Akamai & Prolexic Vs Cloudflare Vs Check Point DDOS Protection Vs Corero Smartwall Appliance v Incapsula (Imperva) Cloud Web Application Firewall – WAF

DDOS service or appliance buying and specifying considerations

What is DDOS?

DDoS is a distributed denial of service. A hacker with malicious intent uses a flooding-type attack to make a computer resource (i.e. a website, application, e-mail, voicemail or network) stop responding to legitimate users and customers. The hacker achieves this by commanding an army of remotely controlled computers (a botnet, or zombie net) to send a deluge of traffic to the target. The target infrastructure becomes so overwhelmed with the attacker’s requests that it has no time to respond to legitimate users’ requests, or it simply runs out of resources.

Why look at implementing a DDOS countermeasure solution? They’re only blocking my internet traffic, right? No. Over the last 2 years there has been a significant number of DDOS attacks; the attacks themselves are disruptive and could negatively impact a company’s security reputation and credibility.

More than one type of DDOS

Application layer, or layer 7, attacks do not necessarily create high volumes of network traffic, but they can impact your website in a more devastating way. An application-layer DDoS works by activating some aspect of a web application which runs on the website. Layer 7 attacks can change rapidly. Anything a customer has access to, an attacker does too – the traffic is virtually indistinguishable to the System Administrator.

Several of these assaults on connectivity have been more of a diversionary tactic: the underlying aim of the attack is to leverage intellectual property, confidential information and much more whilst the administrators’ eyes are turned to dealing with the DDOS as it stunts business activity.

With the world growing into a more connected, always-on society, the race for presence and reputation forces companies to put always-on, on-demand services at the fingertips of the world, exposing their systems to both customers and malicious users/groups.

When considering a Corporate DDOS protection setup, there are several market runners which ITogether have knowledge of, can provide critique on and can ultimately provide advice about.

The DDOS solutions we have included in this report are:

BGP Routed

  • Akamai Prolexic

DNS re-directed

  • Incapsula
  • Akamai Kona Site Defender
  • Cloudflare

Hybrid Appliance and Cloud Logging Service

  • Check Point
  • Corero

Within the industry the market leaders are often reviewed by Gartner, an independent IT research and advisory company. So what does the first-stop review shop, ‘Gartner’, think of the DDOS market? Sadly, despite our best endeavours, we have been unable to find a specific Gartner report featuring DDOS. Fortunately, as elsewhere in the world of technology providers, there are other reviewers of DDOS implementers.

Forrester identified 3 of the above solutions we can support as ‘Market Leaders’: Akamai’s Prolexic, Cloudflare and Incapsula (using Imperva technology) are all favourably reviewed. Most reviewers prefer Incapsula over CloudFlare for a multitude of reasons. The market leader for ‘BGP routed’ is Akamai, but it is regarded as being a ‘get what you pay for’ service.

There are 2 distinct deployment modes of DDOS protection. An ‘on demand’ service allows the customer to manually or automatically initiate protective measures when an attack commences; the benefit of this is the low latency experienced when the service is not mitigating an attack. The other implementation is an ‘always-on’ method, which has several advantages such as the hands-off approach to management of BGP and DNS.

There are also the deployment models of ‘re-directing’ DNS records to direct website traffic to these cloud services first. For example, store.itogether.co.uk has the IP address w.x.y.z (we won’t tell you the ‘real’ IP address). Instead, when your browser goes to https://store.itogether.co.uk it goes like this:

Simons-MacBook-Pro:~ simonrichardson$ nslookup
> store.itogether.co.uk
Server:		192.168.0.1
Address:	192.168.0.1#53

Non-authoritative answer:
store.itogether.co.uk	canonical name = p2hag.x.incapdns.net.
Name:	p2hag.x.incapdns.net
Address: 149.126.74.132

So your browser will actually go to p2hag.x.incapdns.net NOT directly to store.itogether.co.uk

The connection to store.itogether.co.uk is ONLY permitted by the ITogether firewall rules to originate ‘from’ the Incapsula source IP addresses. Therefore the connections to the webserver form an essentially closed, safe loop. The same principle applies to Kona and Cloudflare.
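The closed loop only holds if the origin firewall admits web traffic from nothing but the scrubbing provider’s ranges, and if nobody is reaching the origin directly. The script below is an added example (not ITogether’s or Incapsula’s code) that audits a set of allow rules for that gap and scans origin access logs for clients that bypassed the CDN; the CDN ranges, firewall rules and log lines are constructed placeholders, not the vendor’s published list.

```python
"""Audit the 'closed safe loop': origin web ports reachable only from CDN ranges."""
import ipaddress

# Constructed placeholder ranges standing in for the scrubbing provider's
# published egress addresses. Refresh from the vendor's current list in practice.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample of origin firewall allow rules: (source CIDR, destination port)
FIREWALL_ALLOW = [
    ("192.0.2.0/24", 443),
    ("198.51.100.0/24", 443),
    ("203.0.113.7/32", 22),   # admin SSH from a jump host, not a web port
    ("0.0.0.0/0", 443),       # mistake: origin reachable directly, bypassing the CDN
]

def in_cdn(net):
    """True if every address in `net` lies inside one of the CDN ranges."""
    return any(net.subnet_of(r) for r in CDN_RANGES if net.version == r.version)

def audit_allow_rules(rules, web_ports=(80, 443)):
    """Return the allow rules that expose a web port to non-CDN sources."""
    exposed = []
    for src, port in rules:
        net = ipaddress.ip_network(src)
        if port in web_ports and not in_cdn(net):
            exposed.append((src, port))
    return exposed

# Constructed origin access-log lines: "client_ip request"
ORIGIN_LOG = """\
192.0.2.45 GET / HTTP/1.1
198.51.100.9 GET /checkout HTTP/1.1
203.0.113.200 GET /wp-login.php HTTP/1.1
"""

def bypass_clients(log_text):
    """Client IPs that hit the origin without coming through the CDN ranges."""
    hits = []
    for line in log_text.splitlines():
        ip = ipaddress.ip_address(line.split()[0])
        if not any(ip in r for r in CDN_RANGES):
            hits.append(str(ip))
    return hits

if __name__ == "__main__":
    print("rules exposing the origin:", audit_allow_rules(FIREWALL_ALLOW))
    print("clients bypassing the CDN:", bypass_clients(ORIGIN_LOG))
```

A non-empty result from either check means the origin IP is (or can be) reached around the scrubbing service, so the DDOS protection is not actually in the path.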

Vendors

Incapsula

Through an application-aware, global content delivery network (CDN), Incapsula provides any website and web application with best-of-breed security, DDoS protection, load balancing and failover solutions—available as standalone services or as an integrated solution.

UK Reference customer: ITogether store. Siemens

Attack Types Defended: CGI request, denial of capability, diluted low-rate degrading, direct, DNS request attack, high-rate disruptive, hybrid attack, ICMP attack, isotropic attack traffic distribution, land attack, mail bomb, non-isotropic attack traffic distribution, ping of death, reflector, TCP reset, TCP SYN flooding, teardrop attack, UDP flooding, varied rate, headless browser attacks, CAPTCHA-solving botnets, XML bombs, NTP/DNS amplification.

Response Tactics: Attack source path identification, filtering, bandwidth throttling, reconfiguration, overprovisioning, router queue management, IP blacklisting, DNS recursion attenuation, malformed packet dropping.

Protections: AMT, ARP, BGP, BOOTP, DHCP, DNS, FTP, GRE, HTTP, HTTPS, ICMP, IMAP, MVRP, NNTP, NTP, OSPF, PIM, POP, PPPoE, PPP, PTP, RADIUS, RTPS, SFTP, SMTP, SNMP, SSH, SSL, TCP, Telnet, TLS, TTL, others.

Staff: Sales 100-249; PS 25-99; Development 25-99.

Cost (Always On / On Demand), Cloud Based: 5 websites, up to 200Mb of traffic, £2k per month.

Akamai (Prolexic) (Kona Site Defender is a similar service to Incapsula and CloudFlare so not detailed here)

DDoS attacks are growing bigger and more complex. Today’s denial of service attackers can easily send 300 gigabits per second of malicious traffic to their targets. That is far too much for a local network appliance, an Internet service provider (ISP), and even many cloud-based solutions to handle. If your organisation depends on a website or Internet-facing infrastructure, the best DDoS protection service can provide peace of mind and reduce business risk.

This only looks at Prolexic, though costs are roughly similar for either Prolexic or Kona Site Defender.

UK Reference customer: William Hill, Lloyds Bank, Office (shoe retailer), The Met Office.

Worldwide customers: Philips, US Air Force, Airbnb, Clearchannel, Ikea, Puma, IHG, EMC, BNP Paribas, Etrade, Nomura, Standard Chartered, Thomson Reuters.

Attack Types Defended: CGI request, denial of capability, diluted low-rate degrading, direct, DNS request attack via fast DNS, high-rate disruptive, hybrid attack, ICMP attack, isotropic attack traffic distribution, land attack, non-isotropic attack traffic distribution, ping of death, reflector, TCP reset, TCP SYN flooding, teardrop attack, UDP flooding, varied rate, highly volumetric AppSec, poison dart, slow POST, and origin error attacks.

Response Tactics: Attack source path identification, filtering, bandwidth throttling, reconfiguration, overprovisioning, router queue management, IP blacklisting, DNS recursion attenuation, malformed packet dropping.

Protections: AMT, ARP, BGP, BOOTP, DHCP, DNS, FTP, GRE, HTTP, HTTPS, ICMP, IMAP, MVRP, NNTP, NTP, OSPF, PIM, POP, PPPoE, PPP, PTP, RADIUS, RTPS, SFTP, SMTP, SNMP, SSH, SSL, TCP, Telnet, TLS, TTL.

Staff: Sales 500-749; PS 100-249; Development 100-249.

Cost: £12-15k per month depending on whether the service is on-demand or always-on. Always On: £15k for 200Mb of throughput. On Demand: £11k for 200Mb of throughput.

Cloud Based: £12k per month for up to five websites. DNS hosting is £1k a month for up to ten domains.

CloudFlare

Online threats range from nuisances like comment spam and excessive bot crawling to malicious attacks like SQL injection and denial of service (DOS) attacks. CloudFlare provides security protection against all of these types of threats and more to keep your website safe.

Reference customers: Cisco, NasDAQ

Attack Types Defended: CGI request, denial of capability, diluted low-rate degrading, direct, DNS request attack, high-rate disruptive, hybrid attack, ICMP attack, isotropic attack traffic distribution, land attack, non-isotropic attack traffic distribution, ping of death, reflector, TCP reset, TCP SYN flooding, teardrop attack, UDP flooding, varied rate.

Response Tactics: Attack source path identification, filtering, bandwidth throttling, reconfiguration, overprovisioning, router queue management, IP blacklisting, DNS recursion attenuation, malformed packet dropping.

Protections: DNS, HTTP, HTTPS, SSH, SSL, TCP, others (WebSockets).

Staff: Sales 25-99; PS 100-249; Development 100-249.

Cost (Always On / On Demand), Cloud Based: £5k a month.

Check Point

Check Point DDoS Protector™ Appliances block Denial of Service attacks within seconds with multi-layered protection and up to 40 Gbps of performance. Modern DDoS attacks use new techniques to exploit areas where traditional security solutions are not equipped to protect. These attacks can cause serious network downtime to businesses that rely on networks and Web services to operate. DDoS Protectors extend a company’s security perimeter to block destructive DDoS attacks before they cause damage.

Reference customers: All of the FTSE 100.

Attack Types Defended: Network Flood, App Sec, Low-rate DoS (LDOS), Peer-to-peer, Low-Orbit Ion Cannon (LOIC), High-Orbit Ion Cannon (HOIC), proxy, Slowloris, RUDY, Google+, THC-SSL, Apache Killer, Optima.

Response Tactics: Aggressive Aging, Quotas, Blocks, Inspections, GeoProtections, Signature, Window size Enforcement, Syn Flood Protection, dropping.

Protections: Not Listed.

Staff: 3,400–3,600.

Cost (Always On / On Demand), Appliance Based (1-2Gb): £50k per site per appliance, plus £20k pa support per site. The ThreatCloud element is security monitoring and storage of logs; for 2Tb of logs and monitoring, approx. £35k pa.

Corero

Provides continuous visibility and security policy enforcement so that organizations can establish a proactive First Line of Defense for inspecting traffic, detecting threats and blocking attacks. It is capable of mitigating a wide range of DDoS attacks while maintaining full service connectivity and availability to avoid degrading the delivery of legitimate traffic. The SmartWall Network Threat Defense appliance is designed to handle volumetric network based DDoS attacks or floods, reflective amplified spoof attacks, like DNS and NTP attacks, as well as application layer attacks that are typically too low to be detected by out of band solutions.

UK Reference customer: Hyve – UK Hosted Services Provider

Attack Types Defended: Flood, Fake Session Attack, Fragmentation, IP NULL/TCP NULL Attack, Smurf/Fraggle Attack, Reflected, Reflective, Slow Session Attack, Slow Read Attack, Excessive Verb – Single Session, Multiple Verb – Single Request, Recursive GET, Random Recursive GET, Specially Crafted Packet, Scans and Reconnaissance, Buffer Overflows, Code Injections, Directory Traversals, Advanced Evasion Techniques, Stack Attacks (Protocol Abuse), Brute-Force Password Attacks, Lack of Protocol “State-Awareness” Attack, Remote Code Execution.

Response Tactics: Stateful Flow Awareness, Advanced Evasion Detection, Attack & Vulnerability Signatures, Brute-Force Detection, Client Request Limiting, Dynamic Threat Assessment, L3/L4 Packet Filtering, L3/L4 Packet Filtering (Stateful Flow Awareness), Overflows and Injections, Request/Response Behavior Analysis, Stateful Protocol Validation, SYN Flood & Connection Limits, UDP Flood Defense.

Protections: Not Listed.

Staff: 3,400–3,600.

Cost (Always On / On Demand), Appliance Based: £110k, plus £30k pa support for ongoing years.

DDOS on the Rise

According to Akamai Technologies, distributed denial-of-service attacks were on the rise again in Q1 2015: Q1 set a record for the number of DDoS attacks, with the number of attacks doubling compared with Q1 2014.

Compared to Q4 2014:

  • 35% increase in DDOS attacks
  • 22% increase in layer 7 attacks
  • 36% increase in layer 3&4 attacks
  • 15% decrease in average attack duration
  • China top source of attacking IPs

Compared to Q1 2014:

  • 116% increase in DDOS attacks
  • 59% increase in layer 7 attacks
  • 124% increase in layer 3&4 attacks
  • 42.8% increase in average attack duration
