Attack Scenarios
How IntelliGuard DPS Defeats Attacks (that rival systems cannot)
DDoS attacks are a major problem for online businesses. The continuing evolution of new attacks, and their success in disrupting Internet services, shows that many systems claiming to provide DDoS protection give inadequate protection against some attacks and no protection at all against others.
IntelliGuard is the only system that protects a full hierarchy of network components against a full range of known and unknown attacks and traffic floods while managing and filtering traffic at true line rate under worst-case conditions.
The attack scenarios below describe how IntelliGuard protects against each of them.
Open Connection attacks are a form of resource starvation attack in which bots are directed to establish and keep open TCP connections with a web server. This fills the web server software's connection table so that further requests cannot be served and legitimate clients are unable to connect. The attacks take a few basic forms.
- Attacks in which bots leave connections idle. These can be mitigated with a firewall configured to enforce connection limits and aggressive idle timeouts, which will close most of the bots' connections. Web server software can also close idle connections (most servers have request and keep-alive timeouts), but the defaults are usually generous and must be tuned down before they help.
- Attacks in which each of a relatively small number of bots attempts to establish a large number of connections. These can be mitigated with a firewall that limits the number of concurrent connections per source address, which will refuse the majority of the connection attempts.
- Attacks in which each of a large number of bots attempts to establish a large number of connections. Per-source limits no longer help: the number of sources multiplied by the per-source limit still exceeds what the web server can hold, so the firewall lets through more connections than the server can handle. However, attempting to establish a large number of connections is blatantly aberrant behaviour that the better dedicated anti-DDoS appliances on the market should be able to detect and act on.
- Attacks in which bots use the connections they have established and do not each attempt to establish a large number of connections. Traffic from these bots looks just like traffic from genuine clients: there are no idle connections to close and no apparent misbehaviour to detect. Under these circumstances even the best anti-DDoS appliances that look for misbehaving clients have extreme difficulty distinguishing bots' connections from legitimate clients' connections.
IntelliGuard's DPS series appliances have no such difficulty. They use a design that provides inherent protection against all types of connection attack: traffic to each server is monitored independently, limits are configured per server, and when a server is at risk of being overwhelmed the least legitimate traffic is dropped first. On top of this, a number of specific server-protection techniques are applied, including limits on the connection rate and on the number of simultaneous connections per server, authentication of connections, and semi-automatic blacklisting of sources based on commonalities discovered between attack packets.
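The four attack forms above differ in what a stateful firewall can do about them. The simulation below is an added example written for this page, not IntelliGuard code or a description of any product's internals: it models a web server with a fixed-size connection table, a firewall with an assumed per-source connection limit of 10 and an assumed idle timeout of 60 seconds, and constructed bot populations for each form. It counts how many of 50 genuine clients still get a connection slot when the bots arrive first. All sizes are illustrative assumptions.

```python
"""Simulate the four forms of Open Connection attack against a web server
whose connection table holds a fixed number of connections, with and without
a stateful firewall that enforces a per-source connection limit and an idle
timeout.  Table size, bot counts and timeouts are constructed assumptions,
not measurements of any real server or product."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Conn:
    src: str        # source address (assumed label)
    idle_for: int   # seconds since the last request on this connection
    is_bot: bool


@dataclass
class FirewallPolicy:
    max_conns_per_src: Optional[int] = None  # None: no connection-limit rule
    idle_timeout: Optional[int] = None       # seconds; None: no idle timeout


NO_FIREWALL = FirewallPolicy()
FIREWALL = FirewallPolicy(max_conns_per_src=10, idle_timeout=60)
TABLE_SIZE = 256   # connections the web server can hold at once (assumed)


def apply_firewall(conns: List[Conn], policy: FirewallPolicy) -> List[Conn]:
    """Return the connections the firewall lets through, in arrival order."""
    per_src = {}
    kept = []
    for c in conns:
        if policy.idle_timeout is not None and c.idle_for >= policy.idle_timeout:
            continue  # idle timeout closes this connection
        if (policy.max_conns_per_src is not None
                and per_src.get(c.src, 0) >= policy.max_conns_per_src):
            continue  # connection-limit rule refuses more from this source
        per_src[c.src] = per_src.get(c.src, 0) + 1
        kept.append(c)
    return kept


def legit_served(attack: List[Conn], policy: FirewallPolicy,
                 table_size: int = TABLE_SIZE) -> int:
    """Bots race ahead of the legitimate clients and the server fills its
    table first come, first served.  Returns how many genuine clients
    still obtain a slot."""
    survivors = apply_firewall(attack + LEGIT_CLIENTS, policy)
    return sum(1 for c in survivors[:table_size] if not c.is_bot)


def build_attack(n_bots: int, conns_per_bot: int, idle_for: int) -> List[Conn]:
    return [Conn(f"bot{i}", idle_for, True)
            for i in range(n_bots) for _ in range(conns_per_bot)]


# 50 genuine clients, each holding one active connection (constructed)
LEGIT_CLIENTS = [Conn(f"client{i}", 0, False) for i in range(50)]

# The four attack forms described above, with constructed sizes
SCENARIOS = {
    "idle connections":            build_attack(n_bots=20,  conns_per_bot=50,  idle_for=120),
    "few bots, many conns each":   build_attack(n_bots=5,   conns_per_bot=100, idle_for=0),
    "many bots, many conns each":  build_attack(n_bots=100, conns_per_bot=20,  idle_for=0),
    "many bots, active, one each": build_attack(n_bots=400, conns_per_bot=1,   idle_for=0),
}


def run_all() -> dict:
    """Genuine clients served (out of 50) without and with the firewall."""
    return {name: (legit_served(attack, NO_FIREWALL), legit_served(attack, FIREWALL))
            for name, attack in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (without, with_fw) in run_all().items():
        print(f"{name:30s} no firewall: {without:2d}/50   firewall: {with_fw:2d}/50")
```

The first two forms go from 0 to 50 genuine clients served once the firewall rules are in place; the last two stay at 0 with or without the firewall, because the surviving bot connections (100 sources times the limit of 10, or 400 well-behaved bots with one active connection each) still outnumber the server's table on their own. That is the gap the per-server monitoring described above is meant to close.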
When a DDoS defence system cannot process traffic at full line rate it contributes to the attack by dropping legitimate packets itself. Line rate has to be sustained in packets per second, not just bits per second: attackers can choose any packet size they want, and a flood of minimum-size packets turns a modest bit rate into a very high packet rate, which is exactly what brings about this failure and makes the DDoS defence system the weakest link in the network.
The only defence against small-packet attacks is true line-rate performance.
Different components of a network/application infrastructure can handle different traffic rates, and attackers can target any of these components to overwhelm it. For example, a single server or a link capable of handling 100 Mbps can easily be sent more than 200 Mbps.
Rival anti-DDoS systems monitor aggregate traffic rates and particular aspects of packets for anomalies. They are incapable of the multi-level monitoring needed to recognise when one particular part of a network is under attack, and are useless against attacks where nothing is anomalous about the traffic except its rate towards a particular part of the network or a particular server. This leaves attackers free to stay under the threshold of the Internet link and knock out low-bandwidth services or servers without triggering any protection response. Some DDoS protection systems can protect particular servers, but not all the other network links at the same time.
IntelliGuard's hierarchical, multi-level traffic management system monitors each part of the network and establishes a traffic limit for it, so that all such attacks are detected and blocked. All downstream links, servers and services are individually protected, and IntelliGuard DPS ensures that each receives only as much traffic as it can handle.
Many networks have multiple incoming links able to carry attack traffic into the network.
For example, 300 Mbps of attack traffic could arrive on each of three separate links. No link at the network edge is congested, but the combined 900 Mbps aggregates inside the network and can overwhelm any number of links, servers and services.
To detect and filter such attacks a DDoS Protection System (DPS) needs an aggregate view of all traffic entering the network.
Rival anti-DDoS products lack the high throughput and the number of interfaces needed for this, and therefore cannot properly protect downstream network components in this scenario.
Deploying a separate appliance on each incoming link gives at best partial protection. A device in this position sees only its own link's traffic: it does not know how much traffic downstream components are receiving in total, nor how much traffic neighbouring protection devices are blocking, and therefore cannot tell when to start or stop filtering.
IntelliGuard DPS's high throughput and port density enable 10 Gbps or more of protection across multiple incoming links.
Attackers can easily target a specific server (or service) in a network and effectively bring down the entire network/application infrastructure.
IntelliGuard's fine-grained monitoring protects individual servers and services.
Data centres can have thousands of separate servers. Attackers can overwhelm these with any type of traffic, but typically send the kind of traffic the servers normally see (i.e. ordinary requests) so that the attack remains invisible to upstream security devices. For example, a server capable of handling 100 requests per second may be sent several hundred requests per second, which is only a minor increase in the network's overall traffic.
These attacks are trivial to launch. Conventional security devices are powerless against them because there is nothing anomalous about the individual requests, nor about the aggregate number of requests across the network.
Traditional anti-DDoS devices are incapable of the fine-grained monitoring needed to recognise when a server is under attack.
IntelliGuard's fine-grained traffic management system monitors each part of the network (over 65,000 separately protected entities) and establishes a traffic limit for each, so that all such attacks are detected and blocked.
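The three scenarios above (a limit per network component, an aggregate view across several incoming links, and a limit per individual server) are all instances of one mechanism: a table of protected entities, each with its own limit, against which every flow's traffic is counted along its whole path. The code below is an added example written for this page, not IntelliGuard's implementation; the topology, limits, flows and the trust ranks on the flows are constructed assumptions (the ranks stand in for the output of whatever client-ranking stage precedes admission). It shows that per-link appliances seeing only their own link report nothing wrong, while the aggregate per-entity view flags the single server whose limit is exceeded, and then trims the lowest-ranked flows so that the server receives exactly what it can handle.

```python
"""Hierarchical traffic limiting with an aggregate view across several
incoming links.  Each protected entity (edge link, core, distribution switch,
individual server) has its own limit; a flow's traffic counts against every
entity on its path, so a server can be seen to be overloaded even when no
single link carrying the attack is.  Topology, limits, flows and ranks are
constructed for illustration and are not from any real deployment."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    ingress: str           # edge link the traffic arrives on
    path: Tuple[str, ...]  # protected entities crossed after the edge
    mbps: float
    rank: int              # higher = more trusted; assumed to come from a ranking stage


# Capacity (Mbps) of each protected entity.  One entry per entity is all the
# hierarchy needs, so scaling to tens of thousands of entities is a matter of
# table size rather than algorithm (constructed values).
LIMITS: Dict[str, float] = {
    "edge1": 1000, "edge2": 1000, "edge3": 1000,
    "core": 2000,
    "dc-switch-A": 1000,
    "srv-web": 100,    # a single server on a 100 Mbps port
    "srv-mail": 100,
}

EDGES = ("edge1", "edge2", "edge3")

# Constructed traffic: 30 Mbps of genuine web clients, 20 Mbps of mail, and a
# 40 Mbps flood towards the web server entering on each of the three links.
FLOWS: List[Flow] = [
    Flow("203.0.113.5",  "edge1", ("core", "dc-switch-A", "srv-web"),  30, rank=3),
    Flow("198.51.100.9", "edge2", ("core", "dc-switch-A", "srv-mail"), 20, rank=3),
    Flow("bot-a",        "edge1", ("core", "dc-switch-A", "srv-web"),  40, rank=0),
    Flow("bot-b",        "edge2", ("core", "dc-switch-A", "srv-web"),  40, rank=0),
    Flow("bot-c",        "edge3", ("core", "dc-switch-A", "srv-web"),  40, rank=0),
]


def full_path(f: Flow) -> Tuple[str, ...]:
    return (f.ingress,) + f.path


def offered_load(flows: List[Flow]) -> Dict[str, float]:
    """Aggregate load on every entity from all flows, whichever link they use."""
    load: Dict[str, float] = defaultdict(float)
    for f in flows:
        for ent in full_path(f):
            load[ent] += f.mbps
    return dict(load)


def overloaded(flows: List[Flow]) -> List[str]:
    """Entities whose aggregate offered load exceeds their limit."""
    return sorted(e for e, mbps in offered_load(flows).items() if mbps > LIMITS[e])


def per_link_view(flows: List[Flow]) -> Dict[str, List[str]]:
    """What a separate appliance on each edge link would conclude from the
    traffic on its own link alone."""
    return {link: overloaded([f for f in flows if f.ingress == link]) for link in EDGES}


def admit(flows: List[Flow]) -> Dict[str, float]:
    """Hierarchical admission for one interval: most trusted flows first, and
    each flow gets at most the smallest remaining headroom along its path."""
    remaining = dict(LIMITS)
    admitted: Dict[str, float] = {}
    for f in sorted(flows, key=lambda f: f.rank, reverse=True):
        path = full_path(f)
        allowed = min(f.mbps, min(remaining[e] for e in path))
        for e in path:
            remaining[e] -= allowed
        admitted[f.src] = allowed
    return admitted


if __name__ == "__main__":
    print("per-link appliances see overload on:", per_link_view(FLOWS))
    print("aggregate view sees overload on:    ", overloaded(FLOWS))
    print("admitted Mbps per source:           ", admit(FLOWS))
```

With these numbers each edge link carries at most 70 Mbps towards the web server, so no per-link device sees anything to act on, yet the server is offered 150 Mbps against a 100 Mbps port. The aggregate view flags only srv-web; admission then passes the two ranked flows in full and lets the three flood sources through only up to the 70 Mbps of headroom that remains on the server's port.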
An attacker can take offline a single web server inside a network that sits on a 100 Mbps link and typically sees around 30 Mbps of TCP web traffic. To do so, the attacker instructs as few as 5-10 bots to send a total of 300 Mbps of large UDP packets to the web server's IP address. Roughly two thirds of the packets arriving for the server are then dropped by the switch directly upstream of it, and with that degree of packet loss no TCP connection can be completed: the attack has succeeded.
Any anomaly-based DDoS protection system deployed near the front of the network would certainly detect such a large increase in traffic. It would either:
- notice a significant proportion of UDP traffic where there is usually very little, and block all UDP traffic, which stops the attack but could also deny legitimate customers access; or
- notice that a small number of IP addresses are sending far too much traffic and blacklist those addresses, which could at the same time inadvertently block some legitimate customers.
IntelliGuard's DPS achieves the same goal differently. In under one second it detects traffic exceeding the 100 Mbps limit set for the web server. It then gives preference to legitimate customers, so that it is the attacking IP addresses' traffic that gets dropped.
A hosted web server on a 1 Gbps link might typically see 100 requests per second. An attacker compromises one or more other web servers and plants hidden JavaScript (or Flash) in a frequently accessed page.
Normal users browsing those pages unwittingly download the malicious script, which directs their web browser to request the victim's web server many times.
The attacked server cannot process the resulting number of incoming connections, so its legitimate customers have very little chance of their connections being processed.
Such attacks do not require a botnet. They consist of a large number of connections whose traffic looks legitimate, because it originates from uncompromised web browsers and each client sends only a small number of connection requests.
Anomaly-based DDoS protection methods may detect the large increase in incoming connections but cannot differentiate attack traffic from legitimate traffic, so the attack defeats them.
IntelliGuard DPS, on the other hand, detects connection attempts exceeding the server's limits in under one second and throttles incoming connections to a rate the attacked web server can handle, giving preference to the server's prior customers.
While not an attack, flash crowds can overwhelm servers with the same effect as a DDoS flood attack.
Web servers can suddenly be hit with an unexpectedly large number of requests, commonly as a result of focused media attention, deadlines, or unexpected events.
This can overload the web servers, which may then be unable to deal with any requests at all. The overload persists because users keep resending requests in an attempt to reach the overloaded servers, so the web site becomes inaccessible.
This is a particular problem for stock trading sites, online ticketing sites, sports betting sites, news portals, and government emergency information sites.
Because all of the traffic is legitimate there is nothing anomalous about it, which renders rival anti-DDoS systems ineffective against it.
IntelliGuard DPS, on the other hand, ranks all clients that interact with the network and limits requests to a rate the web servers can handle. For this kind of legitimate traffic flood the process is "Learn, Rank, Prioritise": the highest-ranked clients are permitted to access the web server and complete their transactions; once they have done so, the next-best clients are admitted, and so on. This keeps the web servers available and effectively smooths out large spikes in web requests.
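The "Learn, Rank, Prioritise" sequence described here is the same preference for prior customers that the UDP flood and browser-malware scenarios above rely on. The code below is an added example written for this page, not IntelliGuard's implementation; the ranking rule (rank a client by transactions it has completed, then by how few requests it needed, with sources that sent many requests and never completed one ranking below clients never seen before) is an assumption of this example, and the history, server capacity and flood demand are constructed. It runs successive scheduling intervals and reports in which interval each client's requests were fully served.

```python
"""Learn, Rank, Prioritise: an admission controller that favours clients with
a history of completed transactions when a server is offered more requests
than it can handle.  The history, capacity and demand are constructed for
illustration; the scoring rule is an assumption of this example, not a
description of any product's internals."""
from typing import Dict, Optional, Tuple

# Constructed per-client summary of the quiet period before the flood:
# "<client-ip> <requests sent> <transactions completed>"
HISTORY = """
203.0.113.10 40 6
203.0.113.11 25 3
203.0.113.12 8 1
198.51.100.7 120 0
""".strip().splitlines()

Rank = Tuple[int, int]
UNKNOWN: Rank = (0, 0)   # rank of a client never seen before


def learn(history_lines) -> Dict[str, Rank]:
    """Learn phase.  A client's rank is (completed transactions, -requests):
    finishing real transactions is what counts, and among clients with the
    same number of completions the one that needed fewer requests ranks
    higher.  A source that sent many requests and never completed anything
    therefore ranks below a brand-new client."""
    ranks = {}
    for line in history_lines:
        ip, reqs, done = line.split()
        ranks[ip] = (int(done), -int(reqs))
    return ranks


def prioritise(ranks: Dict[str, Rank], demand: Dict[str, int],
               capacity: int) -> Dict[str, int]:
    """One scheduling interval.  demand maps client -> requests it wants to
    send; capacity is the number of requests the server can take.  The
    highest-ranked clients are served in full first, whatever is left goes
    to the next best, and the remainder is dropped for this interval."""
    remaining = capacity
    admitted = {}
    for client in sorted(demand, key=lambda c: ranks.get(c, UNKNOWN), reverse=True):
        take = min(demand[client], remaining)
        admitted[client] = take
        remaining -= take
    return admitted


def drain(ranks: Dict[str, Rank], demand: Dict[str, int], capacity: int,
          max_intervals: int = 10) -> Dict[str, Optional[int]]:
    """Run successive intervals; return the interval in which each client's
    demand was fully served (None if it was still waiting at the end)."""
    pending = dict(demand)
    finished: Dict[str, Optional[int]] = {c: None for c in demand}
    for interval in range(1, max_intervals + 1):
        if not pending:
            break
        for client, n in prioritise(ranks, pending, capacity).items():
            pending[client] -= n
            if pending[client] == 0:
                finished[client] = interval
                del pending[client]
    return finished


RANKS = learn(HISTORY)
CAPACITY = 20   # requests per interval the server can handle (assumed)

# Constructed flood: three prior customers, thirty never-seen browsers making
# two requests each (a flash crowd, or script-driven browsers), and the
# source that never completed anything asking for 200 requests.
DEMAND: Dict[str, int] = {"203.0.113.10": 5, "203.0.113.11": 3, "203.0.113.12": 2}
DEMAND.update({f"new-{i:02d}": 2 for i in range(30)})
DEMAND["198.51.100.7"] = 200


if __name__ == "__main__":
    for client, when in drain(RANKS, DEMAND, CAPACITY).items():
        print(f"{client:14s} finished in interval {when}")
```

The three prior customers complete in the first interval, the thirty new clients are drained through in rank-then-arrival order over the next three, and the source with 120 requests and no completed transaction only receives whatever capacity is left once everyone else has been served, so its 200-request demand is still outstanding when the run ends.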
Traditional DDoS defence systems fail to perform their claimed functions because:
- They have evolved from, or are tacked on to, firewall and IPS systems that were not designed to handle DDoS attacks.
- They hunt for bad behaviour by looking for anomalies rather than protecting legitimate clients. Attackers can easily defeat them with attack traffic that does not appear anomalous.
- They look for signatures or fingerprints, methods which do not work for most known attacks nor for new ones.
- They cannot manage traffic at true line rate and therefore contribute to the success of the very attacks they are meant to defend against, rather than providing protection.
- They cannot provide analysis and traffic monitoring fine-grained enough to protect individual network components and servers from attacks directed at those components and servers.
IntelliGuard has developed its world-leading Learn, Rank & Protect technology to protect online businesses from DDoS attacks and traffic floods.