
Information Security Services

Understanding and Combating DDoS Attacks:
A Threat Analysis produced by CTU Researcher Don Jackson

Executive Summary
In the confidentiality, integrity, and availability metrics of information security, also known as the CIA
Triad, denial-of-service (DoS) attacks impact availability. In a broad context, the term 'denial-of-service' has a general definition covering many types of attacks. This analysis focuses on the types of
attacks generally referred to as distributed denial-of-service, or DDoS, attacks. DDoS attacks are most
often used to extort or damage businesses whose websites or online assets are a major source of
revenue, are an indicator of brand value, or are critical to operations. Although major DDoS attacks are
a rare occurrence for most organizations, they can have devastating effects. Anyone can become a
victim at any time, so it's important to implement mitigations and practice DDoS incident response
plans prior to a DDoS event.

A Practical Introduction to DDoS attacks


In practical terms, DDoS attacks are Internet-based attacks on a specific target, usually a visible public
target such as an organization's primary website, from a number of sources distributed across multiple
networks. Targets like web servers can be specified by IP address or domain name. In a similar type of
attack, attackers target the DNS (Domain Name System) server that translates a domain name
(www.example.com) to an IP address (172.16.1.20) instead of the web server. Because DNS provides
the initial Internet address of the target, if other systems on the Internet become unable to locate the
target, then a DNS DDoS attack effectively renders the target unavailable without impacting the actual
operation of the website. More often, however, attackers use a variety of techniques to directly target
the web server, knocking the website offline or unavailable to normal users.

Types of DDoS Attacks


Most modern DDoS tools default to using basic "flood" attacks designed to use up all available
bandwidth or input/output (I/O) resources. Floods send a large number of packets of information
using various Internet protocols such as User Datagram Protocol (UDP), Internet Control Message
Protocol (ICMP), and Transmission Control Protocol (TCP). In addition to flood attacks, some network
layer attacks fragment or craft packets in ways designed to hang or crash network devices. Modern
tools also incorporate application-layer attacks using the protocols associated with DNS or web
technologies.
UDP is stateless, with low overhead. It can be used to quickly send a lot of data to overwhelm UDP
services. DNS servers often use UDP port 53, for example. A UDP flood sends many packets to ports
on which no application is listening, causing most systems to also generate an ICMP "Destination
Unreachable" message to the source of the UDP traffic, adding yet more packets to the network under
attack. Attackers can spoof the source IP address in UDP packets, causing the resulting ICMP packets
to be sent elsewhere and possibly back to the target(s), causing the target to flood itself or other
targets.
ICMP packets can also be used to flood networks. The most common of these attacks are "ping
floods" (ping being a common ICMP service). Attackers may also spoof IP addresses with ICMP. If
misconfigured network devices respond to ping packets sent to network broadcast addresses, the
result can be a flood of additional ping reply packets sent to all devices on the network in what is
known as a "smurf attack." Smurf attacks are an example of the concept of DDoS amplification,
wherein a small amount of input from the attacker generates a large amount of output.

A SYN flood is a common TCP protocol-layer attack. A SYN packet represents the first part of the
connectivity handshake that must occur before a TCP connection can be established. The server
responds with a SYN+ACK packet to the client, the source of the original SYN packet, as an
acknowledgement. In a normal TCP handshake, the server waits to receive a final ACK packet from the
client before establishing a data connection. For a successful handshake, the client's IP address must
be correct. A SYN flood attacker acts as the client and the server is the target. The attacker sends SYN
packets. Because the attacker does not reply to the resulting SYN+ACK packets, or because the
SYN+ACK packets are sent to spoofed IP addresses of bogus or unresponsive destinations, the target
must wait for some predetermined time for the final ACK packets before giving up. Because network
devices have practical limits on the number of TCP connections they can accept, sending enough SYN
packets before that timeout is reached can exhaust all available connections. The result is that the
server will deny additional connection attempts.
SYN floods can be used to deny connections to common public-facing TCP protocol services like web
servers (HTTP), email (SMTP, POP3), and file transfer (FTP). These services use application-layer
protocols built on top of TCP. Modern DDoS tools also incorporate specific attacks to flood these
services with application-specific commands or requests designed to exhaust server resources. The
most common examples are web attack tools that send floods of malformed, difficult to service, or
bogus HTTP requests that occupy web server resources and deny availability of the targeted website
to legitimate users.
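As an added example that is not part of the paper, the following Python code turns the symptoms described above into detection logic over a handful of constructed packet records: many distinct sources whose SYNs never reach the final ACK indicate a SYN flood, and ICMP Destination Unreachable messages emitted by the target itself are the UDP-flood backscatter the text describes. The record format, the addresses and the thresholds are constructed for the example.

```python
"""Spot SYN-flood and UDP-flood symptoms in simplified packet records.

Added example, not from the original paper. The five-field record format
(time, protocol, source, destination, flags or ICMP message) and every
address are constructed; a real deployment would read flow or pcap data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # seconds
    proto: str   # "tcp", "udp" or "icmp"
    src: str     # "ip:port" for tcp/udp, bare IP for icmp
    dst: str
    info: str    # TCP flags ("S", "SA", "A"), "-" for udp, or ICMP message


def parse_records(text):
    """One whitespace-separated record per line; blank lines are skipped."""
    packets = []
    for line in text.splitlines():
        if line.strip():
            ts, proto, src, dst, info = line.split()
            packets.append(Packet(float(ts), proto, src, dst, info))
    return packets


def handshake_stats(packets, server):
    """Return (distinct SYN sources, completed handshakes) for `server`.

    A handshake is complete only when the client that sent the SYN later
    sends the bare ACK of the third step. A SYN whose SYN+ACK is never
    answered, because the source is unresponsive or spoofed, is the
    half-open state a SYN flood uses to exhaust the connection table.
    """
    syn_sources, completed = set(), set()
    for p in packets:
        if p.proto != "tcp" or p.dst != server:
            continue
        if p.info == "S":
            syn_sources.add(p.src)
        elif p.info == "A" and p.src in syn_sources:
            completed.add(p.src)
    return len(syn_sources), len(completed)


def syn_flood_suspected(packets, server, min_syns=5, max_completion=0.5):
    """True when many SYNs arrive but few handshakes finish.

    The thresholds are illustrative; tune them to the server's baseline.
    """
    syns, completed = handshake_stats(packets, server)
    return syns >= min_syns and completed / syns <= max_completion


def icmp_backscatter(packets, target_ip):
    """Count ICMP Destination Unreachable messages the target itself emits.

    A UDP flood at closed ports makes the victim send one per packet; with
    spoofed sources they are delivered to uninvolved third parties.
    """
    return sum(1 for p in packets
               if p.proto == "icmp" and p.src == target_ip
               and p.info == "dest-unreach")


def analyze(text, server):
    """Summarise the flood indicators for one server given as "ip:port"."""
    packets = parse_records(text)
    syns, completed = handshake_stats(packets, server)
    return {"syn_sources": syns,
            "completed_handshakes": completed,
            "syn_flood_suspected": syn_flood_suspected(packets, server),
            "icmp_backscatter": icmp_backscatter(packets, server.split(":")[0])}


# Constructed sample: one legitimate client completes its handshake, five
# sources send SYNs and never answer the SYN+ACK, and two UDP packets to
# closed ports each draw an ICMP reply from the server.
SAMPLE_RECORDS = """
0.001 tcp  198.51.100.7:51000 192.0.2.10:80 S
0.002 tcp  192.0.2.10:80 198.51.100.7:51000 SA
0.003 tcp  198.51.100.7:51000 192.0.2.10:80 A
0.010 tcp  203.0.113.21:4001 192.0.2.10:80 S
0.011 tcp  203.0.113.22:4002 192.0.2.10:80 S
0.012 tcp  203.0.113.23:4003 192.0.2.10:80 S
0.013 tcp  203.0.113.24:4004 192.0.2.10:80 S
0.014 tcp  203.0.113.25:4005 192.0.2.10:80 S
0.015 tcp  192.0.2.10:80 203.0.113.21:4001 SA
0.100 udp  203.0.113.40:9999 192.0.2.10:31337 -
0.101 icmp 192.0.2.10 203.0.113.40 dest-unreach
0.102 udp  203.0.113.41:9999 192.0.2.10:31338 -
0.103 icmp 192.0.2.10 203.0.113.41 dest-unreach
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_RECORDS, "192.0.2.10:80"))
```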

Common Tools and Tactics


The first widely available tool for launching DDoS attacks was called Trin00 (or "trinoo"). It is similar to
Tribal Flood Network (TFN), another tool developed around the same time. These tools performed
lower-level networking layer attacks like SYN floods and smurf attacks. Trin00 was first used in 1999
when it was installed on a large number of hosts compromised through exploiting vulnerabilities in
networking services. It employed a "master and slave" configuration in which a single server could
command and control multiple, distributed clients. Although Trin00 was designed for UNIX systems
and was first discovered in 1999, virtually all modern DDoS botnet attack architectures can trace their
basic design to Trin00.
Modern DDoS tools typically include the most refined forms of network layer attacks that are still
effective. Smurf attacks are no longer practically effective because, for years, network devices have
shipped with the option to respond to ping requests sent to broadcast addresses either off by default
or removed entirely. However, SYN floods are still moderately effective and are widely used. The
effectiveness of some attacks has decreased over time in response to changes in technology and
countermeasures built into networks, network defenses, network devices and hosts.
Modern DDoS tools such as Slowloris work only at the application layer. Slowloris sends web servers
HTTP requests that take a long time to complete or reassemble. It's a popular tool that can be adapted
to distributed attacks for attacking websites. Because application layer attacks usually require working
TCP connections, IP addresses of attack sources cannot be spoofed. Therefore, attackers may employ
proxies or bots to mask the original source of the attack and rotate to new proxies or bots in the event
these disposable attack sources are identified and blocked by IP address.
Because DDoS is a distributed attack, multiple sources are required. Botnets, collections of computers
under the control of a central operator, provide a ready solution. Indeed, botnets have become the
standard operations platform for DDoS attackers. Botnets may be created by surreptitiously installing
clandestine DDoS trojans with built-in command-and-control (C2) functionality that automatically
enlists them in an army of similar bots under the control of one or more C2 server operators. Trojan
installation is typically accomplished through social engineering and the exploitation of software
vulnerabilities. Existing botnets can also be commanded to add DDoS capabilities by downloading
additional DDoS tools or modules using the original bot's downloader functionality. DDoS bots
generally hide their presence and are controlled remotely over a network via Internet Relay Chat (IRC),
HTTP, or a proprietary protocol.
"Darkness" and BlackEnergy 2 are examples of fully-featured DDoS botnet kits. Operators use these
tools to create large botnets that are often sold as a commercial service to perform DDoS attacks for
hire, such as the GhostMarket.net service or the China-based IM DDoS service. A typical price for the
daily rental of 10,000 DDoS bots is between $100 and $300 USD, typically paid for via non-reversible
wire or cash transfer services or in virtual electronic currencies with real-world analogs or value. The
price may vary considerably based on the physical or logical location of the bots. Bots in the same
country as the target, or fewer network "hops" away from the target, are generally worth more to an
attacker because defenders may block traffic from entire countries or continents or use a
geographically distributed content delivery network. Price is also affected by the upstream bandwidth
available to each bot. A bot with a faster fiber-optic connection would be worth more than a bot on a
slower cable modem or ADSL line, for example.
An approach becoming more popular among cyber terrorists and activists who attack targets for
social or political motives is the voluntary installation of DDoS attack tools by supporters who
sympathize or mobilize around a particular cause. Often these tools can be operated by the individual
at the computer. Tools such as E-Jihad 3.0 and Low Orbit Ion Cannon (LOIC) provide state-of-the-art
DDoS capabilities combined with a user-friendly graphical user interface (GUI) for local configuration
and operation. Operational parameters such as the target list and attack types are coordinated out-of-band by an operational leader for the cyber attack, via posts to Internet forums, chat rooms or social
networking sites. The leader is often in the inner circle of the supporters for a cause or movement,
with his or her authority emerging from a consensus of supporters. These tools can also be configured to
voluntarily turn remote control over to an operational team under the direct command of a leader.
This all-volunteer botnet allows easy use of donated computers and bandwidth to attack targets in a
very coordinated fashion using centralized C2 (typically over IRC or HTTP) without further active
participation by supporters. There is also evidence of DDoS tools configured with remote control
enabled and installed on compromised hosts without the owner's permission, in the same fashion as
traditional DDoS bots such as BlackEnergy. DDoS tools designed for volunteer use are developed and
provided free of charge.
Some tools are designed for security assessments or testing DoS attacks. Packet injectors and tools
like hping and httping are often used by authorized testers, but they can be used for malicious
purposes and adapted to distributed attacks.

DDoS Activity Trends


Inasmuch as the Internet lives up to its promise as the great equalizer, the attackers and targets in
cyberspace are on a relatively level playing field. Instead of a few picketers at a physical location with
dozens of security guards, police, and supportive passers-by, there may be dozens or hundreds of
attackers controlling tens of thousands of sources attacking a single target. Both can be reduced to IP
(Internet Protocol) addresses with various amounts of bandwidth. The attackers have many sources
versus the target's single domain name and limited number of IP addresses. The physical and
geographical limitations on mobilization are also removed. These factors amplify the effectiveness of
asymmetric attacks.
Although hacktivists - attackers who choose a target to exact revenge, punish, or make a point related
to the target's role or stance in regards to certain social or political issues - make headlines, their
activity may not be as common as that of commercial DDoS botnet operators. Commercial DDoS
operators typically launch attacks that are as efficient and effective as possible against targets that
attract as little attention or compassion as possible. Commercial DDoS targets are not linked to any
hot-button issues and are often not the type of victim that makes headlines.
Hacktivist DDoS is the quintessential Internet-age manifestation of civil disorder. Today, however, the social
or political issues typically don't have to matter to a large part of the public in order to elicit a
significant disruptive response. In recent cases, websites with national visibility have been knocked
offline over issues as petty as bumper stickers. DDoS activity perpetrated by hacktivists is not new, and
it's always been a part of the Internet landscape. DDoS activity in general is following the same natural
growth curve as Internet adoption by the general public. Despite a public perception anecdotally
reinforced by attacks on Estonia, Lithuania, and Kyrgyzstan by large, self-mobilized, "cyber militias", the
severity of hacktivist activity seems to track the availability of Internet bandwidth. That is, there appears
to be nothing special about the current environment that has led to increased activity or adoption
trends compared to historical averages.
That said, attacks can be very different in motive and severity, even among different attacks on the
same target. What has "changed" in recent attacks is the degree of awareness - the level to which the
issues, the perpetrators, and the targets have become part of the public consciousness. When DDoS
attacks were launched in conjunction with a Russian military strike on the country of Georgia, cyber
warfare became front page news.

Attacker Motives and Goals


Because many organizations' primary websites are direct revenue generators, host a revenue-generating service, or provide a business portal, attacks targeting availability can have a direct impact
on an organization's financial bottom line. It is possible to measure the impact in concrete terms, and
the impact may be worse on businesses whose models are supported by low margin, high
transactional volume operations. Depending on the target and its network architecture, DDoS attacks
on web servers can overload networks that deliver essential services such as email and phone to other
revenue generating business units. Loss of revenue that is directly attributable to the attacker is the
desired effect of those who attempt to extort the targeted organization with the promise of stopping
the attacks. The extortionists commonly employ the services of commercial for-hire DDoS botnet
operators.
Less often, DDoS may be used as a tool by unscrupulous businesses to gain advantage by driving
business away from a competitor's site. While the competitor's service is unavailable, customers will
seek alternatives, perhaps driving business to the site operated by the party directing the DDoS attack.
This tactic is more common outside of mainstream industry verticals, among dubious or disreputable
players in online gaming and adult entertainment sites.

Because an organization's domain name and primary website are integral to its brand, attacks affecting
the website's availability can have significant effects on brand value, public perception, and reputation.
This damage may be more difficult to measure quantitatively.
Both revenue and reputation can be targets of DDoS attacks by hacktivists. It's often difficult to predict
what qualities about an organization's business attract the attention of a hacktivist group, and in some
cases, attack targeting is based on abstract linkages or erroneous attributions by the attackers. When
DDoS attackers take aim at each other, one side will often attempt to subvert the other's target list,
sometimes with innocent bystanders' IP addresses and domain names. Participants in a DDoS battle
might update their DNS with IP addresses of third-parties to deflect an attack. Other times, a
misunderstanding (easyDNS instead of EveryDNS) or a simple typographical error (".es" instead of ".se")
can result in an inadvertent attack on the wrong target.
Attacks can and often do cause collateral damage. An organization that has shared network, data
center, or server infrastructure with a target may also be affected. In the instance where a business
relies on cloud services, the shared resource architecture exposes the business to collateral damage
from DDoS attacks, and mitigation depends almost entirely on the cloud computing provider's
capabilities. From a business risk management perspective, a DDoS attack on critical-path cloud
services becomes a supply chain attack. An organization can be completely neutral and still become a
victim.

Don't Fail to Plan


It's impossible to completely defend against a determined and resourceful DDoS attacker. There is no
"silver bullet." However, best practices, modern controls, modern network service architectures, and
well-planned incident response can effectively mitigate large-scale DDoS attacks.
Perhaps because of the cost of acquiring and managing DDoS attack resources compared to the
return on investment, significant DDoS attacks happen to relatively few targets compared to attacks
that employ SQL injection (SQLi), remote file inclusion (RFI), client-side exploitation, and other
vulnerabilities. Certain factors such as brand awareness, public reputation, company size and valuation
may increase the chances that an organization will be targeted with a DDoS attack. However, some
factors are unpredictable and beyond the organization's control. Significant attacks are generally few
and far between, but organizations should not wait until they are attacked to develop an incident
response plan for DDoS attacks. Effective mitigating responses may require relatively specialized
planning and controls.
Many of the DDoS attack payloads have been studied for more than a decade. In that time, new attack
payloads have emerged that have been researched and directly combated. Leaders responsible for the
security posture of an organization in the face of DDoS attacks should be familiar with both the
traditional countermeasures and newer architectures that are more resilient to DDoS attacks.

Basic DDoS Preparation


Best practices in network architecture and deployment of controls are the place to start. Network
segmentation design that provides for proper placement and granular configuration of controls to
enforce ingress and egress policies for network traffic will mitigate the effects of flood attacks and
some amplification attacks. Organizations should evaluate the effectiveness of network layer controls
such as firewall policies and routing configurations in the context of specific DDoS conditions such as
SYN floods, UDP floods, ICMP backscatter and ping floods.

Appliances, tools, and services can be used to assess the performance of network devices, network
services and applications under load.
Network devices and system networking protocol stacks should be tested for performance under load.
The performance of network devices and host interfaces when handling fragmented, nonstandard (too
large or small, or irregularly structured) or specially crafted (unusual combinations of flags, options,
source or destination addresses or ports) packets and streams is often overlooked.
Load testing applications is an important part of the quality assurance phase of software engineering
lifecycles. Applications often fail before bandwidth is exhausted. Transactional integrity for databases
and graceful degradation of applications should be part of design requirements. This testing can be
critical to quick recovery by preventing attack-related corruption of data.
Because DDoS attacks have network vectors, organizations should discuss DDoS contingencies with
network and internetworking service providers, including those responsible for network peering and
upstream and downstream transit.

Basic Network Layer DDoS Countermeasures


The degree to which an organization depends on external providers for internetwork, data center
capacity, and server co-location or hosting infrastructure will have an effect on how much control it
has over implementing DDoS countermeasures. However, any organization should be aware of
common countermeasures.
Virtually all routers and common brands of managed switches incorporate basic access control lists
(ACLs) and rate-limiting technologies. Some devices offer anti-DDoS settings as an easily-applied bank
of settings or as a device profile.
Because popular TCP services must be exposed to public networks from which DDoS attacks might be
launched, SYN floods are still a popular and relatively effective attack method.
Many tools and bots default to a SYN flood attack type. At the very least, network architectures should
allow an organization to easily flip a (virtual) switch that enables "SYN cookies": specially chosen initial
sequence numbers in the server's SYN+ACK packets that the server checks when the client's final ACK
arrives to complete the connection. TCP already relies on sequence numbers to deliver data reliably and
in order, so SYN cookies are an easy, compatible, and simple way to use the initial sequence number to
mitigate the small to moderate SYN floods that commonly impact public-facing servers. Because they
carry a couple of minor technical drawbacks, SYN cookies are typically enabled only after an attack has
been detected.
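As an added example that is not from the paper (and a simplified scheme rather than any particular operating system's implementation), the following Python code shows what "checked by the server" means for SYN cookies: the server derives the initial sequence number for its SYN+ACK from a keyed hash of the connection's addresses and ports plus a coarse timestamp, stores nothing, and accepts the final ACK only if the acknowledged number verifies. The secret, the addresses and the bit layout are constructed assumptions.

```python
"""Simplified SYN cookies: server ISNs that can be verified without state.

Added example, not from the paper and not the Linux kernel's exact layout.
It follows the classic scheme: the server's initial sequence number (ISN)
in the SYN+ACK packs a coarse timestamp, the client's MSS and a keyed hash
of the connection 4-tuple, so nothing is stored for half-open connections
and a connection is only allocated when a valid final ACK arrives.
"""
import hashlib
import hmac

MSS_TABLE = (536, 1300, 1440, 1460)  # encodable MSS values (3-bit index)
HASH_MASK = (1 << 26) - 1            # the low 26 bits of the ISN carry the hash
SLOT_SECONDS = 64                    # timestamp granularity
MAX_AGE_SLOTS = 2                    # accept cookies up to ~2 minutes old
SEQ_MASK = 0xFFFFFFFF


def _keyed_hash(secret, saddr, daddr, sport, dport, slot):
    """HMAC over the 4-tuple and time slot, truncated to the hash field."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{slot}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def encode_mss(mss):
    """Index of the largest table entry not above `mss` (0 if mss is smaller)."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN+ACK, computed on every SYN without storing state.

    Layout: 3 bits time slot | 3 bits MSS index | 26 bits keyed hash, then
    added to the client's ISN so each connection gets a distinct value.
    """
    slot = now // SLOT_SECONDS
    cookie = ((slot & 7) << 29) | (encode_mss(mss) << 26)
    cookie |= _keyed_hash(secret, saddr, daddr, sport, dport, slot)
    return (client_isn + cookie) & SEQ_MASK


def check_syn_cookie(secret, saddr, daddr, sport, dport, seq, ack, now):
    """Validate the final ACK of a handshake the server kept no state for.

    `seq` and `ack` are the ACK packet's fields (client ISN + 1 and server
    ISN + 1). Returns the MSS to use on success, or None when the cookie is
    forged, expired or bound to a different 4-tuple, as with a spoofed
    source whose SYN+ACK never reached the real sender.
    """
    client_isn = (seq - 1) & SEQ_MASK
    cookie = (ack - 1 - client_isn) & SEQ_MASK
    slot_low, mss_idx = cookie >> 29, (cookie >> 26) & 7
    if mss_idx >= len(MSS_TABLE):
        return None
    received = cookie & HASH_MASK
    current = now // SLOT_SECONDS
    # Accept the current slot and a few older ones so slow clients still pass.
    for age in range(MAX_AGE_SLOTS + 1):
        slot = current - age
        if ((slot & 7) == slot_low and
                _keyed_hash(secret, saddr, daddr, sport, dport, slot) == received):
            return MSS_TABLE[mss_idx]
    return None


def demo():
    """One legitimate handshake and one forged ACK against the same server."""
    secret = b"constructed-per-boot-secret"  # constructed; rotate in practice
    saddr, daddr, sport, dport = "203.0.113.5", "192.0.2.10", 40000, 80
    client_isn, t0 = 123456, 10_000
    server_isn = make_syn_cookie(secret, saddr, daddr, sport, dport,
                                 client_isn, 1460, t0)
    # Real client: its ACK arrives 3 s later with seq = ISN+1, ack = server ISN+1.
    accepted = check_syn_cookie(secret, saddr, daddr, sport, dport,
                                client_isn + 1, server_isn + 1, t0 + 3)
    # Without the secret, a guessed ACK value fails the hash check, so the
    # flood of unanswered SYN+ACKs never costs the server a connection slot.
    forged = check_syn_cookie(secret, saddr, daddr, sport, dport,
                              client_isn + 1, server_isn + 7, t0 + 3)
    return accepted, forged


if __name__ == "__main__":
    print(demo())  # (1460, None)
```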
TCP Cookie Transactions (TCPCT) is a mechanism designed to combat SYN floods while overcoming
the drawbacks of SYN cookies. Its disadvantage is that both endpoints must support TCPCT, so it can
break interoperability with standard TCP networking implementations.
TCP connection splicing (also known as delayed binding) is also very useful in mitigating SYN flood
attacks. Upstream providers and "cleaning center" or "packet scrubbing" service providers may provide
services via a proxy or in the cloud that offers effective protections based on these and other
specialized network attack mitigation technologies.

Modern Network-based DDoS Countermeasures


Features supporting Quality of Service (QoS) standards can help manage network traffic under load
and DDoS conditions if they are properly configured, a task that may require manual tuning for a
particular environment.
Many providers offer bandwidth management solutions based on a variety of advanced protocols and
algorithms for bandwidth shaping, rate limiting, bandwidth reservation, scheduling, and congestion
avoidance. Hardware acceleration and ASIC-based (Application-Specific Integrated Circuit) systems
provide the performance that enables effective bandwidth management and DDoS mitigation via
specialized network Intrusion Prevention Systems (IPS) that detect patterns indicating attack traffic.
Rate-based IPS (RBIPS) and IPS operating based on statistical anomalies in traffic patterns (including
rate anomalies) are specialized controls with the hardware acceleration capabilities necessary to
provide effective DDoS countermeasures. General-purpose IPS systems do not typically possess the
processing power to be useful in combating DDoS attacks.
For large organizations with potential DDoS targets in critical business paths, globally distributed
network architectures, such as those built on a routing technique called "anycasting" that underpins
large content delivery networks (CDNs), offer a different type of mitigation strategy. However,
private CDNs can be difficult to implement and costly to manage. An organization may instead choose
to use a third-party CDN provider for distributed hosting of content and applications. Using CDN
technology, DDoS attacks are geographically constrained, diluting the impact on service in any given
part of the world. For example, globally distributed attack sources will have separate smaller, perhaps
insignificant, effects on several equally distributed website mirrors; or an attack originating from
sources distributed primarily within one specific country would only impact the website mirror serving
that particular part of the world.
Likewise, distributed DNS services can be used to mitigate the global availability impact of attacks on
DNS services that are essential in locating an organization's key public network services such as
websites and email gateways.
Hosting services in the cloud may allow an organization to easily distribute or change the IP addresses
and geographic areas in which services are hosted.
In the situation where DDoS targets, including DNS, are externally hosted, an organization may want to
consult with service providers regarding the availability of these types of advanced countermeasures.
Failure to coordinate plans and countermeasures with service providers exposes a business
organization to supply-chain attacks.

Blackholing and Sinkholing


Blackholing involves routing traffic destined for a particular target to a destination that either does not
exist or that has an interface that simply drops all network traffic. This technique can spare the target
of the attack from the effects of a direct onslaught, but unless blackholing is combined with other
actions, the target will be unavailable at its known name or IP address for the duration of the attack.
For targets resolved by hostname, organizations need to plan the blackholing process with registrars
and internal or external DNS service providers. Blackholing based on IP requires working with the
organization's Internet Service Provider (ISP) according to a process planned out in advance.

Sinkholing reroutes attack traffic to a destination where it can be analyzed. Sinkholes may reroute
known-good traffic, block traffic identified as malicious, and provide intelligence such as IP addresses
(if they are not spoofed) for source blocking by upstream network providers. Sinkholes are subject to
the effects of the volume of traffic redirected to them and may not operate effectively under large
scale attacks.
Upstream network providers and registrars may provide or partner with providers of specialized
blackholing, sinkholing services, and packet scrubbing services designed for large-scale DDoS attack
mitigation.

Limit Participation Liabilities


Organizations should protect themselves against liability from unwittingly participating in a DDoS
attack.
Utilize a modern antivirus product and monitor the alerts. Most antivirus solutions will flag tools used
by volunteer hacktivists and even authorized testers as "hacktools", security risks, or potentially
unwanted programs (PUPs). The reported names may not always match the DDoS tool in use. For
example, Low Orbit Ion Cannon (LOIC) is detected by Microsoft as "Oylecann.A".
Network traffic egress policies, ACLs on firewalls, centrally managed web proxies and content filtering
gateways, and network IDS/IPS may detect and prevent DDoS activity originating from an
organization's network, whether it occurs unwittingly through remote compromise or as the result of
employees or other authorized network users installing tools in violation of policies or in support of
hacktivist attacks.

Legal Recourse Issues


Under the United States criminal code, DDoS attacks may be classified as violations of the Computer
Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act of 1996. Either
violation can carry large fines or years of imprisonment. Under the United Kingdom's Police and
Justice Act 2006, denial-of-service attacks are specifically outlawed and violators may suffer a
maximum penalty of 10 years imprisonment. Other countries have similar laws. However, some issues
can make legal recourse slow, unlikely, or virtually impossible.
The availability and effectiveness of legal recourse depends on many factors. Criminal prosecution
depends on establishing jurisdiction, identifying which charges to pursue, identifying the key players
who would have the most deterrent effect, and - often the hardest part - collecting evidence that
concretely illustrates the elements of the crime and attributes the findings to the person charged in a
manner that the law recognizes and that will be admissible in court. Civil action might be preferred
because the damage is obvious and different rules of admissibility and burden of proof might apply.
The one recourse that must be off-limits is "hacking back," or adopting the same tactics as the
attackers. Although the legal landscape may be changing in that regard, currently such actions would
undermine the victim's grievances, lend an air of legitimacy to the attackers and justify the attacker's
methods, even among those who oppose their views. Retaliation erodes the support for a civilized and
orderly debate and treatment of the issues at hand. This legitimacy is especially relevant to recent
hacktivist attacks, which are primarily a battle of messaging regarding who is right when it comes to
interpreting - when two or more parties' rights are in conflict - where one party's rights end and the
other's rights begin.

In dealing with attacks across national and political borders, every legal system is different. Even where
the foundational legal doctrine is similar, case law and public trust issues will impact how, and even if,
some parties will be charged and successfully prosecuted. Jurisdiction is usually determined by the
place where the act was committed. This concept presumes that a criminal act is committed by some
person, so the location of that person usually decides jurisdiction. However, this is not always the case
with all crimes under all circumstances, and there may be different rules in play if the actual location is
indeterminate or - as with many cyber attacks - unclear under current legal notions of what defines a
"location" in cyberspace. Some legal systems may operate under additional stipulations, such as the
jurisdiction must take into account the location or nationality of the victim or complainant. These
factors are often major hurdles, even when criminal activity has been concretely linked to the suspect
individual or party. In some recent cases, political and diplomatic roadblocks will likely play a larger
role than in the past.
In the United States, there is a movement toward classifying some incidents under the military
definition of an attack and putting a framework in place where the military could be authorized to
launch a counter-attack and the President would be empowered to order U.S. networks isolated from
foreign attacks to protect critical national infrastructure. Banking and finance are a critical national
infrastructure sector as defined by the U.S. national Critical Infrastructure Protection (CIP) program
and are the most common targets of DDoS attacks. However, in recent cases, DDoS attacks focus on
distractions or media battles, and are not attacks primarily intended to destroy or deny the use of
critical infrastructure.
In the current threat landscape, law enforcement organizations are ultimately responsible for
enforcing laws related to digital crimes. Impacted organizations are ultimately responsible for their
security posture. Perpetrators of computer crimes are ultimately responsible for the consequences of
their actions.

DDoS Incident Planning Considerations and Responsibilities


DDoS attacks should be part of the standard table-top scenarios specifically addressed by any incident
response, crisis response, and business continuity plan. Successful attacks on common targets can
have an impact on multiple online business units, operations, risk management, marketing, and public
relations. Business owners and stakeholders need to be made aware of the consequences of DDoS
attacks and included in the planning process to ensure their interests are properly represented and
protected. Typically, an organization's CSO, CISO, or Risk Management officer will ultimately be
responsible for ensuring this representation happens, and in the event of an attack that significantly
impacts multiple business areas, will likely be the one ultimately held accountable for the outcome.

Recommendations for Business Leaders


DDoS attacks cannot be prevented, but organizations can become aware of the threat and work
proactively to establish countermeasures and incident response plans to mitigate and minimize the
potentially devastating impact of a determined and well-resourced attacker. Understanding the
adversary's tactics, techniques, and procedures (TTP) and the options available for mitigating the
effects of various TTP combinations is vital to establishing a strong security posture and planning an
effective response.

Learn More
Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology and
business solutions they trust and value. Recognized as an industry leader by top analysts, Dell
SecureWorks provides world-class information security services to help organizations of all sizes
protect their IT assets, comply with regulations and reduce security costs. For more information, visit
www.secureworks.com.

THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY AND MAY CONTAIN
TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS
PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.

Availability varies by country. © 2011 Dell Inc. All rights reserved.


Dell and the Dell logo, SecureWorks, Counter Threat Unit (CTU), iSensor, iScanner, Sherlock, Inspector and LogVault are either registered trademarks or service marks, or
other trademarks or service marks of Dell Inc. in the United States and in other countries. All other products and services mentioned are trademarks of their respective
companies. This document is for illustration or marketing purposes only and is not intended to modify or supplement any Dell specifications or warranties relating to these
products or services. February 2011.
