Operators using telemetry over flow protocols are forced to use 1:1000 sampling or more, and transmit data on current traffic once every 30 seconds or less. This reduces the accuracy and timeliness of the received statistics, which in turn causes a delay between the start of the attack and the start of filtering. MITIGATOR can constantly monitor traffic and, if an anomaly is detected, activate filtering in less than a second.
Minimal impact on legitimate traffic.
To reduce the response time, the operator filters the service traffic all the time, which negatively affects the legitimate traffic of the protected service, leads to delays and an increase in RTT. MITIGATOR is installed next to protected resources, which makes it possible to avoid significant changes in the path of packets.
Safety for previously established sessions.
MITIGATOR monitors legitimate traffic even before the moment of attack, and when filtering is applied, it does not affect already established connections. In addition, MITIGATOR can filter constantly, which fundamentally excludes the possibility of sessions break.
Automatic activation of necessary countermeasures depending on the situation.
The MITIGATOR protection policy allows the detection subsystem to control each and any of the countermeasures and set the conditions under which they are independently activated. This method of protection avoids potential damage to traffic, unlike the standard mitigation templates applied to each anomaly that most of our competitors use.
MITIGATOR distributes traffic to independent protection policies in accordance with routing rules. The rules consist of five parameters: protocol, src prefix, src port, dst prefix, dst port. The value of each of the fields can be multiple or empty. This approach makes it possible to distribute the traffic of individual services to different policies and apply only the necessary countermeasures to scrub it. Understanding the specifics of traffic allows you to achieve the most efficient configuration of each of the countermeasures.
The fundamental difference in the approach to the attacks like TCP Flood.
MITIGATOR was designed to filter both symmetric and asymmetric traffic and has built-in mechanisms that eliminate the negative impact of TCP Flood attacks on protected resources. In the case of symmetric traffic, the system uses the TCP Splicing mechanism, which allows you to establish legitimate connections without consequences for the client application. For an asymmetric stream, MITIGATOR uses the ISN synchronization mechanism: when using it, the establishment of a TCP connection is transparent to the client and server.
Advanced UDP applications protection.
In addition to DNS and SIP protection, MITIGATOR employs countermeasures to ensure the security of many gaming applications running over the UDP protocol. An authentication mechanism by waiting for the redirection of UDP datagrams has been implemented, which allows the description of the necessary packets using rules for L3-, L4-headers and regular expressions for payload. Often, UDP application traffic is encrypted or has complex semantics. For such cases, the client application has the MITIGATOR Challenge Response open authentication protocol, which improves the quality of protection for both UDP and TCP applications. In addition to existing countermeasures, MITIGATOR, using a programmable filter mechanism, allows you to develop algorithms independently and protect any application, including your own. This can be done for example, by supporting a special client authentication logic. Algorithms are created as C programs and loaded directly to the countermeasure.
Analysis of logs of a protected HTTPS server.
In addition to protection for TCP and analysis of TLS Client Hello, MITIGATOR analyzes the logs of the protected Web server. During the analysis, anomalies are detected and attacking IP addresses are blocked. Analysis of web server logs allows you to improve the quality of protection without decryption on the filtering device. Additionally, MITIGATOR supports JA3-fingerprints, which allow you to block bots when they try to connect.
New functionality is constantly being added to MITIGATOR to effectively counter emerging threats. Releases are issued once every 2 months, contain new protective techniques and take into account customer requests.