Juniper Networks announced a set of improvements to its Juniper DDoS Secure solution to provide tighter integration into routing and service provider infrastructures with BGP Flowspec and GPRS Tunneling Protocol (GTP) protocols. The goal is to enable new forms of protection that can more effectively and efficiently mitigate a variety of DDoS attacks without restricting or impacting normal service.
Highlights of the announcement include:
Upstream Attack Mitigation
- DDoS Secure provides distributed enforcement at the network boundary that protects the edge equipment and the resources behind it from becoming overwhelmed, especially with larger and more challenging volumetric attacks.
- The solution scales DDoS mitigation by extending enforcement upstream to Juniper's MX at the edge, border or closest to the attack source, allowing only clean traffic to enter the network.
- As DDoS Secure continuously monitors inbound and outbound traffic, it can determine if a high-volume DDoS attack is underway and subsequently communicate with the MX router by publishing Flowspec rules to block the malicious traffic upstream.
- Flowspec provides the ability to take enforcement actions such as source-based black hole filtering to drop malicious packets or redirecting traffic to select network points for mitigation.
Accurate Enforcement on Mobile Networks with GTP Network Protocol Unwrap
- New capabilities protect against the growing problem that service providers face in detecting and mitigating malicious traffic originating from botnets exploiting users' devices.
- The ability to inspect different network protocols becomes a key enabler in identifying legitimate traffic.
- DDoS Secure provides visibility into malicious and/or errant mobile devices, identifying both User Equipment (UE) to UE and UE to Internet traffic.
- DDoS Secure's ability to inspect GTP packets and identify malicious endpoints allows service providers to enforce mitigation, maintain performance and protect their Radio Access Network (RAN) bandwidth.
- The new GTP packet unwrap capability allows DDoS Secure to identify inside-out bot attacks originating in the mobile service provider's access network. Botnet malware that enters mobile devices from home, at work or in the macro RAN can degrade legitimate user experience and also consume valuable mobile bandwidth.
DNS Inside-Out Attack Protection
- DDoS Secure protects the core DNS infrastructure from participating in DNS amplification and reflection attacks that are difficult to detect and can have disastrous effects on network availability.
- In these attacks, the DNS server can become the victim of a DNS attack or can be used to launch a DNS amplification attack on another server.
- DDoS Secure applies heuristics-based intelligence to automatically mitigate these attacks by black listing and rate limiting certain DNS requests. The solution can also generate a BGP Flowspec rule, allowing attack traffic to be blocked upstream at the MX.