You’ve got a web application firewall (WAF) and a content delivery network (CDN) with DDoS scrubbing capabilities to protect your website from DDoS attacks. You’re probably thinking that your site is well protected. And with respect to the majority of DDoS attacks, chances are you’re right. But what you might not realize is that the identity of your website may still be exposed to ruthless DDoS hitmen.
Even the Witness Protection Program Isn’t Foolproof
Protecting your website from DDoS attacks with a cloud-based WAF service is comparable in many ways to entering the witness protection program. As you can see, we are fans of the classic TV show Sopranos at the office and are taking the opportunity to use the world of Sopranos to illustrate the analogy. Say you’re running from the mafia, and the FBI set you up in a sweet cabin in the woods with a PO Box. They give you a new identity and put your new name on the door. Your relatives know how to reach you, and you even have a security guard on duty 24×7 examining all incoming packages and letters, letting only the good stuff through.
Your new home in the woods is similar to what happens to your website when you subscribe to a CDN + WAF service. Your website gets a new CNAME (i.e. identity) which serves as your PO Box. Your visitors and users (i.e. relatives) know how to find you through a simple DNS redirection, while your incoming traffic is inspected and scrubbed by the WAF and DDoS mitigation components (i.e. security guard) before it ever reaches your website. All potentially harmful traffic is dropped and only the friendly traffic is allowed to pass through.
This seems like the perfect setup, right? However it isn’t foolproof. That’s because in certain cases the true IP address of your origin server can still be found by attackers, who can use it to bypass your security measures and attack your origin directly. Consider, for example, the fairly common scenario where your HTTP and non-HTTP (e.g. SMTP, FTP) services reside on the same server. Since the CDN only handles HTTP/HTTPS traffic, all non-HTTP based protocols bypass the CDN-WAF service by directly sending your IP to clients (users). This means that all the attacker needs to do to get your web server’s IP is to perform a simple DNS lookup on the non-HTTP service. In the case of SMTP traffic, the metadata for each email includes the server IP. This leaves the door wide open for a targeted, direct-to-origin DDoS attack.
This is the equivalent of sending a postcard from your hidden cabin with your exact location stamped on the back. While this may sound like a careless thing to do, this is exactly what’s happening with your IP address when non-HTTP services, such as email or FTP, are being used on your domain.
Hide Your IP Address with Incapsula IP Protection
Incapsula IP Protection is a unique service that eliminates the threat of exposing your IP to wily DDoS attackers, providing always-on origin protection for websites serving non-HTTP traffic.
Here’s how it works. Subscribers to this service are assigned a new protected IP address from the Incapsula network IP range. A GRE tunnel is established between the origin server and the Incapsula network, so that your true IP address is only known to you and Incapsula. You then advertise the new IP address to your users through a simple DNS change that points all services to the new protected IP address.
Incapsula anycasts this new IP from its global network (29 data centers worldwide), enabling users to be served from the closest data center. This gives you the added benefits of reduced latency and enhanced redundancy. From this point on, all traffic routed to this new IP is scrubbed by Incapsula for any network-level DDoS attacks, and only clean traffic is forwarded through the GRE tunnel to your server.
With this complete 24/7 solution in place, organizations avoid the costs and effort of maintaining a NOC team for traffic monitoring and rerouting when under DDoS attack. IP Protection supports any network protocol and can be combined with other Incapsula services, such as Name Server Protection, WAF or Infrastructure Protection.
Here’s a look at what the traffic flow and redirection looks like before and after IP Protection is in place. In the first image the origin server is still visible.
After IP Protection is in place, all origin servers are hidden behind the Incapsula cloud.
IP Protection Use Cases
The use case described above is relevant for customers already using the Incapsula Website DDoS Protection service who would like to also protect their servers against direct-to-origin attacks.
Some other typical use cases for IP Protection include:
- Organizations without a C-Class range (no BGP capabilities) that wish to protect origin servers such as online gaming companies or Bitcoin/forex companies that use their propriety non-HTTP protocols
- Organizations that are using cloud setups, such as Amazon AWS instances, and want to protect non-HTTP/S-based or DNS-based assets, including chat servers, MX servers, FTP servers, and other cloud-based applications.
- Organizations already using the Incapsula on-demand Infrastructure Protection service that would like to strengthen protection around a few specific critical assets in always-on mode
We’ll write about these use cases in future blog posts.
Have any questions about using IP Protection? Please leave me a comment.