DDoS Secure over Contrail: A Double Whammy against the increasingly elusive DDoS Attacks
Nov 19, 2013
There have been some very high-profile Denial-of-Service attacks in recent years. On December 24, 2012, a Christmas Eve DDoS attack against the Web site of Bank of the West, a San Francisco based regional financial institution, helped to distract bank officials from an online account takeover against one of its clients, resulting in more than $900,000 stolen. Earlier, in August 2012, a Wikileaks opponent identified as Anti Leaks launched a DDoS attack that kept the Wikileaks site down for more than a week, with peak attack traffic reaching 10Gbps.
So what is a DDoS attack? TechTarget defines it as a type of cyber attack in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying the system's service to legitimate users. These two videos, Data Center Security part 1 and Data Center Security part 2, give an excellent explanation of various attacks, including DDoS attacks, and the ways to mitigate them.
Basically, if we look at the OSI seven-layer model, DDoS attacks can happen at multiple layers. I found this great article on Layer Seven DDoS Attacks that lists the following common attacks at different OSI layers:
IP attacks on the network bandwidth – Layer 3 (Network Protocol)
TCP attacks on server sockets – Layer 4 (Transport Protocol)
HTTP attacks on Web server threads – Layer 7 (Application Protocol)
Web application attacks on CPU resources – Layer 7+
At the lower layers, namely Layer 3 and Layer 4, DDoS attacks mainly manifest themselves as high-bandwidth volumetric attacks that bring down Web servers. But in recent years, DDoS attacks have evolved into highly sophisticated, targeted Layer 7 and above attacks that threaten the availability of critical business resources.
While network layer DDoS attacks attempt to overwhelm the victim server with bogus requests, application layer DDoS attacks rely on legitimate ones, which makes them much harder to detect and mitigate.
At the same time, changes in the way applications are deployed in data centers have also made it more complicated to protect web servers and other business-critical resources. Before, web servers were deployed on physical compute devices in a well-defined demilitarized zone (DMZ), so it was easy to deploy high-performance security devices to protect the web servers by safeguarding the DMZ. This is similar to protecting a king in a castle, where you just need to strengthen the walls.
With the advancement of compute virtualization and cloud orchestration, web servers are moving to virtual machines, and the physical location of these virtual machines is decided at runtime by the cloud orchestrator based on a set of policies and the physical server resource utilization. Furthermore, the virtual machines can be moved from one server to another across the data center or even between different data centers. The boundaries of the DMZ are quickly disappearing. I equate this to trying to protect a team of guerrilla soldiers who move around, and the high castle walls stop working here.
So what do we do? We need to give them bulletproof vests to protect them at the individual or small-unit level. In the application scenario, we need to virtualize the Anti-DDoS service and orchestrate the service instance creation, insertion, migration, scaling and removal based on the application workload being protected.
Juniper’s DDoS Secure is the world’s most advanced heuristic anti-DDoS technology that can detect and mitigate both volumetric and low-and-slow attacks.
Using its unique CHARM algorithm, DDoS Secure analyzes traffic flow and intelligently responds in real time by dropping suspect or noncompliant packets as soon as the optimum performance of critical resources begins to degrade.
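Two ideas in this post fit together: application-layer floods are made of legitimate-looking requests, so a packet-by-packet filter has little to go on, and mitigation can instead be keyed to the moment the protected resource's performance begins to degrade. The following Python is an added example written for this post to illustrate that approach; it is not Juniper code and does not implement CHARM, whose internals the post does not describe. The sample event stream, the source addresses, the latency figures and the thresholds (`degrade_factor`, `rate_ratio`, `baseline_buckets`) are all constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample: (timestamp_s, source_ip, backend_latency_ms).
# Five legitimate clients each send 2 requests/s at ~40 ms. From t=10 s one
# extra source (a constructed address) sends 50 well-formed requests/s and
# backend latency climbs to ~400 ms for everyone. That latency climb, not the
# shape of any single request, is the signal this heuristic keys on.
def make_sample_events(attack_src="203.0.113.7"):
    events = []
    for t in range(20):
        under_attack = t >= 10
        base_latency = 400 if under_attack else 40
        for i in range(5):
            for k in range(2):
                events.append((t + k * 0.5, f"10.0.0.{i + 1}", base_latency + i))
        if under_attack:
            for k in range(50):
                events.append((t + k / 50, attack_src, base_latency))
    events.sort()
    return events


def bucket_events(events, bucket_s=1.0):
    """Group (ts, src, latency_ms) events into consecutive fixed-width buckets."""
    buckets = defaultdict(list)
    for ts, src, latency in events:
        buckets[int(ts // bucket_s)].append((src, latency))
    return [buckets[key] for key in sorted(buckets)]


def detect_degradation(events, baseline_buckets=5, degrade_factor=3.0, rate_ratio=5.0):
    """Flag sources to throttle, but only once the protected resource degrades.

    Returns {bucket_index: [suspect sources]} for each bucket whose median
    backend latency exceeds degrade_factor times the baseline median. Within
    such a bucket a source is a suspect when its request count is at least
    rate_ratio times the median per-source count. A bucket that is merely busy
    but still healthy produces no verdict, which is what keeps the heuristic
    from punishing legitimate traffic peaks. Thresholds are illustrative.
    """
    buckets = bucket_events(events)
    if len(buckets) <= baseline_buckets:
        return {}
    baseline = median(lat for b in buckets[:baseline_buckets] for _, lat in b)
    verdicts = {}
    for idx, bucket in enumerate(buckets):
        if idx < baseline_buckets:
            continue
        if median(lat for _, lat in bucket) <= degrade_factor * baseline:
            continue
        counts = Counter(src for src, _ in bucket)
        typical = median(counts.values())
        verdicts[idx] = sorted(src for src, n in counts.items() if n >= rate_ratio * typical)
    return verdicts


def throttle_set(verdicts):
    """Union of suspect sources across all degraded buckets: the rate-limit list."""
    return sorted({src for suspects in verdicts.values() for src in suspects})


if __name__ == "__main__":
    verdicts = detect_degradation(make_sample_events())
    for idx in sorted(verdicts):
        print(f"bucket {idx:2d}s: backend degraded, throttle {verdicts[idx]}")
    print("rate-limit list:", throttle_set(verdicts))
```

In practice the event stream would come from the protected web servers' own request and latency records, and the rate-limit list is what a virtualized anti-DDoS instance sitting in front of the workload would enforce. The heuristic deliberately does nothing while the backend is healthy, so a flash crowd of real users only becomes a mitigation decision once it actually hurts the resource being protected.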
Juniper’s Contrail is a powerful platform to realize network function virtualization, dynamic service provisioning, and network orchestration. There are significant benefits to provisioning DDoS Secure with Contrail:
Leveraging Network Function Virtualization, service providers and enterprises can quickly deploy services on demand and scale services up and down on existing network infrastructure in a cost-efficient way.
Contrail automates the provisioning and service chaining of the DDoS Secure service to truly protect web service applications that are dynamic in nature and can be running anywhere in a data center or across multiple data centers, and moved on demand.
Together, DDoS Secure and Contrail can serve as a double whammy against some of the world’s most sophisticated attacks on business critical resources and guarantee business continuity.