It is impossible to provide DDoS protection at an individual
site with today's Internet. By the time a packet flood hits
a victim, it is too late — many of the packets of legitimate
customers would already have been discarded upstream thanks
to the congestion caused by the DDoS attack.
Denial of Service attacks are really a symptom of deficiencies in the Internet infrastructure. Solving DDoS attacks and other security and quality-of-service problems requires fixing the holes in the Internet infrastructure.
Cs3's patented MANAnet Shield (MANA means "soul" or "essence" in the languages of the Pacific Islands) is a family of products and technologies that provide comprehensive, infrastructure-level defenses against both incoming and outgoing packet-flooding Distributed Denial of Service (DDoS) attacks on the Internet. MANAnet Shield incorporates both active, inline solutions and passive, off-line solutions.
MANAnet FloodWatcher is a passive, off-line device that monitors network traffic parameters, detects anomalies indicative of a DDoS attack, and alerts administrators with critical information to take remedial actions.
Several active, inline solutions are also available. DDoS attacks can be throttled at the edge of a network with the MANAnet product, Reverse Firewall®, which can be used by ISPs, Universities, and all owners of infrastructure. To allow customers to communicate with a site through incoming DDoS attacks it is necessary to have cooperation between the site and upstream infrastructure. Devices that accomplish such cooperation to combat incoming DDoS attacks include the MANAnet Linux Router and the MANAnet Firewall.
Many customers prefer not to have additional active, inline devices within their networks. FloodWatcher provides such customers with a passive, offline solution. It monitors a network for anomalies related to packet flood attacks, notifies administrators about such discrepancies, along with accurate information about the source of the attack.
Most DDoS attacks are launched from compromised computers (called "zombies") by attackers. The MANAnet Reverse Firewall stops DDoS attacks by not forwarding floods between the networks it separates. This patented device regulates incoming and outgoing traffic from a network. It provides fair service to packet streams, and limits the rate of "unexpected" packets, those that are not replies to earlier packets in the other direction.
This provides great benefits to other customers of the local infrastructure, as well as to the Internet at large. And unlike intrusion detection tools that seek to ferret out known zombie signatures, the Reverse Firewall® requires no updates as hackers become more sophisticated.
It is well known that defending against incoming DDoS attacks will take cooperation between the infrastructure and different sites. The MANAnet technology offers a systemic, infrastructure-level DDoS defense based on cooperation. Two products play a key role in defending against incoming DDoS attacks:
The MANAnet philosophy of DDoS defense and its technologies are explained in the following white papers:
Additional detail on Cs3's MANAnet DDoS defense products can be found in the following product sheets:
While DDoS attacks have receded from the headlines, they remain very much a looming and very real threat to those relying on the Internet for critical operations. As TechRepublic noted in August 2008: ...other more powerful DDoS variants are on the horizon. The problem is so wide-spread, fast-evolving, and confounding, that network security researchers, vendors, administrators, and law enforcement agencies are scrambling to keep up.
What are Denial of Service (DoS) Attacks?
Many of us, as children, probably placed phone calls to random numbers or rang the doorbells at homes as pranks just to enjoy watching grown folks expending a lot of effort uselessly. A DoS attack is a sophisticated, extremely fast, computer version of the prank call. A successful DoS attack is intended to waste the victim's available computing resources by using bogus requests, thereby degrading and/or denying service to regular customers.
What are Distributed Denial of Service (DDoS) Attacks?
This is a version of the DoS attack where the victim is targeted simultaneously by attackers from different parts of the infrastructure. Often, the "attackers" are compromised computers (or "zombies") that have come under the control of the attacker. The attacker uses the compromised computers to conduct a coordinated attack that seems to be coming from many places.
Are there different kinds of DoS and DDoS attacks?
Yes, indeed. There are many scripts available in the hacker community to conduct attacks. Some of the attacks exploit known bugs in commonly used operating systems and server programs on the Internet. Other attacks simply flood the victim with various kinds traffic, preventing customers from getting through.
Why are Denial of Service Attacks Hard to Defend?
Typical security systems tend to guard individual sites. Unfortunately, DoS and DDoS attacks cannot be defended at a site. This is because traffic congestion resulting from the attack has already occurred upstream from the victim, and legitimate customers, therefore, cannot get through. Thus, in a sense, it is too late for the victim to act. Defending a potential victim from denial of service attacks requires cooperation from upstream infrastructure.
With the present-day Internet, it is relatively easy for attackers to "spoof" packet source addresses. It is, therefore, to tell precisely where the attack traffic originates. This makes it difficult to defend against attacks.
Why Does Cs3 Distinguish "Incoming" and "Outgoing" Attacks?
Most people think of security as defending one's own computing resources against external threats. With DDoS attacks, it is also possible that your own infrastructure is being used (wittingly or unwittingly) to host attacks on others. So, it makes sense to see DDoS defense for both incoming and outgoing attacks.
Why Can't a Firewall stop a DDoS Attack?
A Firewall can be used to filter certain kinds of traffic. As we have mentioned, if you rely on data controlled by the attacker, you could be playing into his hands. Further, the firewall does not help customers whose traffic might have been dropped further upstream because of congestion from the attack.
What is Cs3's Solution to Incoming Attacks?
Incoming DDoS attacks at a site are defended via the MANAnet Shield. The vision behind the MANAnet Shield is to build "cooperative neighborhoods" around sites that need protection. Within a neighborhood, one essentially eliminates source forgery, which forms the basis for DDoS defense. Please see Cs3's White Paper, "Towards a More Secure and Robust Internet", which explains the technical ideas in more detail.
What are the Products in the MANAnet Shield?
The MANAnet Shield involves the following devices:
What is Cs3's Solution to Defend Against Outgoing Attacks?
The best device for outgoing attacks is the MANAnet Reverse Firewall. The Reverse Firewall regulates outbound traffic using fair service to places inside the network. In addition, it rate limits "unexpected packets" — those that are not replies to packets in the other direction. The Reverse Firewall not only makes DDoS attacks impossible to mount from inside the network, it notifies administrators about the origins of the suspicious traffic. The administrator can then target those networks/computers for follow on security measures.
Why is Cs3's Solution Better than the Competition?
Cs3's patented devices have unique features that you will not find in competing approaches:
What are the Benefits of the Reverse Firewall?
The Reverse Firewall provides many benefits in terms of DDoS:
Could Reverse Firewall Have Helped with Code Red and Nimda?
Reverse Firewall would not have stopped infestation of computers, but it would have detected and drastically slowed the spread of these worms, which work through rapid port scanning — one of the numerous kinds of "unexpected packets", whose bandwidth is rate limited by the device.
How many Reverse Firewalls do I need in my infrastructure?
If all you want is to ensure that no DDoS attack from inside reaches the Internet, you can use Reverse Firewall with 2 NICs, one connecting to the inside and the other the outside. However, if you have multiple subnetworks that you wish to distinguish (e.g., for fair service), you can do that by getting a Reverse Firewall with up to 6 NICs — which can distinguish 5 internal subnetworks.
You can also use multiple Reverse Firewall (RFW) units inside your network, depending on its topology, to protect internal networks from one another or to distinguish traffic coming from those locations.
The demo is in Flash format and illustrates how the MANAnet technology defends against attacks from without and within networks.