A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted device, server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
Many network security tools (such as VPNs) use SSL/TLS encryption, which depends on TCP. This makes them vulnerable to TCP SYN floods, which fill session tables and cripple many off-the-shelf network stacks.
With CyberMesh, the Trust paths for the Cyber Gateways and SASE on endpoints use WireGuard encryption, which is more resistant to DoS attacks because it works at a lower layer of the network and uses two Message Authentication Codes (MACs), mac1 and mac2.
For example, in a TCP SYN flood attack, spoofed SYN packets will fail the WireGuard checks and will be dropped without making it to the TCP stack, as shown in the figure below.
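The mac1 check described above can be modelled as follows. This is an added example, not Exium or CyberMesh code, and it goes slightly beyond the text by applying the check to a WireGuard handshake initiation message. It assumes the 148-byte initiation layout and the `mac1----` label from the WireGuard protocol; the public key and packet bodies are constructed placeholder values, and mac2 (the cookie used under load) is not modelled.

```python
import hashlib
import hmac

LABEL_MAC1 = b"mac1----"   # label constant from the WireGuard protocol
INITIATION_LEN = 148       # fixed size of a handshake initiation message
MAC1_OFFSET = 116          # mac1 is bytes 116..131, mac2 is bytes 132..147
HEADER = b"\x01\x00\x00\x00"  # message type 1 followed by three reserved zero bytes


def compute_mac1(responder_public_key: bytes, covered: bytes) -> bytes:
    """Keyed BLAKE2s-128 over the message bytes that precede mac1."""
    key = hashlib.blake2s(LABEL_MAC1 + responder_public_key).digest()
    return hashlib.blake2s(covered, key=key, digest_size=16).digest()


def accept_initiation(datagram: bytes, responder_public_key: bytes) -> bool:
    """Cheap pre-filter: True only if the datagram may go on to the handshake."""
    if len(datagram) != INITIATION_LEN or datagram[:4] != HEADER:
        return False
    expected = compute_mac1(responder_public_key, datagram[:MAC1_OFFSET])
    return hmac.compare_digest(expected, datagram[MAC1_OFFSET:MAC1_OFFSET + 16])


def build_constructed_initiation(responder_public_key: bytes) -> bytes:
    """Constructed sample: zero-filled body, correct mac1, zero mac2 (no cookie)."""
    prefix = HEADER + bytes(MAC1_OFFSET - len(HEADER))
    return prefix + compute_mac1(responder_public_key, prefix) + bytes(16)


if __name__ == "__main__":
    server_key = bytes(range(32))            # constructed placeholder public key
    samples = {
        "knows server key": build_constructed_initiation(server_key),
        "wrong server key": build_constructed_initiation(bytes(32)),
        "zeroed MACs": HEADER + bytes(INITIATION_LEN - 4),
        "short junk": b"\x00" * 40,
    }
    for name, pkt in samples.items():
        verdict = "pass to handshake" if accept_initiation(pkt, server_key) else "drop silently"
        print(f"{name:18s} -> {verdict}")
```

Passing this filter only admits a datagram to the handshake itself; the zero-filled sample body would still be rejected there, since it is not a valid encrypted handshake payload.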
DDoS protection prevents malicious traffic from reaching its target, limiting the impact of the attack while allowing normal traffic to get through for business as usual, benefiting both users and IT teams.
A volumetric attack sends a high volume of traffic, or request packets, to a targeted network in an effort to overwhelm its bandwidth capabilities. CyberMesh uses Machine Learning (ML) and performs IP/port analysis to determine whether a traffic spike is a possible DDoS attack, as shown in the figure below.
CyberMesh DDoS protection secures networks and applications while ensuring that the performance of legitimate traffic is not compromised.
| Your Needs | The CyberMesh Solution |
| --- | --- |
| Secure users and apps from volumetric attacks | A volumetric attack sends a high volume of traffic, or request packets, to a targeted network in an effort to overwhelm its bandwidth capabilities. CyberMesh uses Machine Learning (ML) and performs IP/port analysis to determine whether a traffic spike is a possible DDoS attack. |
| Protect your infra/servers from SYN flood attacks | With CyberMesh, the Trust paths use WireGuard, which is more resistant to SYN flood attacks because it works at a lower layer of the network. In a TCP SYN flood attack, spoofed SYN packets will fail the WireGuard check and will be dropped without making it to the TCP stack. |
| Protect endpoints from DDoS attacks | Exium agents on endpoints use the WireGuard protocol, which is supposed to be abuse-resistant by virtue of its use of two MACs (mac1 and mac2). |
| Protection from UDP flood attacks | CyberMesh drops all UDP traffic not related to the WireGuard ports 51800-51840. Further, unrelated traffic on ports 51800-51840 is dropped after failing the WireGuard check at the lower layer, without making it to the transport layer. |
| Protection from DNS flood attacks | CyberMesh uses a very large and highly distributed DNS system (with a DNS resolver deployed in each CyberNode) that can monitor, absorb, and block the attack traffic in real time. |
| Protection from DNS amplification attacks | DNS resolvers sit inside the CyberNode and are non-discoverable (hidden) and invisible to attackers, preventing them from launching DNS amplification attacks from the public Internet. Attacks from compromised devices (bots) are prevented by stopping DNS requests from the spoofed IP address (which has been changed to the real source IP address of the targeted victim), protecting the target from receiving bulk responses from the DNS resolver. |
To learn more about implementing SASE for your organization and explore tailored solutions that meet your unique requirements, contact Exium at partners@exium.net for a consultation or demonstration. If you are ready to get started, check out our testing and onboarding process.