitigation approach can be quite effective, ensuring that legitimate transactions can complete even in the presence of DDoS/DoS attack.

Proper perimeter architecture can allow an organization to respond to an attack and maintain service.  When the attackers realize that the attack is not having an impact they give up.

 

Q: Does the IG200/2000 provide protection from LAND, Teardrop, Smurf and other attacks?
A: Yes. In a LAND attack the source and destination addresses of an incoming packet are identical, which marks it as forged malicious traffic; the IG will note the source address for future attempts and drop the packet. Other protocol manipulation attacks are stopped in the same way.



Q: How about traffic spikes from external factors? How easily can the thresholds be adjusted?
A: With a “one click” input, the Administrator can raise the thresholds associated with an expected increase in protocol traffic. Such a spike could result from a sales promotion, major product announcement, news event, etc. The IG200/2000 limits are all modified with one command, and the length of time to allow for the spike is selectable, obviating the need to reset the thresholds after the event passes.

 

IntruGuard Technology and Performance

Q: Does the IG200/IG2000 run on a standard computing platform?
A: No, the IG200/IG2000 is a purpose-built network appliance using custom ASICs. Its patent-pending design provides maximum cost and security efficiency. This means hackers cannot take over the device and run rogue code. The IG200/IG2000 does not present an IP address or MAC address in the data path network and therefore attempts to directly target or impact its operation are inhibited.

Q: Does the IG200/IG2000 generate false positives?
A: No, the IG200/IG2000 does not suffer from this issue. False positives are indicative of signature based prevention methodologies and not network behavior analysis methodologies. If the traffic pattern data obtained has been insufficient or incorrect, some normal data may be identified as a behavioral attack, but administrators can correct this very easily by readjusting the learning session or adaptive threshold guidelines.

Q: What interfaces do the IG200 and IG2000 provide?
A: The IG200/IG2000 are designed to be deployed ‘in-line’ in an Ethernet stream, typically between a server farm and a switch or router.

The IG200 is equipped with two (2) 10/100 Ethernet ports (1 input, 1 output) for data.

The IG2000 is equipped with two (2) 10/100/1000 Ethernet ports (1 input, 1 output) for data.

Both the IG200 and IG2000 have two (2) auxiliary 10/100 Ethernet ports for forensic packet output. A keyboard, mouse and monitor may be connected for configuration and monitoring. An additional 10/100 Ethernet port is available for remote configuration and monitoring.

Q: Does the IG200/IG2000 use signatures to recognize attacks?
A: No. The IG200/IG2000 is a Network Behavior Analysis (NBA) System, meaning that it monitors dozens of parameters within Layer 2, 3 and 4 headers to analyze subtle changes in the rate of network traffic within these parameters to recognize and prevent attacks. As such, it is not dependent on matching specific attack signatures to provide effective protection.

Q: Can the IG200/IG2000 protect against “Zero Day” attacks?
A: Yes. A new attack that has not yet been characterized is called a ‘Zero Day’ attack. Signature based systems generally defend poorly against Zero Day attacks because they have no signature against which to compare the attack pattern. The rate-based IG200/IG2000 will detect the behavior of the attack and take appropriate prevention measures, even for attacks not yet seen or characterized.

Q: What kind of granularity is offered for detection/prevention triggers on the IG200/IG2000?
A: The IG200/IG2000 offers the widest range of network behavior analysis parameters in the industry. Thresholds can be set for any protocol on Layers 2, 3 or 4, packet counts per protocol, per TCP/UDP port, or per IP address. In addition, thresholds exist for TCP SYN connections/sec, and total active connections. Multiple thresholds are continuously monitored by the system, and alarms are set when any are violated.

 

Q: Is the IG200/IG2000 stateful?
A: Yes, the IG200/IG2000 keeps track of the state and direction of connections. This allows it to detect and block illegal state transitions, illegal sequence numbers and incomplete handshakes, and to enforce thresholds on TCP and UDP destination ports. The IG200/IG2000 maintains stateful awareness of 1 million sessions in each direction.

 

Q: What kind of information can I view about my traffic?
A: The IG200/IG2000 uses a web-based management interface that contains a wealth of information about the network behavior observed. Statistics can be viewed for Layer 2, 3, or 4 traffic in increments of minutes, hours, days, weeks, or months up to 1 year. Peak and average traffic loads, seasonality, trends, and attack attempts are all visible in graphical form. These can be viewed over a secure HTTPS connection. In addition, IG200/2000 can show you various attack reports such as top attacks, top attackers, top connections.


Q: How does the IG200/IG2000 deal with traffic ‘spikes’?
A: A spike can be described as an anomalous increase in traffic that exceeds one of many preset thresholds. This might be best described by example. Suppose a server performs an automatic backup on Friday at 11:00 p.m. This would create an increase in outbound TCP traffic. The TCP packet threshold will not likely be reached because only a single connection is involved. The backup application probably uses a specific TCP port number, which has an outbound packet threshold assigned. The administrator should set this threshold accordingly to accommodate the traffic pattern of the backup. This packet threshold can be determined by viewing the profile collected by the IG200/IG2000 during previous backups. If the administrator is concerned about abuse on this port, the threshold can be set low (or to zero) during non-backup days.

Continuous learning allows the IG200/IG2000 to dynamically adjust thresholds to accommodate more gradual increases in traffic rates. In this manner, adjustments are automatically made based on the continuous traffic learning behavior, ensuring that future legitimate traffic spikes are not viewed as attacks.
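An added example (not the product's implementation) of the threshold estimation this answer and the spike-allowance answer describe: the threshold for one parameter is recomputed from the learned peak and a running average, a temporary administrator allowance expires on its own, and neither violating buckets nor allowance-period buckets feed the baseline. The margin, window size and EWMA weight are assumptions.

```python
from collections import deque


class AdaptiveThreshold:
    """Recommended threshold for one traffic parameter (e.g. outbound packets on
    the backup application's TCP port) re-estimated from a rolling window of
    learned buckets (the FAQ's revision interval can be as short as 5 minutes)."""

    def __init__(self, name, window_buckets=12, margin=1.5, floor=0, alpha=0.3):
        self.name = name
        self.history = deque(maxlen=window_buckets)   # recent per-bucket counts
        self.margin = margin       # headroom above the learned peak (assumed 50%)
        self.floor = floor         # never recommend below this
        self.alpha = alpha         # EWMA weight so gradual growth is tracked
        self.ewma = None
        self.threshold = None
        self.spike_factor = 1.0    # administrator's temporary spike allowance
        self.spike_until = -1      # bucket index at which the allowance expires

    def learn(self, count):
        """Feed one attack-free bucket and recompute the recommended threshold."""
        self.history.append(count)
        self.ewma = count if self.ewma is None else (
            self.alpha * count + (1 - self.alpha) * self.ewma)
        peak = max(self.history)
        self.threshold = max(self.floor, int(max(peak, self.ewma) * self.margin))
        return self.threshold

    def allow_spike(self, factor, start_bucket, n_buckets):
        """'One click' allowance for an expected event (promotion, news release):
        multiply the threshold by `factor` for n_buckets, then revert automatically."""
        self.spike_factor = factor
        self.spike_until = start_bucket + n_buckets

    def effective(self, bucket):
        """Threshold actually enforced in this bucket."""
        active = bucket < self.spike_until
        return int(self.threshold * (self.spike_factor if active else 1.0))

    def check(self, bucket, count):
        """Compare one live bucket with the effective threshold.
        Returns (violated, threshold_used). Violating buckets and buckets inside
        a spike allowance are not learned, so neither an attack nor a planned
        event ratchets the baseline upward."""
        thr = self.effective(bucket)
        if count > thr:
            return True, thr
        if bucket >= self.spike_until:
            self.learn(count)
        return False, thr
```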


Q: Does the IG200/IG2000 use different responses for different intrusion conditions such as TCP packets with bad sequence numbers vs. SYN attacks?
A: Blocking is the response to any threshold violation. Traffic will be dropped for a configurable time period, and then the connection will be reevaluated to determine if behavior has been remedied. If violations persist, all traffic from the offending source will be dropped pending administrator intervention. For TCP connections, you can choose whether to drop an offending packet or drop the connection.

Q: Does the IG200/IG2000 use Honeypot technology?
A: No. Honeypots are essentially ‘dummy’ server addresses designed to set a trap for potential hackers. This is not a technology for protection, but rather ‘flypaper’ to catch hackers.

Q: What kind of forensic output does the IG200/IG2000 provide for ‘bad’ traffic?
A: The IG200/IG2000 is equipped with two Ethernet forensic ports that are able to dump blocked traffic to a forensic capture system.

Q: Does the IG200/IG2000 fail ‘open’ or ‘closed’?
A: This is a configurable parameter. If set to fail ‘open’, a failure on the IG200/IG2000 would pass all traffic through. If set to fail ‘closed’, all traffic would be blocked.

Q: What is the performance of the IG2000?
A: The IG2000 uses custom ASICs and a patent-pending architecture to monitor thresholds on any/all L2, L3, or L4 protocols, any port, and any address at Gigabit Ethernet line rate. Using a SmartBits traffic generator, we measured a latency of 2 µs to 40 µs through the IG2000 and 0% throughput loss, with all filters turned on. Dropping packets does not affect performance, since all thresholds are continuously monitored at all times.

Q: How many simultaneous TCP connections does IG2000 maintain at any given time?
A: The IG2000 can monitor up to 1 million connections at any given time. Similarly it can hold 1 million distinct IP addresses to facilitate source tracking. The device holds up to 1 million legitimate IP addresses to prevent SYN and zombie attacks.


Q: Does the IG200/2000 support redundancy operation?
A: The IG2000 has dual internal disk drives where the data is mirrored using RAID 1 between the two drives for fail over. A backup power supply also allows further redundancy. If either the disk drive or power supply fails, the backup is utilized to maintain on-line operation.

 

IntruGuard Configuration and Deployment

Q: How often are the threshold values updated through revised estimation?
A: The IG200/2000 can be configured by the Administrator to revise threshold values as often as every five minutes. This fine granularity ensures revised adaptive thresholds are based on current traffic conditions. These updates are all automatic, with no user input required.

Q: Is administrator intervention required to reset parameters after an attack?
A: Not necessarily. Because the IG200/IG2000 is continuously learning, it can detect when an attack has ceased. It will then allow normal traffic to resume without requiring administrator attention. However, administrators may wish to change configuration options based on the event log or forensic information captured during an attack.

Q: Where should the IG200/IG2000 be placed in my network?
A: The IG200/IG2000 is ideal for protecting servers or groups of servers from DDoS and protocol attacks. We recommend the IG200/IG2000 be placed as close as possible to the systems or networks being protected, or possibly behind a switch feeding a group or cluster of servers. Entire subnets can be protected with a gateway as long as all nodes share similar traffic rates and thresholds.

Q: Does the IG200/IG2000 have a “listen-only” or “set-aside” mode, in which it does not block traffic?
A: The IG200/IG2000 is always learning about traffic patterns, but administrators can configure whether or not blocking is turned on. The product ships in “listen only” mode, in which alerts will be recorded, but no action taken. The IG appliances can work in off-line detection, in-line detection, or in-line prevention modes. These modes can be used to gracefully install the appliance into the network.

Q: How much configuration is required to initially set up the IG200/IG2000?
A: During passive learning mode, no configuration is required for the appliance to begin learning. An IP address may be assigned for the management interface, but management can also be done with a locally attached keyboard/monitor. Because no traffic will be blocked, the IG200/IG2000 will “learn” the traffic profile so appropriate thresholds can be set. After 2-10 days of attack-free learning, a sufficient baseline will exist to enable administrators to tune threshold levels for their networks. Administrators then have the option of accepting the recommended thresholds or configuring their own.

Q: How long should the IG200/IG2000 be left in non-blocking learning mode while building a baseline?
A: We recommend 2-10 days of ‘normal’ operation, meaning no attacks, no unusual events causing high traffic conditions (e.g. news releases or promotions on a web server). This may vary depending on how much traffic parameters fluctuate throughout the day.

Q: Do IntruGuard gateways have “whitelist” capability?
A: Any specific flood parameter (such as for port, protocol, connections, VLAN etc.) threshold can be set to an arbitrarily high threshold, meaning no packet floods in that parameter will ever be dropped.

Q: I have two (redundant) links to the Internet. Can IntruGuard gateways support such a configuration?
A: Yes, a single IG200/2000 has 4 ports. Two of them can be configured for bridging the first link while the other two can be used for the second/redundant link.

Alternatively, you can use two independent IG200/2000 appliances in an Asymmetric Configuration. These two appliances share state with each other and act as a hot-standby pair.

More Information About Current Attacks

Ask us about the following attacks:

  • Common Attacks:
    • SYN Flood
    • ICMP Flood
    • UDP Flood
    • UDP Small Flood
    • TCP Flood
  • Web Attacks:
    • No Cache Get Flood
    • CC Attack
    • HTTP GET Nothing
  • Special Attacks:
    • CQ Game Attack
    • Route Attack
    • Smart Auto Attack
  • Combined Attacks:
    • SYN + UDP Flood
    • ICMP + TCP Flood
    • UDP Small + TCP Connect Attack