Anti-DDoS protection


What is DDoS

DDoS stands for “Distributed Denial of Service.” A DDoS attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet.

Unlike a Denial of Service (DoS) attack, in which one computer and one internet connection are used to flood targeted resources with packets, a DDoS attack uses many computers and many Internet connections, often distributed globally in what is referred to as a botnet.

Anti-DDoS Protection Techniques

There are 3 main types of DDoS attacks, each with its own unique protection strategy and tools:

Volume Based Attacks

Volume-based attacks generate a large volume of network-level requests, overwhelming network equipment or servers. These can include UDP floods, ICMP floods, and other attacks with spoofed network packets.

To protect against volume-based attacks, anti-DDoS providers perform large-scale “scrubbing”, using cloud servers to inspect traffic, discard malicious requests and let legitimate ones through. This approach can deal with massive, multi-gigabyte DDoS attacks. This is also known as DDoS deflation.

Protocol Attacks

Protocol attacks generate requests that leverage weaknesses in network protocols. These include SYN floods, fragmented packets, and the Ping of Death.

To protect against protocol attacks, anti-DDoS tools block bad traffic before it reaches your site. Advanced solutions analyze traffic and differentiate legitimate users from malicious, automated clients and bots.

Application Layer Attacks

In an application layer attack, attackers generate a large number of requests to web applications or other software applications, which appear to come from legitimate users. These include GET/POST floods, low-and-slow attacks, or specific attacks against Apache or Windows vulnerabilities.

To protect against application-layer attacks, anti-DDoS systems monitor the behavior of site visitors, block bad bots responsible for application-layer attacks, and challenge unrecognized visitors using multiple mechanisms, such as JavaScript tests, cookie challenges, and CAPTCHAs.
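As an added illustration (not Imperva's code and not from the original page), the following Python sketch combines the two application-layer mechanisms named above as an edge proxy would run them: a per-client sliding-window request counter and an HMAC-signed cookie challenge that a real browser passes once and a cookie-less flood client never does. The secret, the thresholds and the client addresses are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Assumptions for the example: a per-deployment secret, a 300 s cookie lifetime
# and a threshold of 20 requests per 10 s sliding window per client address.
SECRET = b"constructed-demo-secret"
COOKIE_TTL = 300
RATE_LIMIT = 20
WINDOW = 10.0

def _tag(client_ip, expires):
    # Bind the cookie to the client address so it cannot be replayed from elsewhere.
    msg = f"{client_ip}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_challenge_cookie(client_ip, now):
    """Cookie set on an unrecognised visitor, formatted as '<expiry>.<hmac>'."""
    expires = int(now) + COOKIE_TTL
    return f"{expires}.{_tag(client_ip, expires)}"

def cookie_is_valid(cookie, client_ip, now):
    """True only if the cookie is well-formed, unexpired and its HMAC tag matches."""
    try:
        expires_s, tag = cookie.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if expires < now:
        return False
    return hmac.compare_digest(tag, _tag(client_ip, expires))

class EdgeFilter:  # per-client sliding-window counter plus cookie check
    def __init__(self):
        self.hits = defaultdict(deque)

    def decide(self, client_ip, cookie, now):
        window = self.hits[client_ip]
        window.append(now)
        while window and now - window[0] > WINDOW:
            window.popleft()  # forget requests that fell out of the sliding window
        if cookie and cookie_is_valid(cookie, client_ip, now):
            return "allow"      # visitor already passed the cookie challenge
        if len(window) > RATE_LIMIT:
            return "block"      # keeps hammering without ever solving the challenge
        return "challenge"      # answer with Set-Cookie and ask the client to retry

def simulate(events):
    # events: constructed (timestamp, client_ip, cookie_or_None) records
    edge = EdgeFilter()
    return [edge.decide(ip, cookie, ts) for ts, ip, cookie in events]
```

A production edge would also rate-limit cookie holders and rotate the secret; the sketch only shows why stateless flood clients end up blocked while a browser that keeps the cookie is let through.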

Anti-DDoS Software Solutions

Anti-DDoS software runs on existing hardware, analyzing and filtering out malicious traffic. As a rule, anti-DDoS software is more cost-effective and simpler to manage than hardware-based solutions.

However, software and script-based solutions offer only partial protection from DDoS attacks, are prone to false positives, and will not help mitigate volume-based DDoS attacks. Locally installed software is more easily overwhelmed than appliances or cloud-based solutions, which are much more scalable in the face of large attacks.

Anti-DDoS Firewall

DDoS attacks attempt to overwhelm the server/firewall by flooding it with a high volume of seemingly legitimate requests.

Traditional firewalls are hard-pressed to block DDoS attacks effectively; they often become the bottleneck themselves under the massive volume of requests, making the attack worse.

Some weaknesses of traditional firewalls can be mitigated by adapting the network topology and optimizing the deployment and configuration of firewalls and intrusion prevention/detection systems (IPS/IDS). But even optimal firewall deployment and configuration cannot eliminate DDoS damage, especially in application layer attack scenarios.

Web application firewalls (WAFs), which can intelligently weed out bad requests, can act as an anti-DDoS firewall and are an effective and economical alternative for DDoS protection. WAFs, often deployed in the cloud, respond to suspicious application requests by sending a cookie or other challenge, ensuring the user is real and the request is valid before allowing access to the system.

Anti-DDoS Hardware Solutions

Anti-DDoS hardware is a physical layer of protection between potential attackers and your network. Although anti-DDoS hardware can protect against certain types of attacks, other types, like DNS attacks, are not affected at all by hardware, because the damage is done before traffic even reaches the device.

Hardware protection can be expensive. In addition to the capital expense of the hardware itself, there are significant operating expenses of the facilities and skilled manpower required to maintain, house, and run the equipment. Additional costs are equipment depreciation and upgrades.

Anti-DDoS Hosting

One common method of mitigating the risks of a DDoS attack involves contracting with a DDoS-ready hosting provider that already has the equipment necessary to absorb bad traffic in the event of a DDoS attack. However, anti-DDoS hosting is limited in efficacy and significantly more costly than traditional hosting.

Within the Anti-DDoS hosting ecosphere, there are generally two options available to web site owners:

  • Dedicated hosting – tends to be very costly, and not flexible/scalable.
  • Rented hosting – both costly, and limited by the total capacity of the hosting provider, and the specific capacity of the hosting plan.

However, neither option provides intelligent application layer DDoS mitigation. Moreover, Anti-DDoS hosting is less cost-effective than other options, because absorbing DDoS traffic comes at a cost and does not provide smart behavior/signature-based identification.

In a typical Anti-DDoS hosting scenario, website owners pay on an ongoing basis for bandwidth used to absorb a potential attack – even if no such attack is ongoing. A more cost-effective and flexible choice is to identify attacks, and scale on-demand to respond to them.

Imperva Cloud-Based Anti DDoS Services

Imperva’s unique cloud-based DDoS protection services are rapidly deployed with no hardware or software installation or costly, ongoing maintenance. Imperva protects against all types of DDoS attacks, absorbing even multi-gigabyte attacks. Imperva provides a 3-second mitigation SLA against any DDoS attack.

Imperva addresses each of the three primary types of DDoS attacks:

Volume Based Attacks

Imperva’s global scrubbing center network scales on-demand to absorb multi-gigabyte DDoS attacks. This is often known as DDoS deflation.

Protocol Attacks

Imperva mitigates protocol attacks by blocking “bad” traffic before it reaches your site. Imperva does this by differentiating between malicious or automated clients and legitimate website visitors (human or bot).

Application Layer Attacks

Imperva constantly monitors the behavior of your site visitors, blocks known bad bots, and challenges unrecognized visitors with JavaScript tests, cookie challenges, or even CAPTCHAs.

In any of these scenarios, Imperva DDoS mitigation is managed outside your network. This means that only filtered traffic reaches your hosts – protecting your investment in hardware, software, and network infrastructure, while ensuring business continuity.

Imperva’s extensive DDoS threat knowledge base includes new and emerging attack methods and is constantly updated, drawing on information aggregated from thousands of protected organizations. Imperva identifies new threats as they emerge, detects malicious users, and applies remedies in real time across all protected websites.

In addition, Imperva can protect four types of environments against DDoS attacks:

  • Websites – protection for websites and web applications against application layer and API attacks.
  • Networks – protecting corporate networks or specific subnets against network layer attacks.
  • Individual IPs – protecting websites or services with individual public IPs, whether on-premises or in the cloud.
  • DNS – protecting Domain Name Servers (DNS) against network, application layer, and DNS response acceleration attacks.

See how Imperva DDoS Protection can help you with DDoS attacks.

Imperva DDoS Protection

Imperva provides comprehensive, cloud-based DDoS protection. The solution blocks attack traffic at the edge, ensuring business continuity with guaranteed uptime, and no performance impact. Our multi-layered approach secures all your assets, wherever they are, on-premises or in the cloud – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.

In addition to DDoS protection, Imperva protects applications, APIs, and microservices with the industry’s only defense-in-depth approach. The Imperva application security solution includes:

Web Application Firewall – Imperva provides a world-class analysis of web traffic to your applications, enabling you to prevent attacks and ensure business continuity.

Runtime Application Self-Protection (RASP) – Get industry-leading real-time attack detection and prevention, directly from your application runtime environment. Imperva RASP delivers security by default, going wherever your applications go to stop external attacks and injections while instantly reducing your vulnerability backlog.

API Security – Imperva shields your applications from exploitation with automated API protection, enabling you to ensure your API endpoints are protected as soon as your DevOps teams publish them.

Advanced Bot Protection – Gain visibility and control over bot traffic without imposing friction on legitimate users. Prevent business logic attacks from all access points – websites, mobile apps, and APIs – and stop online fraud through account takeover or competitive price scraping.

DDoS Protection – Imperva blocks attack traffic at the edge, ensuring business continuity with guaranteed uptime, and no performance impact. Our multi-layered approach secures all your assets, wherever they are, on-premises or in the cloud – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.

Attack Analytics – Proprietary machine learning and domain expertise across the application security stack reveal patterns in the noise and detect application attacks. Imperva ensures complete visibility, enabling you to isolate and prevent enterprise-wide attack campaigns.

Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud, prevent data breaches, and stop client-side attacks like formjacking, digital skimming, and Magecart.