DDoS attack mitigation with WANGUARD Filter

OVERVIEW: The Filter component included in WanGuard is an anti-DDoS traffic analyzer and intelligent firewall rules generator designed to protect networks from internal and external threats (availability attacks on DNS, VoIP, Mail and similar services, unauthorized traffic resulting in network congestion). It includes sophisticated traffic analysis algorithms that are able to detect and side-filter malicious traffic in a granular manner, without impacting the user experience or resulting in downtime.

The Filter can be used only in conjunction with a Flow Sensor (for NetFlow, sFlow, jFlow or IPFIX) or a Packet Sensor (for in-line servers, port mirroring or network TAPs).

KEY FEATURES AND BENEFITS:
  • Management and reporting through a single web-based Console with a unified, holistic presentation
  • Analyzes IP packets (incl. VLAN and MPLS traffic) and/or NetFlow, sFlow and IPFIX flow data
  • Defends against known, unknown and evolving DoS, DDoS and other volumetric attacks by filtering dynamically any combination of source and destination IPv4 or IPv6 addresses, source and destination TCP ports, source and destination UDP ports, IP protocols, invalid IP headers, ICMP types, common Time To Live values, packet lengths, etc.
  • Recognizes and blocks malicious traffic in under 5 seconds
  • Does not block or blacklist valid customer traffic
  • Does not require network baseline training or operator intervention
  • Stateless operation designed to work with asymmetric routing
  • Per-endpoint flexible threat management tools and an easy-to-use API for scripting the reaction to attack patterns:
    • Alert your NOC, customer or the ISP of the attacker using user-defined email templates
    • Send custom Syslog messages to remote log servers or SIEM systems
    • Capture a sample of the attacker's traffic for forensic investigation and legal evidence
    • Execute your own scripts that extend the built-in capabilities:
      • Configure ACLs or execute PIX "shun" commands on routers or firewalls
      • Filter attacking IP addresses by executing “route blackhole” commands on Linux servers
      • Send SNMP TRAP messages to SNMP monitoring stations, etc.
  • Supports multiple packet filtering backends:
    • Software filtering using the NetFilter framework provided by the Linux kernel
    • Hardware-based filtering on 1/10 Gbps network cards with Intel's 82599 chipset (Intel X520 NIC, Intel X540 NIC, HP 560 NIC, other vendors), or better
    • Hardware-based filtering on 10/40 Gbps Chelsio T4 or T5 network adapters
    • Dedicated firewalls and IPSes using helper scripts
  • The cleaning server can be deployed in-line or can scrub malicious traffic by BGP off-/on-ramping
  • The cleaned traffic can be re-injected downstream into the network with static routing or GRE/IPIP tunnelling
  • Easy and non-disruptive installation on common server hardware
  • The most affordable on-premise Anti-DDoS protection and DDoS mitigation software solution on the market
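The scripting hooks listed above (running "route blackhole" commands on Linux servers, or driving the NetFilter software backend) can be exercised with a reaction script like the one below. It is an added illustration, not code from WanGuard or Andrisoft: the `add|del <attacker-ip>` argument convention and the `BACKEND` and `DRY_RUN` environment variables are assumptions, not the Filter's real API, and the addresses used are constructed documentation-range values. The point it demonstrates is that the attacker address handed to such a script originates in attack traffic, so it is validated before it is placed on any command line.

```shell
#!/bin/sh
# Added example (not Andrisoft's code): a reaction script of the kind the
# Filter can execute per attack pattern. Assumed calling convention:
#   ddos-reaction.sh add|del <attacker-ip>
# The real Filter passes attack parameters through its own API; the argument
# order and the BACKEND / DRY_RUN variables used here are assumptions.

BACKEND="${BACKEND:-route}"   # route = ip(8) blackhole route, netfilter = iptables DROP
DRY_RUN="${DRY_RUN:-0}"       # 1 = print the command instead of executing it

# Returns 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Syntactic sanity check for IPv6: hex digits and colons only, at most one "::".
# This only guarantees the value is safe to put on a command line; ip(8) and
# ip6tables still perform the full parse and reject anything malformed.
is_ipv6() {
    case "$1" in
        *[!0-9A-Fa-f:]*|'') return 1 ;;
        *:*) ;;
        *) return 1 ;;
    esac
    [ "${#1}" -le 39 ] || return 1
    rest="${1#*::}"
    case "$rest" in *::*) return 1 ;; esac
    return 0
}

# Builds the mitigation command for action $1 (add|del) and address $2.
# Prints it on stdout; returns 1 without printing if any input is invalid.
build_cmd() {
    action="$1"; addr="$2"
    if is_ipv4 "$addr"; then fam=4; plen=32
    elif is_ipv6 "$addr"; then fam=6; plen=128
    else return 1
    fi
    case "$action" in add|del) ;; *) return 1 ;; esac
    case "$BACKEND" in
        route)
            # A blackhole route discards replies to the source; with strict
            # rp_filter enabled, packets arriving from that source drop too.
            verb=replace; [ "$action" = del ] && verb=del
            printf 'ip -%s route %s blackhole %s/%s\n' "$fam" "$verb" "$addr" "$plen" ;;
        netfilter)
            # INPUT chain suits the "critical services" scenario where the Filter
            # runs on the protected host itself; use FORWARD on an in-line router.
            tool=iptables; [ "$fam" = 6 ] && tool=ip6tables
            flag=-I; [ "$action" = del ] && flag=-D
            printf '%s %s INPUT -s %s -j DROP\n' "$tool" "$flag" "$addr" ;;
        *) return 1 ;;
    esac
}

# Runs (or, with DRY_RUN=1, prints) the command and records it in syslog.
react() {
    cmd=$(build_cmd "$1" "$2") || { printf 'ddos-reaction: rejected input\n' >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    # Unquoted expansion is intentional: the string is built only from
    # validated fields, so word splitting yields exactly the intended argv.
    $cmd
    if command -v logger >/dev/null 2>&1; then
        logger -t ddos-reaction "$cmd"
    fi
}

# Usage: DRY_RUN=1 ./ddos-reaction.sh add 203.0.113.7
if [ "$#" -ge 2 ]; then
    react "$1" "$2"
fi
```

`ip route replace` is used for the add case so that a repeated alert for the same source does not fail on an already-present route; the netfilter path has no such idempotent form, so a production script would check `iptables -C` before inserting. Whichever backend is chosen, the script is executed as root by the Filter, which is exactly why the address is validated rather than interpolated straight into a shell command.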
DEPLOYMENT SCENARIOS:
  • Side filtering. The Filter sends a BGP routing update to a border router (route reflector) that sets the Filter's server as the next hop for the suspect traffic. The cleaned traffic is routed back into the network.

    [Figure: DDoS Defense Topology]
  • In-line routing. The Filter runs on a server that resides in the main data path, configured as a Linux router.
  • In-line network bridging. The Filter runs on a server that resides in the main data path, configured as an OSI Layer 2 Linux network bridge.
  • Out-of-line monitoring. The Filter runs on a server that receives a copy of packets from a network TAP or a mirroring port. Direct filtering is not possible, but the Filter is still able to generate filtering rules that improve the visibility of attacks and can be applied on other in-line appliances.
  • Critical services. The Filter runs as a service on each server that provides critical services. The filtering rules are applied on the local firewall.

MINIMUM SYSTEM REQUIREMENTS:

                     1 Gbps mitigation                    10 Gbps mitigation
Deployment Type:     In-line or out-of-line deployment    Out-of-line deployment recommended
CPU:                 2.5 GHz dual-core Xeon               2.8 GHz quad-core Xeon
RAM:                 2 GB                                 8 GB
Network Cards:       2 x Gigabit Ethernet                 1 x 10 GbE card (Chelsio T4 or T5, Intel 82599 chipset or better)
                                                          1 x Gigabit Ethernet
Operating System:    Red Hat / CentOS 6 or 7,             Red Hat / CentOS 6 or 7,
                     Debian Linux 6 or 7,                 Debian Linux 6 or 7,
                     Ubuntu Server 12 or 14, OpenSUSE 13  Ubuntu Server 12 or 14, OpenSUSE 13
Disk Space:          10 GB (including OS)                 10 GB (including OS)

PACKET FILTERING & FORWARDING PERFORMANCE:
The traffic-filtering methods directly supported by the Filter complement each other performance-wise and feature-wise:
  • The software firewall is very flexible, but not fast enough on common hardware to filter a full 10 GbE link flooded with small packets. The software filtering performance depends on many parameters, such as: CPU type/speed/cache, Linux kernel version, NIC chipset, NIC driver, attack type, server load, routed traffic size, multi-core balance of hardware interrupts, number of existing rules, multi-queue settings, etc.
  • The hardware packet filter is able to drop 10G traffic at wire-speed, inside the network adapter's chipset, without using the CPU of the server. Only a subset of the filtering rules can be applied on it, so it might not be as efficient as the software firewall against all types of attacks.
The stateless operation of the Filter ensures detection and mitigation of volumetric attacks that may cripple even the most powerful stateful devices, such as firewalls, Intrusion Detection Systems (IDS) or Intrusion Protection Systems (IPS). The disadvantage of the stateless operation is that the Sensor and Filter are unable to detect and block non-volumetric application-layer (OSI Layer 7) attacks, unlike traditional IPSes. The Filter should be installed on the network's entry points, before other stateful devices.

To increase the packet filtering capacity to 40 Gbit/s, 100 Gbit/s or more, you can cluster multiple Packet Filters deployed on different servers with 10 Gbit/s network adapters. To split the traffic you can use a hardware load balancer or equal-cost multipath routing.
When a DDoS attack saturates the uplink bandwidth or is above the capacity of the filtering server(s), the Sensor is able to BGP black-hole/null-route the attacked destinations.

ADDITIONAL INFORMATION:
You can download and use the Filter for 30 days by requesting an evaluation license.
WanGuard Filter licenses can be purchased through the online store.
The answers for several frequently asked questions are listed in the Knowledge Base.
If you need any further information, do not hesitate to contact us.