Fortinet white logo
Fortinet white logo

Handbook

DDoS mitigation techniques overview

DDoS mitigation techniques overview

The best security strategies encompass people, operations, and technology. The first two typically fall within an autonomous domain, e.g. within a company or IT department that can enforce procedures among employees, contractors, or partners. But since the Internet is a public resource, such policies cannot be applied to all potential users of a public website or email server. Thankfully, technology offers a range of security products to address the various vulnerabilities.

Firewalls

Firewalls can go a long way to solving some problems by restricting access to authorized users and blocking unwanted protocols. As such, they are a valuable part of a security strategy. But public websites and eCommerce servers cannot know in advance who will access them and cannot 'prescreen' users via an access list. Certain protocols can be blocked by firewalls, but most DoS attacks utilize authorized ports (e.g. TCP port 80 for a web server) that cannot be blocked by a firewall without effectively blocking all legitimate HTTP traffic to the site, thereby accomplishing the hacker’s objective.

Firewalls offer some security against a single user DoS attack by denying access to the offending connection (once it is known), but most DoS attacks today are distributed among hundreds or thousands of zombies, each of which could be sending legal packets that would pass firewall scrutiny. Firewalls perform a valuable service in an integrated security strategy, but firewalls alone are not enough.

Router access control lists

Likewise, access lists in the router can be used to block certain addresses, if such addresses can be known a priori. But websites open to the public are, by nature, open to connections from individual computers, which are exactly the agents hackers use to initiate attacks. In a DDoS attack, thousands of innocent looking connections are used in parallel. Although router access lists can be used to eliminate offending packets once they are identified, routers lack the processing power and profiling heuristics to make such identifications on their own.

In addition, complex access lists can cause processing bottlenecks in routers, whose main function is to route IP packets. Performing packet inspections at Layers 3, 4, and 7 taxes the resources of the router and can limit network throughput.

Antivirus software

End systems cannot be considered secure without antivirus software. Such software scans all inputs to the system for known viruses and worms, which can cause damage to the end system and any others they may infect. Even after a virus is known and characterized, instances of it are still circulating on the Internet, through email, on CDs and floppy disks. A good antivirus subscription that is frequently updated for the latest protection is invaluable to any corporate or individual computer user.

But even antivirus software is not enough to catch certain attacks that have been cleverly disguised. Once a system is infected with a new strain, the damage can be done before the virus or worm is detected and the system is disinfected.

Application protection

Such packages include software that watches for email anomalies, database access queries, or other behavior that may exploit vulnerability in the application. Because it must be very specific—and very close—to the application it is protecting, application protection is typically implemented as software on the host. Dedicated servers would benefit from well-designed application security software that will maintain the integrity of the code and detect anomalous behavior that could indicate an attack. Certain malicious code can attempt to overwrite registers on the end-system and thereby hijack the hardware for destructive purposes.

Intrusion detection systems

Intrusion Detection Systems (IDS) are designed to 'listen' to traffic and behavior and set an alarm if certain conditions are met. Some IDS implementations are implemented in the host, while others are deployed in the network. The IDS sensor monitors traffic, looking for protocol violations, traffic rate changes or matches to known attack 'signatures'. When a threat is detected, an alarm is sent to notify a (human) network administrator to intervene.

Host-based intrusion detection systems are designed as software running on general purpose computing platforms. Not to be confused with application security software (mentioned above), which runs on the end system and focuses primarily on Layers 5-7, software based intrusion systems must also focus on Layers 3 and 4 of the protocol stack. These packages rely on the CPU power of the host system to analyze traffic as it comes into the server. General purpose computers often lack the performance required to monitor real-time network traffic and perform their primary functions. Creating a bottleneck in the network or on the server actually helps the hacker accomplish his goal by restricting access to valuable resources.

End-systems provide the best environment for signature recognition because packets are fully reassembled and any necessary decryption has been performed. However, signature-based intrusion detection has its limitations, as described below.

The next step in the evolution of intrusion security was content-based Intrusion Prevention Systems (IPS). Unlike IDS, which require manual intervention from an administrator to stop an attack, a content-based IPS automatically takes action to prevent an attack once it is recognized. This can cut down response time to near zero, which is the ultimate goal of intrusion security.

IPS must be intelligent, however, or the remedy might actually accomplish the hacker's goal: denying resources to legitimate users.

Prevention mechanisms can also be harmful if detection is subject to false positives, or incorrect identification of intrusion. If the prevention action is to disable a port, protocol, or address, a false positive could result in denial of service to one or more legitimate users.

Network behavior analysis

An alternative to signature recognition is network behavior analysis (NBA). Rate-based systems must provide detailed analysis and/or control of traffic flow. A baseline of traffic patterns is established, usually during a learning mode in which the device only 'listens' without acting on any alarm conditions. A good system will have default parameters set to reasonable levels, but the 'listening' period is required to learn the traffic behavior on various systems. The listening period should be 'typical,' in the sense that no attacks or unusual traffic patterns should be present. For example, Saturday and Sunday are probably not good days to build a baseline for a corporate server that is much busier during the workweek. Periods of unusually high or low traffic also make bad listening intervals, such as Christmas vacation week, unusually high traffic due to external events (press releases, sales promotions, Super Bowl halftime shows, and so on).

Once a baseline is established, rate-based systems watch for deviations from the known traffic patterns to detect anomalies. Good systems will allow an administrator to override the baseline parameters if events causing traffic surges are foreseen, for example, a server backup scheduled overnight.

While signature-based systems are scrutinized for false-negatives, or failing to identify an attack, rate-based systems should be scrutinized for false positives, or misidentifying legitimate changes in traffic patterns as attacks. Whether setting alarms or taking preventative action, rate-based systems must be well-designed to avoid unnecessary overhead.

Equally important for rate-based systems are their analysis tools. Administrators should be able to view their traffic patterns on a variety of levels, and use this information to tune their network resources.

FortiDDoS compared with firewalls

FortiDDoS’ state-aware NBA architecture for TCP, DNS and NTP detection and line-rate mitigation is significantly different and better than firewalls.

Firewalls maintain state to ensure NAT operates correctly, among other things. They also often create timer-based “virtual” state machines for UDP packets to assist with UTM detections. For these reasons and others, they are vulnerable to:

  • Small-packet random-source UDP floods which fill connection tables
  • Fragmented UDP floods which fill IPS buffers
  • TCP Flag floods which either fill connection tables with ½ open sessions (SYN Floods of various kinds) or exhaust resources by forcing the firewall to check SYN-ACK floods against the existing outbound ½ open session table.
  • Most firewalls’ performance degrades in the face of small-packet UDP and TCP Flag floods since processing many packets rapidly taxes the CPUs
  • Simple blocking thresholds for these attacks often result in all new TCP connections blocked or all UDP traffic blocked
  • Many UDP and non-standard Protocol floods result in outbound ICMP messages, further taxing the firewall CPUs.

FortiDDoS does not need state information to detect 99.99% of attacks:

  • UDP Protocol and Port floods are rate-based and FortiDDoS detects floods to all 65,535 valid UDP ports as well as FROM UDP ports 1-9999 (a much wider range than currently known UDP reflected floods like DNS, NTP, CLDAP, and wider than any other DDoS vendor).
  • Stateless mitigation of 3 different types of SYN Floods to the Internet link line rate. A SYN flood through a GE Internet link can reach 1.5 million pps.
  • FortiDDoS unique hardware architecture with 100% small-packet line-rate inspection and mitigation allows the system to see and mitigate TCP illegal flag floods from the first packet, with no impact on system throughput.
  • FortiDDoS is state-aware for the 9 TCP flag combinations that may happen during a real TCP session. For example, instead of setting a threshold for SYN-ACKs that would result in blocking all new connections when the inbound threshold is crossed, as firewalls and other DDoS vendors do, FortiDDoS monitors the state of up to 24 million TCP connections. If a SYN packet is seen outbound, it allows the matching inbound SYN-ACK to pass. If a SYN-ACK arrives without a corresponding SYN-ACK match, the packet is instantly dropped (again, at the line-rate of the link). This STOPS any SYN-ACK attack while continuing to allow “good” SYN-ACKs in response to outbound SYNs – something no other vendor can claim. Similarly, a single RST is allowed to take down an existing TCP session but no RSTs are allowed outside a connected session. By being aware of the session state, out-of-state RSTs are dropped instantly without thresholds. This also works for ACK, FIN-ACK, ACK-PSH, etc., all without interfering with legitimate traffic.
  • FortiDDoS uses its superior state-aware NBA performance to support other stimulus-response applications such as DNS and NTP. Up to 12 million DNS Queries per second are monitored and matched with incoming DNS responses. Unmatched DNS responses are instantly dropped while DNS Responses from outbound Queries are allowed, stopping attacks instantly with no thresholds, while allowing continued internet access for legitimate users – performance and mitigation that firewalls and other DDoS vendors cannot approach.

FortiDDoS compared with conventional intrusion prevention systems

FortiDDoS-F is a rate-based IPS device that detects and blocks network attacks which are characterized by excessive use of network resources. It uses a variety of schemes, including anomaly detection and statistical techniques, to detect and block malicious network traffic. When it detects an intrusion, the FortiDDoS-F blocks traffic immediately, thus protecting the systems it is defending from being overwhelmed.

Unlike conventional content-based IPS, an NBA system does not rely on a predefined attack “signature” to recognize malicious traffic. An IPS is vulnerable to “zero-day” attacks, or attacks that cannot be recognized because no signature has been identified to match the attack traffic. In addition, attack traffic that is compressed, encrypted, or effectively fragmented can escape many pattern-matching algorithms in content-based IPS. And many rate-based attacks are based on genuine and compliant traffic being sent at high rates, effectively evading the IPS.

An NBA provides a network with unique protection capabilities. It delivers security services not available from traditional firewalls, IPS, or antivirus/spam detectors. The detection, prevention, and reporting of network attacks is based on traffic patterns rather than individual transaction or packet-based detection, which enables the FortiDDoS-F to serve a vital role in an effective security infrastructure. Rather than replacing these elements, an NBA complements their presence to form a defense-in-depth network security architecture.

DDoS mitigation techniques overview

DDoS mitigation techniques overview

The best security strategies encompass people, operations, and technology. The first two typically fall within an autonomous domain, e.g. within a company or IT department that can enforce procedures among employees, contractors, or partners. But since the Internet is a public resource, such policies cannot be applied to all potential users of a public website or email server. Thankfully, technology offers a range of security products to address the various vulnerabilities.

Firewalls

Firewalls can go a long way to solving some problems by restricting access to authorized users and blocking unwanted protocols. As such, they are a valuable part of a security strategy. But public websites and eCommerce servers cannot know in advance who will access them and cannot 'prescreen' users via an access list. Certain protocols can be blocked by firewalls, but most DoS attacks utilize authorized ports (e.g. TCP port 80 for a web server) that cannot be blocked by a firewall without effectively blocking all legitimate HTTP traffic to the site, thereby accomplishing the hacker’s objective.

Firewalls offer some security against a single user DoS attack by denying access to the offending connection (once it is known), but most DoS attacks today are distributed among hundreds or thousands of zombies, each of which could be sending legal packets that would pass firewall scrutiny. Firewalls perform a valuable service in an integrated security strategy, but firewalls alone are not enough.

Router access control lists

Likewise, access lists in the router can be used to block certain addresses, if such addresses can be known a priori. But websites open to the public are, by nature, open to connections from individual computers, which are exactly the agents hackers use to initiate attacks. In a DDoS attack, thousands of innocent looking connections are used in parallel. Although router access lists can be used to eliminate offending packets once they are identified, routers lack the processing power and profiling heuristics to make such identifications on their own.

In addition, complex access lists can cause processing bottlenecks in routers, whose main function is to route IP packets. Performing packet inspections at Layers 3, 4, and 7 taxes the resources of the router and can limit network throughput.

Antivirus software

End systems cannot be considered secure without antivirus software. Such software scans all inputs to the system for known viruses and worms, which can cause damage to the end system and any others they may infect. Even after a virus is known and characterized, instances of it are still circulating on the Internet, through email, on CDs and floppy disks. A good antivirus subscription that is frequently updated for the latest protection is invaluable to any corporate or individual computer user.

But even antivirus software is not enough to catch certain attacks that have been cleverly disguised. Once a system is infected with a new strain, the damage can be done before the virus or worm is detected and the system is disinfected.

Application protection

Such packages include software that watches for email anomalies, database access queries, or other behavior that may exploit vulnerability in the application. Because it must be very specific—and very close—to the application it is protecting, application protection is typically implemented as software on the host. Dedicated servers would benefit from well-designed application security software that will maintain the integrity of the code and detect anomalous behavior that could indicate an attack. Certain malicious code can attempt to overwrite registers on the end-system and thereby hijack the hardware for destructive purposes.

Intrusion detection systems

Intrusion Detection Systems (IDS) are designed to 'listen' to traffic and behavior and set an alarm if certain conditions are met. Some IDS implementations are implemented in the host, while others are deployed in the network. The IDS sensor monitors traffic, looking for protocol violations, traffic rate changes or matches to known attack 'signatures'. When a threat is detected, an alarm is sent to notify a (human) network administrator to intervene.

Host-based intrusion detection systems are designed as software running on general purpose computing platforms. Not to be confused with application security software (mentioned above), which runs on the end system and focuses primarily on Layers 5-7, software based intrusion systems must also focus on Layers 3 and 4 of the protocol stack. These packages rely on the CPU power of the host system to analyze traffic as it comes into the server. General purpose computers often lack the performance required to monitor real-time network traffic and perform their primary functions. Creating a bottleneck in the network or on the server actually helps the hacker accomplish his goal by restricting access to valuable resources.

End-systems provide the best environment for signature recognition because packets are fully reassembled and any necessary decryption has been performed. However, signature-based intrusion detection has its limitations, as described below.

The next step in the evolution of intrusion security was content-based Intrusion Prevention Systems (IPS). Unlike IDS, which require manual intervention from an administrator to stop an attack, a content-based IPS automatically takes action to prevent an attack once it is recognized. This can cut down response time to near zero, which is the ultimate goal of intrusion security.

IPS must be intelligent, however, or the remedy might actually accomplish the hacker's goal: denying resources to legitimate users.

Prevention mechanisms can also be harmful if detection is subject to false positives, or incorrect identification of intrusion. If the prevention action is to disable a port, protocol, or address, a false positive could result in denial of service to one or more legitimate users.

Network behavior analysis

An alternative to signature recognition is network behavior analysis (NBA). Rate-based systems must provide detailed analysis and/or control of traffic flow. A baseline of traffic patterns is established, usually during a learning mode in which the device only 'listens' without acting on any alarm conditions. A good system will have default parameters set to reasonable levels, but the 'listening' period is required to learn the traffic behavior on various systems. The listening period should be 'typical,' in the sense that no attacks or unusual traffic patterns should be present. For example, Saturday and Sunday are probably not good days to build a baseline for a corporate server that is much busier during the workweek. Periods of unusually high or low traffic also make bad listening intervals, such as Christmas vacation week, unusually high traffic due to external events (press releases, sales promotions, Super Bowl halftime shows, and so on).

Once a baseline is established, rate-based systems watch for deviations from the known traffic patterns to detect anomalies. Good systems will allow an administrator to override the baseline parameters if events causing traffic surges are foreseen, for example, a server backup scheduled overnight.

While signature-based systems are scrutinized for false-negatives, or failing to identify an attack, rate-based systems should be scrutinized for false positives, or misidentifying legitimate changes in traffic patterns as attacks. Whether setting alarms or taking preventative action, rate-based systems must be well-designed to avoid unnecessary overhead.

Equally important for rate-based systems are their analysis tools. Administrators should be able to view their traffic patterns on a variety of levels, and use this information to tune their network resources.

FortiDDoS compared with firewalls

FortiDDoS’ state-aware NBA architecture for TCP, DNS and NTP detection and line-rate mitigation is significantly different and better than firewalls.

Firewalls maintain state to ensure NAT operates correctly, among other things. They also often create timer-based “virtual” state machines for UDP packets to assist with UTM detections. For these reasons and others, they are vulnerable to:

  • Small-packet random-source UDP floods which fill connection tables
  • Fragmented UDP floods which fill IPS buffers
  • TCP Flag floods which either fill connection tables with ½ open sessions (SYN Floods of various kinds) or exhaust resources by forcing the firewall to check SYN-ACK floods against the existing outbound ½ open session table.
  • Most firewalls’ performance degrades in the face of small-packet UDP and TCP Flag floods since processing many packets rapidly taxes the CPUs
  • Simple blocking thresholds for these attacks often result in all new TCP connections blocked or all UDP traffic blocked
  • Many UDP and non-standard Protocol floods result in outbound ICMP messages, further taxing the firewall CPUs.

FortiDDoS does not need state information to detect 99.99% of attacks:

  • UDP Protocol and Port floods are rate-based and FortiDDoS detects floods to all 65,535 valid UDP ports as well as FROM UDP ports 1-9999 (a much wider range than currently known UDP reflected floods like DNS, NTP, CLDAP, and wider than any other DDoS vendor).
  • Stateless mitigation of 3 different types of SYN Floods to the Internet link line rate. A SYN flood through a GE Internet link can reach 1.5 million pps.
  • FortiDDoS unique hardware architecture with 100% small-packet line-rate inspection and mitigation allows the system to see and mitigate TCP illegal flag floods from the first packet, with no impact on system throughput.
  • FortiDDoS is state-aware for the 9 TCP flag combinations that may happen during a real TCP session. For example, instead of setting a threshold for SYN-ACKs that would result in blocking all new connections when the inbound threshold is crossed, as firewalls and other DDoS vendors do, FortiDDoS monitors the state of up to 24 million TCP connections. If a SYN packet is seen outbound, it allows the matching inbound SYN-ACK to pass. If a SYN-ACK arrives without a corresponding SYN-ACK match, the packet is instantly dropped (again, at the line-rate of the link). This STOPS any SYN-ACK attack while continuing to allow “good” SYN-ACKs in response to outbound SYNs – something no other vendor can claim. Similarly, a single RST is allowed to take down an existing TCP session but no RSTs are allowed outside a connected session. By being aware of the session state, out-of-state RSTs are dropped instantly without thresholds. This also works for ACK, FIN-ACK, ACK-PSH, etc., all without interfering with legitimate traffic.
  • FortiDDoS uses its superior state-aware NBA performance to support other stimulus-response applications such as DNS and NTP. Up to 12 million DNS Queries per second are monitored and matched with incoming DNS responses. Unmatched DNS responses are instantly dropped while DNS Responses from outbound Queries are allowed, stopping attacks instantly with no thresholds, while allowing continued internet access for legitimate users – performance and mitigation that firewalls and other DDoS vendors cannot approach.

FortiDDoS compared with conventional intrusion prevention systems

FortiDDoS-F is a rate-based IPS device that detects and blocks network attacks which are characterized by excessive use of network resources. It uses a variety of schemes, including anomaly detection and statistical techniques, to detect and block malicious network traffic. When it detects an intrusion, the FortiDDoS-F blocks traffic immediately, thus protecting the systems it is defending from being overwhelmed.

Unlike conventional content-based IPS, an NBA system does not rely on a predefined attack “signature” to recognize malicious traffic. An IPS is vulnerable to “zero-day” attacks, or attacks that cannot be recognized because no signature has been identified to match the attack traffic. In addition, attack traffic that is compressed, encrypted, or effectively fragmented can escape many pattern-matching algorithms in content-based IPS. And many rate-based attacks are based on genuine and compliant traffic being sent at high rates, effectively evading the IPS.

An NBA provides a network with unique protection capabilities. It delivers security services not available from traditional firewalls, IPS, or antivirus/spam detectors. The detection, prevention, and reporting of network attacks is based on traffic patterns rather than individual transaction or packet-based detection, which enables the FortiDDoS-F to serve a vital role in an effective security infrastructure. Rather than replacing these elements, an NBA complements their presence to form a defense-in-depth network security architecture.