Firewall vendor Fortinet introduced a series of high-performance DDoS protection appliances for enterprises and service providers.
The Fortinet distributed denial-of-service (DDoS) protection appliances use behavioral analysis exclusively to detect DDoS attacks, making them ideal for catching DDoS traffic aimed at the application and protocol layers. While volumetric DDoS attacks that exceed 300 Gbps garner attention in the technology press, subtler attacks on applications are becoming more common and require behavioral analysis.
"[Behavioral analysis is] important for DDoS protection, especially as you look at the Layer 7 attacks that aren't loud and that kind of fly below the radar," said John Grady, research manager for Framingham, Mass.-based IDC. "It's difficult to pick those up with signatures. You have to dig into the traffic more and figure out if it's machine-generated."
The Fortinet DDoS protection appliances rely on a single-path application-specific integrated circuit (ASIC) for both detection and mitigation, enabling low-latency protection. Many DDoS protection vendors forward some of that processing to a general-purpose CPU, which adds latency to a box, said Mark Byers, director of product marketing for Fortinet. Distributing packet processing across an ASIC and a CPU is also a potential vulnerability, he added.
"With multiple events, an attack can create a bug on the DDoS device itself by injecting code as traffic is passed back and forth between processors. That traffic is vulnerable," he said.
"They've obviously banged the drum on the ASIC front for quite a while," Grady said. "Performance has been an issue [for DDoS protection]. It's part of the reason you've seen such an increase in cloud services. On-premises equipment hasn't been able to keep up. The goal is zero downtime, so the ability to truly sit inline and instantaneously mitigate an attack [with low latency] is incredibly important to everyone, but especially organizations that derive revenue from the Web."
Grady said Fortinet is one of the first vendors to offer this single-pass processing on its DDoS appliances.
Fortinet DDoS protection appliances answer call for on-premises appliances
On-premises DDoS protection is becoming more important for enterprises, but it requires more powerful products. Consequently, Fortinet, like some other vendors, is transitioning away from offering DDoS protection as a service on multipurpose network security and application delivery appliances. Instead, it is offering dedicated high-performance appliances engineered to handle increasingly sophisticated attacks.
Grady said IDC recommends enterprises adopt a hybrid approach to DDoS, using cloud-based and hosted DDoS protection to catch volumetric attacks and deploying dedicated appliances within their data centers to catch more evasive attacks aimed further up the stack.
"The cloud model doesn't always lend itself to being the sole protection against DDoS," Grady said. "A lot of these cloud services are expensive, especially a fully hosted solution where traffic is directly routed through a provider. Your cloud provider may not be looking at traffic and [may] have a better chance of seeing attacks, but you're paying an enormous amount of money to have that [routing] done. Most organizations have a manual method to reroute that traffic, but they have to know about the attack, and there is too big a time lag in making the change. Being able to have that Layer 7 visibility and real-time visibility into reasonably sized volumetric attacks [on-premises] is important to companies that rely on the Web for revenue."
Fortinet is offering four DDoS protection appliances: the FortiDDoS 400B, 800B, 1000B and 2000B. Performance on the boxes ranges from 4 to 24 Gbps of full-duplex throughput with support for simultaneous sessions ranging from 1 million to 6 million. The boxes are shipping today and their list price starts at $40,000.