FortiDDos DDoS Attack Mitigation Guide - Fortinet
DDoS Attack Trends in 2012

SYN Floods will continue to grow

The size of SYN floods has been growing. SYN floods are the easiest attacks to create and are tough to mitigate as their size in terms of bandwidth grows.

There are many schemes for SYN flood mitigation. Hardware-logic-based mitigation is the only practical way to sustain large SYN floods. Software-based solutions, even those deployed on blade-center platforms, do not have the capability to perform SYN flood mitigation at high data rates.

Hardware logic can perform anti-spoofing, depending on the size of the attack and suitability, using:
• SYN Cookies
• ACK Cookies
• SYN Retransmission
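As an added illustration of the first technique in that list (example code, not part of the Fortinet guide or the FortiDDoS product), the following Python model shows how a classic TCP SYN cookie lets a server answer a SYN without allocating any half-open state, so a flood of spoofed SYNs costs it nothing and only a client that really received the SYN-ACK can complete the handshake. The two secrets, the MSS table and the 64-second counter are assumptions chosen for the example.

```python
import hashlib
import hmac
import time

# Classic TCP SYN cookie (added example, not FortiDDoS code). Instead of storing a
# half-open connection per SYN, the server encodes what it needs into the SYN-ACK
# sequence number; a spoofed SYN therefore costs no memory, and only a client that
# actually received the SYN-ACK can send back the matching ACK. Layout, as in the
# Linux kernel: top 8 bits = time counter, low 24 bits = keyed hash + MSS table index.

COUNTER_PERIOD = 64                    # seconds per counter tick (assumption)
MAX_COUNTER_AGE = 1                    # accept the current and the previous tick
MSS_TABLE = (536, 1300, 1440, 1460)    # client MSS is rounded down to one of these


def _h(key: bytes, *fields) -> int:
    """32-bit keyed hash over the connection 4-tuple (plus counter for the 2nd key)."""
    msg = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


class SynCookieServer:
    def __init__(self, secret1: bytes, secret2: bytes, clock=time.time):
        self.k1, self.k2, self.clock = secret1, secret2, clock

    def _counter(self) -> int:
        return int(self.clock()) // COUNTER_PERIOD

    def make_cookie(self, saddr, daddr, sport, dport, client_isn, mss) -> int:
        """SYN received: return the server ISN for the SYN-ACK and keep no state."""
        idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        count = self._counter()
        low24 = (_h(self.k2, saddr, daddr, sport, dport, count) + idx) & 0xFFFFFF
        h1 = _h(self.k1, saddr, daddr, sport, dport)
        return (h1 + client_isn + (count << 24) + low24) & 0xFFFFFFFF

    def check_cookie(self, saddr, daddr, sport, dport, client_isn, ack):
        """Final ACK received: return the encoded MSS if the cookie checks out, else None."""
        server_isn = (ack - 1) & 0xFFFFFFFF
        h1 = _h(self.k1, saddr, daddr, sport, dport)
        cookie = (server_isn - h1 - client_isn) & 0xFFFFFFFF
        age = (self._counter() - (cookie >> 24)) & 0xFF     # ticks since it was issued
        if age > MAX_COUNTER_AGE:
            return None                                     # stale, or never issued
        count = self._counter() - age
        idx = (cookie - _h(self.k2, saddr, daddr, sport, dport, count)) & 0xFFFFFF
        return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None
```

The price of statelessness is visible in the code: the client's MSS is rounded down to a small table and any other TCP options from the SYN are lost, which is why cookies are typically switched on only while a flood is in progress rather than used for every connection.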
Concurrent connection-based attacks will be on the rise

Botnet floods will be rising

It is easy for hackers to hire a botnet that runs scripts which open connections and leave them in the established state after completing a proper 3-way TCP handshake. A limited number of connections from many such botnet machines can easily overwhelm a server. When the number of attacking IPs is small, you can use software scripts built on tools like iptables and tcpkill to stop the attack. You can try an Nginx constellation reverse-proxy configuration and a DNS round-robin mechanism to reduce the pressure, but in practice this doesn't seem to work because it requires multiple machines to be managed.

A hardware-logic-based solution that monitors all connections for behavioral anomalies can easily stop such attacks and aggressively age them, both internally and on the servers, by sending a TCP RST on behalf of the client.

Attacks mimicking legitimate users are on the rise. Even low-bandwidth attacks of this kind seem to bring down servers. Existing tools fail to stop them because they have no visibility into, or control over, such behavioral attacks. Smarter bots will be rising that obfuscate most algorithmic systems.

Hardware logic that can simultaneously look granularly and deeply into a packet's network and application headers can stop such attacks by determining self-similarity among packets at some level.

Volumetric and application-layer DDoS attacks will be converging from 2011 onwards and therefore require DDoS mitigation systems that can intelligently provide solutions for both.
28-100-167076-20120501
http://docs.fortinet.com/