
Approaches to Efficient Multi-layered DDoS Protection

The landscape of DDoS attacks is constantly evolving. Gone are the days of simple bandwidth floods. Today’s attackers employ sophisticated tactics, making DDoS protection a complex yet crucial undertaking.

In my previous blog post, A Guide to Building Modern Approaches to DDoS Protection, I talked about the core fundamentals for building a robust DDoS defense strategy. Here we delve into dedicated DDoS protection solutions, exploring the techniques and strategies for effectively defending against modern DDoS attacks.

Traditional Protection Falls Short

Legacy DDoS protection solutions often struggle with modern attacks due to limitations in both detection and mitigation.

Detection Accuracy

Flow-based detection relies on the accuracy of baselining and the granularity of threshold settings. Manual baselining and configuration can lead to false alarms, or can miss an attack entirely when seasonality or outdated baselines skew the thresholds.

Due to the nature of flow-based detection, some attack types, such as short bursts or novel attack vectors, may be missed if the scope of monitoring is the wider network and its subnets. These attacks may instead target a particular service or system, so the total volume might not be high. Conversely, a carpet-bombing attack is difficult to spot when traffic is monitored per individual IP address: dispersing malicious traffic across numerous IPs within the victim network keeps the volume against any single IP low, thus evading detection.
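The carpet-bombing blind spot above, shown as an added example (not code from the post or from A10): a per-IP threshold sees nothing, while aggregating the same per-destination flow counters up to the monitored prefix and comparing against a prefix baseline exposes the attack. The window data, thresholds and prefixes are constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: per-destination-IP bytes/s for one measurement window,
# assumed to be aggregated from flow records (e.g. NetFlow/sFlow) by dst IP.
# The attack spreads ~40 kB/s over every host of 203.0.113.0/24, so no single
# host crosses the per-IP threshold, but the prefix total is far above baseline.
PER_IP_THRESHOLD = 50_000                    # bytes/s; assumed per-IP alert threshold
PREFIX_BASELINE = {                          # assumed normal bytes/s per monitored prefix
    ipaddress.ip_network("203.0.113.0/24"): 1_000_000,
    ipaddress.ip_network("198.51.100.0/24"): 1_000_000,
}

def constructed_window():
    flows = {f"203.0.113.{host}": 40_000 for host in range(1, 255)}  # dispersed attack
    flows["198.51.100.10"] = 30_000                                   # normal traffic
    flows["198.51.100.20"] = 25_000
    return flows

def per_ip_alerts(flows, threshold=PER_IP_THRESHOLD):
    """Legacy per-IP check: a destination is flagged only if its own volume
    exceeds the threshold. A carpet-bombing attack stays below it everywhere."""
    return sorted(ip for ip, bps in flows.items() if bps > threshold)

def per_prefix_alerts(flows, baselines=PREFIX_BASELINE, factor=2.0):
    """Roll per-IP volume up to the monitored prefix and compare the total with
    the prefix baseline; the dispersed traffic becomes visible in aggregate.
    Returns the prefixes whose total exceeds factor * baseline."""
    totals = defaultdict(int)
    for ip, bps in flows.items():
        addr = ipaddress.ip_address(ip)
        for prefix in baselines:
            if addr in prefix:
                totals[prefix] += bps
    return sorted(str(p) for p, total in totals.items() if total > factor * baselines[p])

if __name__ == "__main__":
    window = constructed_window()
    print("per-IP alerts:    ", per_ip_alerts(window))      # nothing: attack missed
    print("per-prefix alerts:", per_prefix_alerts(window))  # ['203.0.113.0/24']
```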

Mitigation Precision

Traditional solutions might miss complex attacks and have trouble fighting multi-vector DDoS attacks. As you know, different DDoS attacks require specific countermeasures to mitigate their impact. For example, a protocol anomaly check works well for simple flood attacks such as TCP Xmas, SYN-FIN and ping of death (PoD) attacks. However, it won’t work against TCP RST floods and UDP floods. SYN cookies and spoof detection are active countermeasures that validate the source/sender; they can mitigate TCP RST floods, UDP floods and similar flood attacks, but HTTP floods may be able to sneak through that validation. L7 application DDoS attacks, including HTTP floods and slow-and-low attacks, require deep protocol inspection that is CPU- and memory-intensive on the mitigation system. This is further complicated when protecting diverse services like DNS or SIP servers.

In addition, there is a simple and commonly used countermeasure: rate limiting. It does work, at least to keep services up. However, it drops whatever traffic exceeds the limit, which could include legitimate traffic.

So, the question is how do you apply all these countermeasures without impacting services and degrading system performance?

Solution: A Multi-layered Defense with Adaptive Policies

The previous post described a few modern DDoS mitigation approaches and techniques. Here are more details of those techniques.

Adaptive Mitigation Policies with Automatic Escalation

As explained above, multiple different countermeasures are required to combat modern and multi-vector attacks. Wouldn’t it be ideal to apply these countermeasures in phases according to the mitigation status?

A collection of mitigation policies is configured in multiple stages based on severity and complexity/difficulty levels. For example, start with a packet anomaly check, a protocol misuse check, and then source verification (spoof detection). If the forwarded (get-through) traffic is still higher than the baseline, apply further, more sophisticated mitigations such as L7/application-level filters and rate limiting. Once the get-through traffic volume settles at normal levels, the mitigation stage should stay there and no new policies should be applied. Most importantly, this series of operations needs to be done automatically, as it is very time-consuming and prone to errors and mis-operation when done by hand.

This allows for a gradual response, applying increasingly powerful countermeasures as the attack intensifies.
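The escalation logic described above, as an added example (not A10's implementation or code from the post): a controller that watches post-mitigation (get-through) traffic, enables one more stage per window while traffic stays above the baseline, and holds the current stage once traffic settles. The stage order, tolerance factor and per-stage effectiveness values are constructed assumptions for the simulation.

```python
from dataclasses import dataclass, field

# Assumed stage order: cheap checks first, expensive L7 inspection and rate limiting last.
STAGES = ["packet-anomaly-check", "protocol-misuse-check",
          "source-verification", "l7-filters", "rate-limiting"]

# Constructed share of the remaining attack traffic each stage strips (simulation only).
EFFECTIVENESS = {"packet-anomaly-check": 0.3, "protocol-misuse-check": 0.3,
                 "source-verification": 0.6, "l7-filters": 0.97, "rate-limiting": 0.9}

@dataclass
class AdaptiveMitigation:
    baseline_pps: float            # normal get-through volume for the protected zone
    tolerance: float = 1.5         # escalate while get-through > tolerance * baseline
    level: int = 0                 # number of stages currently applied (0 = none)
    log: list = field(default_factory=list)

    def active_policies(self):
        return STAGES[:self.level]

    def observe(self, get_through_pps):
        """One measurement window of get-through traffic. Escalates one stage while
        traffic is above the baseline; holds (applies nothing new) once it settles."""
        over = get_through_pps > self.tolerance * self.baseline_pps
        if over and self.level < len(STAGES):
            self.level += 1
            self.log.append(f"escalate -> {STAGES[self.level - 1]} ({get_through_pps:.0f} pps)")
        elif over:
            self.log.append(f"all stages applied, still {get_through_pps:.0f} pps: needs operator")
        else:
            self.log.append(f"settled, hold at level {self.level} ({get_through_pps:.0f} pps)")
        return self.active_policies()

def simulate(controller, attack_pps, windows=8, effectiveness=EFFECTIVENESS):
    """Constructed simulation: legitimate traffic equals the baseline, and each
    active stage removes its share of the attack traffic that reached it."""
    history = []
    for _ in range(windows):
        remaining = attack_pps
        for stage in controller.active_policies():
            remaining *= 1 - effectiveness[stage]
        get_through = controller.baseline_pps + remaining
        history.append((round(get_through), list(controller.observe(get_through))))
    return history

if __name__ == "__main__":
    ctl = AdaptiveMitigation(baseline_pps=10_000)
    for get_through, policies in simulate(ctl, attack_pps=500_000):
        print(f"{get_through:>8} pps get-through -> {policies}")
    print("\n".join(ctl.log))
```

In the simulated run the controller stops at four stages: L7 filtering brings get-through traffic back under the baseline tolerance, so rate limiting is never applied and legitimate traffic is not subjected to it.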

ML/AI-Powered Protection Mechanisms

Organizations need to be prepared to fight zero-day attacks. Just like rate limiting, packet filtering is a very common and solid countermeasure to protect services, but it may affect legitimate users if the scope and conditions of the filter are not defined precisely. If the filter is ambiguous, there is a huge risk of impacting the service by dropping legitimate user traffic. With machine learning/AI technology for analyzing attack traffic patterns, accurate and reliable filters can be generated in an instant and neutralize even novel DDoS attacks in real time.

Actionable Threat Intelligence

Real-time threat intelligence feeds keep your defenses informed about the latest attack vectors and vulnerabilities. The feeds often provide IP lists containing suspicious IPs, known botnets, and open servers that can be abused as DDoS weapons. Applying such a list as a blacklist on your network device or dedicated DDoS protection is an efficient first line of defense, saving bandwidth and CPU resources for more complicated attack traffic. Since threat intel IP lists can be quite large, tens of thousands or even millions of entries, make sure your device can hold such a blacklist without affecting its performance, and that it can run periodic updates of the list.

How A10 Defend Can Help

No organization has unlimited trained personnel or resources during real-time DDoS attacks. By implementing a multi-layered approach with A10 Defend, organizations can build a robust and efficient DDoS protection solution, ensuring their critical services and operations remain secure.

A10 Defend provides a holistic DDoS protection solution that is scalable, economical, precise, and intelligent for modern DDoS protection, consisting of four major components:

  • A10 Defend Detector: high-performance flow-based network anomaly detection with automated traffic baselining and profiling for precise and rapid attack identification. Its smart victim identification technique narrows the scope of the target down to individual IP(s) or a subnet range in real time.
  • A10 Defend Mitigator: intelligent, automated DDoS mitigation powered by machine learning, leading the industry in precision, scalability, and performance. It’s built with a unique multi-modal and source-based protection strategy, including a massive threat intelligence list capacity (up to 96 million entries), five-level adaptive mitigation policies with a progressive auto-mitigation level escalation technique, and automated Zero-day Attack Pattern Recognition (ZAPR), to name a few.
  • A10 Defend Threat Control: provides actionable DDoS-specific intel and analytics around DDoS threats and weapons such as DDoS botnets, including command and control (C&C) and shadow servers, reflectors, and many others, enabling proactive defense strategies.
  • A10 Defend Orchestrator: A central hub for managing and controlling automated DDoS defense across A10 Defend components. It offers a live DDoS protection dashboard and console and generates incident reports once attacks are over.