Huawei Anti-DDoS Solution V-ISA Technical White Paper


V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

Key Points:
1) DDoS attacks are more prone to targeting the application layer.
2) Traditional attack detection and defensive measures fail to defend against these types of DDoS attacks.

Executive Summary:
The fast-growing prosperity of cloud computing is accompanied by a surge in Internet services as well as in DDoS attacks and their variants. DDoS attacks are more prone to targeting the application layer, especially web and DNS services, and are launched mainly out of malicious competition. Profitable online services are allegedly undergoing more and longer attacks, according to Huawei Cloud Security Center.
Currently, various evasion techniques are used on botnets to keep them alive longer. Typical techniques are the domain generation algorithm (DGA) and Fast-flux, which quickly replace the C&C server IP address. The common defensive measure of shutting down the C&C server (the source of attacks) does not work effectively against DDoS attacks launched using botnets. Since traditional attack detection and defensive measures fail to defend against new types of DDoS attacks, there is rapidly growing demand for new defensive measures that provide accurate detection and correct identification of attacks.


Trend of DDoS Attacks

Trends:
1) Application services are suffering more DDoS attacks with light traffic and low speed.
2) DDoS attacks are becoming increasingly complex.

1. Application services are suffering more DDoS attacks with light traffic and low speed.
Carrier networks and their basic architecture and infrastructure have historically been the target of DDoS attacks. More recently, Internet applications and services, such as enterprise websites, online shopping, streaming services, online gaming, DNS, and email, have increasingly become prime targets of DDoS attacks. Web-targeted DDoS attacks have accounted for over 87.11% of DDoS attacks, according to the latest security report released by Huawei. Hackers have been seen to prefer more elusive attacks requiring lower bandwidth and lighter traffic, because they can achieve their attack goals while keeping costs low.
By exploiting weaknesses of commonly used flow detection techniques, application-targeted attacks with light traffic and low bandwidth are prevailing. Packets have to be verified one by one to detect DDoS attacks at the application layer.
2. DDoS attacks are becoming increasingly complex.
More simulated HTTP attacks: Before launching attacks, hackers usually select web servers and perform tests to discover their vulnerabilities. They then exploit these vulnerabilities by repurposing ghost servers and resources to exhaust the system's computing resources. While achieving the attack effect, they hide the attack sources by instructing botnet computers to send normal-looking requests to the web servers through proxy servers. Such attacks have a relatively low access rate, but a sufficiently large volume of access requests will exhaust the server's computing resources and consequently result in a denial of service.
Traditional defense technologies such as source detection and proxies cannot effectively counter such attacks; a source reputation assessment system can, handling such attacks with high efficiency and precision.
Minnow-for-whale DNS Cache Miss attack: Second to web-targeted DDoS attacks in terms of popularity, DNS-targeted DDoS attacks are launched by sending a large volume of queries for non-existent domain names to the DNS server in order to increase its workload. Legitimate queries to the DNS server can then no longer be answered from the cache, and domain name resolution fails. DNS-targeted attacks are intended to hit the authoritative DNS servers used by online services. Such attacks lead to online service failures and also bring down other Internet services that depend on domain name resolution. This form of attack has the largest scope of impact, severely affecting services and infrastructure down to the most basic architecture of the Internet. The Kmplayer event in 2009 is a typical example of a DNS Cache Miss attack.
To effectively defend against DNS-targeted attacks, both proactive and responsive countermeasures should be taken, such as attack detection and analysis based on source reputation, session reputation, and behavior analysis.


Insufficiency of traditional defenses against new DDoS attacks

Insufficiency of traditional defenses, technical:
1) Maintaining a good user experience while eliminating terminal misjudgment makes defense against HTTP attacks extremely difficult.
2) Identification of spoofing sources is hard for DNS Cache Miss attack defense.
3) Insufficient session techniques can hardly detect light-traffic attacks.

1. Maintaining a good user experience while eliminating terminal misjudgment makes defense against HTTP attacks extremely difficult.
Defending against HTTP attacks aimed at e-commerce websites must avoid terminal misjudgment while eliminating all impact on user experience. Presently, techniques such as URL redirection and code verification are commonly used to defend against HTTP attacks. However, the web page displayed during verification cannot carry any information, which impacts user experience. Most importantly, many users access e-commerce systems using their smartphones because of their high mobility and availability. Smartphones, however, do not completely implement the HTTP application protocol stack and in most cases do not support redirection. This means that such a common defensive measure may interrupt or completely prevent access by mobile terminal users. Aware of this prominent vulnerability, hackers may launch attacks disguised as mobile smart terminals, knowing that DDoS attacks targeting mobile web applications are harder to defend against. To accurately identify HTTP attacks while maintaining a good user experience, other countermeasures such as smart terminal identification, application-layer IP reputation, and session analysis must be implemented.
2. Identification of spoofing sources is hard for DNS Cache Miss attack defense.
DNS queries are carried over UDP, which is connectionless, and this presents a challenge in defending against DNS Cache Miss attacks. A common countermeasure against DNS Cache Miss attacks is to change UDP requests into TCP requests in order to verify the sources. However, as seen on live networks, most DNS clients do not support TCP, so this countermeasure is not practically applicable. If a hacker launches a Cache Miss attack at the authoritative DNS server by simulating or using a real DNS caching server, defending against such an attack will be extremely difficult. An effective source reputation mechanism is required, such that source reputation is analyzed for an ongoing session to distinguish between unauthorized and authorized accesses.
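As an added example serving both DNS Cache Miss passages above (the attack description and the source reputation requirement here), the following Python keeps a per-source reputation from query outcomes; it is not Huawei's code, and the thresholds, the NXDOMAIN/name-churn scoring and the query log are assumptions constructed for the example.

```python
"""Per-source reputation for DNS Cache Miss (NXDOMAIN flood) detection.
Added illustration, not code from the white paper. Each source IP accumulates
query, NXDOMAIN and distinct-name counts; after a minimum number of queries a
source whose miss ratio and name churn both exceed the thresholds is marked
suspicious, while a source with a record of answered queries keeps a good
reputation. The query log below is constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceStats:
    queries: int = 0
    misses: int = 0                              # responses with RCODE NXDOMAIN
    names: set = field(default_factory=set)      # distinct QNAMEs seen


class DnsSourceReputation:
    def __init__(self, min_queries=20, max_miss_ratio=0.8, max_churn=0.9):
        self.min_queries = min_queries
        self.max_miss_ratio = max_miss_ratio     # share of queries answered NXDOMAIN
        self.max_churn = max_churn               # distinct names / queries
        self.stats = defaultdict(SourceStats)

    def observe(self, src, qname, rcode):
        """Record one query/response pair seen from `src`."""
        s = self.stats[src]
        s.queries += 1
        s.names.add(qname.lower())
        if rcode == "NXDOMAIN":
            s.misses += 1

    def verdict(self, src):
        """'unknown' until enough queries, then 'good' or 'suspicious'."""
        s = self.stats[src]
        if s.queries < self.min_queries:
            return "unknown"
        miss_ratio = s.misses / s.queries
        churn = len(s.names) / s.queries
        if miss_ratio > self.max_miss_ratio and churn > self.max_churn:
            return "suspicious"                  # random non-existent names
        return "good"                            # mostly answered, repeated names


def build_sample_log():
    """Constructed traffic: a resolver repeating real names with an occasional
    miss, and a source flooding random labels that never resolve."""
    log = []
    for i in range(30):
        name = ["www.example.com", "mail.example.com", "cdn.example.com"][i % 3]
        log.append(("192.0.2.10", name, "NOERROR" if i % 10 else "NXDOMAIN"))
    for i in range(40):
        log.append(("203.0.113.5", f"x{i:05d}.example.com", "NXDOMAIN"))
    return log


def score_sources(log):
    """Feed a log of (src, qname, rcode) and return each source's verdict."""
    rep = DnsSourceReputation()
    for src, qname, rcode in log:
        rep.observe(src, qname, rcode)
    return {src: rep.verdict(src) for src in rep.stats}
```

A source with a "suspicious" verdict is the candidate for the session-level source authentication the paper calls for, rather than an immediate block.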
3. Insufficient session techniques can hardly detect light-traffic attacks.
Among botnet-based DDoS attacks, light-traffic attacks are the hardest to defend against. They usually carry genuine IP addresses and exploit application access vulnerabilities (after completing the three-way handshake with the application server). Such attacks can only be detected through ongoing session monitoring and user behavior analysis. Detecting and eliminating such attacks requires more precise defenses and better performance from security devices than common attacks do. At this moment, no vendor provides sufficient session monitoring techniques capable of detecting and defending against light-traffic attacks.

Huawei V-ISA Reputation Mechanism, a Powerful Technique to Defend Against New DDoS Attacks

Huawei V-ISA Reputation Mechanism:
1) Multi-tenant-based anti-DDoS and operation.
2) IP reputation-based defense against DDoS launched by botnets.
3) Session reputation-based defense against low-rate attacks.
4) Behavior reputation-based defense against application attacks.

Based on professional software and hardware platforms with traditional competitive edges, the Huawei anti-DDoS solution introduces the first V-ISA reputation security system in the industry and a unique anti-DDoS product featuring advanced detection mechanisms, all while delivering over 100 Gbit/s of performance on a single device. This solution provides a powerful tool for carriers, enterprises, and data centers to accurately defend against new DDoS attacks.
1. Working mechanism of the V-ISA
In most cases, the system learns the characteristics of Layer-3, Layer-4, and Layer-7 traffic and sets up service access models for the protected IP addresses, including service access models of sources. The system then compares traffic statistics with these service models to detect anomalies. To avoid any impact on customer experience, the system gives bonus points to the top N traffic sources with good reputations during traffic model learning. When a security event occurs, the solution ensures that access from users with a good reputation is permitted, and reputation authentication, behavior analysis, and session reputation are used to identify suspicious sources that exceed the source access baseline. Identifiable attacks include botnet attacks with forged or real sources and low-rate attacks simulating access from legitimate users. With the V-ISA reputation security mechanism, no legitimate access is blocked and no attacks are permitted.

2. Components of the V-ISA reputation security system
In the Huawei V-ISA reputation detection system:
V, short for Virtual, indicates that the Huawei anti-DDoS system can implement security protection and operation in a cloud computing multi-tenant scenario;
I, short for IP, indicates that the system provides IP reputation-based botnet defense;
S, short for Session, indicates that the system provides session reputation-based low-rate attack defense;
A, short for Application, indicates that the system provides behavior reputation-based application attack defense.

Multi-tenant-based anti-DDoS and operation: The Zone concept of the Huawei anti-DDoS system echoes the tenant concept of cloud computing. The system provides customized defense policies, defense thresholds, and reports, supports the regular sending of customized reports, and provides a report self-service portal.

IP reputation-based defense against DDoS launched by botnets: Based on botnet detection technologies and anti-DDoS blacklists, the system generates a "zombie" IP address database. From the active time of IP addresses, the system can tell when zombies are activated. The system then adds the active IP addresses to the address list to filter malicious traffic.
This technology filters out malicious traffic without source authentication, so that authentication does not affect legitimate services. In addition, the direct filtering technology provides a vantage point from which to defend against mobile botnets, since the traditional authentication scheme is inadequate for them.
To prevent detrimental impacts on customer experience, the Huawei anti-DDoS system employs a customer reputation mechanism. Before attacks are launched, the system adds the IP addresses of customers with large volumes of traffic and legitimate behaviors to an IP reputation list to ensure that traffic generated by these customers is rapidly forwarded. When used for mobile application and e-commerce website protection with mobile terminal access, this technology not only improves the defense efficiency but also lowers the number of false positives to the lowest extent possible today.

Session reputation-based defense against low-rate attacks: Low-rate attacks target TCP applications. These attacks are launched by a massive number of zombies, each sending a small volume of traffic, resulting in low traffic rates that are not easy to detect. Typical representatives include SSL-DoS/DDoS, HTTP slow headers/POST attacks, HTTP retransmission, and Sockstress attacks. The Huawei anti-DDoS system sets up a session table for all suspicious sources that pass source authentication and are therefore not forged sources, records session indicators for these sources, analyzes abnormal behavior statistics, and proceeds to block packets from these sources if their anomaly counts exceed the predefined limit.
This anti-DDoS system features accurate differentiation between infected traffic and legitimate traffic without returning any false positives or false negatives, detecting attacks that competing vendors are unlikely to detect. Huawei is one of the few vendors that provide a complete session defense mechanism capable of detecting anomalies in ongoing sessions.

Behavior reputation-based defense against application attacks: This behavior-based defense technology works by analyzing and comparing the patterns generated by user and zombie behaviors. The resources accessed by legitimate users have no specific order and their access frequency is random. Zombie behaviors, however, are designed, ordered and have specific targets, so the accessed resources and the access frequency are fixed. Although the rate of a single source may be low, the aggregate QPS is high.

[Figure: Source authentication. Stage 1, whitelist and blacklist: lists built from session reputation and source authentication results filter off previously identified attack packets at high performance. Stage 2, first packet drop: the AntiDDoS device drops the client's first SYN and records simple information; a second SYN is matched against that record (no match for spoofed sources); this filters off 80% of fake-source attack packets. Stage 3, cookie bounce: the AntiDDoS device replies with a SYN ACK carrying a wrong SEQ and verifies the source by the client's RST reply, with no reply from N spoofed links; this filters off 10% of repeated fake-source attack packets and avoids full-traffic bounce authentication, saving bandwidth. Verified clients then complete the TCP handshake and data transfer.]

[Figure: Session reputation. Operation by list and session record: per session, statistics on the portion of session packets relative to data transmission packets over N data packets (normal versus over high); a whitelist is generated for the top N sessions and session credits are generated; this filters off 10% of true-source attack packets.]
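As an added illustration of the three stages in the source authentication figure (list lookup, first-packet drop, cookie bounce), the following Python models the decision logic; it is not Huawei's implementation, and the packet fields, the HMAC cookie derivation and the retransmission window are assumptions. The figure's "SYN ACK with wrong SEQ" is modelled as a SYN-ACK whose acknowledgment number does not match the client's SYN, which a real TCP stack answers with a RST carrying that number.

```python
"""Model of the source authentication pipeline in the figure above:
list lookup, first-packet drop, then cookie bounce. Added illustration,
not Huawei's implementation; packet fields, cookie derivation and the
retransmission window are assumptions. A real TCP stack that receives a
SYN-ACK acknowledging a number it never sent answers with a RST whose SEQ
equals that ACK number, so the RST proves the source address is genuine."""
import hashlib
import hmac

SECRET = b"example-device-secret"          # assumed per-device secret


def cookie(src, sport, dst, dport):
    """Unpredictable ACK number bound to the flow (assumed derivation)."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SourceAuth:
    def __init__(self, retrans_window=6.0):
        self.whitelist, self.blacklist = set(), set()
        self.pending = {}                    # flow -> time its first SYN was dropped
        self.window = retrans_window

    def handle(self, pkt, now):
        """Decide what to do with one inbound packet dict at time `now`."""
        src = pkt["src"]
        if src in self.blacklist:
            return "drop:blacklist"          # stage 1: previously identified attacker
        if src in self.whitelist:
            return "forward"                 # stage 1: authenticated or trusted source
        flow = (src, pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "SYN":
            seen = self.pending.get(flow)
            if seen is None or now - seen > self.window:
                self.pending[flow] = now
                return "drop:first-syn"      # stage 2: spoofed sources never retransmit
            return f"synack:ack={cookie(*flow)}"  # stage 3: bounce a wrong-ACK SYN-ACK
        if pkt["flags"] == "RST" and pkt.get("seq") == cookie(*flow):
            self.pending.pop(flow, None)
            self.whitelist.add(src)          # the RST echoed our cookie
            return "authenticated"
        return "drop:unauthenticated"


def simulate():
    """Constructed traffic from a spoofed, a replaying and a real client."""
    auth = SourceAuth()

    def pkt(src, flags, seq=None):
        p = {"src": src, "sport": 40000, "dst": "198.51.100.7", "dport": 80, "flags": flags}
        if seq is not None:
            p["seq"] = seq
        return p

    out = {"spoofed": [auth.handle(pkt("203.0.113.9", "SYN"), 0.0)]}
    out["replay"] = [auth.handle(pkt("203.0.113.10", "SYN"), 0.0),
                     auth.handle(pkt("203.0.113.10", "SYN"), 1.0)]
    real, c = "192.0.2.33", cookie("192.0.2.33", 40000, "198.51.100.7", 80)
    out["real"] = [auth.handle(pkt(real, "SYN"), 0.0), auth.handle(pkt(real, "SYN"), 1.0),
                   auth.handle(pkt(real, "RST", c), 1.1), auth.handle(pkt(real, "SYN"), 1.2)]
    return out
```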

Behavior analysis + session reputation, complete and effective

As long as the model is correct, the behavior analysis technology has no adverse impact on user experience. In most cases, behavior analysis is used together with session reputation and source authentication to enhance defense accuracy. For example, behavior analysis can detect attack sources that pass transport-layer source authentication but have abnormal TCP packet rates. To protect an HTTP server on a fixed network, source behavior analysis can be configured to redirect the packets that exceed the source access baseline. Similarly, in the DNS defense scenario, behavior analysis can be configured to detect DNS servers under attack and work with source authentication on the suspicious sources to minimize the impact on legitimate user accesses. In conclusion, a complete behavior analysis involves multi-dimensional analysis and usually needs to work together with source authentication. Consequently, it places high requirements on device performance. Due to the high costs of development and limited security capabilities, most security vendors are unable to produce anti-DDoS products capable of conducting fine-tuned behavior analysis, which prevents them from delivering a world-class defense against attacks. Huawei anti-DDoS devices employ the industry-leading distributed multi-core architecture and integrate four high-performance CPUs on each SPU to deliver 10 Gbit/s application-layer behavior analysis capability, which sets them in a class of their own, delivering a world-class, complete anti-DDoS defense suite.
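As an added example (not Huawei's behavior model), the following Python scores each source the way the behavior reputation description above puts it: legitimate users request resources in no fixed order at irregular times, zombies repeat the same resource at a fixed frequency with a low per-source rate but a high aggregate QPS. The entropy and regularity thresholds and the access log are constructed assumptions.

```python
"""Behavior analysis over per-source HTTP access records. Added illustration,
not Huawei's behavior model: as the white paper describes, legitimate users
request resources in no fixed order at irregular times, while zombies repeat
the same resources at a fixed frequency. Each source is scored on path entropy
and inter-request regularity; flagged sources' aggregate QPS per path is
reported. The access log is constructed for the example."""
import math
import random
from collections import Counter, defaultdict


def path_entropy(paths):
    """Shannon entropy (bits) of the requested-path distribution; 0 = one path."""
    n = len(paths)
    return -sum(c / n * math.log2(c / n) for c in Counter(paths).values())


def interval_cv(times):
    """Coefficient of variation of inter-request gaps; ~0 means clockwork timing."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return float("inf")
    mean = sum(gaps) / len(gaps)
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return math.sqrt(var) / mean if mean else float("inf")


def analyze(log, min_requests=10, max_entropy=0.5, max_cv=0.2):
    """Return (sorted suspicious sources, aggregate QPS they put on each path)."""
    by_src = defaultdict(list)
    for ts, src, path in sorted(log):
        by_src[src].append((ts, path))
    suspicious = set()
    for src, recs in by_src.items():
        if len(recs) < min_requests:
            continue                      # too few requests to judge
        times, paths = [r[0] for r in recs], [r[1] for r in recs]
        if path_entropy(paths) <= max_entropy and interval_cv(times) <= max_cv:
            suspicious.add(src)           # fixed target at a fixed frequency
    hits = [(ts, path) for ts, src, path in log if src in suspicious]
    qps = defaultdict(float)
    if hits:
        span = max(t for t, _ in hits) - min(t for t, _ in hits) or 1.0
        for _, path in hits:
            qps[path] += 1.0 / span       # low per-source rate, high in aggregate
    return sorted(suspicious), dict(qps)


def build_sample_log(seed=7):
    """Constructed log: 3 browsing users, 50 zombies hitting one search URL every 2 s."""
    rng = random.Random(seed)
    pages = ["/", "/catalog", "/item/42", "/cart", "/search?q=shoes"]
    log = []
    for u in range(3):
        t = 0.0
        for _ in range(20):
            t += rng.uniform(0.5, 8.0)
            log.append((t, f"192.0.2.{u + 1}", rng.choice(pages)))
    for z in range(50):
        start = rng.uniform(0.0, 2.0)
        for k in range(15):
            log.append((start + 2.0 * k, f"203.0.113.{z + 1}", "/search?q=shoes"))
    return log
```

Each zombie here sends only one request every two seconds, below any per-source rate limit, yet the flagged set together places roughly 25 requests per second on the one search URL.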

Conclusion
Empowered by the V-ISA reputation detection system, the Huawei anti-DDoS solution provides powerful and intelligent defense mechanisms with seven protection layers, specific to each of the seven OSI layers, for a complete anti-DDoS defense: deformed packet filtering, by-feature packet filtering, application-layer source authentication, source authentication, session analysis, behavior analysis, and smart rate limiting.
Deformed packet filtering: filters non-standard packets.
By-feature packet filtering: identifies attack traffic (by analyzing its unique fingerprint using Huawei-proprietary fingerprint learning and comparison algorithms) and filters packets by customized attributes such as IP addresses and ports.
Application-layer source authentication and source authentication: verify the source IP address and the intention of the access.
Session analysis and behavior analysis: check for features of DDoS attacks targeting TCP connections and applications. DDoS attacks usually have light traffic, a constant access frequency, and the same destination resource. These analysis techniques effectively defend against botnet DDoS attacks that are usually concealed by means of evasion.
Smart rate limiting: limits and controls heavy access traffic to ensure the availability of servers.
In all, the Huawei anti-DDoS solution provides complete DDoS defense by cleansing traffic layer by layer while maintaining consistent quality of user access.

References:
2013 Botnets and DDoS Attacks Report.pdf
http://enterprise.huawei.com/ilink/enenterprise/download/HW_315881
Huawei AntiDDoS Solution
http://enterprise.huawei.com/topic/AntiDDoS_2013_en/index.html

Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademark Notice
[logo], HUAWEI, and [logo] are trademarks or registered trademarks of Huawei Technologies Co., Ltd.
Other trademarks, product, service and company names mentioned are the property of their respective owners.

General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-032102-20131210-C-1.0
www.huawei.com
