Corero Network Security Adds Real-Time IP Address Blocking to Stop DDoS Attacks

Corero Network Security added reputation scanning and IP address blocking to its line of anti-distributed denial of service appliances.

Dubbed “ReputationWatch“, the new feature will identify known malicious entities in real-time and block access to bad IP addresses, Corero said Tuesday. ReputationWatch uses both reputation and geographic profiles to dynamically change network configurations and block distributed denial of service attacks and other malicious activity. The service will be generally available in the third quarter.

Corero experts would be monitoring the IP addresses to identify bots that fall within the command and control structure or are known to have participated in malicious content attacks in the past. Once identified, ReputationWatch would prevent access and block that traffic from entering the organization’s network. The dynamic analysis capability means the IP address is unblocked when it is not engaged in an attack.

“The launch of ReputationWatch is another key step towards enhancing Corero’s extensible platform to provide a first line of defense to combat threats, protecting IT infrastructure and eliminating costly downtime,” said Ashley Stephenson, Corero’s executive vice president.

IT administrators can proactively enforce security policies by taking advantage of the geolocation technology. Administrators can set access policies for each country and decide whether or not to restrict or block traffic from countries they do not to business with, or are known to host attack traffic. It would also be possible to set exceptions for IP addresses in high-risk countries to allow legitimate business partners and services through.

Reputation scanning is time-sensitive, as sources can be good one day and malicious the next, Stephenson told SecurityWeek. ReputationWatch assigns an expiration date to the IP Addresses, and the site is checked again to see if it is still malicious or if the problem has been cleaned up, Stephenson said.

With ReputationWatch, administrators will no longer have to manually maintain security configurations with automated, threat intelligence feeds. With access to the latest intelligence, organizations can defend against known sources of DDoS attacks, bots that have the IP addresses associated with identified C&C servers, systems delivering specially crafted denial-of-service exploits, known sources of malicious content attacks, phishing, and spam sources, Corero said.

Stephenson described Corero’s virtual patching capability that can protect customer networks before the actual security vulnerability is patched. For example, a security vulnerability in the popular Apache Web server was discovered last year, and the KillApache exploit was observed in the wild. Corero customers received a policy update for their appliance that was capable of recognizing the specially crafted headers and the type of malicious traffic and block it according, Stephenson said. Corero customers were protected before Apache was able to get the patch ready.

While Corero is not recommending that organizations forego patching affected software, virtual patching is a first line of defense that can be applied quickly without disrupting the network environment, Stephenson said.

“By adding this extra functionality to the DDoS arsenal, businesses can continue to attack the threat head on with the knowledge that their network will be automatically updated and configured against the latest malicious threats, saving both time and money for the organization,” Stephenson concluded.

More on ReputationWatch can be found here.

Related Insight: Protecting Your Network From DoS Attacks