Traditional Approach:
This traditional scheme is very effective against common network security threats, such as viruses and Trojan horses, unauthorized attempts to compromise databases or hosts, and other illegitimate actions that the attacker wishes to accomplish unnoticed. However, adapting these techniques to combat DDOS attacks is problematic, because a DDOS attack relies on sheer traffic volume from many sources rather than on a single stealthy intrusion that a signature or a rule can identify.
Router
Main function - Packet routing
Auxiliary function - Provide NetFlow information for billing and network diagnostics. NetFlow records are used by anomaly detection devices to detect unusual network utilization, signaling a potential DDOS attack.
During a DDOS attack, once the attacking sources are identified, network operators can suppress the attack by manually "null routing" (dropping) their traffic, one attacking host or address block at a time.
Access Control List and/or Firewalls
Maintain a list of rules specifying which traffic each host and device on the network may send or receive.
Restrict traffic to and from a host unless it is a permitted and known type of service.
Can be configured to control both inbound and outbound traffic.
Once the attacking sources are identified, network operators can suppress the attack by manually changing the ACL or firewall table, one attacking host or address block at a time.
Intrusion Detection Systems (IDS)
Use deep packet inspection to analyze packet payloads for viruses, Trojan horses and other application-layer attacks.
Deep packet inspection can be applied to DDOS protection, but it must examine every packet in real time, so under flood volumes the IDS itself becomes the bottleneck.
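The flow-based detection and the per-host null-route and ACL clean-up described in the Router and Access Control List sections above, as an added illustration that is not RioRey's code nor any product's. It assumes constructed NetFlow-style records, an invented per-destination packet-rate baseline, and Cisco IOS syntax for the null-route and access-list lines; the function names (detect_anomalies, top_sources, mitigation_lines) and all addresses are this example's own.

```python
"""Added example (not RioRey's code): a minimal NetFlow-style anomaly check
followed by the manual per-host mitigation that the text describes.

All flow records, baselines, thresholds and addresses below are constructed
for illustration; the IOS command syntax is real, the numbers are not.
"""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, packets, bytes, duration_s).
# A NetFlow export would carry the same fields; these rows are invented.
FLOWS = [
    ("203.0.113.10", "198.51.100.5", 443, 120, 90000, 10),    # normal client
    ("203.0.113.11", "198.51.100.5", 443, 95, 70000, 10),     # normal client
    ("192.0.2.1", "198.51.100.7", 80, 40000, 2560000, 10),    # flooding source
    ("192.0.2.2", "198.51.100.7", 80, 38000, 2432000, 10),    # flooding source
    ("192.0.2.3", "198.51.100.7", 80, 41000, 2624000, 10),    # flooding source
    ("203.0.113.12", "198.51.100.7", 80, 60, 48000, 10),      # legitimate client caught in the flood
]

# Constructed baseline: packets per second each destination normally receives.
BASELINE_PPS = {"198.51.100.5": 25.0, "198.51.100.7": 30.0}
ANOMALY_MULTIPLIER = 10.0  # flag a destination when observed pps exceeds 10x its baseline


def aggregate_by_destination(flows):
    """Sum packets per destination over the longest flow window seen; return {dst: pps}."""
    packets = defaultdict(int)
    window = defaultdict(int)
    for _src, dst, _port, pkts, _nbytes, dur in flows:
        packets[dst] += pkts
        window[dst] = max(window[dst], dur)
    return {dst: packets[dst] / window[dst] for dst in packets if window[dst] > 0}


def detect_anomalies(flows, baseline=BASELINE_PPS, multiplier=ANOMALY_MULTIPLIER):
    """Destinations whose packet rate exceeds multiplier x baseline (unknown baseline = 0)."""
    pps = aggregate_by_destination(flows)
    return sorted(dst for dst, rate in pps.items() if rate > baseline.get(dst, 0.0) * multiplier)


def top_sources(flows, dst, share=0.05):
    """Sources sending more than `share` of all packets toward dst, largest first.

    The share threshold is what keeps the low-volume legitimate client out of the
    block list; it is a crude heuristic, not a substitute for per-packet filtering.
    """
    per_src = defaultdict(int)
    total = 0
    for src, d, _port, pkts, _nbytes, _dur in flows:
        if d == dst:
            per_src[src] += pkts
            total += pkts
    if total == 0:
        return []
    ranked = sorted(per_src.items(), key=lambda kv: -kv[1])
    return [src for src, pkts in ranked if pkts / total > share]


def mitigation_lines(flows):
    """One null route and one ACL entry per attacking source: the manual step the text describes.

    Every additional bot adds two more lines, which is why this does not scale to a
    botnet of thousands of hosts, and why all of it must be removed after the attack.
    """
    lines = []
    for dst in detect_anomalies(flows):
        for src in top_sources(flows, dst):
            lines.append(f"ip route {src} 255.255.255.255 Null0")          # router null route
            lines.append(f"access-list 150 deny ip host {src} host {dst}")  # ACL / firewall rule
    return lines


if __name__ == "__main__":
    print("flagged destinations:", detect_anomalies(FLOWS))
    for line in mitigation_lines(FLOWS):
        print(line)
```

On the constructed data only 198.51.100.7 is flagged, the three 192.0.2.x sources are listed and 203.0.113.12 is spared, and six configuration lines come out. With a botnet of thousands of sources the same logic emits thousands of lines that an operator must install and later withdraw by hand, which is the limitation the Router and ACL sections above point at.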
RioRey™ Approach:
RioRey's innovative protection architecture, which features our Perimeter Protection Platform (PPP), is depicted in the diagram below. Our Platform removes attack traffic at the edge of the network, delivering line rate filtering to the entire infrastructure downstream. Because RioRey algorithms recognize good traffic and allow it to flow unimpeded, network communication is not hampered.
Perimeter Protection Platform
Added in front of the router, dedicated to DDOS mitigation.
High throughput, delivering line rate filtering to the entire network.
Filters out the majority of DDOS traffic, passing legitimate traffic on to the network.
Router, with the added Perimeter Protection
Relieves router congestion during a DDOS attack and maintains network performance despite the attack.
No need to update thousands of "null route" tables and clean up after an attack.
Access Control List and/or Firewalls with the added Perimeter Protection
No manual intervention, such as updating access lists, during or after an attack.
Intrusion Detection Systems with the added RioRey Perimeter Protection
Without the extra DDOS packets flooding the IDS, the system can now devote all resources to monitor and filter traditional attacks, which often attempt to penetrate under the cover of a DDOS attack.