Distributed Denial of Service (DDoS) attacks have entered the 1 Tbps DDoS attack era. However, Radware research shows that DDoS attacks are not just getting bigger; they’re also getting more sophisticated. Hackers are constantly coming up with new and innovative ways of bypassing traditional DDoS defenses and compromising organizations’ service availability.
Online security providers are similarly stepping up their game, coming up with new technologies to hold off attackers. However, not all DDoS protections are created equal. DDoS protection services vary greatly in terms of quality and protections offered.
In order to make sure you are protected against the latest and most potent DDoS attacks, you need to make sure that your security provider offers the right tools and technologies to deal with the latest threats.
Here are five must-have capabilities that you need for modern DDoS protection:
Must-Have #1: Application-Layer DDoS Protection
Application-layer (L7) DDoS attacks have overtaken network-layer (L3/4) attacks as the most widespread attack vectors. According to Radware’s 2017-2018 ERT Report, 64% of organizations faced application-layer attacks, compared to only 51% who faced network-layer attacks.
In fact, according to the ERT Report, HTTP floods were the #1 attack vector across all attack types (both network-layer and application-layer). In addition, SSL, DNS and SMTP attacks were other common types of application-layer attack.
Many online security services promise L7 DDoS protection through their WAF. However, this usually requires subscribing to pricey add-on WAF services, on top of DDoS protection mechanisms.
The implication of these trends is that, for modern DDoS protection, it is no longer enough to be protected only against network-layer DDoS attacks. Modern DDoS protection must include built-in defense against application-layer (L7) attacks in order for organizations to be fully protected.
Must-Have #2: SSL DDoS Flood Protection
Encrypted traffic now accounts for the majority of internet traffic. According to Mozilla’s Let’s Encrypt project, over 70% of web sites globally are delivered over HTTPS, with some markets such as the US and Germany achieving even higher rates. These findings are reflected by Radware’s latest ERT Report, with 96% of businesses now using SSL to some extent, and 60% attesting that the majority of their traffic is encrypted.
This rise, however, also creates significant security challenges: an encrypted request can require up to 15 times more server resources than a regular request. This means that sophisticated attackers can cripple a website even with a small amount of traffic.
Due to the potency of SSL-based DDoS attacks, high-level protection against SSL DDoS floods is a must-have for organizations that want to be fully protected.
Must-Have #3: Zero-Day Protection
Attackers are constantly finding new ways of bypassing traditional security mechanisms and hitting organizations with attack methods never seen before. Even by making small changes to attack signatures, hackers can craft attacks that are not recognized by manual signatures. Such attacks are commonly known as ‘zero-day’ attacks.
According to Radware’s 2017-2018 ERT Report, 42% of organizations have been hit by a burst attack, and 40% reported experiencing an amplification DDoS attack. These trends illustrate the need for zero-day protection capabilities in modern DDoS protection mechanisms.
Must-Have #4: Behavioral Protection
As DDoS attacks become more sophisticated, it is becoming increasingly difficult to distinguish between legitimate and malicious traffic. This is particularly true for application-layer (L7) DDoS attacks, which mimic legitimate user behavior.
A much more effective method of detecting and blocking attacks, however, is using behavioral technologies that learn what constitutes normal user behavior and block all traffic that does not conform to this behavior. Not only does this provide a higher level of protection, but it also results in fewer false positives and does not block legitimate users in times of peak traffic.
Therefore, using DDoS protection based on behavioral detection (and mitigation) is a must-have for effective DDoS protection.
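The behavioral approach described above, as an added sketch that is not Radware's implementation: it learns a per-client request-rate baseline from known-good traffic and flags only clients that deviate from it, next to a fixed total-volume cap for contrast. The single feature (requests per client per window), the cap of 150, the threshold `k` and all client names are assumptions, and the traffic is constructed sample data.

```python
import statistics
from collections import Counter

def learn_baseline(training_windows):
    """Learn mean/stdev of requests per client per window from known-good traffic."""
    rates = [n for w in training_windows for n in Counter(w).values()]
    return statistics.mean(rates), statistics.pstdev(rates)

def flag_clients(window, baseline, k=4.0):
    """Clients whose request count exceeds the learned mean by more than k stdevs."""
    mean, std = baseline
    limit = mean + k * max(std, 1.0)  # floor the stdev so a flat baseline is not hair-trigger
    return sorted(c for c, n in Counter(window).items() if n > limit)

def static_volume_alarm(window, max_requests):
    """Contrast case (assumption): a fixed cap on total requests per window."""
    return len(window) > max_requests

def make_window(n_clients, extra=None):
    """Constructed sample data: one list entry per request, client i sends 3-6 requests."""
    window = []
    for i in range(n_clients):
        window += [f"c{i}"] * (3 + i % 4)
    for client, count in (extra or {}).items():
        window += [client] * count
    return window

TRAINING = [make_window(20) for _ in range(5)]   # 90 requests per normal window
PEAK = make_window(100)                          # legitimate surge: 450 requests
ATTACK = make_window(20, {"b0": 40})             # one flooding client: 130 requests

if __name__ == "__main__":
    baseline = learn_baseline(TRAINING)
    for name, w in (("peak", PEAK), ("attack", ATTACK)):
        print(name, "static alarm:", static_volume_alarm(w, 150),
              "behavioral flags:", flag_clients(w, baseline))
```

The legitimate surge trips the fixed cap but flags no client, while the low-volume flood stays under the cap and is still caught by the learned baseline.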
Must-Have #5: Detailed SLA
Your Service Level Agreement (SLA) is your contractual guarantee of what your security provider is committed to giving you. It is no exaggeration to say that your security is only as good as your SLA.
Many security vendors make expansive marketing claims about their capabilities, but their claims vaporize into thin air once it comes to making actual commitments to these claims.
Failure by your security provider to provide such commitments should cast doubt on your vendor’s ability to provide high-quality protection against DDoS attacks. This is why a granular SLA is a must-have for modern DDoS protection.
By: Nikhil Taneja, Managing Director-India, SAARC & Middle East, Radware