Corsa Technology has announced a new feature for its Red Armor DDoS mitigation appliance. Called GigaFilter, the feature lets network operators drop packets whose IPv4 source address appears on a list of compromised hosts.
Corsa relies on third-party blacklists and threat intelligence feeds for this feature, which operators can load and update on Red Armor boxes on their own schedules. Corsa does not develop its own blacklists.
During a DDoS attack, GigaFilter serves as a simple pre-inspection stage that immediately drops traffic from IPv4 addresses listed as compromised. Traffic from addresses not on the list is then run through Red Armor’s inspection engines.
Corsa claims GigaFilter can maintain and match against 4 billion IPv4 addresses in a single appliance, while also performing full line rate inspection of up to 100Gbps.
While Corsa doesn’t support blacklists for IPv6 addresses, it does support IPv6-based rulesets in its analysis and remediation engine.
All The Packets
In the DDoS ecosystem, Corsa specializes in packet header analysis. The company’s appliances target service providers, carriers, and large enterprises.
The appliances use FPGAs and merchant silicon to open the header of every packet that comes through the boxes. They then run programmable rules against any combination of header information to separate DDoS traffic from “clean” packets. DDoS traffic can be dropped or rate-limited.
However, the company doesn’t write any of its own detection rules. Rather, it relies on third-party rule sets from companies such as Arbor Networks, Kentik, DeepField, and Flowmon. Rules can be programmed on Red Armor devices via BGP Flowspec, REST APIs, or the CLI.
The company says a Red Armor appliance can support hundreds of thousands of rules, and up to 5,000 rules can be updated every second.
The company focuses specifically on network-based volumetric attacks, such as TCP SYN floods and ICMP, UDP, and NTP-based floods. Corsa does not detect application-layer DDoS attacks.
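As an added illustration of the header-only approach described above (this is example code written for this article, not Corsa’s engine, its rule syntax, or any of the third-party rule sets it consumes), here is a small Python rule matcher. It decodes only the IPv4 and TCP/UDP/ICMP header fields, runs a list of match functions over them, and either drops matching packets or rate-limits them with a per-rule token bucket. The rules, addresses, and packets are constructed for the example; a real deployment would express equivalent matches as Flowspec routes or through the vendor’s API.

```python
"""Added example: header-only DDoS rule matching with drop and rate-limit actions.

Illustrative code, not Corsa's engine or rule format; rules and packets are constructed.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class Header:
    """The only fields the engine looks at: L3/L4 headers, never payload."""
    src: str
    dst: str
    proto: int
    length: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: int = 0


def parse_header(pkt: bytes) -> Header:
    """Decode an IPv4 packet (no link layer) just far enough to match rules."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    h = Header(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, total_len)
    l4 = pkt[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        h.sport, h.dport = struct.unpack("!HH", l4[:4])
    if proto == IPPROTO_TCP and len(l4) >= 14:
        h.tcp_flags = l4[13]          # flags byte sits at offset 13 of the TCP header
    return h


@dataclass
class Rule:
    name: str
    match: Callable[[Header], bool]
    action: str            # "drop" or "rate-limit"
    pps_limit: float = 0   # packets/second admitted when action == "rate-limit"


class TokenBucket:
    """Per-rule limiter: admits at most `rate` packets per second (burst = rate)."""
    def __init__(self, rate: float, now: float):
        self.rate, self.tokens, self.last = rate, rate, now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class RuleEngine:
    def __init__(self, rules: List[Rule], now: float = 0.0):
        self.rules = rules
        self.buckets: Dict[str, TokenBucket] = {
            r.name: TokenBucket(r.pps_limit, now) for r in rules if r.action == "rate-limit"}

    def classify(self, pkt: bytes, now: float) -> Tuple[str, Optional[str]]:
        """Return ("pass" | "drop", matched rule name); the first matching rule wins."""
        h = parse_header(pkt)
        for r in self.rules:
            if not r.match(h):
                continue
            if r.action == "drop":
                return "drop", r.name
            return ("pass" if self.buckets[r.name].allow(now) else "drop"), r.name
        return "pass", None


# Constructed rules for the attack classes named in the article (hypothetical, not vendor rules).
RULES = [
    Rule("ntp-amplification", lambda h: h.proto == IPPROTO_UDP and h.sport == 123 and h.length > 200, "drop"),
    Rule("syn-flood", lambda h: h.proto == IPPROTO_TCP and bool(h.tcp_flags & TCP_SYN) and not h.tcp_flags & TCP_ACK, "rate-limit", 1000),
    Rule("icmp-flood", lambda h: h.proto == IPPROTO_ICMP, "rate-limit", 100),
]


def build_ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Minimal IPv4 packet (IHL=5, checksum left zero) carrying `l4`."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4


def tcp(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def simulate() -> Dict[str, int]:
    """Push constructed attack and clean traffic through the engine, all at t=0.

    Returns counts keyed "verdict:rule", e.g. {"drop:syn-flood": 500, ...}.
    """
    eng, victim, counts = RuleEngine(RULES), "203.0.113.10", {}
    traffic: List[bytes] = [  # 1500 bare SYNs from spoofed sources, then three singletons
        build_ipv4(f"198.51.100.{i % 254 + 1}", victim, IPPROTO_TCP, tcp(40000 + i, 443, TCP_SYN))
        for i in range(1500)]
    traffic.append(build_ipv4("192.0.2.55", victim, IPPROTO_UDP, udp(123, 5000, b"\x00" * 440)))  # NTP reflection, 468 bytes
    traffic.append(build_ipv4("192.0.2.77", victim, IPPROTO_TCP, tcp(52000, 443, TCP_ACK)))       # ordinary ACK
    traffic.append(build_ipv4("192.0.2.88", victim, IPPROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1)))  # one ping
    for pkt in traffic:
        verdict, rule = eng.classify(pkt, 0.0)
        counts[f"{verdict}:{rule}"] = counts.get(f"{verdict}:{rule}", 0) + 1
    return counts
```

Calling `simulate()` shows the two actions side by side: of 1,500 bare SYNs arriving in the same instant, the 1,000 pps bucket admits the first 1,000 and drops the remaining 500; the 468-byte UDP packet from source port 123 is dropped outright as NTP reflection; the ordinary ACK and the single ping pass. Nothing past the transport header is ever read, which is exactly why a well-formed application-layer flood (valid HTTP requests, say) is invisible to a rule set of this kind.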
GigaFilter is a smart addition to a DDoS mitigation product. Being able to drop packets quickly on the strength of a simple list preserves computing resources for more comprehensive inspection of the remaining traffic.
As you might guess, Corsa positions this feature as being very useful for large-scale botnets made up of IoT devices, as well as command and control infrastructure. As the Mirai botnet demonstrated, such network-connected devices can be used to devastating effect.
Even smarter, at least for Corsa, is staying out of the business of verifying and maintaining reliable lists of compromised IPs. Blacklists are simple, but they have to be updated to reflect newly compromised machines and, more importantly, scrubbed of the addresses of machines that have been remediated. Without that scrubbing, organizations that use such lists risk blocking legitimate traffic.
Given the explosion of IoT devices, not to mention regular old PCs, laptops, and other IP-addressable machines, keeping such a list reliable is a lot of work.
Corsa sidesteps list reliability concerns by allowing operators to pick and choose their own intelligence feeds, which they can use at their own peril.
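To make the pre-inspection stage and the scrubbing problem concrete, here is an added example written for this article (not Corsa’s GigaFilter code; the feed snapshots and packet source addresses are constructed). It keeps an IPv4 blocklist as a bitmap: a flat bitmap over the whole 32-bit space is 2^32 bits, or 512 MiB, which is how a single box can hold a membership test for all 4 billion addresses with O(1) lookups. Here the bitmap is split into one 256-bit chunk per /24 so that a sparse list stays small. The reload path rebuilds the list from a fresh feed snapshot and swaps it in whole, so an address the provider has scrubbed after remediation stops being dropped on the next reload, and IPv6 entries are skipped to match the v4-only scope described earlier.

```python
"""Added example: an IPv4 source-address pre-filter in front of deeper inspection.

Illustrative code written for this article, not Corsa's GigaFilter implementation.
Feed snapshots and packet sources below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple


class IPv4Blocklist:
    """Two-level bitmap: one 32-byte (256-bit) chunk per /24 that has any listed host.

    Membership is O(1): chunk lookup by the top 24 bits, bit test on the low 8.
    A chunk exists only for /24s with listed hosts, so a sparse list is small;
    the fully populated list (every IPv4 address) is 2^24 chunks * 32 bytes = 512 MiB
    plus dictionary overhead, the same order as a flat 2^32-bit bitmap.
    """
    def __init__(self) -> None:
        self.chunks: Dict[int, bytearray] = {}
        self.count = 0

    def add(self, addr: int) -> None:
        chunk = self.chunks.setdefault(addr >> 8, bytearray(32))
        byte, bit = (addr & 0xFF) >> 3, addr & 0x07
        if not chunk[byte] & (1 << bit):
            chunk[byte] |= 1 << bit
            self.count += 1

    def add_range(self, first: int, last: int) -> None:
        """Add an inclusive address range; aligned full /24s are filled in one step."""
        a = first
        while a <= last:
            if a & 0xFF == 0 and last - a >= 255:
                chunk = self.chunks.setdefault(a >> 8, bytearray(32))
                self.count += 256 - sum(bin(b).count("1") for b in chunk)
                chunk[:] = b"\xff" * 32
                a += 256
            else:
                self.add(a)
                a += 1

    def __contains__(self, addr: int) -> bool:
        chunk = self.chunks.get(addr >> 8)
        return chunk is not None and bool(chunk[(addr & 0xFF) >> 3] & (1 << (addr & 0x07)))

    @classmethod
    def from_feed(cls, lines: Iterable[str]) -> "IPv4Blocklist":
        """Build from feed text: one host or CIDR per line, '#' comments, IPv6 skipped."""
        bl = cls()
        for line in lines:
            entry = line.split("#", 1)[0].strip()
            if not entry:
                continue
            net = ipaddress.ip_network(entry, strict=False)
            if net.version != 4:
                continue   # v4-only list, as in the article; v6 has to be handled by rules
            bl.add_range(int(net.network_address), int(net.broadcast_address))
        return bl


class PreFilter:
    """Drop-by-list stage ahead of the inspection engines; the list swaps whole on reload."""
    def __init__(self, feed: Iterable[str]) -> None:
        self.reload(feed)

    def reload(self, feed: Iterable[str]) -> None:
        # Build the new structure completely, then swap the reference: a host the feed
        # no longer lists (remediated) stops being dropped from here on, and no packet
        # is ever matched against a half-built list.
        self.blocklist = IPv4Blocklist.from_feed(feed)

    def triage(self, sources: Iterable[str]) -> Tuple[List[str], List[str]]:
        """Split packet source addresses into (dropped, passed_to_inspection)."""
        dropped: List[str] = []
        passed: List[str] = []
        for s in sources:
            (dropped if int(ipaddress.IPv4Address(s)) in self.blocklist else passed).append(s)
        return dropped, passed


# Constructed feed snapshots (hypothetical provider output, documentation-range addresses).
FEED_MONDAY = """
# compromised hosts seen in bot / C2 traffic
198.51.100.7
198.51.100.200
203.0.113.0/25          # a whole block of infected devices
2001:db8::1             # IPv6 entry, ignored by this v4-only filter
""".splitlines()

FEED_TUESDAY = """
198.51.100.200
203.0.113.0/25
""".splitlines()   # 198.51.100.7 was remediated and scrubbed by the provider

SAMPLE_SOURCES = ["198.51.100.7", "203.0.113.44", "203.0.113.200", "192.0.2.9", "198.51.100.200"]


def demo() -> Dict[str, Tuple[List[str], List[str]]]:
    """Triage the same constructed packet sources before and after a feed reload."""
    pf = PreFilter(FEED_MONDAY)
    before = pf.triage(SAMPLE_SOURCES)
    pf.reload(FEED_TUESDAY)
    after = pf.triage(SAMPLE_SOURCES)
    return {"monday": before, "tuesday": after}
```

Running `demo()` shows the cost of a stale list: on Monday 198.51.100.7 is dropped along with the rest of the listed hosts; on Tuesday, after the provider scrubbed it, the same source is passed on to full inspection instead. An operator who never reloads keeps dropping that remediated host indefinitely, which is the false-positive risk the commentary above describes.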
The Corsa appliances promise pretty spectacular performance. It goes without saying (but I’m saying it anyway) that promises need to be tested before any money changes hands. Potential customers should get their hands on a demo unit or two to put them through their paces. Even if you can’t throw 100Gbps at a box, there’s value in getting it in the lab.
Organizations should also get a sense of the programmatic effort involved in linking Red Armor appliances to third-party detection systems, how faithfully rules are transferred from one vendor’s system to the other’s, and how accurately they are applied.
Red Armor appliances are available in 10Gbps and 100Gbps models. The 100 gig model starts at $119,000.
The GigaFilter feature, which is available now, is included with the appliance at no additional cost.