Denial of service attacks are among the most frustrating that IT security pros can face.
On the one hand, no corporate data is at risk; on the other hand, the organization is shut down for the duration of the attack.
Juniper Networks has extended the ability of its DDoS Secure appliance to handle these attacks by integrating its detection and response defence with its MX-series routers as well as any router or switch that uses the BGP (Border Gateway Protocol) standard.
In essence, it means the standalone appliance can now turn the routers into policy enforcement points to mitigate attacks.
Often enterprises and service providers redirect the massive flows of requests that DDoS attacks aim at a server to third-party scrubbing providers, Paul Scanlon, Juniper’s director of product management, said in an interview. But that’s often not enough, he said, particularly with high-volume attacks. The local network infrastructure has to be leveraged as well, he said, by recognizing the source of attacks and filtering traffic as much as possible at the network border.
“In a world where 300 Gbps-plus DDoS attacks are becoming relatively commonplace the traditional scrubbing architectures aren’t always sufficient,” Scanlon said, meaning extra traffic has to be backhauled to third parties. “Even the best networks have a finite number of scrubbing locations.”
The DDoS Secure appliance (previously called WebScreen; Juniper bought the company last year) used to do filtering itself. Now its software has been upgraded to version 5.14 to include BGP Flowspec. That leverages the BGP control plane so filters recognizing attacks can be installed on routers and switches.
“We have to leverage as many capabilities and tools as we have, and Flowspec is one of them.”
Second, the updated software can see into the GTP tunneling protocol, which typically lives in cellular traffic. “As devices that are attaching to mobile networks become more intelligent, they are more powerful and more ripe for infection with malicious code,” Scanlon said. However, most IP-based systems are blind to GTP and can’t tell if the traffic is legitimate, he said. DDoS Secure can now understand the context of GTP and the IP layers and spot abusing hosts.
DDoS Secure, a 1U appliance, is priced on a combination of hardware and software capacity. A 10GB unit ranges from US$10,000 to US$20,000 depending on whether it has copper or fibre connectivity. Software is another US$19,000.
Scanlon said 80 per cent of customers are enterprises, with the rest being service providers.
The bot threat
Some of the most serious threats networks face today are "bots," remotely controlled robotic programs that strike in many different ways and deliver destructive payloads, self-propagating to infect more and more systems and eventually forming a "botnet."