Skip to main content Skip to search
Start Your Free Trial
Blog

Approaches to Efficient Multi-layered DDoS Protection

The landscape of DDoS attacks is constantly evolving. Gone are the days of simple bandwidth floods. Today’s attackers employ sophisticated tactics, making DDoS protection a complex yet crucial undertaking.

In my previous blog post, A Guide to Building Modern Approaches to DDoS Protection, I talked out the core fundamentals for building a robust DDoS defense strategy. Here we delve deep into dedicated DDoS protection solutions, exploring the techniques and strategies for effectively defending against modern DDoS attacks.

Traditional Protection Falls Short

Legacy DDoS protection solutions often struggle with modern attacks due to limitations in both detection and mitigation.

Detection Accuracy

Flow-based detection relies on accuracy of baselining and granularity of threshold setting. Manual baselining and configuration can lead to false alarms or may miss the attack due to seasonality or outdated baselines.

Due to nature of flow-based detection, some attack types such as short bursts or novel attack vectors may be missed if the scope of monitoring is the wider network and subnets. These attack types, may instead, target a particular service or system thus total volume might not be high. Conversely, carpet-bombing attack is another difficult attack type, especially when monitoring traffic against individual IP address. Dispersing malicious traffic across numerous IPs (within a specific victim network) makes traffic volume appear to be low against an individual IP, thus evading detection.

Mitigation Precision

Traditional solutions might miss complex attacks and have trouble fighting against multi-vector DDoS attacks. As you know, different DDoS attacks require specific countermeasures to mitigate their impact. For example, protocol anomaly check works great for simple flood attacks, such as TCP XMASS attack, SYN-FIN attack and ping of death (PoD) attacks. However, it won’t work against TCP RST flood and UDP flood attacks. Then, SYN cookie and spoof detection techniques are active countermeasures and validate source/sender and can mitigate TCP RST flood, UDP flood and similar flood attacks but HTTP floods may be able to sneak through the validation. L7 application DDoS attacks including HTTP flood and slow-and-low attacks require deep protocol inspection that is CPU and memory resource-intensive on the mitigation system. This is further complicated when protecting diverse services like DNS or SIP servers.

In addition, there is a simple and commonly used countermeasure – rate limiting. It does work just to keep services up. However, it inadvertently results in dropping exceeded traffic which could potentially include legitimate traffic.

So, the question is how do you apply all these countermeasures without impacting services and degrading system performance?

Solution: A Multi-layered Defense with Adaptive Policies

The previous post described a few modern DDoS mitigation approaches and techniques. Here are more details of those techniques.

Adaptive Mitigation Policies with Automatic Escalation

As explained above, multiple different countermeasures are required to combat modern and multi-vector attacks. Wouldn’t it be ideal to apply these countermeasures in phases according to the mitigation status?

A collection of mitigation policies is configured in multiple stages based on severity and complexity/difficulty levels. For example, starting with packet anomaly check, protocol misuse check, and then source verification (spoof detection). If the forwarded (get-through) traffic is still higher than the baseline, further apply sophisticated mitigations such as L7/application-level filters and rate limiting and so on. Once the get-through traffic volume gets settled at normal levels, the mitigation stage should stay there, and no new policies should be applied. Most importantly, a series of such operations needs to be done automatically as they are very time-consuming processes and prone to errors/mis-operation.

This allows for a gradual response, applying increasingly powerful countermeasures as the attack intensifies.

ML/AI-Powered Protection Mechanisms

Organizations need to be prepared for fighting against zero-day attacks. Just like a rate-limiting, packet filtering is a very common and solid countermeasure to protect services, but it may affect legitimate users if the scope and condition are not defined precisely. If the filter is ambiguous, there is a huge risk to impacting service by dropping legitimate user traffic. With machine learning/AI technology for analyzing attack traffic patterns, accurate and reliable filters can be generated in an instant and neutralize even novel DDoS attacks in real-time.

Actionable Threat Intelligence

Real-time threat intelligence feeds keep your defenses informed about the latest attack vectors and vulnerabilities. The feeds often provide IP lists containing suspicious IPs, known botnets, and open servers that are vulnerable as DDoS weapons. By applying the list as blacklist on your network device or dedicated DDoS protection, it will be efficient protection and a first line of defense allowing you to save bandwidth and CPU resource for more complicated attack traffic. Since threat intel IP lists can be quite large, tens of thousands or even millions, make sure your device can hold such a blacklist without affecting its performance while also having the capability to run periodic updates of the list.

How A10 Defend Can Help

No organization has unlimited trained personnel or resources during real-time DDoS attacks. By implementing a multi-layered approach with A10 Defend, organizations can build a robust and efficient DDoS protection solution, ensuring their critical services and operations remain secure.

A10 Defend provides a holistic DDoS protection solution that is scalable, economical, precise, and intelligent for a modern DDoS protection, consisting of four major components:

  • A10 Defend Detector: high-performance flow-based network anomaly with automated traffic baselining and profiling for precise and rapid attack identification. Its smart victim identification technique narrows down the scope of target into IP(s) or a range of subnetwork in real-time.
  • A10 Defend Mitigator: intelligent, automated DDoS mitigation powered by machine learning, leading the industry in precision, scalability, and performance. It’s built with a unique multi-modal and source-based protection strategy, including a massive threat intelligent list capacity (up to 96 million entries), five-level adaptive mitigation policies with progressive auto-mitigation level escalation technique, and automated Zero-day Attack Pattern Recognition (ZAPR), to name a few.
  • A10 Defend Threat Control: Provides actionable DDoS-specific intel and analytics around DDoS threats and weapons such as DDoS botnets including command and control (C&C) and shadow servers, reflectors and many others, enabling proactive defense strategies. Take a Product Tour
  • A10 Defend Orchestrator: A central hub for managing and controlling automated DDoS defense across A10 Defend components. It offers a live DDoS protection dashboard and console and generates incident reports once attacks are over.