ACLs act as a basic method of limiting access to the network. They constitute sequential lists of permit and deny conditions. The lists define the connections permitted to pass through a device, usually a router.
Analysis Module
This module is active during the Guard protection mode of operation. When no DDoS attack signs are indicated the Guard directs the diverted zone traffic to flow through this module. The analysis module lets the zone traffic flow unobstructed. The module analyzes the flows, allowing the recognition module to sample them.
Anti-Spoofing
A security feature designed to prevent unauthorized access to a network through the technique known as IP spoofing. See IP spoofing.
ARP Redirect Attack
An attack on a local subnet using the ARP protocol.
B
Basic Module
This module is active during the Guard protection mode of operation. This module utilizes the Guard initial challenge-and-response based anti-spoofing mechanisms. The Guard directs the traffic to the Strong protection module either in the case of an escalation or in certain cases which require the Strong anti-spoofing mechanisms to handle the suspected traffic flows.
block-unauthenticated
A policy action that directs traffic to an anti-spoofing mechanism that deals with unauthenticated traffic.
block-unauthenticated-basic
A Dynamic filter action that drops unauthenticated traffic flow that has not been authenticated by the Basic anti-spoofing mechanisms.
block-unauthenticated-strong
A Dynamic filter action that drops unauthenticated traffic flow that has not been authenticated by the Strong anti-spoofing mechanisms.
Bypass filter
A filter that lets you direct desired traffic flows to bypass the Guard protection mechanisms. Thus, you can better adapt the Guard to its protection policy.
C
Comparator
A Guard module that compares the input from the Dynamic filters with the input from the User filters. The Comparator then picks and executes the more severe protection means.
D
Distributed Denial of Service (DDoS) Attack
A Denial of Service attack against a site or server launched from multiple sources. This is sometimes carried out by covertly exploiting servers so that they function as agents for transmitting the attacks. In many cases, the attacker will place client software on a number of unsuspecting remote computers and then use these computers to launch the attack. A Distributed Denial of Service attack is more effective than a simple Denial of Service attack, as the volume of traffic is considerably higher, and is more difficult to prevent. Examples of DDoS attacks are SYN flood, Smurf attack and Targa attack.
DNS TCP
A policy template that produces a group of policies related to DNS-TCP protocol traffic.
DNS UDP
A policy template that produces a group of policies related to DNS-UDP protocol traffic.
Drop Module
This module is active during the Guard protection mode of operation. It is used when all other protection mechanisms are insufficient or when user-configured filters direct the diverted zone traffic to the Drop protection module. This module drops the malicious zone traffic directed by the Flex, User, and Dynamic filters.
Dynamic filter
Dynamic filters are created by the Guard as the result of analysis of traffic flow. They are used to filter out DDoS attacks. This set of filters is continuously adapted to the zone traffic and the type of the DDoS attack.
F
Flex filter
The Flex filter is a Berkeley Packet Filter that provides the user with extremely flexible filtering capabilities, such as filtering according to fields in the IP and TCP headers and filtering according to content bytes. It supports complex Boolean expressions. The Flex filter is used to count a specified packet flow.
G
Guard
A system designed to protect network elements against DDoS attacks.
H
http
A policy template that produces a group of policies related to HTTP traffic flowing, by default, through port 80 or other user-configured ports.
I
IP Traffic Diversion
A process consisting of transparently diverting the traffic of one or more zones to the Guard, and returning the legitimate, cleaned traffic from the Guard to the original data path and on to the zone. Traffic diversion is also performed for learning purposes.
M
Maximum Transfer Unit (MTU)
The largest frame size that can be transmitted over the network. Messages longer than the MTU must be divided into smaller frames.
N
Network Time Protocol (NTP)
A protocol for synchronizing the Guard with a Time Synchronization Server.
No strong concurrent connections
This policy template produces a group of policies related to TCP connection characteristics. However, this policy template does not create policies with actions that direct traffic flows to the Strong protection module. This policy also creates actions that direct traffic flowing through the Basic protection module only to be either dropped or notified.
No strong tcp outgoing
This policy template produces a group of policies related to TCP connections initiated by the zone. However, this policy template does not create policies with actions that direct traffic flows to the Strong protection module. This policy also creates actions that direct traffic flowing through the Basic protection module only to be either dropped or notified.
No strong tcp services
This policy template produces a group of policies when TCP services on specially dedicated ports (6660 to 6670, and ports 21 to 23) are traced. However, this policy template does not create policies with actions that direct traffic flows to the Strong protection module. This policy also creates actions that direct traffic flowing through the Basic protection module only to be either dropped or notified.
Non-spoofed attack
A DDoS attack coming from a valid IP address host.
O
On-Demand Protection
This protection is activated when the zone is attacked while the Guard has not completed its learning phases. As a result, the Guard has not adapted its protection policies to the zone traffic requirements.
Other protocols
This policy template produces a group of policies related to protocols untreated by other policy templates.
P
Policy Construction Phase
In this phase the Guard, based on the zone traffic characteristics, produces the policies with the aid of the policy templates.
Policy Templates
The policy templates are a collection of guiding rules for constructing policies. The output of each template, once the policy construction phase concludes, is a group of policies.
Policy
The policies are the mechanisms that measure a particular traffic flow and take an action against the flow as a result of a threshold violation. A policy may, for example, direct the Guard to produce a Dynamic filter.
R
Rate-Limiter
A Guard module that limits the rate of the traffic the Guard forwards to the zone.
Recognition Module
A Guard module that receives input from a sampling unit and analyses the zone traffic. Based on its recommendations, the Guard constructs its protection measures.
S
Sampler
A Guard module that samples all traffic for the Guard Recognition module to configure protection measures.
Spoofed attack
A DDoS attack coming from a faked transmission address.
Strong Module
This module is active during the Guard protection mode of operation. When a DDoS attack strengthens and the Guard determines that the current anti-spoofing mechanisms are insufficient, it directs the diverted zone traffic to the Strong protection module. This module has more severe anti-spoofing mechanisms. In case of a further escalation, the Guard operates the Drop protection module.
T
Tcp not auth
This policy template produces a group of policies related to TCP connections that haven't been authenticated by the Guard anti-spoofing mechanisms.
Tcp outgoing
This policy template produces sets of policies related to TCP connections initiated by the zone.
Tcp services
This policy template produces a group of policies related to TCP services on ports other than those related to HTTP and to other policy templates.
Threshold Tuning Phase
This is the stage in which the Guard further analyses the zone traffic and defines thresholds for the policies constructed in the policy construction phase.
Traffic Diversion
The Guard operates diversion techniques to direct the zone traffic to pass through its protection mechanisms for traffic learning and malicious traffic filtering. The traffic is then injected back to continue its path to the zone.
U
Udp services
This template produces a group of policies related to UDP services.
User filter
A user-customized filter that enables you to set guiding rules to handle desired traffic flows when an attack is suspected. You can configure anti-spoofing mechanisms or decide to drop a specific traffic flow.
Z
Zombie
A device that acts as an unaware participant in a distributed Denial of Service (DDoS) attack.
Zombie attack
A zombie attack is a type of attack that uses unaware participant machines to launch a DDoS attack. The attacker first spreads a Trojan to unsuspecting users that are not the final target, and may later instruct the Trojan to perform legitimate connections to the zone. This makes it difficult to identify the original source of the attacks.
Zone
The protected network element. Also, a Guard file with all data relating to the protected zone such as configurations, policies and filters.