March 1, 2024
NTIF, which stands for Network Threat Intelligence Feed, represents a formidable detection and mitigation tool integrated within Nexusguard’s array of DDoS protection tools. Designed to bolster defenses, NTIF efficiently blocks known malicious IP addresses without the need for extensive analysis.
As an advanced detection tool, NTIF promptly triggers a DDoS alert whenever the traffic originating from botnet IPs exceeds the defined detection threshold. Moreover, NTIF boasts a range of pre-configured policies that provide Security Operations Centers (SOCs) with exceptional flexibility and adaptability to effectively respond to various attack scenarios across eight distinct categories, as outlined in Table 1 below:
Each NTIF detection policy operates autonomously, allowing for individual enablement or disablement along with distinct threshold values.
Similarly, the mitigation counterpart of NTIF operates in a comparable manner. Each attack category can be configured independently, enabling the SOC team to set the operation mode as OFF, Monitor, or ON according to the specific requirements of various attack scenarios.
Nexusguard's multi-tenant portal empowers customers with comprehensive visibility into the precise attack traffic that is effectively mitigated across each category, while also providing crucial information about the IP addresses of the blocked hosts.
Nexusguard employs a rigorous process to ensure accurate blocking of malicious IP addresses. To achieve this, our proprietary IP blocklist is meticulously cross-checked with reputable third-party IP reputation databases that Nexusguard subscribes to. This comprehensive verification involves assigning a score to each IP address in the database, considering factors such as category, source, time of occurrence, frequency, contribution to attack events, and other relevant indicators.
Through a sophisticated weighting system, these factors are scrupulously evaluated, and the final score is calculated by aggregating the weighted values and sorting them accordingly. The higher the score, the greater the likelihood and impact of the IP being associated with an attacker. Subsequently, NTIF's filtering mechanism effectively blocks these identified malicious IPs, bolstering network defenses.
To ensure the ongoing relevance of the information, the IP reputation database undergoes daily updates using the aforementioned methodology. This commitment to regular updates guarantees that networks remain protected with the latest and most accurate threat intelligence.
NTIF encompasses a wide array of essential features and capabilities that establish it as an influential and all-encompassing solution for network security. These include:
NTIF, Nexusguard's leading-edge solution, offers a seamless deployment process. It functions as a comprehensive list of identified malicious IP addresses, which, when enabled, completely blocks their access to protected resources. With NTIF, there is no need for further analysis or fine-tuning by the SOC team. Each IP address entry undergoes internal verification and is cross-referenced with multiple reputable third-party IP reputation databases.
NTIF proves effective in various attack scenarios, including zero-day attacks and carpet bombing attacks. In the case of zero-day attacks, where the attack pattern or method is not fully exposed, traditional signature-based detection methods face challenges. However, NTIF overcomes this by triggering an alert when the traffic level of any NTIF category surpasses the detection threshold, ensuring that attacks are not missed.
Regarding carpet bombing attacks, where the attack size typically falls below the detection threshold, NTIF excels in detecting such threats. As these attacks often originate from well-known botnet IPs, NTIF effectively detects them based on aggregated source traffic.
The automated filtering capabilities of NTIF significantly reduce the need for SOC intervention, enabling the swift identification and blocking of DDoS attacks within seconds. This represents a notable improvement over traditional manual traffic analysis methods, which can take up to 30 minutes or longer. By swiftly and decisively filtering out attack traffic while allowing legitimate traffic to continue uninterrupted, NTIF not only saves time and cost in the remediation process but also ensures an uncompromised user experience for customers, even during an ongoing attack.
NTIF is now available to customers using our Application Protection and Origin Protection service. For further information, please read about Nexusguard’s Application Protection and Origin Protection.
Nexusguard's NTIF offers an integrated methodology for deploying rapid, cost-effective, and real-time protection against DDoS attacks.
