Incapsula Guide to Selecting a DDoS Solution WHITE PAPER

Similar documents
Practical Guide to Choosing a DDoS Mitigation Service WHITEPAPER

Imperva Incapsula Product Overview

Imperva Incapsula Website Security

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

Global DDoS Threat Landscape

AKAMAI CLOUD SECURITY SOLUTIONS

WHITE PAPER Hybrid Approach to DDoS Mitigation

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

SOLUTION BRIEF FPO. Imperva Simplifies and Automates PCI DSS Compliance

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Arbor White Paper Keeping the Lights On

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

A GUIDE TO DDoS PROTECTION

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Securing Your Microsoft Azure Virtual Networks

A10 DDOS PROTECTION CLOUD

DDoS MITIGATION BEST PRACTICES

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

CLOUD-BASED DDOS PROTECTION FOR HOSTING PROVIDERS

SUPERCHARGE YOUR DDoS PROTECTION STRATEGY

Enterprise D/DoS Mitigation Solution offering

Imperva Incapsula Survey: What DDoS Attacks Really Cost Businesses

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

A Top US Bank Trusts Neustar SiteProtect for Reliable DDoS Protection Depth

DDoS Detection&Mitigation: Radware Solution

HOW TO HANDLE A RANSOM- DRIVEN DDOS ATTACK

Cloudflare Advanced DDoS Protection

Securing Your Amazon Web Services Virtual Networks

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

Arbor Solution Brief Arbor Cloud for Enterprises

RESELLER LOGO RADICALLY BETTER. DDoS PROTECTION. Radically more effective, radically more affordable solutions for small and medium enterprises

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING

Comprehensive datacenter protection

Express Monitoring 2019

Imperva Incapsula DDoS Protection

Internet2 DDoS Mitigation Update

Delivering Cyber Security Confidence for the Modern Enterprise

Preparing your network for the next wave of innovation

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Arbor White Paper. DDoS: THE STAKES HAVE CHANGED. HAVE YOU? REVEALED: 3 dangerous myths about DDoS attacks

DDoS Managed Security Services Playbook

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Beyond Blind Defense: Gaining Insights from Proactive App Sec

Think You re Safe from DDoS Attacks? As an AWS customer, you probably need more protection. Discover the vulnerabilities and how Neustar can help.

Imperva Incapsula DDoS Protection

ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks

DNS SECURITY BENEFITS OF OUTSOURCING YOUR DNS TO AN IP ANYCAST+ PROVIDER

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Imperva CounterBreach

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

McAfee Total Protection for Data Loss Prevention

Trend Micro Deep Discovery for Education. Identify and mitigate APTs and other security issues before they corrupt databases or steal sensitive data

Neustar Security Solutions Overview

Intelligent and Secure Network

Large FSI DDoS Protection Reference Architecture

Radware s Attack Mitigation Solution Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

The Imperva Incapsula DDoS Response Playbook

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

SIEM: Five Requirements that Solve the Bigger Business Issues

DDoS Introduction. We see things others can t. Pablo Grande.

NETWORK DDOS PROTECTION STANDBY OR PERMANENT INFRASTRUCTURE PROTECTION VIA BGP ROUTING

DDOS DETECTION AND RESPONSE TRENDS IN THE ENTERPRISE: AN IANS CUSTOM REPORT

McAfee Complete Endpoint Threat Protection Advanced threat protection for sophisticated attacks

Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

WHITE PAPER. Attackers Use DDoS Pulses to Pin Down Multiple Targets, Send Shock Waves Through Hybrids

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

Comprehensive DDoS Attack Protection: Cloud-based, Enterprise Grade Mitigation F5 Silverline

Ensuring the Success of E-Business Sites. January 2000

Global DDoS Threat Landscape

DDoS Hybrid Defender. SSL Orchestrator. Comprehensive DDoS protection, tightly-integrated on-premises and cloud

Automating the Top 20 CIS Critical Security Controls

The Interactive Guide to Protecting Your Election Website

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Downtime by DDoS: Taking an Integrated Multi-Layered Approach. Arbor Solution Brief

The Bots Are Coming The Bots Are Coming Scott Taylor Director, Solutions Engineering

Cyber Security Guidelines Distributed Denial of Service (DDoS) Attacks

NINE MYTHS ABOUT. DDo S PROTECTION

Services solutions for Managed Service Providers (MSPs)

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Imperva Incapsula Load Balancer

DNS SECURITY BEST PRACTICES

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

An Introduction to DDoS attacks trends and protection Alessandro Bulletti Consulting Engineer, Arbor Networks

haltdos - Web Application Firewall

Transcription:

The Practical Guide to Choosing a DDoS Mitigation Service From massive volumetric attacks to sophisticated application layer threats, DDoS attacks are bigger, smarter and more dangerous than ever. Given today s threat landscape and the availability of inexpensive, Do It Yourself DDoS tools, online businesses need to take DDoS mitigation seriously. These attacks can cripple a website or online application in minutes, resulting in lost revenues, reputation damage and reduced customer confidence. This white paper provides online businesses of all sizes with practical guidelines for choosing a DDoS mitigation solution. It outlines several important considerations, useful tips and key requirements to be used for evaluating potential solutions. The document includes an overview of Imperva Incapsula DDoS Protection solution, showing how it helps online businesses mitigate highvolume and sophisticated DDoS attacks without disrupting the user experience. DDoS: Who s at Risk? The answer to the question of who s really at risk from a DDoS (Distributed Denial of Service) attack is quite simple: any business with a web presence. DDoS attacks today target both large and small companies, organizations, government offices, and even individuals with a prominent web presence. The Incapsula 2013-2014 DDoS Threat Landscape Report, points to a 240% increase in DDoS botnet activity over the space of one year. Among the driving forces behind the proliferation of DDoS are the simplicity and low cost of putting an attack in motion, and the relative impunity attackers enjoy. Simple, low-cost DDoS toolkits, such as Dirt Jumper and its variants, leave no website or network safe. While hacktivist attacks, such as those perpetrated by the QCF against leading US banks in 2012-2013 often get the most headlines, the majority of DDoS attacks are executed by criminal botnet services. Botnets-for-hire, composed of thousands of compromised devices, are readily available on the Internet and provide the foundation for launching devastating attacks against online businesses. The fees for these services start at $50 for small attacks, but some researchers have seen DDoS prices as low as $9. To attract customers, botnet owners advertise their services in underground forums and mailing lists. Another trend ratcheting up the risk to commercial sites is the fact that DDoS attacks are increasingly being used as a competitive business tool, designed to create chaos and level damage to competitors sites. As such, DDoS attacks, which used to focus mainly on high-profile websites, now also target mid-sized enterprises and SMBs. 2

Preliminary Precautions Given today s threat landscape, any business owner with a website should take DDoS mitigation seriously. In particular, organizations with significant online financial or reputational assets should take immediate action with respect to implementing a DDoS mitigation solution. Even those still considering their DDoS mitigation options should at the very least conduct ongoing monitoring to be aware of threats, and have an idea of possible remedies. This means that today you should: Conduct online reconnaissance Take note of online buzz about your organization, and look for hints of budding hacktivism focus. Subscribe to free security assessment reports that cover DDoS incidents and emerging DDoS techniques. Understand the basics of mitigation Once you know of relevant threats, take note of basic mitigation recommendations like implementing content filtering rules or modifying your firewall settings. In the event that you are attacked, prepare a communications strategy in advance that will let your customers know what s going on, and what you re doing about it. Evaluate alternatives to absorb DDoS bandwidth peaks Over-provisioning Internet bandwidth is one of the most common measures to alleviate DDoS attacks, but it is also probably the most expensive, especially since DDoS attacks can be 10 times or even 100 times greater than standard Internet traffic levels. An alternative is to use a security service that scales on-demand to absorb and filter DDoS traffic. DDoS protection services are designed to stop massive DDoS attacks without burdening businesses Internet connections. Know where to get help You should at least know how to find a DDoS mitigation service, if you re under attack and need a quick remedy. Services like Incapsula can deliver reasonablypriced protection in just minutes keeping your site from crashing in the event of an attack, or at least minimizing downtime. 3

Choosing a DDoS Mitigation Solution Practical Tips Once you re ready to get serious about implementing DDoS mitigation, you ll need to delve deeper into the nature and types of solutions out there. The DDoS threat has pushed vendors to the limits of their creativity. As a result there s good news and bad news. The good news is that there ARE good solutions, technologies, and ideas out there; the bad news is that there are A LOT OF THEM to choose from, each representing a different approach to protection. Some notable approaches include: Appliances deployed within the data center Hardened hosting platforms Cloud-based DDoS mitigation services Regardless of the approach, when choosing a DDoS mitigation solution, you should make sure the solution adheres to the following fundamental guidelines. Transparent Mitigation Your users don t need to know and don t care that you are under attack. People should be able to access your site without delay, without being sent through holding areas or splash screens, and without receiving outdated cached content. Find a solution that protects your realm invisibly, yet effectively. Absorb Volumetric Network DDoS Attacks Network (Layers 3 & 4) DDoS attacks continue to grow in size. These types of attacks, the largest of which have exceeded 200 Gbps, are growing at a rapid pace, fueled in part by the widespread availability of cloud infrastructure. Amplification-based attacks are popular with attackers because they can deliver a massive flood of data at the target while requiring only a relatively small output from the source. You need to be able to absorb arbitrary yet massive - amounts of traffic. Service providers do this by building large 20 gigabyte data centers and distributing traffic among them, when possible. Appliance vendors deal with it by stacking and cloudifying their appliances. Find the path to absorption that works best, and is most cost-effective, for your needs. 4

Identify Sophisticated Application (Layer 7) DDoS Attacks Application (Layer 7) DDoS attacks typically mimic legitimate user traffic to evade an organization s common security measures (including barebone anti-ddos solutions). Application attacks are dangerous because they don t require high volumes to succeed. It takes no more than 50-100 targeted requests per second to bring down a mid-sized server. Most importantly, because application layer DDoS relies on humanlike bots and (in some cases) actual browsers, they re much harder to mitigate even once detected. To mitigate Layer 7 attacks, you need a solution with the brains to profile incoming traffic and distinguish between humans and bots. Leave a Path to Redemption One of the ke challenges in mitigating applicative DDoS attacks is minimizing falsepositives and business disruption. Legitimate visitors to your site should never be shut out without the possibility of redemption. What if they were wrongly accused of being a bot? As a last resort, legitimate users should be given a chance to prove they are human by filling out a CAPTCHA. Find a solution that ensures the best possible user experience. Preserve the User Experience Even when struggling to prevent DDoS attacks, remember that indiscriminately blocking all bot traffic can have serious repercussions for your business. For example, blocking Googlebot or McAfee ScanAlert bot can harm your site in the short and long term. Effective DDoS protection should revolve around pinpoint-accurate identification. Your DDoS protection solution should recognize and respect good bots, allowing them continuous and uninterrupted access to all areas of your site. Always On Protection In a global economy, your online business never shuts down, which means that your DDoS protection strategy must be based on accurate 24x365 monitoring. This is something that human operators should support but, in practice, simply cannot deliver reliably. Moreover, hit & run attacks can wreak havoc with DDoS mitigation solutions that need to be manually turned on and off at every burst. Find a solution that protects you automatically, without the hassles and risks of manual activation. Monitor Application and Network Traffic Monitoring application and network traffic provides IT security administrators with instant visibility into DDoS attack status. Security administrators should be able to review traffic levels, application performance, anomalous behavior, protocol violations and Web server error codes. Real-time traffic monitoring enables datadriven response to DDoS threats and any other unwanted scenarios. 5

A Parting Thought DDoS is a reality that your business needs to face. When choosing a DDoS mitigation service, following the guidelines above can help your business not only weather the flood of DDoS attacks, but even survive and thrive in the dangers of the virtual jungle. Imperva Incapsula Cloud-Based DDoS Mitigation Service Incapsula is a cloud-based service that stops all types of DDoS threats, including network, protocol and application level (Layers 3, 4 & 7) attacks with minimal business disruption. Leveraging a high-capacity global CDN, Incapsula always on DDoS mitigation service scales on demand to stop multi-gigabit attacks without requiring businesses to purchase expensive Internet connections or deploy additional networking equipment. DDoS Protection can be rolled out without the need for hardware, software, integration or web application code changes. Customers can provision this service simply by changing their website s DNS setting. The service detects and mitigates advanced attacks that exploit applications, web server, and DNS server vulnerabilities. Ironclad network defenses detect network attacks like SYN floods and DNS amplifications. Incapsula detects sophisticated application-layer attacks that bypass traditional DDoS security services by implementing advanced and progressive challenge mechanisms. These defenses differentiate between bots and legitimate application users by validating whether the client browser can execute JavaScript, store cookies and perform other basic browser functions. How It Works 40Gbps data center DDoS Rule Engine 40Gbps data center On-Edge Packet Analysis Web Application Firewall (WAF) Rate rules Generic rules Custom rules Client classification Application awareness Behavioral analysis Progressive Challenges... CDN distributes traffic between Incapsula scrubbing centers Dedicated hardware and software blocks network DDoS threats Security engine protects from web application and server vulnerabilities Visitors are assigned a risk score and their actions are put into context A set of challenges allows for granular and transparent mitigation 6

Key Features & Benefits Comprehensive DDoS Protection Incapsula protects your website against all types of DDoS threats, including networkbased attacks, like Sloworis, ICMP or TCP & UDP floods, and application layer attacks, such as GET flood, that attempt to overwhelm server resources. The service detects and mitigates advanced attacks that exploit application, Web and DNS server vulnerabilities, hit-and-run DDoS events and large botnets. High-Capacity Network As the size of network DDoS attacks, such as SYN flood and DNS amplifications, continues to increase, organizations require robust network capacity to mitigate any threat that might come its way. Incapsula global CDN offers high capacity to thwart the largest volumetric DDoS attacks. Zero Business Disruption Incapsula protects your site not only from complete denial of service, but also from disruptions related to DDoS attacks, mitigation false-positives, etc. We offer transparent mitigation with less than 1% false positives, and without degrading the normal user experience in any way. This lets you enjoy true DDoS protection, even from lengthy attacks, without affecting legitimate users. Infrastructure Protection Infrastructure Protection lets you protect core infrastructure (e.g., web, email, FTP servers) on demand across entire subnet ranges. In the event of an attack, traffic is re-routed through Incapsula scrubbing centers using BGP announcements. From this point on, Incapsula acts as the ISP and advertises all protected IP range announcements. All incoming network traffic is inspected and filtered, and only legitimate traffic is securely forwarded to the enterprise network via GRE tunneling. 24x7 Managed Security Service Incapsula dedicated team of SOC engineers monitors your attacks and is available before, during or after attacks to ensure your site is up and running and performing optimally. Collaborative Security Incapsula protects websites using collective knowledge about security threats, including new and emerging DDoS attack methods. Using crowd-sourcing techniques, new security information is aggregated across the entire network and new mitigation rules are applied in real-time, across all protected websites. Affordable, Pay as you Go/Grow Service With Incapsula you don t incur any CAPEX in purchasing expensive equipment. We offer cost effective, monthly subscriptions with on-demand upgrade options. 7

Data Protection for Philippines Information Security Breaches Guide About Imperva Imperva, pioneering the third pillar of enterprise security, fills the gaps in endpoint and network security by directly protecting high-value applications and data assets in physical and virtual data centers. With an integrated security platform built specifically for modern threats, Imperva data center security provides the visibility and control needed to neutralize attack, theft, and fraud from inside and outside the organization, mitigate risk, and streamline compliance. Over 3,500 customers in more than 90 countries rely on our SecureSphere platform to safeguard their business. Imperva is headquartered in Redwood Shores, California. Learn more at www.imperva.com. 2017, Imperva, Inc. All rights reserved. Imperva, the Imperva logo, SecureSphere, Incapsula, ThreatRadar, Skyfence and CounterBreach are trademarks of Imperva, Inc. and its subsidiaries. All other brand or product names are trademarks or registered trademarks of their respective holders. DS_Incapsula_Guide_To_Selecting_A_DDoS_Solution imperva.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback