
ARBOR INSIGHT

Security Begins With Availability and Existing Security Devices Are No Longer Sufficient

The Bottom Line

Firewalls and IPS devices do not solve the DDoS problem because they:

1. Are optimized for other security problems
2. Cannot detect or stop distributed attacks
3. Cannot integrate with in-cloud security solutions.

Because they are stateful, they are part of the DDoS problem and not the solution.

In recent months, high-profile attacks and outages have brought to light the fact that
existing security devices are not sufficient to protect enterprise data centers from
Distributed Denial of Service (DDoS) attacks. While Intrusion Protection Systems (IPS)
and firewalls are an important part of a defense strategy, they lack a vital
capability—these solutions do not protect the availability of services. Additionally,
these products are themselves often the target of DDoS attacks.

Data center operators are starting to understand that availability of services begins
with security. If your data center is not available, network integrity and confidentiality
will get you nowhere because it will not help your customers, business or your brand.
This article will examine why IPS devices and firewalls are insufficient to protect data
center availability, and will describe a best practice for combating DDoS threats to
availability of services and applications.

IPS and Firewalls Can’t Do It Alone


IPS devices, firewalls and other security products are essential elements of a
layered-defense strategy, but they are designed to solve security problems that are
fundamentally different from dedicated DDoS detection and mitigation products. They
effectively address network integrity and confidentiality, but they fail to address a
fundamental focal point of DDoS attacks—network availability. Adding to the security
threat, IPS devices and firewalls maintain state information for every session established
between a client on the Internet and the corresponding server in the data
center, which means they are vulnerable to DDoS attacks and often become the targets
themselves, serving as chokepoints.

When it comes to protection against DDoS, many enterprises and data center operators
have a false sense of security. They think they have secured their key services
against attacks simply by deploying IPS devices or firewalls in front of their servers. In
reality, such deployments can actually expose these organizations to service outages,
having a direct impact on customer satisfaction and therefore, revenue. Typical users
of data center and cloud services expect on-demand services. When business-critical
services are not available, enterprises and data center operators can lose millions
of dollars and potentially damage important customer and partner relationships.
Availability of services is critical and can pose a major barrier to cloud adoption.

The Attack Landscape


Attackers see high-profile applications in shared Cloud Data Centers as an attractive
target for criminal activity. According to the enterprises that participated in the 2010
Worldwide Infrastructure Security Report, DDoS was cited as the primary threat to the
data center and as one of the biggest obstacles to moving to a cloud-based infrastructure.
In 2010, for the first time, volumetric DDoS attacks topped the 100 Gbps barrier
and an alarming 77% of respondents detected application layer attacks. Nearly 49
percent of respondents reported a firewall or IPS outage due to a DDoS attack.

Application-layer attacks are low bandwidth, difficult to detect and target both end
customers and network operators’ own ancillary supporting services, such as HTTP
Web services and domain name system (DNS). DNS has become a favorite attack
target and vector. Nearly one-third of the report respondents have experienced
customer-impacting DDoS attacks on their DNS infrastructure over the course of a
year from 2009–2010. Due to the relative lack of attention to DNS protection and
scalability by many network operators, DNS has emerged as one of the easiest ways
to take a server, application or data center down via DDoS.

Hackers love cloud infrastructures because these involve a small number of service
providers who are responsible for delivering, distributing and hosting a large amount
of content. This allows their attack to create the collateral damage effect. If they attack
one of the providers or anyone who is operating on a shared infrastructure of that provider,
it is possible for them to damage or negatively impact any number of consumers
using that shared infrastructure. When one domain is attacked, those hundreds of
thousands of domains can go off-line or experience connectivity issues. The damage
is not isolated or limited to a partitioned area. Do the math. Attack one target and a
million domains can be affected. The ripple effect is staggering.

On-Premises Threat Mitigation to the Rescue


Visibility into DDoS botnets is an absolute necessity, especially when they are
constantly changing and morphing to thwart detection. An on-premises availability
protection system (APS) offers an ideal solution by enabling a layered defense
strategy, which includes upstream ISPs and firewalls, to combat both volumetric
and application-layer DDoS attacks.

An on-premises DDoS device can block advanced attacks, such as application-layer
DDoS attacks, using packet-based threat detection and multiple counter-measures.
Together, the threat detection and counter-measures detect and stop application-layer DDoS
attacks that are difficult to detect in the cloud. The on-premises DDoS device needs
to provide visibility into critical IP services and applications running in the data center
such as HTTP, DNS, VoIP/SIP and SMTP traffic. With this visibility, the data center
can be protected from numerous types of attack, including TCP State Exhaustion,
HTTP/Web Attacks, DNS Floods/Authentication Attacks, TCP SYN Floods,
Spoofed/Non-Spoofed Attacks, UDP Floods and dozens more.

The Signs of Intelligence


A strong premises-based APS will provide immediate protection with zero downtime
for the data center and its services and applications. It also cannot have any lag time
between detection and protection for all botnet threats. But it also should not be
burdensome or cost-prohibitive and should not require in-house expertise or full time
operators to fully realize all of its benefits.

It’s important for today’s cloud-based data center to implement a multi-layered security
solution that can simultaneously protect its network infrastructure, IP-based services
and data, as all of these are vulnerable to attacks or compromise. This multi-layered
protection is the only way to safeguard the data center infrastructure, the applications and
services, and finally, the data that drives the business, the brand and the revenue.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

© 2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How
Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are
all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

AI/SECURITYBEGINS/EN/ 0213
