Objective Comparison on Prominent (D)DoS Solutions

Sunday, December 19, 2010

Alicia Smith


RioRey RX4410 and Arbor Networks Peakflow SP

I have had the opportunity to evaluate two unique solutions for DDoS Mitigation in an effort to find a solution suitable for hosting providers.

I have professional experience with Arbor's Peakflow appliance as well as with Cisco's solution the Cisco Guard.  While researching possible solutions I found there weren't really any reviews available with comparisons between products.

This review won't mention any more on the Cisco Guard considering it's been discontinued in favor of a collaborative solution from Cisco and Arbor Networks called Clean Pipes 2.0, which is more of a cloud service.

This review is geared more towards a sustainable solution. I evaluated the following appliances:

  • Arbor Network's Peakflow SP: An appliance that detects via deep packet inspection and blackholes based on a variety of matching (regex, packet analysis, rate limiting) but it also gives us valuable incite into our network and it's performance.
  • RioRey's RX4410: An appliance that detects and blackholes based on a matched algorithm and on the same criteria that Peakflow SP does.

In order to effectively determine the best solution you must know some key things about DDoS and your own network. There are many different types of DDoS attacks and they can affect your network in various ways - all of which are negative.

In essence, a DoS (Denial of Service) attack is a low profile attack in that it is often simply an annoyance that causes simple resource starvation on a target system or systems. The DDoS (Distributed Denial of Service) attack is a DoS on steroids.

It's high profile and consumes much more bandwidth and is capable of taking down entire network environments. Instead of breaking down each type of (D)DoS attack I will simply categorize them into two parts.

There are those attacks which are made up of correctly formed packets, and those made up of malformed packets. The (D)DoS formed from malformed packets are the most common and easily detected by  deep packet inspection.

The correctly formed packets that are sent via some (D)DoS attackers are not so easily detected and thus the most common form of mitigation is called rate limiting. Rate limiting is used to control the flow of traffic sent or received on an interface, any traffic in excess of the threshold set on that interface is generally dropped.

This is where (D)DoS protection gets tricky. Rate limiting can cause a loss of known good traffic or leave room for marginal (D)DoS impacts depending on how high or low the threshold is set, and it will not discriminate against which traffic is dropped.

As a security engineer for a hosting provider it is vitally important that availability is safeguarded regardless of an attack. That is not to say rate limiting is not an option, it's just not the best option.

The wonderful people at RioRey have developed an answer to this dilemma in the form of an appliance that automatically generates an algorithm to match particularly harmful traffic in response to increases in packets per second or common attack patterns and automatically blackholes it.

It requires little to no human involvement. Which can be quite helpful if you are short on security staff.  It can also mitigate via rate limiting and regex rules. There is also an option to create whitelist or blacklist up to fifty-thousand IPs indefinitely or until manually removed.

This allows you to keep known good traffic from being blocked, as well as the ability to unblock particular sources of traffic if needed. These algorithms will stay in place as long as the attack persists, once the harmful traffic has ceased, the algorithm retires itself.

The appliance holds information on 25 different (D)DoS classifications and has a sensitivity level that can be adjusted. Higher sensitivity levels will mean higher possibilities of blocking good traffic.  

You can download attack records that are retained up to 10 days if you need to keep any documentation or perform any further analysis. Sadly, there is no visual reporting functionality built into the management application which is something I feel would enhance the product's value quite a bit. 

There are three traffic views to be obtained through the RioRey management interface. There is a built-in backup function that allows you to download and save the device configuration.  

The cost is quite affordable for anyone requiring (D)DoS protection and works well in conjunction with other solutions. If you are a technophile and love advanced, bleeding edge technology this is definitely the solution for you.

Arbor Network's Peakflow SP is the premier tool for most hosting providers because it performs not only in the capacity of (D)DoS Solution, but also as a window into your network from many perspectives, from a very broad to a very granular level.  

Very large organizations could really benefit from the visibility as Peakflow SP actually accounts for growth in your network over time as well. The appliance boasts 385 different views into your network.

I've worked with the Peakflow device, and I can vouch for many views, but I don't think I've ever had the time to actually test out all 385! The Peakflow device mitigates via deep packet inspection, rate limiting and monitoring, and matching via regex rules.

Some of the mitigation may need human involvement which would require a knowledgeable security staff to intelligently determine what should be blocked and what shouldn't.

There is an ability to automate blacklisting of traffic that matches any rules you create. From a Security Infrastructure perspective the appliance will provide the ability to hone in on attacks and allow you to perform traceback (identify the source), analysis, and mitigation based on three types of anomalies:

Anomaly Classification and Reporting:

  • Profiled Anomalies - Deviations from the normal traffic levels on the network, and it's designed to scale with natural progression of growth
  • Misuse Anomalies - Traffic destined to hosts that exceed what should normally be seen for that network
  • Fingerprint/Worm anomalies - Traffic that fits a user specified signature

 From a traffic and routing perspective it will allow you to effectively analyze and manage your routing, transit and peering, and backbone. It also provides the ability to create up to 1000 managed objects which can consist of a single IP or several subnets per profile.

The Peakflow SP appliance is also IPv6 capable which is still in the process of being expanded which is good news for those who are already using it.

The views and reports are very useful, they can show you traffic by device, application, packets per second, bits per second, and by named interface, routers, switches, hosts, and AS to AS.

It can perform analysis and give you monthly weighted averages and alert you to bandwidth spikes. It includes templates/APIs for customized portals, data synchronization, one-click or auto-mitigation, customizable mitigation templates, real-time mitigation dashboards and comprehensive mitigation reports.

Either the RioRey appliance and Arbor Networks Peakflow SP devices allow you to configure alerting via syslog, SNMP Traps, or e-mail to specified systems. They both have their own API, the Peakflow device utilizes REST while the RioRey API is through XML.

Both devices inform you of updates as they are available and must be applied manually for either. While RioRey does not require you to apply all updates they develop, Arbor Networks does require you to apply theirs to the Peakflow SP appliance.

I was evaluating the appliances here for a 3GB pipe. You would need 3x (1GB each) RX4410 to facilitate a 3GB pipe which in total was about half cost of one Peakflow SP appliance that could facilitate up to 5GB.

The throughput on one RX4410 is 1.4Mpps while the Peakflow SP device can push through about 3Mpps at their largest. Either appliance may be deployed in an off-ramp or in-line solution.

I believe both devices are phenomenal in what they provide. I know of some very prominent hosting providers that use both of these products together in their (D)DoS solutions.

I hope this helps anyone who has the task of choosing what which solution best suits their intended application.

If you'd like to know more about (D)DoS please review the RFC on it : RFC4732.


Possibly Related Articles:
Denial of Service DoS internet DDoS Network Security
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.