Juniper stiffens DDoS defence

Denial of service attacks are among the most frustrating that IT security pros can face.

On the one hand, no corporate data is at risk; on the other hand the organization is shut down for the duration of the attack.

Juniper Networks has extended the ability of its DDoS Secure appliance to handle these attacks by integrating its detection and response defence to its MX-series of routers as well as any router or switch that uses the BGP (Border Gateway Protocol) standard.

In essence it means the standalone appliance can now make the routers policy enforcement points to mitigate attacks.

Often enterprises and service providers redirect the massive flows of requests that DDoS aim at a server to third-party scrubbing providers, Paul Scanlon, Juniper’s director of product management, said in an interview. But that’s often not enough, he said, particularly with high volume attacks. The local network infrastructure has to be leveraged as well, he said, by recognizing the source of attacks and filter traffic as much as possible at the network border.

“In a world where 300 Gbps-plus DDoS attacks are becoming relatively commonplace the traditional scrubbing architectures aren’t always sufficient,” Scanlon said, meaning extra traffic has to be backhauled to third parties. “Even the best networks have a finite number of scrubbing locations.”

The DDos Secure appliance (previously called WebScreen, Juniper bought the company last year) used to do filtering itself. Now its software has been upgraded to version 5.14 to include BGP Flowspec. That leverages the BGP control plane so filters recognizing attacks can be installed on routers and switches.

“We have to leverage as many capabilities and tools as we have, and Flowspec is one of them.”

Second, the updated software can see into the GTP tunneling protocol, which typically lives in cellular traffic. “As devices that are attaching to mobile networks become more intelligent, they are more powerful and more ripe for infection with malicious code,” Scanlon said. However most IP-based systems are blind to GTP and can’t tell if the traffic is legitimate, he said. DDoS Secure can now understand the context of GTP and the IP layers and spot abusing hosts.

DDoS Secure, a 1U appliance, is priced on a combination of hardware and software capacity . A 10GB unit ranges from US$10,000 to US$20,000 depending on whether it has copper or fibre connectivity. Software is another US$19,000.

Scanlon said 80 per cent of customers are enterprises, with the rest being service providers.



Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now