Juniper Networks has added a new way for its anti-DDoS appliance to mitigate what’s known as massive UDP-based amplification attacks that typically work by exploiting compromised servers of different kinds to both spoof and vastly increase the denial-of-service barrage.
One type of such attack that has been on the rise this year is the Network Time Protocol (NTP) amplification attack that works when the attacker exploits vulnerable and unpatched NTP servers to overwhelm the victim’s system with UDP traffic. The size and scale of these UDP-based DDoS attacks is now reaching 300G/bit sec and more, making it hard to simply backhaul traffic, says Paul Scanlon, director of product management at Juniper Networks.
The enhanced Juniper DDoS Secure appliance announced today has added a method to detect this kind of unwanted attack traffic and the source of the attack and apply filters through Border Gateway Protocol (BGP) routers supporting the Flowspec protocol to block the attack closer to the border of the network or closer to the source of the attack. “The router is being told to filter the traffic in the interface with the source of the attack,” Scanlon says.
Juniper’s BGP routers support Flowspec but so do those from Cisco and Alcatel-Lucent, says Scanlon, pointing out this anti-DDoS mitigation technique is intended to work across multi-vendor gear.
Juniper’s DDoS Secure, which works bi-directionally so it’s not just monitoring inbound traffic, can be used in either enterprise or carrier networks. In the enterprise, the DDoS Secure appliance would typically be deployed at the data center. DDoS Secure blocks many type of DDoS attacks, and can also be used by service providers to protect against the problem of mitigating malicious traffic originating from botnets exploiting users’ mobile devices.
DDoS Secure, available now, costs $29,950 for the hardware component with additional costs for software that start at $18,995 depending on potential gigabit of protected capacity.