BlackRidge Defensive Behavior for Common Attack Scenarios

By John Hayes, CTO

BlackRidge products authenticate the first packet of a TCP session request before the session is allowed to be established, stopping the kill chain for both known and unknown attacks. BlackRidge addresses key stages of the attack chain, from stopping scanning and reconnaissance to preventing unauthorized access to systems. Because the first packet of a network session is authenticated, the identity behind the request is known before any access to network resources is granted, which provides unique and timely data to SIEM and analytics systems. The following paragraphs describe some common attack types and how BlackRidge blocks or defends against them.

Management and Control Plane Attacks

Management networks and control planes are used to provision, manage and monitor networks and security systems and their component devices, such as routers and firewalls. Management networks perform similar functions for servers and storage. These management networks are exposed to the same advanced threats and attacks as business systems, and SDN will increase that exposure. This foundation of IT must remain under IT control and stay trusted and available during an attack, so that the attack sources can be identified and the attacks themselves mitigated. BlackRidge Transport Access Control (TAC) can be used to authenticate and authorize access to these control networks and systems while stopping port scanning and network reconnaissance, effectively cloaking them. Additionally, both authorized access and unauthorized attempts, together with the associated identity where one is present, are logged to SIEM or analytics systems, enabling near real-time behavioral monitoring and forensic analysis. This is especially useful for monitoring privileged users and accounts.

Network Scanning and Enumeration

BlackRidge protects against network enumeration, network reconnaissance and port scanning by using non-interactive authentication and responding only when a presented identity is authenticated and authorized; a probe that carries no identity, or an invalid one, receives no response at all. BlackRidge specifically protects against SYN scans. BlackRidge can also redirect unidentified or unauthorized traffic to alternate networks or resources, such as a honeynet. Since network scanning and reconnaissance are often part of a security regime, BlackRidge can allow them from an authenticated, authorized identity while blocking scans from unidentified or unauthorized users and devices.

DDoS and Brute Force Attacks

BlackRidge protects resources from DDoS attacks originating from unidentified and unauthorized identities while continuing to allow access from authorized identities. BlackRidge products are designed to operate at line rate even while under continuous DDoS and brute force attack. BlackRidge protects directly against specific exhaustion attacks such as SYN and RST flooding, and also against brute force application-layer attacks by unidentified or unauthorized users, since those sessions are never established.

Lateral Movement and Malware Attacks

BlackRidge protects against the lateral movement of malware by segmenting the network into enclaves that require an authorized identity to enter or leave. Enclave boundaries can be drawn independently of the network infrastructure, so users on a shared VLAN or subnet can be given different authorities based on their identity. Network segmentation is one of the most common BlackRidge deployments. BlackRidge also protects users from phishing attacks when all network resources are protected by TAC: in addition to First Packet Authentication, TAC provides mutual authentication, so the protected resource is authenticated to the requestor as well as the requestor to the resource. When only protected resources can be reached, each resource must prove its identity to the requestor, and a spoofed resource that cannot pass mutual authentication is rejected. Mutual authentication is not available for unprotected resources, which therefore remain vulnerable to phishing attacks.
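The following simulation, added here as an illustration and not BlackRidge code, shows the decision a first-packet gateway makes from the SYN alone (the Network Scanning and Enumeration section) and the mutual authentication step described above. The token format, HMAC keys, identity names, ports, honeynet address, replay window and SIEM event layout are all assumptions constructed for the example; BlackRidge's actual token and policy formats are not described on this page. A SYN with no identity (a plain nmap -sS probe) or with a forged or stale token is dropped with no reply, an authenticated identity that is not authorized for the port is redirected to the honeynet, and an allowed session receives a reply the requester can verify against the gateway it trusts.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: keys, identities, policy and addresses.
GATEWAY_ID = "enclave-gw-1"
GATEWAY_KEY = b"gateway-secret-constructed"
IDENTITY_KEYS = {
    "alice-laptop": b"alice-secret-constructed",
    "secops-scanner": b"scanner-secret-constructed",
}
# Protected ports each identity may open a session to (assumed policy).
POLICY = {
    "alice-laptop": {443},
    "secops-scanner": {22, 443, 8443},   # an authorized scanner
}
HONEYNET = "10.99.0.1"   # assumed redirect target for unauthorized traffic
TOKEN_LEN = 16           # assumed token size carried in the first packet
MAX_SKEW = 30            # assumed validity window in seconds


def _mac(key: bytes, msg: str) -> bytes:
    """Truncated HMAC-SHA256 used for both requester and gateway tokens."""
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()[:TOKEN_LEN]


def make_token(identity: str, key: bytes, dst_port: int, ts: int) -> bytes:
    """Requester token binds identity, destination port and a timestamp."""
    return _mac(key, f"{identity}|{dst_port}|{ts}")


@dataclass(frozen=True)
class Syn:
    """Model of a TCP SYN. identity is None for a plain SYN such as an nmap -sS probe."""
    src: str
    dst_port: int
    identity: Optional[str] = None
    ts: int = 0
    token: bytes = b""


def build_syn(identity: str, src: str, dst_port: int, ts: int) -> Syn:
    return Syn(src, dst_port, identity, ts,
               make_token(identity, IDENTITY_KEYS[identity], dst_port, ts))


@dataclass(frozen=True)
class SynAck:
    """Gateway reply; gw_token lets the requester authenticate the resource."""
    gw_id: str
    gw_token: bytes


def gateway_token(gw_id: str, key: bytes, syn: Syn) -> bytes:
    """Binds the gateway identity to this exact request so a reply cannot be replayed."""
    return _mac(key, f"{gw_id}|{syn.identity}|{syn.ts}|{syn.token.hex()}")


class Gateway:
    def __init__(self) -> None:
        self.seen = set()   # accepted (identity, ts, token) tuples: blocks replays
        self.siem = []      # events exported to SIEM/analytics

    def _log(self, outcome: str, syn: Syn) -> None:
        self.siem.append({"outcome": outcome, "src": syn.src,
                          "dst_port": syn.dst_port, "identity": syn.identity})

    def handle_first_packet(self, syn: Syn, now: int):
        """Decide from the first packet alone. Returns (action, payload):
        ("DROP", None)          no response, so a scanner learns nothing
        ("REDIRECT", HONEYNET)  authenticated but not authorized for this port
        ("ALLOW", SynAck)       session proceeds; reply carries the gateway token
        """
        if syn.identity is None:
            self._log("unidentified", syn)
            return "DROP", None
        key = IDENTITY_KEYS.get(syn.identity)
        if key is None or abs(now - syn.ts) > MAX_SKEW:
            self._log("auth_failed", syn)
            return "DROP", None
        expected = make_token(syn.identity, key, syn.dst_port, syn.ts)
        if not hmac.compare_digest(expected, syn.token):
            self._log("auth_failed", syn)
            return "DROP", None
        replay_key = (syn.identity, syn.ts, syn.token)
        if replay_key in self.seen:
            self._log("replay", syn)
            return "DROP", None
        self.seen.add(replay_key)
        if syn.dst_port not in POLICY.get(syn.identity, set()):
            self._log("unauthorized", syn)
            return "REDIRECT", HONEYNET
        self._log("allowed", syn)
        return "ALLOW", SynAck(GATEWAY_ID, gateway_token(GATEWAY_ID, GATEWAY_KEY, syn))


def verify_resource(syn: Syn, reply: SynAck, trusted_gateways: dict) -> bool:
    """Requester side of mutual authentication: accept only a gateway it trusts."""
    key = trusted_gateways.get(reply.gw_id)
    if key is None:
        return False
    return hmac.compare_digest(gateway_token(reply.gw_id, key, syn), reply.gw_token)


if __name__ == "__main__":
    gw, now = Gateway(), 1_700_000_000
    print(gw.handle_first_packet(Syn("198.51.100.7", 22), now))      # plain scan: DROP
    syn = build_syn("alice-laptop", "10.1.1.5", 443, now)
    action, reply = gw.handle_first_packet(syn, now)
    print(action, verify_resource(syn, reply, {GATEWAY_ID: GATEWAY_KEY}))
    for event in gw.siem:
        print(event)
```

The point to notice is the asymmetry of the responses: every failure path returns without sending anything, so an unidentified scanner cannot distinguish a protected port from a filtered one, while every decision, successful or not, is recorded with the identity that was presented, which is the attribution data the page says is fed to SIEM and analytics systems.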


In summary, BlackRidge TAC protects against a range of threats and attacks, is interoperable with network and security equipment from multiple vendors, provides centralized or distributed policy, supports and spans multiple simultaneous administrative domains, and provides strong, authenticable identity and attribution in all deployments.