Published on July 24th, 2014 | by Alexis Argent0
Juniper Networks Delivers The First Holistic Distributed Denial of Service (DDOS) Protection Solution in the Network for Enhanced Detection and Mitigation of Complex Attacks
New DDoS Secure and MX Solution for the Network Fabric Enables Enterprises and Service Providers to Stop DDoS Attacks Farther Out in the Network
Juniper Networks (NYSE: JNPR), the industry leader in network innovation, today announced enhancements to its Juniper Networks® DDoS Secure solution that help companies mitigate complex attacks by more effectively leveraging security intelligence throughout the network fabric, taking them one step closer to building a High-IQ Network.
Businesses today demand more sophisticated protection as attacks on the network become more complicated and difficult to identify. Leveraging the information and intelligence that is inherent in the network is critical to building a secure High-IQ Network and Juniper Networks is enabling this capability with the developments that are described in today’s announcement. These new enhancements allow attacks detected by DDoS Secure at the network and application-layer to be stopped closer to the source by using networking protocols to make the Juniper MX Series routers function as enforcement points.
This approach provides enterprises and service providers a more efficient way of stopping the volumetric attacks that can potentially cripple a network. It also mitigates other popular DDoS attack methods, including inside-out Domain Name System (DNS) reflection and amplification attacks, as well as the negative effects that botnet-infected devices can have on the user experience for a service provider’s customers. According to Infonetics Research, new varieties of amplification attacks are pushing the boundaries of mitigation performance and driving increased investment in DDoS prevention. Examples include the 2013 DNS amplification attack aimed at Spamhaus that topped 300G, and the NTP amplification attack earlier this year that exceeded 400G.(1)
Juniper Networks is introducing improvements to its Juniper DDoS Secure solution to provide tighter integration into routing and service provider infrastructures with BGP Flowspec and GPRS Tunneling Protocol (GTP) protocols. This approach enables new forms of protection that can more effectively and efficiently mitigate a variety of DDoS attacks without restricting or impacting normal service.
Upstream Attack Mitigation
- DDoS Secure provides customers with distributed enforcement at the network boundary that protects the edge equipment and the resources behind it from becoming overwhelmed. This distributed approach to managing attacks increases the ability to handle larger and more challenging volumetric attacks.
- The solution scales DDoS mitigation by extending enforcement upstream to Juniper’s MX at the edge, border or closest to the attack source, allowing only clean traffic to enter the network.
- As DDoS Secure continuously monitors inbound and outbound traffic, it can determine if a high-volume DDoS attack is underway and subsequently communicate with the MX router by publishing Flowspec rules to block the malicious traffic upstream.
- Flowspec provides the ability to take enforcement actions such as source-based black hole filtering to drop malicious packets or redirecting traffic to select network points for mitigation.
Accurate Enforcement on Mobile Networks with GTP Network Protocol Unwrap
- The capabilities introduced today also protect against the growing problem that service providers face in detecting and mitigating malicious traffic originating from botnets exploiting users’ devices. Unfortunately, the vast majority of mobile network operators today do not have visibility into malicious subscriber devices. The ability to inspect different network protocols becomes a key enabler in identifying legitimate traffic.
- DDoS Secure provides visibility into malicious and/or errant mobile devices, identifying both User Equipment (UE) to UE and UE to Internet traffic.
- DDoS Secure’s ability to inspect GTP packets and identify malicious endpoints allows service providers to enforce mitigation, maintain performance and protect their Radio Access Network (RAN) bandwidth.
- The new GTP packet unwrap capability allows DDoS Secure to identify inside-out bot attacks originating in the mobile service provider’s access network. Botnet malware that enters mobile devices from home, at work or in the macro RAN can degrade legitimate user experience and also consume valuable mobile bandwidth.
DNS Inside-Out Attack Protection
- DDoS Secure protects the core DNS infrastructure from participating in DNS amplification and reflection attacks that are difficult to detect and can have disastrous effects on network availability.
- In these attacks, the DNS server can become the victim of a DNS attack or can be used to launch a DNS amplification attack on another server.
- DDoS Secure applies heuristics-based intelligence to automatically mitigate these attacks by black listing and rate limiting certain DNS requests. The solution can also generate a BGP Flowspec rule, allowing attack traffic to be blocked upstream at the MX.
More than ever, businesses need to protect themselves against massive and complex DDoS attacks. With these new capabilities in an intelligent mitigation system, we are equipping companies to engage key network capabilities to coordinate advanced protection simply and giving them the intelligence to adapt defenses actively and extend enforcement to the edge, allowing businesses to protect their critical services even under extreme attack conditions. By leveraging the intelligence and information inherent in the system, DDoS Secure is providing yet another capability in helping our customers build High-IQ Networks.
– Paul Scanlon, director of product management, Juniper Networks
Demand for non-stop business services via high-availability networks is growing — this includes protection from ongoing cyber attacks that can disrupt critical resources and threaten profitability. With new enhancements such as the MX integration to Juniper Networks’ DDoS protection solution, Netrix is expanding our portfolio and service offerings to keep our customers’ businesses secure and operational 24/7.
– Vladimir Gotsev, director of engineering, Netrix, Great Lakes region, Partner of the Year 2014
Leveraging a single provider for DDoS mitigation and DNS availability can optimize network operations, streamline remediation and improve customer experience.
– Jeff Wilson, principal analyst, Infonetics Research