Infrastructure-level DDoS Defense

On today's Internet, DDoS protection cannot be provided at an individual site alone. By the time a packet flood reaches the victim it is already too late: many of the legitimate customers' packets have been discarded upstream, in the congestion the attack causes.

Denial of Service attacks are really a symptom of deficiencies in the Internet infrastructure. Stopping DDoS attacks, and other security and quality-of-service problems with them, requires fixing those holes in the infrastructure.

Cs3's patented MANAnet Shield (MANA means "soul" or "essence" in the languages of the Pacific Islands) is a family of products and technologies that provide comprehensive, infrastructure-level defenses against both incoming and outgoing packet-flooding Distributed Denial of Service (DDoS) attacks on the Internet. MANAnet Shield incorporates both active, inline solutions and passive, off-line solutions.

MANAnet FloodWatcher is a passive, off-line device that monitors network traffic parameters, detects anomalies indicative of a DDoS attack, and alerts administrators with critical information to take remedial actions.

Several active, inline solutions are also available. Outgoing DDoS attacks can be throttled at the edge of a network with the MANAnet Reverse Firewall®, which suits ISPs, universities, and any other owner of infrastructure. To let customers reach a site through an incoming DDoS attack, the site and the upstream infrastructure must cooperate; the devices that provide that cooperation against incoming attacks are the MANAnet Linux Router and the MANAnet Firewall.

MANAnet FloodWatcher: Detection, Alerts, and Attribution of DDoS Attacks

Many customers prefer not to add active, inline devices to their networks. FloodWatcher gives such customers a passive, offline solution: it monitors the network for anomalies characteristic of packet-flood attacks and notifies administrators, together with accurate information about the source of the attack.

MANAnet Reverse Firewall®: Choking Off DDoS Attacks at The Edge of Networks

Most DDoS attacks are launched by attackers from compromised computers (called "zombies"). The MANAnet Reverse Firewall stops such attacks by not forwarding floods between the networks it separates. This patented device regulates the incoming and outgoing traffic of a network: it provides fair service to packet streams and limits the rate of "unexpected" packets, those that are not replies to earlier packets in the other direction.

This benefits the other customers of the local infrastructure as well as the Internet at large. And unlike intrusion detection tools that look for known zombie signatures, the Reverse Firewall® requires no updates as attackers become more sophisticated.

MANAnet Routers and Firewalls: Protecting Communications During Incoming Attacks

Defending against incoming DDoS attacks takes cooperation between the infrastructure and the sites it serves. The MANAnet technology offers a systemic, infrastructure-level DDoS defense built on that cooperation. Two products play the key roles in defending against incoming DDoS attacks:

  • MANAnet Linux Router:   It implements Path Enhanced IP (PEIP), whereby a packet carries path data that cannot be forged. MANAnet routers provide "fair service" to incoming packets based on that path, using a protocol called PLFQ. The MANAnet router also rate limits by path when its nearest neighbors request it. Together, PEIP and PLFQ make the infrastructure more robust against DDoS attacks.
  • MANAnet Firewall:   In addition to normal firewall functionality, the MANAnet Firewall implements PEIP/PLFQ for DDoS defense. It also tracks "unexpected" incoming packets, those that are not replies to earlier packets in the other direction, and serves them at a lower rate. The Firewall detects attacks and, while a DDoS attack is under way, can ask its neighbor routers to rate limit by path.

MANAnet™ DDoS White Papers

The MANAnet philosophy of DDoS defense and its technologies are explained in the following white papers:

MANAnet DDoS Product Sheets

Additional detail on Cs3's MANAnet DDoS defense products can be found in the following product sheets:

  • The MANAnet Shield:   A Systemic Solution to DDoS Attacks
  • MANAnet Router:   A Working Defense Against DDoS Attacks
  • MANAnet Firewall:   Cooperating with Upstream Infrastructure
  • MANAnet Reverse Firewall:   Fighting DDoS Attacks at Their Origins
  • MANAnet FloodWatcher:   Detection, Alerts, Attribution of DDoS Flood Traffic

While DDoS attacks have receded from the headlines, they remain a looming and very real threat to those relying on the Internet for critical operations. As TechRepublic noted in August 2008: "...other more powerful DDoS variants are on the horizon. The problem is so widespread, fast-evolving, and confounding, that network security researchers, vendors, administrators, and law enforcement agencies are scrambling to keep up."

Frequently Asked Questions About DDoS and MANAnet Product Solutions

What are Denial of Service (DoS) Attacks?

Many of us, as children, placed prank phone calls to random numbers or rang doorbells and ran, just to watch grown-ups waste a lot of effort. A DoS attack is a sophisticated, extremely fast computer version of the prank call: it wastes the victim's available computing resources on bogus requests, degrading or denying service to the regular customers.

What are Distributed Denial of Service (DDoS) Attacks?

This is a version of the DoS attack in which the victim is targeted simultaneously from many points in the infrastructure. Often the "attackers" are compromised computers (or "zombies") under the control of a single attacker, who uses them to conduct a coordinated attack that appears to come from many places at once.

Are there different kinds of DoS and DDoS attacks?

Yes, indeed. Many attack scripts circulate in the hacker community. Some exploit known bugs in commonly used operating systems and server programs on the Internet; others simply flood the victim with traffic of various kinds so that customers cannot get through.

Why are Denial of Service Attacks Hard to Defend?

Typical security systems guard individual sites. Unfortunately, DoS and DDoS attacks cannot be defended at the site alone: the congestion the attack causes has already occurred upstream of the victim, so legitimate customers cannot get through. In that sense it is already too late for the victim to act. Defending a potential victim from denial of service attacks requires cooperation from the upstream infrastructure.

On the present-day Internet it is relatively easy for attackers to "spoof" packet source addresses. It is therefore difficult to tell precisely where attack traffic originates, which makes the attacks hard to defend against.

Why Does Cs3 Distinguish "Incoming" and "Outgoing" Attacks?

Most people think of security as defending their own computing resources against external threats. With DDoS attacks, it is also possible that your own infrastructure is being used (wittingly or unwittingly) to host attacks on others. So it makes sense to think of DDoS defense in terms of both incoming and outgoing attacks.

Why Can't a Firewall stop a DDoS Attack?

A firewall can filter certain kinds of traffic, but a filter keys on source addresses and other header fields that the attacker controls; as noted above, source addresses are easily spoofed, so a filter built on them can be turned against legitimate users. Further, a firewall cannot help customers whose traffic has already been dropped further upstream because of congestion from the attack.

What is Cs3's Solution to Incoming Attacks?

Incoming DDoS attacks at a site are defended via the MANAnet Shield. The vision behind the MANAnet Shield is to build "cooperative neighborhoods" around sites that need protection. Within a neighborhood, one essentially eliminates source forgery, which forms the basis for DDoS defense. Please see Cs3's White Paper, "Towards a More Secure and Robust Internet", which explains the technical ideas in more detail.

What are the Products in the MANAnet Shield?

The MANAnet Shield involves the following devices:

  • MANAnet Router: MANAnet Routers mark packets with path information so that source forgery can be eliminated (a protocol called Path Enhanced IP — PEIP). Path information is used by cooperating MANAnet Routers to provide "fair service" to incoming packets based on their true source. MANAnet Routers will also accept requests from their trusted neighbors to slow down traffic with specific paths.
  • MANAnet Firewall: A MANAnet Firewall is installed at each site. In addition to PEIP, it accepts site-specific parameters for recognizing DDoS attacks. Once an attack is sensed, the firewall asks upstream cooperating MANAnet Routers to slow down traffic with specific paths. With the MANAnet Firewall, a site can therefore do better than plain "fair service" in its DDoS defense.
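The page describes the behaviour of PEIP and PLFQ (routers mark packets with a path the sender cannot forge, the site is served fairly per path, and the firewall can ask a neighbour to throttle one path) but not their wire format or API. The following is an added toy model, written for this page rather than taken from Cs3's products: the ingress router discarding any host-supplied path, the `Router`, `SiteFirewall`, `request_limit` names, the round-robin scheduler, the per-round budget of 8 and the backlog threshold of 20 are all assumptions chosen to make the idea runnable. It sends a constructed flood from a zombie that spoofs the legitimate host's source address and pre-fills the legitimate host's path, and shows that the legitimate path keeps its share every round while the flood is first capped to a fair share and then throttled upstream at router C.

```python
"""Toy model of path marking (PEIP) and per-path fair service (PLFQ).

Added illustration, not Cs3 code.  The marking, scheduler, thresholds and
the neighbour request call are assumptions made for this demo.
"""
from collections import defaultdict, deque


class Packet:
    def __init__(self, claimed_src, forged_path=None):
        self.claimed_src = claimed_src          # untrusted: the host sets it
        self.path = list(forged_path or [])     # untrusted until a router rewrites it


class Router:
    def __init__(self, name):
        self.name = name
        self.limits = {}    # path tuple -> packets allowed per round (from a neighbour)
        self.dropped = 0

    def forward(self, pkts, ingress=False):
        """Mark packets with this router's identity and enforce requested path limits.

        At ingress (the first cooperating hop) any host-supplied path is discarded;
        that is what makes the path unforgeable inside the cooperative neighbourhood.
        """
        sent = defaultdict(int)
        out = []
        for p in pkts:
            if ingress:
                p.path = []
            p.path.append(self.name)
            key = tuple(p.path)
            limit = self.limits.get(key)
            if limit is not None and sent[key] >= limit:
                self.dropped += 1           # throttled here, before it congests the link
                continue
            sent[key] += 1
            out.append(p)
        return out

    def request_limit(self, path, per_round):
        """Accept a rate-limit request for one path from a trusted downstream neighbour."""
        self.limits[tuple(path)] = per_round


class SiteFirewall:
    def __init__(self, upstream, budget, backlog_threshold):
        self.upstream = upstream
        self.budget = budget                    # packets the site can absorb per round
        self.backlog_threshold = backlog_threshold
        self.queues = defaultdict(deque)        # one queue per path, never per source IP
        self.delivered = defaultdict(int)

    def receive(self, pkts):
        for p in pkts:
            self.queues[tuple(p.path)].append(p)

    def serve_round(self):
        """Round robin across path queues: a flooded path gets a share, not everything."""
        served = 0
        while served < self.budget:
            progressed = False
            for key, q in self.queues.items():
                if q and served < self.budget:
                    q.popleft()
                    self.delivered[key] += 1
                    served += 1
                    progressed = True
            if not progressed:
                break
        # Detection: a path whose backlog dwarfs the budget is a flood.  Ask the
        # upstream neighbour to throttle that path; no source address is consulted.
        for key, q in self.queues.items():
            if len(q) > self.backlog_threshold:
                self.upstream.request_limit(key, per_round=2)


def simulate(rounds=3, legit_rate=4, flood_rate=100):
    """Legit host behind router A, zombie behind router B, both transit C to the site."""
    a, b, c = Router("A"), Router("B"), Router("C")
    fw = SiteFirewall(upstream=c, budget=8, backlog_threshold=20)
    legit_per_round, flood_per_round = [], []
    for _ in range(rounds):
        legit = [Packet("10.0.0.5") for _ in range(legit_rate)]
        # Constructed flood: the zombie spoofs the legit host's address and pre-fills
        # the legit host's path, hoping to share its queue.
        flood = [Packet("10.0.0.5", forged_path=["A", "C"]) for _ in range(flood_rate)]
        at_c = a.forward(legit, ingress=True) + b.forward(flood, ingress=True)
        fw.receive(c.forward(at_c))
        before = dict(fw.delivered)
        fw.serve_round()
        legit_per_round.append(fw.delivered[("A", "C")] - before.get(("A", "C"), 0))
        flood_per_round.append(fw.delivered[("B", "C")] - before.get(("B", "C"), 0))
    return {
        "legit_per_round": legit_per_round,      # legit traffic is never starved
        "flood_per_round": flood_per_round,      # flood capped at its fair share
        "dropped_upstream_at_C": c.dropped,      # throttled before the site's link
        "paths_seen": sorted(fw.queues),
        # Every flood packet claims the legit source, so a source-IP filter would have
        # hit the real customer; the path still pins the flood to router B.
        "flood_claims_legit_src": all(p.claimed_src == "10.0.0.5"
                                      for p in fw.queues[("B", "C")]),
    }
```

Running `simulate()` delivers 4 legitimate packets in every round, caps the flood at 4 per round from the first round on, and after the firewall's request router C drops 98 flood packets per round on the `("B", "C")` path, while the forged path and spoofed source on the flood never matter to the scheduler.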

What is Cs3's Solution to Defend Against Outgoing Attacks?

The device for outgoing attacks is the MANAnet Reverse Firewall. It regulates outbound traffic, giving fair service to the sources inside the network, and in addition rate limits "unexpected packets", those that are not replies to packets in the other direction. The Reverse Firewall not only keeps floods from leaving the network; it also notifies administrators of the origins of the suspicious traffic, so that those networks and computers can be targeted for follow-on security measures.

Why is Cs3's Solution Better than the Competition?

Cs3's patented devices have unique features that you will not find in competing approaches:

  • 1) MANAnet products provide DETECTION and automatic, real-time DEFENSE against DDoS attacks. The DEFENSE is built in to the "fair service" behavior of routers and firewalls.
  • 2) MANAnet Reverse Firewall is the only product in the marketplace that deals with defending against outbound DDoS attacks.
  • 3) MANAnet involves NO signature analysis, hence requires no updates of software to keep up with the ingenuity of potential attackers.
  • 4) MANAnet tackles the DDoS problem by fixing the infrastructure vulnerabilities (e.g., source spoofing of packets) within cooperative neighborhoods. This provides a reasonably incremental solution that addresses the true complexity of the DDoS problem.

What are the Benefits of the Reverse Firewall?

The Reverse Firewall provides many benefits in terms of DDoS:

  • Properly deployed, it protects the internal and external communication of legitimate users during an attack launched from your own infrastructure. This is a significant security benefit.
  • It protects the organization from the embarrassment, even liability, of having its infrastructure co-opted in a DDoS attack.
  • It protects the Internet from attacks launched within the infrastructure, confining the damage to the smallest possible network.
  • It provides notifications of attacks, which may indicate compromised computers within the infrastructure.

Could Reverse Firewall Have Helped with Code Red and Nimda?

The Reverse Firewall would not have stopped computers from being infected, but it would have detected and drastically slowed the spread of these worms, which propagate by rapidly scanning other addresses for vulnerable hosts. Those scan probes are one of the many kinds of "unexpected packets" whose bandwidth the device rate limits.
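The Reverse Firewall section and the two FAQ answers above describe the mechanism (outbound packets that are not replies to earlier inbound packets are rate limited, internal sources get fair service, and the origin of suspicious traffic is reported) without saying how the state is kept. The following is an added example written for this page, not Cs3's code: the `ReverseFirewall` class, the 4-tuple flow key, the per-subnet budget of 5 unexpected packets per interval, the report threshold of 20 and the constructed traffic are all assumptions. It runs one interval of traffic in which a web server's reply is recognised as expected, a workstation in one subnet opens a session, and a worm in another subnet probes port 80 on 50 addresses; the worm's subnet budget runs out and the host is reported, while the workstation's subnet is unaffected.

```python
"""Toy model of a Reverse Firewall's 'unexpected packet' rate limiting.

Added illustration, not Cs3 code.  The flow key, the per-subnet budget and
the report threshold are assumptions made for this demo.
"""
from collections import defaultdict, namedtuple

Pkt = namedtuple("Pkt", "direction src dst sport dport")


class ReverseFirewall:
    def __init__(self, internal_subnets, unexpected_per_tick, report_threshold):
        self.subnets = internal_subnets        # address prefix -> subnet name (one NIC each)
        self.bucket_size = unexpected_per_tick
        self.tokens = {name: unexpected_per_tick for name in internal_subnets.values()}
        self.inbound_flows = set()             # (outside src, sport, inside dst, dport)
        self.unexpected_by_host = defaultdict(int)
        self.report_threshold = report_threshold
        self.reports = []

    def _subnet_of(self, ip):
        for prefix, name in self.subnets.items():
            if ip.startswith(prefix):
                return name
        return "unknown"

    def tick(self):
        """Start a scheduling interval: each subnet gets a fresh budget of unexpected packets."""
        for name in self.tokens:
            self.tokens[name] = self.bucket_size

    def handle(self, pkt):
        """Classify one packet; returns 'inbound', 'expected', 'forwarded' or 'dropped'."""
        if pkt.direction == "in":
            # Remember the inbound flow so that its reply can be recognised later.
            self.inbound_flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "inbound"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.inbound_flows:
            return "expected"                  # a reply: never throttled
        # Unexpected: charged to the originating subnet's budget, so one subnet's
        # zombie cannot consume another subnet's share (fair service by NIC).
        name = self._subnet_of(pkt.src)
        self.unexpected_by_host[pkt.src] += 1
        if self.unexpected_by_host[pkt.src] == self.report_threshold:
            self.reports.append(
                f"host {pkt.src} in {name} exceeded {self.report_threshold} unexpected packets")
        if self.tokens.get(name, 0) <= 0:
            return "dropped"
        self.tokens[name] -= 1
        return "forwarded"


def run_sample():
    """Constructed traffic for one interval: a web client, a workstation and a scanning worm."""
    rfw = ReverseFirewall(
        internal_subnets={"192.168.1.": "subnet-A", "192.168.2.": "subnet-B"},
        unexpected_per_tick=5,
        report_threshold=20,
    )
    traffic = [
        Pkt("in", "203.0.113.7", "192.168.1.10", 51000, 80),     # client hits our web server
        Pkt("out", "192.168.1.10", "203.0.113.7", 80, 51000),    # server reply
        Pkt("out", "192.168.1.20", "198.51.100.3", 40001, 443),  # workstation opens a session
    ]
    # Worm on 192.168.2.5 probes port 80 on 50 addresses (constructed, Code Red style).
    traffic += [Pkt("out", "192.168.2.5", f"203.0.113.{i}", 40000 + i, 80)
                for i in range(1, 51)]
    traffic.append(Pkt("out", "192.168.1.20", "198.51.100.3", 40001, 443))  # retransmit
    roles = {"203.0.113.7": "client", "192.168.1.10": "server", "192.168.1.20": "workstation"}

    rfw.tick()
    tally = defaultdict(int)
    for p in traffic:
        tally[f"{roles.get(p.src, 'scan')}:{rfw.handle(p)}"] += 1
    return dict(tally), rfw.reports
```

`run_sample()` forwards the server's reply as expected without touching any budget, forwards both workstation packets from subnet-A, lets only the first 5 of the worm's 50 probes out of subnet-B and drops the other 45, and produces one report naming 192.168.2.5 once its unexpected-packet count reaches 20. Note that the report fires on the count, not on the drop, so an administrator hears about the host even while its probes are still within budget.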

How many Reverse Firewalls do I need in my infrastructure?

If all you want is to ensure that no DDoS attack from inside reaches the Internet, a Reverse Firewall with 2 NICs, one connected to the inside and the other to the outside, is enough. If you have multiple subnetworks that you wish to distinguish (e.g., for fair service), a Reverse Firewall with up to 6 NICs can distinguish 5 internal subnetworks.

You can also use multiple Reverse Firewall (RFW) units inside your network, depending on its topology, to protect internal networks from one another or to distinguish traffic coming from those locations.

MANAnet Demo

The demo is in Flash format and illustrates how the MANAnet technology defends against attacks from without and within networks.