Corero (Top Layer) enhances DDoS defense to stop new types of attacks

In the IT world, security is a chess game. There's a constant back-and-forth volley between the IT defenders and the bad guys, with both sides using escalating efforts. Corero (Top Layer) puts DDoS attackers in check with an enhanced DDoS defense that is purpose-built to stop new kinds of attacks that would slip past most firewalls and IPS tools.

In the IT world, security is a chess game. There's a constant back-and-forth volley between the IT defenders and the bad guys, with both sides using escalating efforts. Just as the defenders think they've found a "checkmate" position, the bad guys seem to find a way around it.

One security concern that has been in the headlines lately is distributed denial of service (DDoS) attacks. In December 2010, the hacktivist group calling itself Anonymous launched successful attacks against the websites of companies and organizations that opposed the activities of WikiLeaks. Visa and MasterCard, among others, had their Web sites knocked out of commission for more than six hours each -- an eternity for businesses that are heavily dependent on the Internet.

Of course, six hours is nothing compared to the month that the Sony PlayStation Network was down. Sony's woes began with a DDoS attack that morphed into a massive data breach and almost complete loss of confidence by the public. 

While denial of service attacks have been commonplace for more than a decade, some of the methods the attackers are using today are new. In the security chess game, attackers have just made a move that puts every organization's king at risk. This move helps attackers slip past traditional protection measures in firewalls and intrusion prevention systems (IPS).

Until recently, the most common way for someone to instigate a DDoS attack was to overwhelm the victim's network with massive amounts of incoming traffic that make the victim's site unavailable to legitimate users. Network security experts got wise to this and put up defenses that would look for and block this kind of bandwidth-hogging attack.

Then the bad guys realized they could achieve their desired result -- complete unavailability of a network or Web-based service -- by utilizing requests that look and act just like normal traffic until they are taken in aggregate.

Here's how it works. An attacker figures out what kind of request will make a website or back-end database do a relatively large amount of work to respond. For example, consider the online store that has a product comparison feature that allows a shopper to simultaneously view the specifications of five different widgets. The request goes to a database to pull up the details of each of the products in order to present a dynamic page with all the information. A single request is no big deal, but what if tens of thousands of zombies on a botnet have been instructed to make this same request over and over again? The network traffic and certainly each HTTP GET request might not be unusual, and thus they raise no red flags for a firewall or IPS. Nevertheless, the back-end database server is trying mightily to respond to tens of thousands of the requests and becomes so busy that a denial of service condition results.

So the challenge is how to defend against this kind of attack.

Corero Network Security (previously Top Layer Security) thinks it has an answer. The company this week announced an enhanced anti-DDoS solution that is purpose-built to counter this new type of attack.

Corero already has anti-DDoS functionality in its Top Layer IPS; it's one of the three dimensions of the IPS, with intrusion prevention and stateful firewall filtering being the other two dimensions. Now Corero has developed a dedicated box with the enhanced anti-DDoS capabilities. This box, aptly named the DDoS Defense System (DDS), can be put in front of a Web server or a database server to protect the application layer against "low and slow" DDoS attacks.

DDS utilizes unique "client request limiting" technology that distinguishes "good" application requests from "bad" ones -- even though the requests themselves appear very similar. This new system assigns a demerit score to something akin to an account balance associated with each source IP sending requests to the Web-based application. Demerits are based on different criteria defined by aberrant behavior. Likewise, each source IP can earn merits for good behavior. If the total score reaches a threshold, the traffic from that source is filtered out by the appliance.

Let's say that Joe is browsing an online store and makes a request to compare widgets. This is acceptable behavior that would earn him a positive score. If Joe makes the exact same request 10 times in a row, DDS will notice and assume that Joe is really a bot and assign a demerit to his source IP address, lowering his account score. When the score hits a specified threshold, the traffic coming from Joe's device will be blocked.

The Corero device actively tracks several million source IP addresses that are traversing the network at any given time, so even if a large botnet is taking full aim at this network, the appliance can block the offending repetitive traffic. It's common to see tens of thousands of bots participating in an attack, and even if they send their "normal" traffic at very slow rates, the new anti-DDoS technology isn't fooled. The merit scoring system keeps track of cumulative bad behavior no matter how small or slow the traffic is.

The appliance has dozens of conditions for assigning demerits, such as making the same request repeatedly, and trying to hit illegal pages and getting an error response. The parameters can be adjusted for a given defense scenario. This system of scoring "good" vs. "bad" behavior puts Corero at the cutting edge of this kind of technology. It puts attackers' latest methods in "check."
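
The merit and demerit accounting described above can be sketched in a few lines. This is an added example, not Corero's code: the weights, starting balance, threshold and names (RequestLimiter, observe, replay) are all assumed, and the traffic is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed values for illustration only; the article does not publish
# the appliance's real parameters.
MERIT = 1             # credit for a normal-looking request
REPEAT_DEMERIT = 5    # charge for each identical request past the allowance
ERROR_DEMERIT = 3     # charge for a request that drew a 4xx/5xx response
REPEAT_ALLOWANCE = 3  # identical requests in a row tolerated before demerits
START_BALANCE = 10
MAX_BALANCE = 20      # cap, so good history cannot bank unlimited credit
BLOCK_AT = 0          # balance at or below this: the source is filtered

@dataclass
class SourceState:
    balance: int = START_BALANCE
    last_request: str = ""
    repeats: int = 0
    blocked: bool = False

class RequestLimiter:
    def __init__(self):
        self.sources = defaultdict(SourceState)  # one "account" per source IP

    def observe(self, src_ip, request, status):
        """Score one request; return True while the source is still allowed."""
        s = self.sources[src_ip]
        if s.blocked:
            return False
        s.repeats = s.repeats + 1 if request == s.last_request else 1
        s.last_request = request
        if s.repeats > REPEAT_ALLOWANCE:
            s.balance -= REPEAT_DEMERIT
        elif status >= 400:
            s.balance -= ERROR_DEMERIT
        else:
            s.balance = min(MAX_BALANCE, s.balance + MERIT)
        s.blocked = s.balance <= BLOCK_AT
        return not s.blocked

def replay(events):  # returns the sorted list of sources that end up blocked
    limiter = RequestLimiter()
    for src_ip, request, status in events:
        limiter.observe(src_ip, request, status)
    return sorted(ip for ip, s in limiter.sources.items() if s.blocked)

# Constructed sample traffic using documentation addresses (RFC 5737).
SHOPPER = [("192.0.2.10", f"GET /product/{i}", 200) for i in range(8)]
BOT = [("198.51.100.7", "GET /compare?ids=1,2,3,4,5", 200)] * 10
SCANNER = [("203.0.113.5", f"GET /admin/{i}", 404) for i in range(4)]
```

The balance changes only per request, never with elapsed time, so spacing the repeated requests further apart does not restore a source's score.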

Corero's DDoS Defense System can complement whatever firewall or IPS a company has, even if those tools come from another vendor. The appliance is suitable for 100Mbps, 1G and 10G Ethernet networks, as well as networks with redundant designs. The goal of this product is to provide automated defense against all DDoS attacks, including those aimed at the application layer.

Whether attackers are motivated by criminal extortion, political or religious activism or unfair business advantage, every organization doing business on the Internet is vulnerable to application layer DDoS attacks. Most firewalls and IPS systems are not prepared to catch the "low and slow" kinds of traffic that constitute a modern-day attack. The Corero DDoS Defense System is a good move in the IT security chess game.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
