Approaches to Efficient Multi-layered DDoS Protection
The landscape of DDoS attacks is constantly evolving. Gone are the days of simple bandwidth floods. Today’s attackers employ sophisticated tactics, making DDoS protection a complex yet crucial undertaking.
In my previous blog post, A Guide to Building Modern Approaches to DDoS Protection, I discussed the core fundamentals for building a robust DDoS defense strategy. Here, we delve deep into dedicated DDoS protection solutions, exploring the techniques and strategies for effectively defending against modern DDoS attacks.
Traditional Protection Falls Short
Legacy DDoS protection solutions often struggle with modern attacks due to limitations in both detection and mitigation.
Detection Accuracy
Flow-based detection relies on the accuracy of baselines and the granularity of threshold settings. Manually set baselines and thresholds can raise false alarms, or miss an attack entirely, when seasonality shifts traffic or the baseline goes stale.
Due to the nature of flow-based detection, some attack types, such as short bursts or novel attack vectors, may be missed if monitoring is scoped to the whole network or large subnets. These attacks may instead target a particular service or system, so the total volume might not be high. Conversely, a carpet-bombing attack is another complex attack type, especially when traffic is monitored against individual IP addresses. Dispersing malicious traffic across numerous IPs (within a specific victim network) keeps the volume against any single IP low, thus evading detection.
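To illustrate why both monitoring scopes are needed, here is an added example (not code from the original post) that runs the same constructed flow records through a per-IP threshold and a per-/24 threshold: the per-IP check catches a concentrated flood but misses the carpet-bombing spread, and the subnet aggregate does the opposite. The threshold values and addresses are hypothetical.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow records: (destination IP, bytes) seen in one interval.
# 200 hosts in 203.0.113.0/24 each receive 500 KB (carpet bombing), while one
# host in 198.51.100.0/24 receives 40 MB (a concentrated flood for comparison).
FLOWS = [(f"203.0.113.{i}", 500_000) for i in range(1, 201)]
FLOWS += [("198.51.100.10", 40_000_000)]

PER_IP_THRESHOLD = 10_000_000      # hypothetical per-IP baseline (bytes/interval)
PER_SUBNET_THRESHOLD = 50_000_000  # hypothetical per-/24 baseline (bytes/interval)


def per_ip_alerts(flows, threshold=PER_IP_THRESHOLD):
    """Classic per-destination thresholding: one counter per victim IP."""
    volume = defaultdict(int)
    for dst, nbytes in flows:
        volume[dst] += nbytes
    return sorted(ip for ip, v in volume.items() if v > threshold)


def per_subnet_alerts(flows, prefixlen=24, threshold=PER_SUBNET_THRESHOLD):
    """Aggregate the same flows per /24 so a spread-out attack becomes visible."""
    volume = defaultdict(int)
    for dst, nbytes in flows:
        net = ip_network(f"{dst}/{prefixlen}", strict=False)
        volume[str(net)] += nbytes
    return sorted(net for net, v in volume.items() if v > threshold)


if __name__ == "__main__":
    print("per-IP alerts:    ", per_ip_alerts(FLOWS))      # only the 40 MB host
    print("per-subnet alerts:", per_subnet_alerts(FLOWS))  # only the carpet-bombed /24
```

Each scope alone misses one of the two attacks, which is why a detector should evaluate both granularities in the same interval.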
Mitigation Precision
Traditional solutions might miss complex attacks and struggle against multi-vector DDoS attacks. As you know, different DDoS attacks require specific countermeasures to mitigate their impact. For example, protocol anomaly checks work great for simple flood attacks, such as TCP XMAS attacks, SYN-FIN attacks, and ping of death (PoD) attacks. However, they won't work against TCP RST and UDP flood attacks. SYN cookie and spoof detection techniques are active countermeasures that validate the source/sender and can mitigate TCP RST floods, UDP floods, and similar flood attacks. Still, HTTP floods may be able to sneak through that validation. L7 application DDoS attacks, including HTTP floods and slow-and-low attacks, require deep protocol inspection that is CPU and memory intensive on the mitigation system, which is further complicated when protecting diverse services like DNS or SIP servers.
In addition, there is a simple and commonly used countermeasure: rate limiting. It does keep services up. However, it indiscriminately drops whatever exceeds the limit, which may well include legitimate traffic.
So, how do you apply all these countermeasures without impacting services and degrading system performance?
Solution: A Multi-layered Defense with Adaptive Policies
The previous post described a few modern DDoS mitigation approaches and techniques. Here are more details of those techniques.
Adaptive Mitigation Policies with Automatic Escalation
As explained above, multiple countermeasures are required to combat modern and multi-vector attacks. Wouldn’t it be ideal to apply these countermeasures in phases according to the mitigation status?
A collection of mitigation policies is configured in multiple stages based on severity and complexity/difficulty levels. For example, start with a packet anomaly check, then a protocol misuse check, and then source verification (spoof detection). If the forwarded (get-through) traffic is still higher than the baseline, more sophisticated mitigations such as L7/application-level filters, rate limiting, and so on should be applied in turn. Once the get-through traffic volume settles at normal levels, the mitigation should hold at that stage and no new policies should be applied. Most importantly, this sequence must run automatically: done by hand it is time-consuming and prone to misoperation, whereas automation allows a gradual response that applies increasingly powerful countermeasures as the attack intensifies.
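The staged escalation described above, as an added example (not code from the original post or from any product): a controller that adds the next countermeasure whenever get-through traffic still exceeds the baseline, holds at the current stage once traffic settles, and never skips ahead. The stage names, baseline, and tolerance factor are hypothetical.

```python
from dataclasses import dataclass, field

# Mitigation stages in the order the text describes, least to most intrusive.
# Rate limiting sits last because it is the stage most likely to drop legitimate traffic.
STAGES = [
    "packet-anomaly-check",
    "protocol-misuse-check",
    "source-verification",
    "l7-filters",
    "rate-limiting",
]


@dataclass
class EscalationController:
    baseline_pps: float          # normal get-through packet rate for the protected object
    tolerance: float = 1.2       # escalate while get-through > baseline * tolerance
    stage: int = -1              # index into STAGES; -1 means no mitigation active
    history: list = field(default_factory=list)

    def active_policies(self):
        return STAGES[: self.stage + 1]

    def observe(self, get_through_pps):
        """Feed one measurement of forwarded (get-through) traffic.
        Returns the list of policies active after this observation."""
        if get_through_pps > self.baseline_pps * self.tolerance:
            if self.stage < len(STAGES) - 1:
                self.stage += 1      # attack persists: add the next countermeasure
            # else: every stage is already applied; nothing further to escalate
        # Otherwise traffic has settled: hold at the current stage, add nothing new.
        self.history.append((get_through_pps, self.stage))
        return self.active_policies()


def run_scenario(controller, measurements):
    """Apply a sequence of get-through measurements; return the final policy set."""
    result = controller.active_policies()
    for m in measurements:
        result = controller.observe(m)
    return result


if __name__ == "__main__":
    # Constructed scenario: attack tapers off after source verification is applied.
    ctl = EscalationController(baseline_pps=10_000)
    print(run_scenario(ctl, [50_000, 45_000, 30_000, 11_000, 11_000]))
```

Each observation interval adds at most one stage, so the order of countermeasures is preserved and the expensive L7 inspection is only reached if the cheaper stages did not bring traffic back to baseline.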
ML/AI-Powered Protection Mechanisms
Organizations need to be prepared to fight against zero-day attacks. Like rate-limiting, packet filtering is a common and solid countermeasure to protect services. Still, it may affect legitimate users if the scope and conditions are not defined precisely. If the filter is ambiguous, there is a considerable risk of impacting service by dropping legitimate user traffic. With machine learning/AI technology for analyzing attack traffic patterns, accurate and reliable filters can be generated in an instant and neutralize even novel DDoS attacks in real time.
Actionable Threat Intelligence
Real-time threat intelligence feeds inform your defenses about the latest attack vectors and vulnerabilities. The feeds often provide IP lists containing suspicious IPs, known botnets, and open servers vulnerable to abuse as DDoS weapons. Applying such a list as a blacklist on your network device or dedicated DDoS protection gives you an efficient first line of defense, saving bandwidth and CPU resources for more complicated attack traffic. Since threat-intel IP lists can be large (tens of thousands or even millions of entries), make sure your device can hold such a blacklist without affecting its performance while also being able to update the list periodically.
How A10 Defend Can Help
No organization has unlimited trained personnel or resources during real-time DDoS attacks. By implementing a multi-layered approach with A10 Defend, organizations can build a robust and efficient DDoS protection solution, ensuring their critical services and operations remain secure.
A10 Defend provides a holistic DDoS protection solution that is scalable, economical, precise, and intelligent for modern DDoS protection, consisting of four major components: