What is DDoS
DDoS stands for “Distributed Denial of Service.” A DDoS attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet.
Unlike a Denial of Service (DoS) attack, in which one computer and one internet connection is used to flood targeted resource with packets, a DDoS attack uses many computers and many Internet connections, often distributed globally in what is referred to as a botnet.
“[03:06:45] what.cd is now being under DDoS attack until I get my invite.
[03:06:51] attack is set to 48hours, be back later I hope I’ll have my invite.
[03:07:15] yeah I want my account backj
[03:07:32] or what.cd will die”
– Quoted from IRC chat-room.
The DDoS attack that followed successfully brought down What.cd, PassThePopcorn.me (PTP), Broadcasthe.net (BTN), HDBits and several other websites.
Anti-DDoS protection techniques
Broadly, there are 3 types of DDoS attacks, each with its own unique protection strategy and tools:
Volume Based Attacks
Incapsula’s global scrubbing center network scales on demand to absorb multi-gigabyte DDoS attacks. This is often known as DDoS deflation.
Incapsula mitigates protocol attacks by blocking “bad” traffic before it reaches your site. Incapsula does this by differentiating between malicious or automated clients and legitimate website visitors (human or bot).
Application Layer Attacks
Incapsula constantly monitors the behavior of your site visitors, blocks known bad bots, and challenges unrecognized visitor with JS test, cookie challenge, or even CAPTCHAs.
Documented Live DDoS Attack
DDoS attacks attempt to overwhelm the server/firewall by flooding it a high volume of seemingly legitimate requests.
Traditional firewalls are hard-pressed to effectively block DDoS attacks, often themselves becoming the bottleneck for requests, and making the attack worse instead of alleviating it. Some weaknesses of traditional firewalls can be mitigated by simply adapting network topography. For example, according to recent market research (Computerworld), DDoS attacks are often exacerbated by traditional firewall and intrusion prevention systems (IPS), when these are deployed in front of servers.
But even optimum firewall deployment and configuration cannot eliminate DDoS damage, especially in application layer attack scenarios.
Web application firewalls, which can intelligently weed out bad requests, are an effective and economical alternative to protect against DDoS attacks. Web application firewalls, often deployed in the Cloud, respond to suspicious application requests by sending a cookie or other response – ensuring the user is real and the request valid, before allowing access into the system.
Anti-DDoS software solutions
Anti-DDoS software runs over existing hardware, analyzing and filtering out malicious traffic. As a rule, Anti-DDoS software is more cost-effective and simpler to manage than hardware-based solutions. However, software and script solutions can only offer partial protection from DDoS attacks, are prone to false-positives, and will not help mitigate volume-based DDoS attacks. Locally-installed software may be more easily overwhelmed than appliance or Cloud-based solutions.
Anti-DDoS hardware solutions
DDoS hardware is a physical layer of between potential attackers and your network. Although DDoS hardware can protect from certain types of attacks – other types, like DNS attacks, are not influenced at all by hardware, as the damage is done well in front of it.
Hardware protection, as a rule, is an expensive proposition. In addition to the CapEx of the hardware itself, there is the significant OpEx of the skilled manpower required to maintain, house, and run the equipment. And equipment depreciation, not to mention recurring costs like upgrades, also cut into hardware ROI.
One common method of mitigating the risks of a DDoS attack involves contracting with a DDoS-ready hosting provider, that already has available the expensive equipment necessary to absorb bad traffic in the event of a DDoS attack. However, Anti-DDoS is limited in efficacy and significantly more costly than traditional hosting.
Within the Anti-DDoS hosting ecosphere, there are generally two options available to web site owners – renting and dedicated Anti-DDoS hosting solutions. Dedicated hosting options tends to be very costly, and not flexible/scalable. Whereas renting both costly and limited by the total capacity of the hosting provider, and the specific capacity of the hosting plan.
However, neither renting nor dedicated Anti-DDoS hosting provides intelligent application layer DDoS mitigation. Moreover, Anti-DDoS hosting is less cost-effective than other options, because absorbing DDoS traffic comes at a cost and without smart behavior/signature based identification in place, you’ll pay this cost in full . In typical Anti-DDoS hosting scenario, website owners pay on an ongoing basis for bandwidth used to absorb a potential attack – even if no such attack is ongoing. A more cost-effective, flexible, intelligent, and proactive choice would identify attacks, and scale to meet the challenge on-demand.
Incapsula cloud-based anti DDoS services
Incapsula’s unique cloud-based DDoS protection services are rapidly deployed with no clumsy hardware or software installation or costly, resource-sapping ongoing maintenance. Incapsula delivers anti DDoS services that protect against all types of DDoS attacks, absorbing even multi-gigabyte attacks.
Incapsula addresses each of the three primary types of DDoS attacks with a unique strategy and powerful toolset, comprehensively yet seamlessly protecting web sites against:
Volume Based AttacksIncapsula’s global scrubbing center network scales on demand to absorb multi-gigabyte DDoS attacks. This is often known as DDoS deflation.
Protocol AttacksIncapsula mitigates protocol attacks by blocking “bad” traffic before it reaches your site. Incapsula does this by differentiating between malicious or automated clients and legitimate website visitors (human or bot).
Application Layer AttacksIncapsula constantly monitors the behavior of your site visitors, blocks known bad bots, and challenges unrecognized visitor with JS test, cookie challenge, or even CAPTCHAs.
In any of these scenarios, Incapsula DDoS mitigation is applied outside your network. This means that only filtered traffic reaches your hosts, in any event – protecting your investment in hardware, software, and network infrastructure while ensuring business continuity. Incapsula’s extensive DDoS threat knowledge base includes new and emerging attack methods, and is constantly-updated, drawing on information aggregated from across our network. Thus, Incapsula identifies new threats as they emerge, detects malicious users, and applies remedies in real-time across all our protected websites.