Businesses today demand more sophisticated protection as attacks on the network become more complicated and difficult to identify. Leveraging the information and intelligence that is inherent in the network is critical to building a secure High-IQ Network and Juniper Networks is enabling this capability with the developments that are described in today’s announcement. These new enhancements allow attacks detected by DDoS Secure at the network and application-layer to be stopped closer to the source by using networking protocols to make the Juniper MX Series routers function as enforcement points.
This approach provides enterprises and service providers a more efficient way of stopping the volumetric attacks that can potentially cripple a network. It also mitigates other popular DDoS attack methods, including inside-out Domain Name System (DNS) reflection and amplification attacks, as well as the negative effects that botnet-infected devices can have on the user experience for a service provider’s customers. According to Infonetics Research, new varieties of amplification attacks are pushing the boundaries of mitigation performance and driving increased investment in DDoS prevention. Examples include the 2013 DNS amplification attack aimed at Spamhaus that topped 300G, and the NTP amplification attack earlier this year that exceeded 400G.
Juniper Networks is introducing improvements to its Juniper DDoS Secure solution to provide tighter integration into routing and service provider infrastructures with BGP Flowspec and GPRS Tunneling Protocol (GTP) protocols. This approach enables new forms of protection that can more effectively and efficiently mitigate a variety of DDoS attacks without restricting or impacting normal service.
· Upstream Attack Mitigation
o DDoS Secure provides customers with distributed enforcement at the network boundary that protects the edge equipment and the resources behind it from becoming overwhelmed. This distributed approach to managing attacks increases the ability to handle larger and more challenging volumetric attacks.
o The solution scales DDoS mitigation by extending enforcement upstream to Juniper’s MX at the edge, border or closest to the attack source, allowing only clean traffic to enter the network.
o As DDoS Secure continuously monitors inbound and outbound traffic, it can determine if a high-volume DDoS attack is underway and subsequently communicate with the MX router by publishing Flowspec rules to block the malicious traffic upstream.
o Flowspec provides the ability to take enforcement actions such as source-based black hole filtering to drop malicious packets or redirecting traffic to select network points for mitigation.
· Accurate Enforcement on Mobile Networks with GTP Network Protocol Unwrap
o The capabilities introduced today also protect against the growing problem that service providers face in detecting and mitigating malicious traffic originating from botnets exploiting user’s devices. Unfortunately, the vast majority of mobile network operators today do not have visibility into malicious subscriber devices. The ability to inspect different network protocols becomes a key enabler in identifying legitimate traffic.
o DDoS Secure provides visibility into malicious and/or errant mobile devices, identifying both User Equipment (UE) to UEand UE to Internet traffic.
o DDoS Secure’s ability to inspect GTP packets and identify malicious endpoints allows service providers to enforce mitigation, maintain performance and protect their Radio Access Network (RAN) bandwidth.
o The new GTP packet unwrap capability allows DDoS Secure to identify inside-out bot attacks originating in the mobile service provider’s access network. Botnet malware that enters mobile devices from home, at work, or in the macro RAN can degrade legitimate user experience and also consume valuable mobile bandwidth.
· DNS Inside-Out Attack Protection
o DDoS Secure protects the core DNS infrastructure from participating in DNS amplification and reflection attacks that are difficult to detect and can have disastrous effects on network availability.
o In these attacks, the DNS server can become the victim of a DNS attack or can be used to launch a DNS amplification attack on another server.
o DDoS Secure applies heuristics-based intelligence to automatically mitigate these attacks by black listing and rate limiting certain DNS requests. The solution can also generate a BGP Flowspec rule, allowing attack traffic to be blocked upstream at the MX.