Critical Infrastructure Security, Incident Response, TDR

Stopping distributed denial-of-service attacks

Distributed denial-of-service (DDoS) attacks certainly are a serious issue that can cause lots of productivity loss. These incursions also can cost hard dollars when they prevent paying customers from spending money on a site under attack. The key issue, of course, is separating the DDoS packets from legitimate data packets. When the DDoS packets are flooding at nearly wire speeds, that is a lot easier to talk about than it is to do. That, though, is exactly what the Fortinet FortiDDoS-200A accomplishes.

FortiDDoS is an appliance that examines data packets in a variety of ways to separate DDoS packets from legitimate packets. In order to accommodate high volume data, all filtering is done in hardware. The platform contains hardware-based policies that can be tuned to allow such things as virtual partitioning, which in turn allows different policies for different business units, for example. 

Setting up the appliance is straightforward, if not exactly simple. The first step is to set up the virtual partitions – if one wishes to have different partitions. Next, the partition is baselined. The device starts in detection mode. In this mode it learns a baseline, but does not block anything. Once the baseline is complete and defining expected traffic loads, the appliance is switched to prevention mode where it begins to block and continues to learn.

One of the most powerful features of this tool is its suite of traffic graphs that allow the administrator to pinpoint DDoS activity, understand its nature and observe the effects of the appliance. Because the solution can drop traffic at layers 3, 4 and 7, spoofing or application-based attacks are caught and stopped. This is actually packet inspection – looking for malformed packets. However, even though the FortiDDoS uses these techniques, it also uses some traditional techniques, such as geo-location filtering and blacklisting. 

Much of the product's power resides in its layer 7 filtering. Heuristic filtering addresses bot traffic, while operation code floods are blocked as well. All of these filtering activities are shown clearly on the appliance's traffic graphs. 

Individual sessions can be analyzed with session diagnostics that allow drill-downs on, for example, source addresses. To the extent that this information is available, it is very valuable for after-attack forensic analysis and tracing. In the FortiDDoS, the data is available. And that makes it a powerful analytic tool, as well as a protective device for the network.

We liked this for its original and common sense approach to a problem that usually is not solvable – or, at least, easily solvable – by the usual methods of blocking and filtering. Once deployed, this is an easy device to manage and tune because it is replete with graphs and tables that show clearly what is actually happening on the wire. That makes tuning much more straightforward than tuning and waiting to see if what one did caused unintended consequences.

If you are troubled by DDoS attacks, regardless of the size of your enterprise, this just might be the solution for you.


At a glance

Product: FortiDDoS-200A

Company: Fortinet

Price: Starts at $49, 998.

What it does: Stops distributed denial-of-service attacks.

What we liked: Straightforward to use, effective, and easy to evaluate its effect on the enterprise.

What we didn't like: Not much not to like here. It is, perhaps, a bit pricey for some types of customers, but it gives a lot of value nonetheless.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.