What is SmartFilter?

 

FlexFilter is a powerful mitigation tool within Netshield that allows organizations to define policies that fit their traffic pattern and security needs. SmartFilter is a special form of FlexFilter that generates mitigation rules automatically based on Nexusguard’s Smart Detection mode that we talked about in our Smart Mode blog post. The auto-generated mitigation rules in SmartFilter adapt to the changes in attack strategy and self-adjust dynamically during an attack.

SmartFilter comes with pre-configured mitigation policies that offer flexibility to SOC’s (Security Operations Centre) adaptation to dynamic attack scenarios. The most distinguished policies of SmartFilter are Amplification Attacks and Threat Intelligence. Used to mitigate reflection and/or amplification attacks, the Amplification Attacks policy is also extremely effective against well-known and zero-day reflection attack signatures. Threat information garnered from newly discovered IP addresses infected by malware and used as ‘zombies’ by botnets is also utilized in combination with Good User database intelligence to help respond to attacks more swiftly.

To achieve optimal mitigation, SmartFilter has a precise modus operandi that employs a feedback mechanism whereby mitigating action is automatically applied when traffic rises above or falls below a clean traffic level baseline. During an attack event, SmartFilter rules self-adjust, dropping traffic when a matching rule set correlates with the rules generated or withdrawing rules to compensate for over mitigation, allowing traffic to pass through, while ensuring an optimal traffic level is maintained all the while.

 

Figure 1 - Actual traffic level compared against attack threshold generated from the Smart Policy auto baselining

 

When your site is under DDOS attack, SmartFilter helps you do the following:

• Analyze attack patterns within the attack traffic in real-time
• Automatically generate FlexFilter rules to the Nexusguard L3 engine to mitigate attack traffic
• Adjust FlexFilter rules as and when required according to changes in attack patterns, attack sources and attack approach

 

Furthermore, Nexusguard’s multi-tenant portal allows customers to view the actual attack traffic being blocked by each of the rules generated by SmartFilter during an attack, as well as detailed logs of SmartFilter's safeguarding actions during the mitigation process.

 

Figure 2 - List of the SmartFilter events

 

Figure 3 - Logs of actions performed by the SmartFilter engine

 

Data sources SmartFilter takes into consideration for rule generation

 

To further increase the accuracy of FlexFilter rules, SmartFilter not only integrates with the IP Reputation Database¹, but also tracks and factors in the following:

1. Latest attack events handled by Nexusguard’s platform
2. Most recent commercial and third party IP Information Database.

The IP Reputation library is updated regularly using the above information to ensure the
Information always stays relevant.

 

Salient Features of SmartFilter

SmartFilter generates appropriate FlexFilter rules to mitigate an imminent DDoS attack rapidly without the need for human intervention. Dynamic in nature, SmartFilter automatically adjusts mitigation policies according to real-time attack traffic to ensure timely and effective mitigation of DDoS attacks.

To ensure the accuracy of FlexFilter rules, SmartFilter leverages big data technology, using historical traffic information collected from our own products, as well as commercial and third party IP knowledge base information.

Automatic filtering through SmartFilter reduces the amount of human intervention and allows DDoS attacks to be identified and blocked in a matter of seconds, which is a considerable improvement over traditional means that rely on manual traffic analysis, which can take up to 30 minutes or longer. By automatically filtering out attack traffic swiftly and decisively while allowing legitimate traffic to continue flowing, SmartFilter not only saves time and cost on the remediation process but also ensures that customers’ user experience is not compromised, even during an attack.

SmartFilter is now available to customers using our Origin Protection service. For further information, please read about Nexusguard’s Origin Protection.

 

__________________________________

 ¹ IP reputation is a tool that identifies IP addresses that send unwanted requests. Using the IP reputation list one can reject requests that are coming from an IP address with a bad reputation.