In the first installment of our Foundations of Security blog series, we looked at Border Gateway Protocol (BGP), including how the protocol functions and how it figures into one method of vendor-neutral Distributed Denial of Service (DDoS) mitigation. We also considered the difficulties that certain types of DDoS attacks pose to BGP redirection in an on-demand scenario. In this entry, we’ll turn our attention to another popular mitigation method – the use of proxies.
Proxies work via redirection of traffic from the target site to the security vendor’s scrubbing sites via changes to the Domain Name System, or DNS. To understand the benefits and challenges of this method, it is helpful to first go over how basic DNS functions. Like BGP redirection, proxies that use DNS redirection are an effective, time-tested method to mitigate DDoS, but there are different ways to implement the technology ensure that it is of maximum use.
DNS is the method by which IP addresses are translated into more user-friendly, easily remembered host names displayed as Uniform Resource Locator, or URLs. In addition to the obvious user benefits, DNS serves many additional functions. One such function is to send the user to the most appropriate instance of a domain, because you can have many instances of an application or host behind a single URL, unlike BGP, which points to a single IP address. Via DNS, users can be guided to the most geographically appropriate version of a site or away from an instance that isn’t performing well. In the case of an attack you may need to protect one instance of the application or host from attack while others remain unaffected. Proxies make that simple.
The use of DNS redirection also allows companies to protect applications or hosts that are housed in the public cloud, in cases where the organization does not own the IP address where assets are housed. This makes it easy to provide consistent security while at the same time making the most of a multi-cloud architecture. Moving an asset from one cloud provider to the other while providing consistent protections is as simple as changing a DNS address.
In order to best protect hosts and applications, you must consider how to safely handle encrypted traffic. In June 2020, Google reported that 95% of their sites and services use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) by default1, while other sources report that the proportion of encrypted Web traffic is more than 90%2. The use of SSL Deep Packet Inspection (DPI), once an option, has become increasingly mission critical. With so much encrypted traffic, attacks have inevitably followed course.
The ultimate question when considering DNS redirection/proxy protection for your web-based assets these days is not “if” you will need defense, but “when.” Like BGP redirection, there are several ways to use proxy services, including on-demand or always-on. And just as with BGP, the answer to that question depends entirely upon how valuable the asset is to your business, as well as, the potential side effects of an attack. Many would argue that having traffic run through an always-on proxy adds latency. While there are always a few milliseconds of latency, the degree is largely dependent upon the scale of your security provider and the scope of the peering agreements that the provider enjoys. By optimizing the network side, the result is often net even. A provider with a geographically dispersed footprint, location in third-party cloud and robust, global interconnections can provide valuable peace of mind. In fact, some customer report that any latency introduced with an always-on deployment is offset by the discovery of how much low-level attack traffic is traversing their site on a regular basis! Smaller volume, “under-the-radar” attacks have become increasingly common simply because damage can be perpetrated on the target site without necessarily triggering on-demand defenses.
A final consideration includes the use of real-time application protection via the use of a Web Application Firewall (WAF), which is typically offered only in an always-on scenario. Application attacks like credential stuffing, for example, can be caught and mitigated by using a WAF. These attacks use automated injection of breached usernames and passwords to fraudulently access user accounts and feature a volumetric component that slows down site performance as well as possible compromises to applications or intellectual property. They may not happen constantly, but when attacks like this do occur, they can be devastating.
As with BGP redirection, proxies provide valuable security when you need it. It is vital to ensure that any security vendor you consider must offer that service - along with the flexibility your company needs - to determine the appropriate level of protection for each asset owned.