Distributed Denial of Service (DDoS) attacks remain a top threat to IT security and have evolved in almost every way to do what they do best: shut down access to your vital online services.
Unlike intrusion and malware attackers, DDoS attackers have learned that they don’t need to attack only end-point servers to shut you down. They attack any IP address that routes to your network: unused IPs, inter-router-link public IPs, or firewall/proxy/WiFi-gateway public IPs.
Cloud-based CDN and DNS-based cloud mitigation cannot protect you from these attacks. What is the impact to your business if your users cannot reach cloud services because your firewall or demarc router public IP is being DDoSed? Your CDN-based web servers may be up but your business is down!
Sophisticated multi-vector and multi-layer DDoS attacks use direct and reflected packets where the spoofed, randomized source IPs are impossible to ACL. These attacks are increasingly common as Mirai-style code has morphed into many variants and has been commercialized by providers of “stresser” sites. Anyone can call down large attacks for a few dollars.
To combat these attacks, you need a solution that dynamically protects a large attack surface.
Powered by SPU — A Different and Better Approach to DDoS Attack Mitigation
Only Fortinet FortiDDoS appliances use Machine Learning detection methods in dedicated, custom-silicon Security Processing Units (SPUs) to deliver the most advanced and fastest DDoS attack mitigation on the market today, without the performance compromises of multi-CPU or CPU/ASIC hybrid systems. The TP2 and TP3 SPU Traffic Processors inspect 100% of both inbound and outbound Layer 3, 4 and 7 packets, resulting in the fastest and most accurate detection and mitigation, and the lowest latency in the industry.
FortiDDoS uses 100% machine learning, behavior-based methods to identify threats. Instead of requiring predefined signatures to identify attack patterns, FortiDDoS uses its massively-parallel computing architecture to build an adaptive baseline of normal activity from hundreds-of-thousands of parameters and then monitors traffic against that baseline. Should an attack begin, FortiDDoS sees this as abnormal and immediately takes action to mitigate it.
The Power of SPUs — Flexible, Autonomous Defenses
FortiDDoS protects you from known and “zero-day” attacks without creating local or downloading subscription signatures for mitigation. Other vendors try to conserve CPU real-time by inspecting a relatively small number of parameters at a low sample rate, unless and until an explicit signature is created. FortiDDoS’ massively parallel SPU Traffic Processors sample 100% of even the smallest packets, for over 230,000 parameters for each Protection Profile. This allows FortiDDoS to operate completely autonomously, finding some attacks on the FIRST packet and all attacks within 2 seconds — broader and faster mitigation than any other vendor or method. There is no need to adjust settings, read pcaps or add regex-style manual signatures or ACLs in the middle of attacks. While attacks are being mitigated, FortiDDoS continues to monitor all other parameters to instantly react to added or changed vectors.
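As an added illustration of the baseline-then-monitor approach described above (this is example code written for this page, not FortiDDoS code and not its actual algorithm), the block below learns a per-parameter packet-rate baseline from a constructed clean-traffic window, judges each parameter independently so concurrent vectors are reported separately, and flags a parameter value never seen during learning on its first packet. Port numbers, traffic counts and the `k`/`floor` thresholds are constructed assumptions.

```python
# Added illustration: per-parameter adaptive baseline (simplified, not FortiDDoS's method)
from collections import defaultdict
from statistics import mean, pstdev

# Constructed clean-traffic learning window: (second, destination port, packets that second)
LEARN = [(1, 53, 100), (1, 443, 1000), (2, 53, 110), (2, 443, 1050),
         (3, 53, 90), (3, 443, 980), (4, 53, 105), (4, 443, 1020),
         (5, 53, 95), (5, 443, 950)]
# Constructed live window: a flood on port 53 plus a single packet to a never-seen port (19)
LIVE = [(10, 53, 5000), (10, 443, 1010), (10, 19, 1),
        (11, 53, 4800), (11, 443, 1000)]

def build_baseline(samples):
    """Return {port: (mean, stdev)} of per-second packet counts learned from clean traffic.
    Seconds in which a port saw no packets count as zero for that port."""
    seconds = sorted({sec for sec, _, _ in samples})
    per_port = defaultdict(lambda: dict.fromkeys(seconds, 0))
    for sec, port, pkts in samples:
        per_port[port][sec] += pkts
    return {port: (mean(c.values()), pstdev(c.values())) for port, c in per_port.items()}

def detect(baseline, samples, k=3.0, floor=20):
    """Judge every parameter independently against its own baseline, so concurrent
    vectors are reported separately. Returns [(second, port, observed, threshold)]."""
    alerts = []
    for sec, port, pkts in samples:
        if port not in baseline:
            # A value never seen while learning is flagged on its first packet
            # (illustrative only; a newly deployed legitimate service would trip this too).
            alerts.append((sec, port, pkts, 0.0))
            continue
        mu, sigma = baseline[port]
        threshold = max(mu + k * sigma, floor)  # floor stops noise on quiet ports
        if pkts > threshold:
            alerts.append((sec, port, pkts, threshold))
    return alerts

def first_alert_second(alerts):
    """Earliest second at which any vector was flagged, or None if nothing was flagged."""
    return min((a[0] for a in alerts), default=None)

if __name__ == "__main__":
    bl = build_baseline(LEARN)
    for sec, port, seen, thr in detect(bl, LIVE):
        print(f"t={sec}s port {port}: {seen} pkt/s exceeds baseline threshold {thr:.1f}")
```

The port-443 rate of 1010 pkt/s stays inside its learned band and is not reported, which is the property that lets mitigation continue on one vector while other parameters keep being monitored.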
The Resurrection of Botnets
Easily-compromised IoT devices have allowed botnet attacks to rise again, and massive IoT growth assures us they are here to stay. While individual devices have little power, large groups can generate record traffic. Attackers want to hide the real source IPs of botted devices, so UDP, SYN, TCP out-of-state (FIN/ACK/RST, etc.), DNS and protocol direct and reflected floods using spoofed source IPs are back in vogue. Attackers can launch an unprecedented variety of simultaneous attack vectors. Small-packet floods stress both firewalls and CPU-based DDoS appliances, preventing full inspection, with unexpected results. FortiDDoS’ fully inspected packet rate is class-leading.
Botnet-driven DNS attacks are popular because they can target any type of infrastructure, or they can co-opt your DNS servers to attack others with reflected DDoS attacks. FortiDDoS is the only DDoS mitigation platform that inspects 100% of all DNS traffic in both directions, to protect against all types of DDoS attacks directed at, or launched from, DNS servers. It validates over 30 different parameters on every DNS packet at up to 12 M queries/second. Its built-in cache can offload the local server during floods. FortiDDoS’ innovative DQRM feature stops inbound reflected DNS attacks from the very first packet. FortiDDoS also supports FortiGuard’s Domain Reputation Service for ISPs to protect clients from known malicious domains.
FortiDDoS complements Fortinet’s full suite of Security Fabric products, each of which uses purpose-built hardware with dedicated engineering and support resources to provide best-in-class focused protection. FortiDDoS displays system performance and mitigation activities in real time on a FortiOS Security Fabric Dashboard, providing a single pane-of-glass view of DDoS threats and mitigations along with other Security Fabric products and partners.
Hybrid On-premise/Cloud DDoS Mitigation
While FortiDDoS can mitigate any DDoS attack to the limit of the incoming bandwidth, large attacks can saturate incoming links, forcing ISP routers to drop good traffic. FortiDDoS’ open and documented Attack Signaling API allows our Security Fabric partners to provide you a choice of best-in-class hybrid CPE/cloud DDoS mitigation when attacks threaten to congest upstream resources. FortiDDoS inspects the clean traffic arriving over GRE from cloud DDoS providers to ensure continuity of logging and reporting, and complete threat mitigation. FortiDDoS on-premise appliances can also provide your ISP with Flowspec scripts to support diversion and multi-parameter blackholing of attack traffic.
Always-On Inline vs. Out-of-Path Mitigation
Many hosting providers, MSSPs and ISPs are moving away from out-of-path detection, diversion and scrubbing as too limited and too slow for important infrastructure. NetFlow-based detection and mitigation monitors a limited number of parameters for a few different attack types. FortiDDoS mitigates more than 150 attack events, many with “depth” (all 65,000 TCP and UDP ports are monitored and mitigated, for example). 100% packet inspection and leading packet performance ensure mitigation of everything from single-packet anomalies to link-filling small-packet, fragmented UDP floods.
Studies are showing that 75% of DDoS attacks last less than 15 minutes. Customers are also seeing multi-vector attacks, attacks that sequentially change vectors and pulsed attacks that start and stop frequently. FortiDDoS begins mitigating in less than 2 seconds and its massively-parallel detection and mitigation ensures multi-vector, sequential and pulsed attacks are seen and stopped.
All FortiDDoS models offer High Availability and select models offer Optical Bypass (to 100GE) to ensure network continuity in the event of system failures. When attacks threaten link bandwidth, Flowspec scripts can be generated to configure upstream router ACLs.
FortiDDoS also offers a wide range of static and dynamic ACLs to offload other infrastructure. For example, FortiDDoS supports BCP-38 ingress filtering, and FortiGuard Domain Reputation blocks IoT and end-user communications to botnet controllers and malicious domains. FortiDDoS ACLs operate at line rate with no impact on performance, even with millions of blacklisted IPs.
FortiDDoS offers multitenant real-time graphing and attack reporting for resale to customers.