Data Center Dynamics

Securing the data center

Arbor Networks' Darren Anstee looks at the growing DDoS threat in detail and advises data center managers on how they can defend themselves

26 September 2011 by Darren Anstee - Arbor Networks

The firewall is failing. That was the conclusion of a recent study by independent security testing organization NSS Labs, which discovered that three out of six firewall products failed to remain operational when subjected to stability tests. Products tested included those from stalwarts of the industry.
 
As the accepted foundation for perimeter security, these test results are particularly alarming for the data center manager, especially when you consider that the threats to service availability they are facing are larger and more prevalent than at any time before.
 
The sixth annual Worldwide Infrastructure Security Report by Arbor Networks, for example, showed that, in 2010, botnet-driven volumetric and application-layer Distributed Denial of Service (DDoS) attacks continued to be the most significant threats facing network operators, and were expected to remain so.
 
The growing DDoS threat
DDoS attacks can be split into three categories: what we call volumetric attacks, which attempt to consume forwarding or link capacity; state-exhaustion attacks, which attempt to exhaust the state tables in our infrastructure and servers; and application-layer attacks, which attempt to exhaust application layer resources. In all of these cases the aim of the attacker is to prevent genuine users accessing a given network, service or application.
 
Although DDoS attacks have been around for well over ten years, they hit the mainstream headlines in December 2010 when they brought down the Wikileaks website. This was followed by counter-attacks by Wikileaks sympathisers against targets including Mastercard, PayPal, Visa and others.
 
According to research by Arbor Networks, released earlier this year in its Worldwide Infrastructure Security Report, volumetric DDoS attacks topped the 100Gbps barrier for the first time in 2010. Simply put, DDoS attacks are getting significantly larger. What is also revealed by the report, and is potentially more concerning, is that application-layer DDoS attacks against data centres are increasing in frequency, sophistication and operational impact. 
 
How does this affect the data center? 
The report revealed findings from Internet data centre (IDC) operators, who reported that application-layer DDoS attacks are leading to significant outages, increased operational expenditure (OPEX), customer churn and revenue loss. The vast majority (77%) of respondents surveyed for Arbor’s Worldwide Infrastructure Security Report detected application-layer attacks, while nearly half (49%) had experienced a failure of their firewalls or IPS due to a DDoS attack.
 
While IPSs, firewalls and other security products are essential elements of a layered-defence strategy, they do not solve the DDoS problem. Firewalls and IPSs are designed to protect the network perimeter from infiltrations and exploits, and to be policy enforcement points in the security portfolio of organisations. They rely on stateful traffic inspection to enforce network policy and integrity.
 
Unfortunately, the state a firewall or IPS can maintain is finite – and attackers know this – and when the resources within a device are exhausted, the results can be dropped traffic, device lock-ups and crashes.
 
Application-layer DDoS is also a significant threat to data center operators, since data centers represent a target-rich environment. Firewalls and IPSs cannot generally detect or block an application-layer DDoS attack, so an alternative solution is required.
 
What can be done to mitigate risk? 
Layered defence is accepted by the security industry as best practice, and the same approach is required to address the evolving DDoS threat. Volumetric and large state-exhaustion attacks need to be stopped at the ISP/MSSP, but application-layer DDoS detection generally needs to be performed at the ISP edge or within the data center itself. This is because application-layer DDoS attacks can be relatively difficult to detect, and can often slip under the radar of the detection solutions deployed to monitor large ISP networks carrying tens or hundreds of gigabits of traffic.
 
A DDoS detection and mitigation solution that sits at the perimeter of the data center should offer packet-based detection and immediate protection from all kinds of DDoS attacks; however, an ISP/MSSP cloud solution is also required to stop high-bandwidth volumetric and state-exhaustion attacks, which might exhaust links to upstream ISPs outside of the data center.
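The three attack categories described earlier and the split between upstream and data-center-edge detection can be made concrete with a small per-window classifier. This is an added example, not the article's or Arbor Networks' code; the record layout, addresses and thresholds are constructed assumptions for illustration only.

```python
"""Added example (not from the article): a minimal per-window classifier
for the three DDoS categories the article describes. Record layout and
thresholds are assumptions made for illustration only."""
from collections import Counter

# Assumed detection thresholds for a one-second observation window.
VOLUMETRIC_BPS = 1_000_000   # pressure on link/forwarding capacity
HALF_OPEN_MAX = 100          # half-open TCP sessions -> state exhaustion
APP_RPS_MAX = 50             # requests/s for one (source, URL) pair

# Constructed records: (src_ip, bytes, syn_only, http_path).
# syn_only=True marks a SYN whose handshake never completed.
VOLUMETRIC_FLOOD = [("198.51.100.7", 1500, False, None)] * 400
SYN_FLOOD = [(f"203.0.113.{i}", 60, True, None) for i in range(200)]
APP_FLOOD = [("192.0.2.9", 300, False, "/search?q=x")] * 120
LEGIT = [("192.0.2.10", 300, False, "/index.html")] * 5


def classify(records, window_s=1.0):
    """Return which DDoS categories are visible in one window of records."""
    found = {"volumetric": None, "state_exhaustion": None,
             "application_layer": []}
    # Volumetric: total bits per second against link capacity.
    bps = sum(r[1] for r in records) * 8 / window_s
    if bps > VOLUMETRIC_BPS:
        found["volumetric"] = int(bps)
    # State exhaustion: half-open sessions a stateful device must track,
    # counted across all sources because such floods are widely spoofed.
    half_open = sum(1 for r in records if r[2])
    if half_open > HALF_OPEN_MAX:
        found["state_exhaustion"] = half_open
    # Application layer: request rate per (source, URL). Low bandwidth,
    # so it stays invisible to the bandwidth check above.
    per_target = Counter((r[0], r[3]) for r in records if r[3])
    for (src, path), n in per_target.items():
        if n / window_s > APP_RPS_MAX:
            found["application_layer"].append((src, path, n))
    return found


def bandwidth_only(records, window_s=1.0):
    """What an upstream bandwidth-only monitor sees: True if over capacity."""
    return sum(r[1] for r in records) * 8 / window_s > VOLUMETRIC_BPS


if __name__ == "__main__":
    for name, recs in [("volumetric", VOLUMETRIC_FLOOD), ("syn", SYN_FLOOD),
                       ("app", APP_FLOOD + LEGIT)]:
        print(name, classify(recs), "upstream sees:", bandwidth_only(recs))
```

The application-layer flood never trips the bandwidth check, which is exactly why the article places that detection at the data center perimeter rather than in the upstream network.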
 
In an ideal world these two solutions will work together, by way of signaling technologies, to provide a completely automated, layered defence against the DDoS threat. 
 
For best effect, data center operators will need to work together with ISPs to deliver this multi-faceted solution, creating an offering for customers – whether they are enterprises or managed security service providers – that protects their services from the growing DDoS threat. 
 