Juniper Networks delivers holistic DDoS protection solution

Juniper Networks has announced enhancements to its Juniper Networks® DDoS Secure solution that help companies mitigate complex attacks by more effectively leveraging security intelligence throughout the network fabric, taking them one step closer to building a High-IQ Network.

  • 10 years ago Posted in

Businesses today demand more sophisticated protection as attacks on the network become more complicated and difficult to identify. Leveraging the information and intelligence that is inherent in the network is critical to building a secure High-IQ Network and Juniper Networks is enabling this capability with the developments that are described in today’s announcement. These new enhancements allow attacks detected by DDoS Secure at the network and application-layer to be stopped closer to the source by using networking protocols to make the Juniper MX Series routers function as enforcement points.


This approach provides enterprises and service providers a more efficient way of stopping the volumetric attacks that can potentially cripple a network. It also mitigates other popular DDoS attack methods, including inside-out Domain Name System (DNS) reflection and amplification attacks, as well as the negative effects that botnet-infected devices can have on the user experience for a service provider’s customers. According to Infonetics Research, new varieties of amplification attacks are pushing the boundaries of mitigation performance and driving increased investment in DDoS prevention. Examples include the 2013 DNS amplification attack aimed at Spamhaus that topped 300G, and the NTP amplification attack earlier this year that exceeded 400G.



Juniper Networks is introducing improvements to its Juniper DDoS Secure solution to provide tighter integration into routing and service provider infrastructures with BGP Flowspec and GPRS Tunneling Protocol (GTP) protocols. This approach enables new forms of protection that can more effectively and efficiently mitigate a variety of DDoS attacks without restricting or impacting normal service.


· Upstream Attack Mitigation
o DDoS Secure provides customers with distributed enforcement at the network boundary that protects the edge equipment and the resources behind it from becoming overwhelmed. This distributed approach to managing attacks increases the ability to handle larger and more challenging volumetric attacks.
o The solution scales DDoS mitigation by extending enforcement upstream to Juniper’s MX at the edge, border or closest to the attack source, allowing only clean traffic to enter the network.
o As DDoS Secure continuously monitors inbound and outbound traffic, it can determine if a high-volume DDoS attack is underway and subsequently communicate with the MX router by publishing Flowspec rules to block the malicious traffic upstream.
o Flowspec provides the ability to take enforcement actions such as source-based black hole filtering to drop malicious packets or redirecting traffic to select network points for mitigation.
· Accurate Enforcement on Mobile Networks with GTP Network Protocol Unwrap
o The capabilities introduced today also protect against the growing problem that service providers face in detecting and mitigating malicious traffic originating from botnets exploiting user’s devices. Unfortunately, the vast majority of mobile network operators today do not have visibility into malicious subscriber devices. The ability to inspect different network protocols becomes a key enabler in identifying legitimate traffic.
o DDoS Secure provides visibility into malicious and/or errant mobile devices, identifying both User Equipment (UE) to UEand UE to Internet traffic.
o DDoS Secure’s ability to inspect GTP packets and identify malicious endpoints allows service providers to enforce mitigation, maintain performance and protect their Radio Access Network (RAN) bandwidth.
o The new GTP packet unwrap capability allows DDoS Secure to identify inside-out bot attacks originating in the mobile service provider’s access network. Botnet malware that enters mobile devices from home, at work, or in the macro RAN can degrade legitimate user experience and also consume valuable mobile bandwidth.
· DNS Inside-Out Attack Protection
o DDoS Secure protects the core DNS infrastructure from participating in DNS amplification and reflection attacks that are difficult to detect and can have disastrous effects on network availability.
o In these attacks, the DNS server can become the victim of a DNS attack or can be used to launch a DNS amplification attack on another server.
o DDoS Secure applies heuristics-based intelligence to automatically mitigate these attacks by black listing and rate limiting certain DNS requests. The solution can also generate a BGP Flowspec rule, allowing attack traffic to be blocked upstream at the MX.
 

The four-year project extension focuses on cloud transformation and enhanced operational efficiency...
Businesses in the UK are risking slower development as they fail to fully embrace technologies that...
Talent and training partner, mthree, which supports major global tech, banking, and business...
On average, only 48% of digital initiatives meet or exceed business outcome targets, according to...
GPUaaS provides customers on-demand access to powerful accelerated resources for AI, machine...
TMF Group, a leading provider of critical administrative services for global businesses, turned to...
Strengthening its cloud credentials as part of its mission to champion the broader UK tech sector...
Nearly all UK IT managers surveyed (98%) state cloud investment is an organisational priority for...