Distributed-denial-of-service attacks are a concern for all organizations. But financial institutions face unique challenges, and so they require a unique level of protection, says Mark Byers of Fortinet.
"We find that [financial institutions] tend to be targeted more often, and not for the same reasons that other organizations are targeted," says Byers, director of product marketing at Fortinet.
And while disruption is often a primary objective, "We're also finding out that banks are being targeted with DDoS attacks to mask other intrusion events," Byers says. Because the attacks are unique, so must be the solutions that protect against them.
In an interview about DDoS attacks and solutions, Byers discusses:
- What's unique about DDoS attacks on financial institutions;
- Strategies and solutions for defending against DDoS;
- The merits of a hardware-based solution.
As director of product marketing, Byers manages product marketing for Fortinet's application delivery, web application firewall and DDoS attack mitigation products. Prior to joining Fortinet in 2013, he worked at Coyote Point Systems, where he led marketing for the company and its application delivery controller appliances.
Dedicated DDoS Protection
TOM FIELD: Tell us a little bit about yourself and Fortinet.
MARK BYERS: I cover most of Fortinet's advanced technology products, and that includes things like application delivery controllers, web application firewalls, and DDoS mitigation appliances. Fortinet is one of the largest manufacturers of network security products. We're mostly known for our next-generation firewalls and unified access management products; however, we also have other products like wired and wireless switches. We have solutions that pretty much run the gamut of all segments, ranging from small [to] medium business appliances and solutions all the way to enterprise and carrier solutions.
DDoS Attack Targets
FIELD: What do you find to be unique about DDoS attacks targeted at banks and other financial institutions?
BYERS: The fundamentals of a DDoS attack are the same for most businesses. For financial institutions and banks, we found that they tend to be targeted more often, and not for the same reasons that other businesses [or organizations] are targeted. The primary motivation for attacking financial institutions is either to disrupt commerce or bank operations. But we're also finding out that banks are being targeted with DDoS attacks to mask other intrusion events in order to get financial data, be it credit cards, banking records, accounts, etc. Bulk attacks have been used to mask these more insidious levels of attacks, or they can just be small layer seven attacks that are going after this data. A lot of times they are not just looking to congest services and the pipes as in normal DDoS attacks; they are actually using them to probe weaknesses in data center systems for these institutions.
Data Center Managers
FIELD: What should the data center managers be looking for when they turn to a DDoS solution?
BYERS: Well, DDoS solutions typically need to cover layer three and layer four, and now layer seven, attacks. Most of those solutions out in the market have been around for a long time, [and] primarily focused on layer three and four bulk attacks. Most ISPs already have bulk attack prevention, and there are a lot of DDoS service providers. Cloud-based providers that provide more or [a] comprehensive layer three and four [service] also provide layer seven services. [For] financial institutions and banks, they'll have to have the bulk protections of layer three and four. They also really need to focus now on layer seven attacks, as they are one of the fastest growing categories and are out there probing the systems.
The layer seven attacks themselves actually get fairly tricky, and even some of the largest DDoS service providers like Cloud and others don't have the full comprehensive services. Plus, they don't necessarily know [or can identify] zero-day attacks. A lot of companies now are going with their own hardware-based solutions, based upon the deficiencies in the cloud service providers. Also, they are using either a full comprehensive layer three, four, and seven solution, or they are using them to augment their ISP for layer seven attacks only.
Hardware-Based DDoS Solutions
FIELD: Why are hardware-based DDoS solutions really not the best way to go?
BYERS: Now you've probably been talking to the DDoS service providers. They would love to have everyone believe that a hardware-based solution is very expensive and requires a lot of upfront cost, etc. They also want us to believe that the DDoS solutions [that] are an extra piece of hardware require a lot of management or are difficult to set up, all those types of things. They want to make their solution seem as easy as possible.
Some of that is true, I'm not going to deny it. For some of our competitors, their products can be expensive and complicated to set up. Some of them do require a lot of updating to keep them up to date with the latest attacks using signature pals, etc. Even though [it is] an expensive option, ones that cost hundreds of thousands of dollars do break even. They can be justified when customers are hit with huge overcharges from their DDoS service providers. Using a hardware-based appliance, prices are predictable whether a customer gets hit with a single DDoS attack every year, or if they are unlucky enough to be getting hit with them on a daily basis. As for management and updating, some solutions are difficult to both set [up] and [will] require signature updates. FortiDDoS uses a different approach. We use a 100 percent behavior-based detection engine, so we don't require signatures and the constant updating that those solutions need. We also have a lot of setup tools that can have a customer up within minutes, without having to do anything other than unpacking the box, putting it in, [and choosing] a couple of options. We've got a solution that really does overcome a lot of the detractions of the hardware-based appliances or methods to protect against DDoS attacks.
Overwhelming Data Center Appliances
FIELD: Wouldn't a large-scale DDoS attack overwhelm a data center appliance as compared to a hosted DDoS provider that would have hundreds of gigabytes of capacity?
BYERS: That is one of the primary ones we get asked by customers. Most attacks that are hitting the average data center are around 10 to 20 gigabytes per second. A lot of the latest attacks that you'll hear [about are] 300 [or] 400 gigabytes, and those are very large attacks that are coordinated against some of the big names and targets in the industry, like CloudFlare [or] VeriSign. Typically speaking, an average business is not going to see that level of volume or sophistication. The good news here is that these targets, they are really more publicity stunts in some ways. Average businesses are getting hit with larger attacks, but mostly the real threats, especially to banks and financial institutions, are getting hit with the layer seven attacks. They are one of the fastest growing segments of DDoS attacks.
We do things a little bit differently, again, than other manufacturers out there who are limited [in] capacity. We do offer a box that goes up to 24 gigabytes per second. We do mitigation or stop traffic, even when it's coming in these massive flights. We still [allow] a lot of traffic to continue through the box; we have a feature called 'Mind Reading' which will still allow traffic to come through. With our IP reputation services, we can actually identify good traffic and continue to allow that into the system, and be somewhat uninterrupted. Under a very heavy stress attack, it is going to slow things down for these customers, but at least the traffic will continue to go through until the event is complete.
We also do recommend for customers that are worried about very large attacks, to continue [using] the DDoS protections that their ISP provider has, but to put in a hardware-based appliance so they have a sophisticated layer seven attack prevention.
FIELD: What makes your solution, FortiDDoS, better than what they offer?
BYERS: We do have [a] behavior-based model, everything with us is 100 percent behavior-based. We can detect the smallest of attacks, and even zero day attacks, that haven't been identified. We watch all services automatically and react to any anomalies that crop up. Most of the DDoS service providers offer layer seven, however many are signature-based and they'll need to know about the parameters of the attacks [to be] able to block it. Some do have behavioral-based tools, but they are not as sophisticated and granular for every possibility and nuance, and they do require software sensor [installation] in the customer's data center in order to be able to report back to the DDoS mitigation or service provider to stop a threat.
FortiDDoS can react in as little as five seconds to an attack. Signature systems, even with the behavior back-ups they have, still take around 30 seconds for a service provider to fully mitigate an attack. Service-based solutions usually quarantine traffic through redirection before mitigating it, and this sometimes adds additional delays to stop an attack; whereas FortiDDoS will begin the mitigation as soon as it detects it after five seconds, and within another five seconds the attack is stopped. FortiDDoS can also be configured and customized much more easily to work with a DDoS service provider. They don't offer as many configuration options, especially when it comes to layer seven attacks. Finally, most DDoS service providers charge more for layer seven, or require expensive enterprise plans. We include it in FortiDDoS at no extra cost, so you get full layer three, four, and seven protection.
Extra Device Management
FIELD: You hear often that management of an extra device is an issue with data center managers. How do you counter that argument?
BYERS: Any time you add an additional device to a network, you're adding extra complexity. Some people actually try to get around this; they'll try and squeeze as much functionality out of a device, such as firewalls and intrusion protection systems. Some of those do offer DDoS protections, but they really don't have a layer seven protection and [are] easily overwhelmed by a bulk layer three or layer four attack. A DDoS service provider still adds complexity. It's not just a service you sign up to and give them your credit card; you still have to actually manage the service, and if you're using a layer seven protection you are going to have to manage the software and elements that are installed on your network. FortiDDoS was designed to be easy to set up and manage. It has automated scanning tools and standardized defaults that make it really simple [and] easy to install. The learning we have [can] literally, within minutes, build a baseline profile and begin protecting against even the most sophisticated attacks. We don't use signatures, as I mentioned before, so there is really no updating that has to be done to the box. I want to use the term "set it and forget it"; that's kind of the model that we have built with this.
FIELD: How do you justify or validate the cost versus that of a hosted DDoS prevention service?
BYERS: A DDoS appliance does require an upfront purchase, and some can be very expensive. Even the expensive ones, though, do have a payback period when you look out two to three years. Sort of like $15 to rent the cable modem, versus buying one for $150. FortiDDoS models are less than half the price of hardware-based competitive solutions, and generally take about 10 to 12 months to break even compared to most DDoS service providers when you look at their enterprise plans. That's not even taking into account the overage fees that most service providers tag on. It's like that $15 cable modem becomes a $50-a-month cable modem because you are using it too much. So would you rather pay one price, or wait to see how much your bill is going to be each month?