
Verisign DDoS Protection Service


THE INCREASING FREQUENCY AND SEVERITY OF DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS ARE RAPIDLY CHANGING THE FACE OF NETWORK SECURITY. VERISIGN DDoS PROTECTION SERVICES PROVIDE CLOUD-BASED MONITORING, DETECTION AND SUPERIOR ATTACK MITIGATION.

VERISIGN® DDoS PROTECTION SERVICES

VerisignInc.com

DDoS attacks continue to emerge as a growing threat to online business in size, frequency and complexity. Based on a recent survey conducted by Verisign, over one-third of outages experienced by organizations were the result of DDoS attacks and the average attack size was 7.4 Gbps, a 245 percent year-over-year increase. As a result, DDoS protection has become one of the top security and business continuity issues for any online organization. However, the common approach of stopping DDoS attacks at the network border has become an expensive and typically ineffective solution.

Verisign DDoS Protection Services provide organizations with a reliable and scalable DDoS protection strategy. As a trusted partner, Verisign helps companies stay online without having to invest in the massive infrastructure to do so.

DDoS ATTACKS: A GROWING THREAT

DDoS attacks intentionally deprive legitimate users of Internet resources, typically by overloading a network with a flood of data packets from multiple sources. Attackers usually create the denial of service condition by either consuming server bandwidth or by impairing the server itself. The threat landscape is ever expanding with a growing diversity of attackers, motivations and attack vectors. Additionally, as organizations increasingly host applications and services in cloud environments, the attack surface is growing and becoming more challenging to protect.

Typically, malevolent actors enlist the help of compromised computers to form “botnets” capable of launching major attacks against unsuspecting victims. Estimates suggest that anywhere between eight and 10 million computers are actively used in botnets at any time. These botnets harness the processing power and bandwidth of thousands of compromised computers to bring down the largest and most sophisticated networks. Some reports estimate that more than 10,000 attacks occur each day. Additionally, Verisign’s research indicates that 42 percent of attacks are greater than one Gbps and 17 percent exceed 100 Gbps.

OVERVIEW

Verisign DDoS Protection Services help organizations reduce the risk of catastrophic DDoS attacks by detecting and filtering malicious traffic aimed at disrupting or disabling their Internet-based services. Unlike traditional security solutions, Verisign DDoS Protection Services filter harmful traffic upstream of the organizational network or in the cloud.

Verisign DDoS Protection Services combine the security from Verisign’s world-class traffic analysis and detection platforms with the flexibility of utilizing the mitigation components only when required. By using a combination of proprietary, globally-distributed DDoS mitigation platforms that scale to handle the Internet’s largest and most complex attacks and a purpose built, globally-connected network, Verisign DDoS Protection Services provide superior attack mitigation against a broad range of attack vectors.

DATA SHEET

Verisign Public

When an event is detected, Verisign will work with the customer to redirect Internet traffic destined for the protected service to a Verisign DDoS Protection Services site. The redirection happens in the cloud, swinging attack traffic to Verisign before it can overwhelm or otherwise harm the customer network. As Verisign monitors and analyzes traffic pattern data, the 24x7 security team begins “scrubbing” redirected traffic through the use of world-class mitigation technologies. Malicious traffic is progressively blocked while filtered traffic is sent to the customer’s network, thus helping the customer sustain normal business operations.

SERVICE COMPONENTS

Monitoring

Monitoring customer traffic is critical to identifying and mitigating attacks in their infancy. Verisign collects traffic flow data from the customer’s Internet-connected routers. Samples of the customer’s Internet traffic are incorporated into Verisign’s correlation engine for threat detection, alerts and reporting. The frequency of packet sampling can be tailored based on customer size, type and router performance.

Packets are classified and analyzed by correlating a number of fields contained in the headers of the sampled packets. The packets are then broken down into categories and correlated using advanced heuristics to profile normal versus anomalous traffic patterns.

By utilizing Verisign OpenHybrid™ technology, Verisign can also monitor a customer’s services hosted in public cloud environments, such as Amazon Web Services (AWS), for indicators of DDoS attacks. Additionally, other points within a customer’s network (such as existing firewalls and on-site DDoS mitigation appliances) can also be monitored for attacks using the Verisign OpenHybrid cloud signaling API. Customers can utilize the APIs to automatically signal to Verisign’s DDoS Protection cloud when pre-defined thresholds are breached for the customer’s appliances.

Customer traffic is monitored by Verisign’s 24x7 Security Operations Center. Customer-specific alerts enable trained security experts to immediately identify nascent potential attacks. Additionally, customers can monitor their own traffic and alerts across all monitored environments (such as private datacenters and public clouds) via a secure online portal.

Threat Detection

Identifying potential DDoS events in their early stages is critical to mitigating them before they can impact organizations. As such, Verisign continually looks for new methods to identify and classify malicious activity. Threat detection is composed of two primary components: signature analysis and dynamic profiling.

• Signature Analysis – Signature analysis, or misuse detection, looks for predefined deviations that are signs of a DDoS attack. Verisign uses a combination of industry best practices and proprietary intelligence to identify these signatures. Since attacks are always evolving, lessons learned from mitigating them feed into ongoing research and development to help identify new threat signatures.

• Dynamic Profiling – Because all customers are different and attack profiles are constantly changing, it is vital that Verisign understands each customer’s “normal” traffic patterns. To do so, Verisign works with the customer to establish a dynamic profile of its Internet traffic. Deviations from the established customer profile that exceed predefined thresholds automatically activate an alert for Verisign 24x7 security teams, enabling Verisign to respond to new and one-of-a-kind attack profiles.

FEATURES

• Custom-built technology platform for DDoS mitigation, providing enhanced protection against zero-day attacks

• DDoS protection for critical applications across private and public cloud environments using Verisign OpenHybrid

• Purpose-built, highly scalable cloud mitigation network

• 24x7 operational support from expert teams

• Detailed and unified event reporting for multiple environments through a secure portal

• Always-on monitoring - Flow or signals based

• On-demand mitigation

• Choice of DNS or BGP traffic off-ramping

• Tunneling, VPN or direct connect traffic off-ramp options*

• Requires no customer premise equipment**

* Available in certain areas

** If VPN is not required

Mitigation

Verisign establishes event mitigation procedures with the customer to fit the customer’s service model. Mitigation is composed of three components: on-ramping, filtering and off-ramping. Because timeliness is critical to protecting customer services, Verisign works extensively with the customer during the initial set-up and testing phases to ensure a seamless implementation of all three components.

• On-Ramping Traffic – Verisign security experts redirect Internet traffic destined for the customer directly to Verisign. Off-ramping occurs when a potential attack warrants traffic redirection. Verisign offers several methods for off-ramping traffic, including BGP announcements or changes to customer domain name system (DNS) records. Optimal solutions vary by customer and depend upon the size of the customer network, the types of services they utilize and a host of other considerations.

• Filtering – Verisign employs a layered approach to traffic filtering that progressively enhances rule sets over time. Since blocking all traffic to a customer accomplishes the same goals as a DDoS attack, Verisign helps legitimate traffic reach its intended destination. Over time, state-of-the-art filtering technology increases the level of filtering to progressively block more malicious traffic. Filters are applied at various layers of the OSI stack. Although some attacks can be mitigated by implementing filters at the network layer, complex attacks may require analysis and filtering up through the application layer. Verisign utilizes a combination of custom built, proprietary DDoS mitigation technology layered with additional commercial off-the-shelf (COTS) platforms to ensure protection against a larger set of attack vectors. Using multiple platforms gives mitigation engineers the ability to utilize and combine the most effective mitigation techniques needed to defend against the attack.

• Off-Ramping Traffic – Once traffic is “cleaned,” Verisign redirects it back to the customer’s network. Verisign network architects work with the customer to establish the best method for redirecting clean traffic back into its network, such as GRE tunneling, establishing a VPN or directly connecting to a site.

[Figure labels: DDoS Attack; Scrub Centers; Clean Traffic; Globally Distributed Load Balancing; Athena; iDefense®; DDoS Appliance; Customer Data Center]

Security intelligence experts proactively work with Verisign’s DDoS team to identify zero-day vulnerabilities and help assess complex attacks

Verisign’s interconnected backbone enables balancing of attack traffic across globally deployed scrubbing centers

Local Load Balancing: Advanced balancing across servers within Verisign scrubbing centers helps ensure effective mitigation

Unified Functionality: Packet- and application-level mitigation performed on the same server, improving horizontal scaling capabilities

Athena Shield: High-speed, packet-level attack mitigation software that uses a range of techniques for inspection and filtering

Athena Proxy: Enables inspection and filtering of HTTP/HTTPS content prior to connection with protected server

For mitigation of basic attacks, Athena off-loads traffic to a variety of DDoS appliances

VRSN_VSS_DDoSProtectionServ_DS_201506

VerisignInc.com

© 2015 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.

Reporting

Because understanding a customer’s traffic is the first step in protecting critical services, Verisign provides detailed reports on customer traffic statistics to enable informed decisions.

Examples include traffic summary reports, application reports, protocol reports and event reports. Verisign OpenHybrid technology also provides unified DDoS reporting on Verisign’s customer portal for additional environments being monitored (e.g., applications hosted within public cloud environments).

SUMMARY

As malicious actors relentlessly pursue new means to sharpen their craft and avoid detection, the threats to organizational networks grow exponentially. Botnets composed of hundreds of thousands of compromised devices provide the foundation for tools that can inflict devastating attacks that not only impact revenue but damage company reputations and reduce customer confidence. Simply stated, threats are evolving at an extraordinary rate – and so too must security solutions.

Verisign DDoS Protection Services is a product of this security evolution. By mitigating threats closer to the core of the Internet, Verisign is able to effectively and efficiently mitigate some of the world’s largest attacks. At the same time, Verisign is able to quickly react to defend against the rapidly changing environment. As a proven leader in protecting critical Internet infrastructure, Verisign now provides that experience and technology to help organizations guard their own Internet assets.

ABOUT VERISIGN

Verisign, a global leader in domain names and Internet security, enables Internet navigation for many of the world’s most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key Internet infrastructure and services, including the .COM and .NET domains and two of the Internet’s root servers, as well as performs the root-zone maintainer functions for the core of the Internet’s Domain Name System (DNS). Verisign’s Security Services include intelligence-driven Distributed Denial of Service Protection, iDefense Security Intelligence and Managed DNS. To learn more about what it means to be Powered by Verisign, please visit VerisignInc.com.

LEARN MORE

For more information about Verisign DDoS Protection Services, contact a Verisign representative by phone at 866-367-0095 or 1-703-948-4140, by email at [email protected] or visit us at VerisignInc.com/ddos.

Key Benefits

Proven mitigation technology that scales to the size, speed and complexity of the threat

Athena, our globally-distributed mitigation system, provides comprehensive protection against network- and application-layer attacks, specializing in mitigating Layer-7 and Secure Sockets Layer (SSL)-based attacks.

Faster mitigation for distributed environments

The Verisign OpenHybrid architecture enables seamless interoperability between on-premise devices, cloud platforms and Verisign’s cloud-based DDoS Protection Services.

Unmatched operational expertise – TSIA-rated outstanding customer support

Verisign has proven experience protecting critical Internet infrastructure, having maintained 100 percent operational accuracy and stability of its DNS infrastructure for .COM and .NET for more than 17 years.

Purpose-built, globally connected and highly scalable network for fast and effective mitigation

Verisign DDoS Protection Services directly connects with over 700 networks at 1,600 points of interconnection to mitigate attacks with minimal latency.

Detailed and unified event and traffic reporting for multiple protected environments

Through Verisign OpenHybrid, Verisign provides a single pane of glass and consolidated view of traffic and DDoS threats across different customer environments (datacenter/cloud).