Arbor Networks Pravail APS 2003 PRA-APS-2003-AC Data Sheet

Product codes
PRA-APS-2003-AC
Arbor also provides another alternative for enhanced DDoS attacks with the Arbor Cloud®.
Using Pravail Availability Protection System as the on-premise protection, the Arbor Cloud 
service provides an on-demand traffic scrubbing service staffed by Arbor’s DDoS security 
experts to quickly defend against volumetric DDoS attacks that are too large to be 
mitigated on-premise.
Traditional Perimeter Security Solutions Cannot Defend Against DDoS
Traditional perimeter security devices, such as firewalls and intrusion prevention systems 
(IPS), are essential elements of a layered defense strategy, but are not designed to solve the 
DDoS problem. Firewalls enforce policies that govern access to data center resources, and 
IPS devices block threats that can exploit known vulnerabilities. DDoS is a different problem. 
DDoS attacks consist of legitimate traffic from multiple sources crafted to exhaust critical 
resources, such as link capacity, session capacity, application service capacity (e.g., HTTP(S), 
DNS) or back-end databases. Because such traffic is authorized and does not contain the 
signature content of known malware, it is not stopped by firewalls and IPS. In fact, as inline, 
stateful inspection devices, firewalls and IPS can be frequent victims of DDoS attacks. 
Key Technologies
Stateless Analysis Filtering Engine 
Arbor’s stateless packet filtering engine provides the foundation for both the Pravail 
Availability Protection System. Unlike load balancers, IPS or firewalls, this unique packet 
filtering technology detects and mitigates most DDoS attacks without tracking any session 
state. In cases where tracking is required, it only stores minimal information for a short 
period of time. Because it is not stateful, the Pravail Availability Protection System can withstand 
DDoS attacks that target session tables and knock other security appliances offline. 
Further, the filtering engine incorporates advanced packet-based DDoS countermeasures 
developed by the Arbor Security Engineering and Response Team (ASERT) to neutralize 
multiple categories of advanced threats. 
Centralized Multi-Device Management via Pravail® Network Security Intelligence
The Pravail Threat Console, available on Pravail Network Security Intelligence appliances, 
gives organizations a single dashboard to view and manage up to 25 Pravail Availability 
Protection System devices. The Console provides full traffic visibility for each appliance and 
protection group, as well as a central log for all blocked threats. In addition, administrators 
have a single console where they can monitor security events and system status, manage 
black and white lists, respond to attacks with easy workflows on the console, and use single 
sign-on to drill down into individual systems for more detail, such as packet captures. 
Customized Protection Recommendations with Immediate “Out-of-the-Box” Blocking 
The Pravail Availability Protection System features a simple user interface that makes it 
easy to install, configure and use. Upon installation, the device will immediately begin blocking 
most attacks from causing harm to the network. However, it also features an optional 
calibration period where the product will record and analyze traffic patterns unique to the 
organization and recommend customized protection settings for that network and its specific 
applications. During this calibration, the network remains protected from most threats. 
Can You Afford to Ignore Availability Threats Like DDoS?
When Internet-facing services are down, 
the impact can have severe business 
consequences. Consider the following:
Direct Loss of Revenue and Profit
This is arguably the largest cost 
and easiest-to-calculate measure of 
downtime. For example, if an online 
retailer that makes 40 percent of its 
revenue in the last two weeks of the 
year suffers an outage two days before 
Christmas, the financial impact can be 
devastating. Attacks can continue for 
days, even weeks.
Tarnished Reputation or Brand
News travels fast in today’s age of 
information—especially when it comes 
to news regarding service outages or 
security breaches. This negative media 
coverage could have a major impact 
on an organization’s reputation or 
brand value.
Lower Productivity
When online services go down, the 
productivity of employees and businesses 
that rely on these services 
can be drastically reduced. A simple 
calculation shows the impact: cost of 
lost productivity = number of employees 
using the application × average hourly 
salary × hours of downtime.
Penalties
Some organizations may face financial 
penalties if they fail to meet certain 
availability requirements. For example, 
a company that provides a service that 
is part of a complex supply chain could 
face stiff penalties for any delays that 
it causes.
Organizations must consider availability 
threats when developing risk mitigation 
plans. To better understand the direct 
and indirect costs associated with 
availability attacks, please refer to 
the Arbor white paper entitled The 
Business Value of DDoS Protection.
Why Firewall and IPS Devices Do Not Solve the Problem
Vulnerable to DDoS Attacks
  • As inline, stateful devices, they are vulnerable targets of DDoS attacks.
  • First to be affected by large flood or connection attacks.
Failure to Ensure Availability
  • Built to protect against known (versus emerging) threats.
  • Designed to look for threats within single sessions, not across sessions.
Protection Limited to Certain Attacks
  • Address only specific application threats.
  • By default, they must allow common attack traffic such as TCP port 80 (HTTP) or UDP port 53 (DNS). Do not handle attacks containing valid requests.
Deployed in Wrong Location
  • Very close to servers.
  • Too close to protect upstream router.
Incompatible with Cloud-Based DDoS Protection Systems
  • Fail to interoperate with cloud-based DDoS prevention solutions.
  • Increase time for response to DDoS attacks.
Lack of DDoS Expertise
  • Require skilled security experts.
  • Demand knowledge of attack types before attacks.