Tuesday evening, September 20, 2016, was warm and rainy in Northern Virginia, with no hint of what was to come. And then, at 8:00 pm, BOOM! The biggest distributed denial of service (DDoS) attack the world had ever seen, a sophisticated mix of application-layer and volumetric DDoS attack vectors, hit the Krebs on Security site.
Before the night was through, the site would see traffic flows as high as 620 Gbps. As we now know, the DDoS attack was based on the new Mirai botnet. By harnessing woefully unprotected IoT devices (when was the last time you checked that internet-connected cam in your backyard?), the attack was able to focus heretofore unheard-of traffic volumes on its targets.
Fighting Volumetric DDoS Attacks
The basic strategy for mitigating volumetric DDoS attacks is not particularly complex:
- Set up rules to flag the attack traffic
- Detect the attack
- Apply these rules to dump attack traffic
- Be sure to keep all other traffic flowing normally
Not very complex, but that is not the same as easy. It turns out that mitigating attacks of this size is actually excruciatingly difficult.
Stemming the Tide
There are several places mitigation can fall down:
- Inability to store enough rules to cover the massive quantity of bots involved in the attack
- Inability to create and store the rules quickly enough
- Inability to process all the rules in real time, at line-rate
If mitigation fails at any of these, the attack succeeds and the site comes down.
Corsa Red Armor NSE7000
The Corsa Red Armor NSE7000 was made for precisely this kind of volumetric DDoS attack. It provides universal enforcement for any size volumetric DDoS attack:
- Installs in minutes within existing networks
- Operates as a bump in the wire
- Delivers 100G enforcement in a compact footprint
- Provides full line-rate performance even with small packets and a large number of rules
- Works with every DDoS detection technology
100G DDoS enforcement at line-rate is a big claim. To verify the Red Armor NSE7000 platform was up to the task we ran rigorous performance tests.
Today’s announcement of the NSE7000 performance tests shows mitigation of an IoT-generated volumetric DDoS attack in under 60 seconds.
The testing included inserting 200,000 rules into the NSE7000 while it was saturated with a 100 Gbps mix of normal and attack traffic. It took just 59 seconds to insert all 200,000 rules, and even while the Red Armor NSE7000 worked to kill the attack traffic, the normal traffic never missed a beat.
Inserting 200,000 rules in under 60 seconds corresponds to a rate of 3,389 rules per second. This rate was constant regardless of how many rules were in the NSE7000’s table.
In summary, the performance test results show the Corsa Red Armor NSE7000 DDoS mitigation appliance forwarding traffic at 100G line-rate under very aggressive volumetric DDoS attack scenarios with no interruption of legitimate traffic and zero collateral damage.
Next Generation DDoS Protection
Security is like an arms race – the black hats introduce new weapons, the security vendors respond with more capable safeguards. The Corsa Red Armor NSE7000 platform is the industry’s most capable response to the next generation of volumetric DDoS attacks.