Protection Against DoS and DDoS Attacks

Live help by Top Layer

In addition to its content-based IPS capabilities, the Top Layer IPS solution also has features to defend against a wide variety of botnet-based attacks that are designed to render computers, servers and/or the network incapable of providing normal services. Using the Top Layer's IPS solution, multi-gigabit/sec attacks can be mitigated all the while allowing legitimate traffic to continue passing through.

Sitting in-line, the Top Layer IPS performs stateful packet inspection to keep track of the millions of network connections travelling across it. Using patented algorithms, the Top Layer IPS is able to identify attacks and mitigate them.

The Top Layer IPS solution can be used by any organization that requires dedicated infrastructure to protect against DDoS attacks. In addition, service providers can protect their own critical infrastructure or that of their individual customers. The Top Layer family of appliances are best suited to protecting links that have a capacity exceeding 100Mbit/sec.

Key Features

DoS & DDoS Protection
Patented algorithms provide comprehensive protection against SYN floods, ICMP floods, UDP floods and application overload attacks.

Application Rate Limits
Using policy-based rules, traffic rates to applications and servers can be limited based on acceptable application usage.

Connection Limits
Configurable rules that protect network resources (such as servers and routers) from being overwhelmed by too many connections.

Client Request Rules
Configurable rules that limit the rate at which individual clients can initiate transactions.

DShield Updates
DShield is a community-based collaborative log correlation system. It receives logs from numerous sensors throughout the world and analyzes attack trends. It is also used as the data collection engine behind the SANS Internet Storm Center. Top Layer collects data feeds from the DShield engine and forwards lists of badly-behaving IP addresses to the IPS which in turn can block any traffic sent to or from these malicious IP addresses. Typical blocked IP addresses include those used in cross-site scripting, SQL injection attacks, directory traversals, spam and other botnets and zombies.

Shunning
Attackers can be identified in a configurable dashboard and blocked en masse with a simple mouse click. Any traffic received from these shunned IP addresses can be temporarily or permanently blocked.

Stateful Inspection
The IPS contains built-in state tables that hold in memory significant attributes from start to finish for all network connections. Included are details such as IP addresses, ports involved in the connection and the sequence number of the packets traversing the connection. From these tables, the IPS is able to gather significant context from which it can determine attack type, direction of attack, and attack frequency.

ProtectionCluster™
The Top Layer IPS can be deployed in configurations of up to 8 parallel appliances, particularly useful when 10Gig/sec of protection is required or the network is asymmetric. Management of multiple devices is achieved with a centralized IPS Controller software module. The IPS Controller shows real-time data and includes drill-down incident response capabilities. Editing configurations is intuitive and simple and applying new TopResponse protection packs across the entire IPS appliance infrastructure couldn't be easier.

Definitions

What is a Denial of Service (DoS) attack?

A Denial of Service attack is designed to render a computer or network incapable of providing normal services. Common DoS attacks target the network bandwidth or server connectivity. Bandwidth attacks flood the network with such a high volume of traffic, that all available network resources are consumed and legitimate user requests cannot get through. Connectivity attacks flood a computer with such a high volume of connection requests, that all available operating system resources are consumed, and the computer can no longer process legitimate user requests.

What is a Distributed Denial of Service (DDoS) attack?

A Distributed Denial of Service attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers which serve as attack platforms. Typically a DDoS master program is installed on one or more computers using a stolen account. The master program, at a designated time, then communicates to any number of "agent" programs, installed on computers anywhere on the internet. The agents, when they receive the command, initiate the attack. Using client/server technology, the master program can initiate hundreds or even thousands of agent programs within seconds.

How is a DDoS Attack executed against a website?

A website DDoS is executed by flooding one or more of the site's web servers with so many requests that it becomes unavailable for normal use. If an innocent user makes normal page requests during a DDoS attack, the requests may fail completely, or the pages may download so slowly as to make the website unusable.