
DDoS Mitigation Technologies Part 3: Third-Party Solutions


DDoS (distributed denial of service) attacks are a serious and persistent threat to every network. This series highlights the six widely-accepted technologies and architectures that you can employ to protect your assets.

These are:

For more detailed information, read our whitepaper, Building Better DDoS Mitigation.

In my first post I discussed on-premise solutions for DDoS mitigation, and the second covered ISP Scrubbing Centers, a mitigation technology with a considerably larger capacity. This post covers the technologies that offer the greatest capacity, capable of mitigating the largest DDoS attacks: Third-Party Cloud Scrubbers and Cloud Web Application Firewalls (WAFs).

Third-Party Cloud Scrubber

This solution involves contracting with a dedicated cloud-based DDoS mitigation specialist that operates a massively scaled scrubbing center—typically 3-15 Tbps of dedicated capacity, built with mitigation appliances and other networking gear. Your business routes traffic to the scrubbing center using diversion or BGP (Border Gateway Protocol), and the clean traffic is returned via a Generic Routing Encapsulation (GRE) tunnel, a fiber or copper direct connect, or Software Defined Networking (SDN).

For large global enterprises – or any business that faces the prospect of significant DDoS attacks – the ability to mitigate the largest attacks is critical. This solution offers a much greater capacity than the first three technologies. Moreover, leading providers continually upgrade their capacity to keep pace with the ever-increasing maximum size of the biggest attacks.

For on-demand mitigation, traffic is routed to the front of the scrubber using BGP, which takes time to propagate. Clean traffic is routed back to your network using a GRE tunnel, a fiber direct connect or SDN. Some providers own IP addresses on network segments that are always routed through mitigation, allowing traffic for individual host names to be routed to their platform using Domain Name System (DNS) records.

Some scrubbers offer an always-on service option, in which traffic is always routed through their mitigation platform to provide virtually hands-off protection. Most providers offer a high degree of redundancy, obtaining bandwidth from multiple ISPs and maintaining multiple global points-of-presence, ensuring continuing access even during an attack, and also helping to minimize the potential effects of latency.

Cloud WAFs

To implement this solution, you contract with a third-party provider of a cloud-based WAF service. The WAF protects HTTP and HTTPS websites while also providing protection from web application attacks of all kinds.

Functionally, a cloud-based WAF acts like a distributed reverse web proxy. Web (HTTP/HTTPS) traffic is routed via DNS to the WAF’s global points of presence. The cloud-based WAF counters application-layer DDoS attacks by counting requests and cutting off “greedy” source IPs. Clean traffic is forwarded back to your applications, wherever they are hosted.

Most cloud-based WAFs have a mitigation capacity (>10 Tbps) that equals or exceeds any other solution. They also provide some passive DDoS defense by dropping non-HTTP/HTTPS traffic. Importantly for many enterprises, they protect against numerous non-DDoS application layer attacks like SQL injection (SQLi) and Cross-Site Scripting (XSS) threats.

However, a WAF only protects web traffic (HTTP/HTTPS), so other public-facing services such as SMTP and VPN hosted on the same network need a different solution to protect them. In addition, a cloud-based WAF can be bypassed by an attack aimed directly at the hosting platform (the origin), which is why most providers publish a list of the IP networks their platform uses; you can use that list to allow only the WAF to pull web content from your web servers. An effective DDoS strategy often involves multiple mitigation technologies. Both UltraDDoS Protect, our massively scaled DDoS solution, and UltraWAF, our advanced Web Application Firewall, work effectively with other technologies to provide the highest level of protection.
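The origin-bypass risk above is worth checking for, not just configuring against. The following is an added example (not code from this post or from any UltraWAF product) that scans an origin server's access log and reports requests that reached it from addresses outside the WAF provider's published ranges; the ranges and the log lines are constructed placeholders, and the real list comes from your provider.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder ranges standing in for a cloud WAF provider's published
# egress list (assumption: the real list comes from your provider, not from this post).
WAF_EGRESS_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:abcd::/48")]

# Constructed sample origin access log (combined log format; first field is the peer IP).
SAMPLE_ORIGIN_LOG = """\
198.51.100.17 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 612
198.51.100.42 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=a HTTP/1.1" 200 4096
2001:db8:abcd::5 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 1200
192.0.2.77 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=b HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})')


def is_waf_egress(ip_text, ranges=WAF_EGRESS_RANGES):
    """True if the peer address belongs to one of the WAF provider's published ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed peer field: never treat it as trusted
    return any(ip in net for net in ranges)


def find_origin_bypass(log_text, ranges=WAF_EGRESS_RANGES):
    """Count requests per peer IP that reached the origin without passing through
    the WAF, i.e. whose source is not in the provider's egress ranges."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than guessing at them
        if not is_waf_egress(m.group("ip"), ranges):
            hits[m.group("ip")] += 1
    return hits


if __name__ == "__main__":
    for ip, n in find_origin_bypass(SAMPLE_ORIGIN_LOG).most_common():
        print(f"direct-to-origin: {ip} ({n} requests)")
```

Any non-zero result means the origin is reachable around the WAF and the network-level allowlist is missing or incomplete; the same membership test can be reused to validate a firewall rule set before it is deployed.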

We’d be happy to discuss your DDoS strategy and look for solutions that could strengthen your security posture. Contact us today for a consultative discussion of your strategy and options.