We’ve released Imperva Incapsula IP Protection, and the results of our beta program are clear. This unique service is an ideal solution for DDoS protection scenarios that were previously underserved or not served at all.
In this post, we write about the first of these scenarios: blocking sneaky direct-to-origin attacks. We’ll assess how IP Protection completes your DDoS security strategy and protects your entire infrastructure against these attacks.
What Is a Direct-to-origin Attack?
Cloud-based solutions are ideally suited to protect networks that are spread across multiple clouds and physical data centers. Like you, many organizations have turned to CDN-based platforms to protect their web assets against DDoS and OWASP top 10 attacks. But many of these CDN-based solutions are still vulnerable to a determined attacker.
To recap briefly, when you configure a site on a CDN-based web security platform, you make DNS changes to point all web traffic to the CDN IP (or CNAME)—the CDN then acts as an HTTP/S proxy for all your web traffic. Unfortunately, this proxy only handles HTTP/S and cannot front your other services. So your FTP, SMTP, MX, and basically all other non-web DNS records remain pointed at your origin—and remain vulnerable to attack.
A sophisticated attacker can quickly run a DNS lookup (dig) to uncover your origin IPs and launch a DDoS attack directly at them. Changing your firewall rules will not block the attack: a network-layer attack such as a UDP flood saturates your pipes, or even takes down your ISP, so the attack traffic never reaches your firewall.
While these types of attacks are less common than website attacks, they still happen. In fact, CERT has warned that the Armada Collective is back, and is advising organizations to protect their infrastructure as well as their websites.
What Are My Options?
So, what steps should you take to protect your infrastructure?
First, always switch to new IP addresses before onboarding the CDN-based DDoS service. This reduces the likelihood of an attack, but it isn’t foolproof: uncovering the origin IP can still be as simple as looking up the DNS records of your non-HTTP/S services.
One way to minimize direct-to-origin DDoS attacks is to use a completely different set of IPs for web services than for all other services, preferably from completely separate Class C ranges. However, if both web and non-web services reside on the same infrastructure and use the same network drops, the issue remains: attackers can target the IPs of the non-web services and take down the entire infrastructure.
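The two checks above (are origin IPs visible in your public non-web DNS records, and do those records share a /24 with the hidden web origin?) can be audited from a copy of your own zone. The script below is an added example, not code from the Incapsula post or its documentation. It reads records in the form that `dig +noall +answer` prints, but the records, the origin-owned prefixes and the web origin IP are constructed placeholders from the RFC 5737 documentation ranges; in practice you would substitute your own zone and address plan.

```shell
#!/bin/sh
# Added example (not from the Incapsula post): audit a zone's public records for
# origin exposure. Input is in the "name TTL IN TYPE data" form that
# `dig +noall +answer` prints; SAMPLE_RECORDS is constructed for a fictional zone.
SAMPLE_RECORDS='www.example.test.  300 IN A    198.51.100.20
example.test.      300 IN A    198.51.100.20
example.test.      300 IN MX   10 mail.example.test.
mail.example.test. 300 IN A    203.0.113.7
ftp.example.test.  300 IN A    203.0.113.8
vpn.example.test.  300 IN A    192.0.2.9
example.test.      300 IN TXT  "v=spf1 ip4:203.0.113.7 -all"'

# Assumed (placeholder) address plan: the /24s the organization owns at its origin,
# and the real web server IP that sits hidden behind the CDN.
ORIGIN_PREFIXES="203.0.113 192.0.2"
ORIGIN_WEB_IP="203.0.113.20"

# prefix24 IP -> the first three octets, i.e. the /24 the address belongs to
prefix24() { printf '%s\n' "$1" | cut -d. -f1-3; }

# in_list ITEM LIST -> status 0 if ITEM is one of the space-separated LIST entries
in_list() {
  for p in $2; do [ "$p" = "$1" ] && return 0; done
  return 1
}

# extract_ips RECORDS -> every dotted quad in the records (A data, SPF ip4: tokens, ...)
extract_ips() {
  printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# leaked_ips RECORDS -> distinct published IPs that fall inside an origin-owned /24.
# CDN addresses are not origin-owned, so they are skipped.
leaked_ips() {
  extract_ips "$1" | sort -u | while read -r ip; do
    if in_list "$(prefix24 "$ip")" "$ORIGIN_PREFIXES"; then printf '%s\n' "$ip"; fi
  done
}

# same_range_as_web RECORDS -> leaked IPs that share a /24 with the hidden web origin,
# i.e. non-web services that would drag the web origin down with them.
same_range_as_web() {
  web=$(prefix24 "$ORIGIN_WEB_IP")
  leaked_ips "$1" | while read -r ip; do
    if [ "$(prefix24 "$ip")" = "$web" ]; then printf '%s\n' "$ip"; fi
  done
}

echo "Origin IPs visible in public DNS:"
leaked_ips "$SAMPLE_RECORDS"
echo "Of those, sharing a /24 with the web origin $ORIGIN_WEB_IP:"
same_range_as_web "$SAMPLE_RECORDS"
```

With the constructed zone the first check reports 192.0.2.9, 203.0.113.7 and 203.0.113.8 (the mail, FTP and VPN hosts, plus the SPF record repeating the mail IP), and the second narrows that to the two hosts in 203.0.113.0/24, which violate the separate-range recommendation. To run it against a live zone, replace SAMPLE_RECORDS with the output of `dig` for each record type you publish.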
Another option is activating an on-demand infrastructure (BGP) DDoS protection service when under attack. In this case a provider advertises your prefixes during an attack, mitigating it upstream. If you own an entire Class C IP range, have equipment that supports BGP, and have a capable networking team, this could be a viable option.
The third infrastructure protection option is to use a proxy-based solution to protect against direct-to-origin attacks. A proxy-based service acts as a TCP/UDP proxy and mitigates network-layer DDoS attacks against the infrastructure. But this option introduces two issues—besides passing all your traffic through another hop and adding latency, it completely hides source IP addresses. As a result, firewalls are ineffective, since the only source IP they see is the proxy’s. Also, many applications cannot function if they can’t see the real source IP address.
There is now a fourth option. Adding protection for single IPs to a web protection service allows you to completely hide the origin IP address, without adding any significant latency or altering packets (and source IP addresses) in any way.
How Does IP Protection Work?
As part of the setup process, we provide you an IP address from one of our ranges. You then advertise the Incapsula IP to all users by pointing all services to the assigned IP address.
Your infrastructure IP addresses are now hidden, and a DNS lookup will only show the protected IP address provided by Incapsula.
Clean traffic is routed to the origin and back via a GRE tunnel established between the Incapsula network and your origin. The tunnel can be terminated on any kind of equipment that supports GRE tunneling, including routers, firewalls and even Linux servers.
When implementing IP Protection, you should expect to take the following steps:
- acquire a new set of origin IPs
- establish GRE tunnels to those IPs
- switch your DNS records to point to the Incapsula IP
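For the Linux-server case mentioned above, the following script shows what terminating the GRE tunnel on the origin looks like. It is an added example, not Incapsula's setup procedure or code: the tunnel endpoints, inner tunnel addresses and protected IP are constructed placeholders from the RFC 5737 ranges, the `table 100` policy-routing table number and the 1476-byte MTU are assumptions (GRE adds 24 bytes of overhead to a 1500-byte path), and the iptables rules assume iptables is installed. The policy-routing and firewall steps are the parts a practitioner most often gets wrong: replies from the protected IP must go back through the tunnel rather than the origin's default gateway, and the origin should accept GRE only from the provider's endpoint.

```shell
#!/bin/sh
# Added example (not from the Incapsula post or its documentation): bring up a GRE
# tunnel on a Linux origin and route traffic sourced from the protected IP back
# through it. All addresses are constructed placeholders; your provider supplies
# the real tunnel endpoints, inner addresses and protected IP.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (needs root).
DRY_RUN="${DRY_RUN:-1}"

# run CMD... -> print the command in dry-run mode, otherwise execute it
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# gre_up IFACE LOCAL_IP REMOTE_IP TUN_ADDR_CIDR TUN_PEER PROTECTED_IP
#   IFACE          tunnel interface to create (e.g. gre1)
#   LOCAL_IP       the origin's real public IP that terminates the tunnel
#   REMOTE_IP      the provider's tunnel endpoint
#   TUN_ADDR_CIDR  inner address on our side of the tunnel (e.g. 10.255.0.2/30)
#   TUN_PEER       inner address on the provider's side (e.g. 10.255.0.1)
#   PROTECTED_IP   the provider-assigned IP that users connect to
gre_up() {
  iface=$1; local_ip=$2; remote_ip=$3; tun_cidr=$4; tun_peer=$5; protected=$6

  # 1. Accept GRE (IP protocol 47) only from the provider's endpoint, so an
  #    attacker who does discover LOCAL_IP cannot inject traffic into the tunnel.
  run iptables -A INPUT -p gre -s "$remote_ip" -j ACCEPT
  run iptables -A INPUT -p gre -j DROP

  # 2. Create the tunnel and give it its inner address. ttl 255 keeps outer
  #    packets from expiring on long paths; the MTU (assumed) leaves room for the
  #    GRE header on a 1500-byte path.
  run ip tunnel add "$iface" mode gre local "$local_ip" remote "$remote_ip" ttl 255
  run ip addr add "$tun_cidr" dev "$iface"
  run ip link set "$iface" mtu 1476 up

  # 3. Bind the protected IP locally so services can listen on it.
  run ip addr add "$protected/32" dev lo

  # 4. Policy routing (table number assumed): replies sourced from the protected
  #    IP must leave via the tunnel, not the origin's default gateway, otherwise
  #    the provider never sees them and the return path bypasses the protection.
  run ip route add default via "$tun_peer" dev "$iface" table 100
  run ip rule add from "$protected/32" table 100

  # 5. Clamp TCP MSS on traffic leaving through the tunnel so inner packets fit
  #    the smaller tunnel MTU instead of relying on path MTU discovery.
  run iptables -t mangle -A OUTPUT -o "$iface" -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu
}

# Usage with placeholder addresses (dry run by default, prints the sequence):
gre_up gre1 203.0.113.20 198.51.100.1 10.255.0.2/30 10.255.0.1 192.0.2.50
```

Once the tunnel is up, a quick check is `ping -I <TUN_ADDR> <TUN_PEER>` for the inner path and `ip route get <any Internet IP> from <PROTECTED_IP>` to confirm that traffic sourced from the protected address is routed via the tunnel interface rather than your ISP gateway.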
Incapsula leverages its global network to support IP Protection, offering worldwide coverage with minimal latency.
Several different new patent-pending technologies have been developed specifically to support this new service, some of which we will discuss in future blog posts.