Distributed Denial of Service (DDoS) attacks has entered the 1 Tbps DDoS attack era. However, research shows that DDoS attacks are not just getting bigger; they’re also getting more sophisticated. Hackers are constantly coming up with new and innovative ways of bypassing traditional DDoS defenses and compromise organizations’ service availability.
Online security providers are similarly stepping up their game, coming up with new technologies to hold-off attackers. However, not all DDoS protections are created equal. DDoS protection services vary greatly in terms of quality and protections offered.
In order to make sure you are protected against the latest and most potent DDoS attacks, you need to make sure that your security provider offers the right tools and technologies to deal with the latest threats.
Here are five must-have capabilities that you need for modern DDoS protection:
Application-Layer DDoS Protection
Application-layer (L7) DDoS attacks have overtaken network-layer (L3/4) attacks as the most widespread attack vectors. According to Radware’s 2017-2018 ERT Report, 64% of organizations faced application-layer attacks, compared to only 51% who faced network-layer attacks.
In fact, according to the ERT Report, HTTP floods were the #1 attack vector across all attack types (both network-layer and application-layer). In addition, SSL, DNS and SMTP attacks were other common types of application-layer attack.
Many online security services promise L7 DDoS protection through their WAF. However, this usually requires subscribing to pricey add-on WAF services, on-top of DDoS protection mechanisms.
The implication of these trends is that modern DDoS protection, it is no longer enough to be protected only against network-layer DDoS attacks. Modern DDoS protection must include built-in defense against application-layer (L7) attacks in order for organizations to be fully protected.
SSL DDoS Flood Protection
Encrypted traffic now accounts for the majority of internet traffic. According to Mozilla’s Let’s Encrypt project, over 70% of websites globally are delivered over HTTPS, with some markets such as the US and Germany achieving ever higher rates. These findings are reflected by our latest report, with 96% of businesses now using SSL to some extent, and 60% attesting that the majority of their traffic is encrypted.
This rise, however, also creates significant security challenges: an encrypted request can require up to 15 times more server resources than a regular request. This means that sophisticated attackers can cripple a website even with a small amount of traffic.
As more and more traffic becomes encrypted, SSL DDoS floods are becoming an increasingly popular attack vector for hackers. According to report, 30% of businesses reported suffering an SSL-based attack in the previous 12 months.
Due to the potency of SSL-based DDoS attacks, high-level protection against SSL DDoS floods is a must-have for organizations who want to be fully protected.
Attackers are constantly finding new ways of bypassing traditional security mechanisms and hitting organizations with attack methods never seen before. Even by making small changes to attack signatures hackers can craft attacks that are not recognized by manual signatures. Such attacks are commonly known as ‘zero-day’ attacks.
For example, one common type of zero-day attack is a burst DDoS attack, which use short bursts of high-volume attacks before switching to a different attack vector. These assaults usually combine many different attack vectors, leaving organizations that rely on traditional, manually-tuned, security solutions floundering in the wake of these hit-and-run tactics.
Another type of zero-day attack is an amplification attack. Amplification attacks usually employ communication protocols where there is large asymmetry between request and response packet sizes. Such attacks bounce traffic off 3rd-party servers not involved in the attack, amplifying the amount of traffic and overwhelming the target.
According to our report, 42% of organizations have been hit by a burst attack, and 40% reported experiencing an amplification DDoS attack. These trends illustrate the need for zero-day protection capabilities in modern DDoS protection mechanisms.
As DDoS attacks become more sophisticated, it is becoming increasingly more difficult to distinguish between legitimate and malicious traffic. This is particularly true for application-layer (L7) DDoS attacks, which mimic legitimate user behavior.
One common mechanism by many security vendors is to detect attacks based on traffic volume thresholds and use rate-limiting to cap spikes in traffic. However, this is a very crude way of blocking attacks, since it does not distinguish between legitimate and malicious traffic. This is particularly a problem during times of activity spikes – such as shopping holidays – when there is a significant increase in traffic. Unsophisticated protection mechanisms such as rate-limiting will not distinguish between legitimate and attack traffic and end up blocking valid users.
A much more effective method of detecting and blocking attacks, however, is using behavioral technologies that learn what constitutes normal user behavior and block all traffic that does not conform to this behavior. Not only does this provide a higher level of protection but will also result in fewer false-positives and will not block legitimate users in times of peak traffic.
Therefore, using DDoS protection based on behavioral detection (and mitigation) is a must-have for effective DDoS protection.
Your Service Level Agreement (SLA) is your contractual guarantee to what your security provider is committed to giving you. It is no exaggeration to say that your security is only as good as your SLA.
Many security vendors make expansive marketing claims about their capabilities, but their claims vaporize into thin air once it comes to making actual commitments to these claims.
To make sure that what the brochure says is also what you get – you need to tell your security vendor to put their money where their mouth is, and provide a detailed SLA, with specific commitments to detection, mitigation and availability metrics. The SLA should cover the entire DDoS attack lifecycle, to make sure you’re fully covered against every scenario.
Failure by your security provider to provide such commitments should cast doubt on your vendor’s ability to provide high-quality protection against DDoS attacks. This is why a granular SLA is a must-have for modern DDoS protection.
The author is Managing Director-India, SAARC & Middle East, Radware. Views are personal.