A GUIDE TO DDoS PROTECTION

Similar documents
Large FSI DDoS Protection Reference Architecture

Deploying a Next-Generation IPS Infrastructure

Deploying a Next-Generation IPS Infrastructure

A10 DDOS PROTECTION CLOUD

Comprehensive datacenter protection

Protect Against Evolving DDoS Threats: The Case for Hybrid

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution

Imperva Incapsula Product Overview

Complying with PCI DSS 3.0

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

How your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter

AKAMAI CLOUD SECURITY SOLUTIONS

Solutions Guide. F5 solutions for the emerging 5G landscape

What s next for your data center? Power Your Evolution with Physical and Virtual ADCs. Jeppe Koefoed Wim Zandee Field sales, Nordics

Securing the Cloud. White Paper by Peter Silva

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

The F5 Intelligent DNS Scale Reference Architecture

F5 Reference Architecture for Cisco ACI

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Improving VDI with Scalable Infrastructure

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Comprehensive DDoS Attack Protection: Cloud-based, Enterprise Grade Mitigation F5 Silverline

Vulnerability Assessment with Application Security

DDoS MITIGATION BEST PRACTICES

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

F5 and Nuage Networks Partnership Overview for Enterprises

Protecting Against Online Banking Fraud with F5

Multi-Tenancy Designs for the F5 High-Performance Services Fabric

Enabling Long Distance Live Migration with F5 and VMware vmotion

Deploying the BIG-IP System v11 with DNS Servers

DDoS Hybrid Defender. SSL Orchestrator. Comprehensive DDoS protection, tightly-integrated on-premises and cloud

Securing Your Microsoft Azure Virtual Networks

Arbor White Paper Keeping the Lights On

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

WHITE PAPER. F5 and Cisco. Supercharging IT Operations with Full-Stack SDN

Securing Your Amazon Web Services Virtual Networks

IBM Cloud Internet Services: Optimizing security to protect your web applications

Enhancing VMware Horizon View with F5 Solutions

Herding Cats. Carl Brothers, F5 Field Systems Engineer

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

The Programmable Network

Geolocation and Application Delivery

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

DNS SECURITY BENEFITS OF OUTSOURCING YOUR DNS TO AN IP ANYCAST+ PROVIDER

OPTIMIZE. MONETIZE. SECURE. Agile, scalable network solutions for service providers.

The F5 Application Services Reference Architecture

Cookies, Sessions, and Persistence

Data Center Virtualization Q&A

Key Considerations in Choosing a Web Application Firewall

Webshells. Webshell Examples. How does a webshell attack work? Nir Zigler,

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

Simplifying Security for Mobile Networks

Archived. Configuring a single-tenant BIG-IP Virtual Edition in the Cloud. Deployment Guide Document Version: 1.0. What is F5 iapp?

Downtime by DDoS: Taking an Integrated Multi-Layered Approach. Arbor Solution Brief

Prompta volumus denique eam ei, mel autem

Best Practices in Securing a Multicloud World

Enterprise D/DoS Mitigation Solution offering

Advanced Techniques for DDoS Mitigation and Web Application Defense

DDoS: STRATEGIES FOR DEALING WITH A GROWING THREAT

Practical Guide to Choosing a DDoS Mitigation Service WHITEPAPER

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

Cisco HyperFlex and the F5 BIG-IP Platform Accelerate Infrastructure and Application Deployments

Cyber War Chronicles Stories from the Virtual Trenches

Archived. Deploying the BIG-IP LTM with IBM Cognos Insight. Deployment Guide Document version 1.0. What s inside: 2 Products and versions tested

The Interactive Guide to Protecting Your Election Website

Load Balancing 101: Nuts and Bolts

HOW TO HANDLE A RANSOM- DRIVEN DDOS ATTACK

F5 Synthesis Information Session. April, 2014

Arbor Solution Brief Arbor Cloud for Enterprises

Distributing Applications for Disaster Planning and Availability

Securing LTE Networks What, Why, and How

Unified Application Delivery

Think You re Safe from DDoS Attacks? As an AWS customer, you probably need more protection. Discover the vulnerabilities and how Neustar can help.

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

Optimizing NetApp SnapMirror Data Replication with F5 BIG-IP WAN Optimization Manager

F5 icontrol. In this white paper, get an introduction to F5 icontrol service-enabled management API. F5 White Paper

Meeting the Challenges of an HA Architecture for IBM WebSphere SIP

Cloudflare Advanced DDoS Protection

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Deploying the BIG-IP System with Oracle Hyperion Applications

An Introduction to DDoS attacks trends and protection Alessandro Bulletti Consulting Engineer, Arbor Networks

DESIGN GUIDE. VMware NSX for vsphere (NSX-v) and F5 BIG-IP Design Guide

CYBER SECURITY FOR BUSINESS COUNTING THE COSTS, FINDING THE VALUE

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING

Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

A Top US Bank Trusts Neustar SiteProtect for Reliable DDoS Protection Depth

Load Balancing 101: Nuts and Bolts

NINE MYTHS ABOUT. DDo S PROTECTION

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

SUPERCHARGE YOUR DDoS PROTECTION STRATEGY

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

WHITE PAPER Hybrid Approach to DDoS Mitigation

August 14th, 2018 PRESENTED BY:

Integrated Access Management Solutions. Access Televentures

FOR FINANCIAL SERVICES ORGANIZATIONS

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Validating Microsoft Exchange 2010 on Cisco and NetApp FlexPod with the F5 BIG-IP System

Transcription:

HTTP CACHE BYPASS FLOOD THINK APP SECURITY FIRST CHOOSING THE RIGHT MODEL A GUIDE TO DDoS PROTECTION DNS AMPLIFICATION

INTRODUCTION By thinking proactively about DDoS defense, organizations can build a comprehensive strategy to mitigate attacks. RECENT DATA INDICATES THAT BUSINESSES OF ALL SIZES IN NEARLY EVERY INDUSTRY RUN THE RISK OF A DDoS ATTACK. Until recently, security teams for organizations in many industries believed they didn t need to worry about DDoS attacks, but the latest data from the Verizon 2017 Data Breach Investigations Report indicates that businesses of all sizes in nearly every industry run the risk of being attacked.¹ IoT devices are increasingly compromised, recruited into botnets, and offered up by their creators as for-hire DDoS services. Additionally, there are numerous DDoS tools and services that are easily accessible and easy to use, even for the untechnical novice. Modern denial-of-service attacks not only interrupt or bring down websites and applications, but also serve to distract security operations teams from even larger threats. Attackers combine a variety of multi-vector attacks including volumetric floods, low-and-slow application-targeted techniques, and authentication-based strategies in hope of identifying weak spots in an organization s defense. Whether your organization has already been hit by a DDoS attack or you ve witnessed a partner or another organization struggle to mitigate one, planning is the key to survival. Building a DDoS-resistant architecture can help your organization keep its critical applications available and mitigate network, application, and volumetric attacks. With options such as on-premises protection, cloud-based scrubbing services, and hybrid solutions, the question is not whether you should prepare for a DDoS attack, but which strategy best helps your organization ensure service continuity and limit damage in the face of an attack. 1 http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/ 2

DDoS IMPACTS ALL LAYERS OF THE APPLICATION STACK A BRIEF OVERVIEW OF DDoS ATTACKS TYPES Before considering which DDoS protection strategy makes the most sense for your organization, consider the various types of DDoS attacks, which constantly change as attackers become more and more sophisticated. It helps to picture the components that make up the threat surface of an application and then match them to individual attack types. While the type of attack(s) you experience will not solely determine which model is right for you, it s important to understand that a DDoS attack can take many forms. And remember that vast swarms of bots (botnets) are most often the delivery mechanism for the attacks. Recognizing bot activity on a per-component level makes it easier to recognize attacks, no matter the type. It s possible, too, that an attacker might employ several of these attack types in concert, which means that organizations must develop a comprehensive and flexible DDoS protection strategy. APP SERVICES HEAVY (RESOURCE-INTENSIVE) URL ATTACKS SLOWLORIS (LOW-AND-SLOW) ATTACKS GET FLOODS HTTP CACHE BYPASS FLOODS ACCESS/IDENTITY ACCOUNT LOCKOUT FLOODS TLS/SSL SSL FLOODS SSL RENEGOTIATION ATTACKS SSL PROTOCOL MISUSE On the following pages, we ll explore your options, beginning with the standard on-premises solution. DNS DNS AMPLIFICATION DNS REFLECTION DNS NXDOMAIN ATTACKS NETWORK TCP SYN FLOODS UDP & ICMP FLOODS FIN/RST FLOODS NETWORK PROTOCOL ABUSE 3

MODEL OPTION 1: ON-PREMISES DDoS PROTECTION The value of an on-premises solution is clear for many organizations. By deploying point products in your data centers, you can maintain direct control over your infrastructure, allowing you to update, change, add, or remove any piece of it at any time. You also reap the benefit of immediate mitigation of an attack through the instant response of your security devices followed by reporting on the details of the attack. Your in-house IT team can architect custom solutions that scale independently of each other. In addition, low-level DDoS attacks such as Slowloris, as well as exploits that target your applications, are much more efficiently identified and mitigated in your data center close to the application. Furthermore, many organizations especially large financial institutions are reluctant to share their private keys with outside vendors, such as a cloud-scrubbing DDoS service. ON-PREMISES DDoS PROTECTION 1 HIGH-CAPACITY, DDoS PROTECTION DEVICE 2 WEB APPLICATION FIREWALL Maintain direct control of DDoS mitigation by owned and operated devices, but remain vulnerable to large attacks that overwhelm bandwidth capacity. 3 ONLY THE CLEAN TRAFFIC IS ROUTED BACK TO THE APPLICATION SUPPORTS MILLIONS OF SIMULTANEOUS CONNECTIONS STOPS HTTP FLOODS AND TLS-BASED ATTACKS REPELS FLOOD ATTACKS WHILE ADMITTING LEGITIMATE TRAFFIC AUTOMATICALLY BLOCKS KNOWN BAD ACTORS (WITH IP INTELLIGENCE INTEGRATION) TERMINATES TLS IDENTIFIES AND STOPS MALICIOUS LAYER 7 BOT TRAFFIC WITH BEHAVIORAL ANALYSIS

ON-PREMISES DDOS PROTECTION, CONT. By keeping DDoS mitigation in house, you always which detracts from your security operations team s have optimal visibility and control over your ability to focus on other threats. Furthermore, some protection strategy. The bottom line is that if your of these individual solutions are not extensible and organization gets targeted repeatedly, you will save provide value only when you are attacked, which money and time by having an on-premises solution means that you ve spent a large amount of money that s fine-tuned and ready to spring into action at for something you might use only once or twice (if the first sign of an attack. you re lucky). IF YOUR ORGANIZATION GETS TARGETED REPEATEDLY, YOU WILL SAVE MONEY AND TIME BY HAVING A FINE-TUNED ON-PREMISES SOLUTION. 1TBPS TODAY S LARGE-SCALE DDOS ATTACKS ARE EXCEEDING 1 TBPS IN TOTAL THROUGHPUT, WHICH EASILY OUTCLASSES ALL BUT THE LARGEST ON-PREMISES ENTERPRISE DEFENSES. Finally, not all on-premises solutions are designed to work with upstream cloud solutions this is an important point to consider as your organization s needs change. Having a vendor that can provide seamless integration from on-premises defense to cloud scrubbing (when needed) helps you streamline your network architecture, reduce time from attack detection to mitigation, and avoid manual steps that can introduce errors. On-premises solutions do have some limitations. For example, even the most robust on-premises DDoS solution would be overwhelmed by the size of some of today s large volumetric attacks. In addition, while there are many point products on the market, there are very few comprehensive DDoS solutions, which means that organizations must work with multiple vendors to develop a full-featured solution. Managing several products from several different vendors requires a lot of varying technical knowledge and can be a time-consuming process, 5

MODEL OPTION 2: CLOUD-BASED MANAGED SERVICES For some organizations, employing a cloud-based scrubbing service and web application firewall (WAF) to outsource (or simply upgrade) your DDoS protection is the best strategy. If you re managing born in the cloud applications, you many not operate a traditional data center where on-premises security devices could be placed. In addition, you may not have the technical staff to deploy and manage an on-premises DDoS protection solution. According to the F5 State of Application Delivery 2018 report, 87% of companies surveyed operate applications in multiple clouds.² Cloud-based DDoS solutions offer a centralized solution, no matter how many clouds you use. Whether operating in multiple clouds, an in-house data center, or a combination of both, a cloud-scrubbing service ingests your traffic; directs it to massive, globally 2 https://interact.f5.com/2018_soad.html CLOUD-BASED MANAGED SERVICES 1 CLOUD-SCRUBBING SERVICE 2 CLOUD-BASED MANAGED WAF All traffic flows through the cloud provider with 24x7 expert monitoring and mitigation. 3 ONLY THE CLEAN TRAFFIC IS ROUTED BACK TO THE APPLICATION HIGH-VOLUME, CLOUD-BASED TRAFFIC SCRUBBING STOPS HTTP FLOODS AND TLS-BASED ATTACKS REAL-TIME VOLUMETRIC DDOS ATTACK DETECTION AND MITIGATION 24x7 EXPERT MONITORING AND SUPPORT IDENTIFIES AND STOPS MALICIOUS LAYER 7 BOT TRAFFIC WITH BEHAVIORAL ANALYSIS FLEXIBLE ACROSS HYBRID ENVIRONMENTS 24x7 EXPERT MONITORING AND SUPPORT

CLOUD-BASED MANAGED SERVICES, CONT. dispersed scrubbing centers; blocks malicious traffic; and then delivers clean traffic to your on-premises or cloud data center(s). And for the attacks aimed at layer 7, application security experts provide continuously updated WAF policies to ensure only legitimate traffic reaches your application. Cloud-based DDoS protection solves the problem that no on-premises solution can: pipe-saturating DDoS events. Cloud-based DDoS protection services work to block attacks closest to the source of the attack, ensuring that attack traffic never reaches your data center(s) and application(s). In today s world of massive DDoS attacks generated from global IoT botnets, it is imperative to block those attacks as close to the origination point as possible. IF YOU RE CONSIDERING A CLOUD-SCRUBBING SERVICE, LOOK FOR ONE THAT ALSO OFFERS A WEB APPLICATION FIREWALL OPTION. While the majority of the attacks seen today are volumetric attacks aimed at layers 3 and 4, the application layer (layer 7), is seeing an increase in attacks. A cloud-based managed WAF can augment your protection against application-level DDoS attacks. You ll have a solution for the many variations of HTTP floods or heavy URL resource attacks, including complex database queries that can quickly overwhelm your app. With the average salary of an application security engineer in the U.S. now up to $138,000 a year³, it s expensive to build a team that can be available during nights, weekends, and holidays to fine-tune policies and stay on top of alerts. While this will round out your complete DDoS solution in the cloud, you ll also get many more benefits to your application security, such as defense against OWASP top 10 threats, credential stuffing, and API protection just to name a few. Managed cloud-based security services can often improve operational efficiency and decrease IT overhead as they can be deployed in minutes. In addition, the best services offer 24x7 attack support from security experts, which can free your security team to focus on other issues. These services protect many customers, so the overall equipment cost is shared among a pool of customers. And because your organization only pays for the services it uses, you often reap significant CapEx savings. However, if all your network traffic is being scrubbed and you are bound by the terms of the service agreement you sign with the cloud-scrubbing service there s less flexibility in customizing your solution. If you are considering a cloud-scrubbing service, look for one that also offers a web application firewall option for application attacks so you can remove the chance of conflict between multiple vendors. Lastly, to effectively protect an application with a managed WAF, your provider will need to terminate TLS which will require them to host your private key. 33 % IN 2017, 33% OF ALL ORGANIZATIONS FACED AT LEAST ONE DDoS ATTACK.⁴ 3 https://www.glassdoor.com/salaries/applications-security-engineersalary-srch_ko0,30.htm 4 https://www.techrepublic.com/article/33-of-businesses-hit-by-ddosattack-in-2017-double-that-of-2016/ 7

MODEL OPTION 3 HYBRID DDoS PROTECTION STRATEGY While both on-premises solutions and cloud-based services offer protection from DDoS attacks, many organizations will want to consider the benefits of a hybrid strategy that employs combined on-premises and cloud protection to stop all varieties of DDoS attacks. Once architected, a hybrid solution delivers a closed feedback loop between on-premises and cloud components, which allows for fine-tuned mitigation as well as granular reporting of attack details. Perhaps the strongest approach to hybrid DDoS protection involves a multi-tiered architecture where layer 3 and layer 4 attacks are mitigated at the network tier with robust firewalls and IP reputation database integration. The application tier handles high-cpu security functions such as SSL termination and web application firewall functionality. And a cloud-based tier protects against large volumetric attacks by filtering the HYBRID DDoS PROTECTION 1 CLOUD-SCRUBBING SERVICE 2 ON-PREMISES DDOS PROTECTION 3 WEB APPLICATION FIREWALL Retain control of mitigation timing and techniques, but have on-demand help from a cloud provider for the large, bandwidth-consuming attacks. 4 ONLY THE CLEAN TRAFFIC IS ROUTED BACK TO THE APPLICATION HIGH-VOLUME, CLOUD- BASED TRAFFIC SCRUBBING REAL-TIME VOLUMETRIC DDOS ATTACK DETECTION AND MITIGATION 24X7 EXPERT MONITORING AND SUPPORT LAYER 3 AND 4 PROTECTION MITIGATION OF LOW- VOLUME ATTACKS IP REPUTATION DATABASE STOPS HTTP FLOODS AND TLS-BASED ATTACKS TERMINATES TLS IDENTIFIES AND STOPS MALICIOUS LAYER 7 BOT TRAFFIC WITH BEHAVIORAL ANALYSIS

HYBRID DDOS PROTECTION STRATEGY, CONT. traffic generated by the attacker while returning legitimate traffic to your data center. This true hybrid solution delivers DDoS defense at all layers, protecting protocols (including those employing SSL and TLS encryption) as well as stopping DDoS bursts, randomized HTTP floods, cache bypass, and other attacks that can disrupt application behavior. A hybrid approach to DDoS protection can also lead to cost savings and greater efficiency. Automatically shifting large attacks to the cloud requires fewer inhouse technical resources, while boosting mitigation speed, which results in less downtime. There are also benefits to only engaging the cloud-scrubbing service when you need it, instead of sending traffic through it continuously. This always-available architecture allows traffic to flow normally to your data center(s), which reduces complexity, until engagement of cloud-based protections is needed. A true hybrid solution offers expedient cloudengagement to reroute traffic through the cloudscrubbing platforms. And, ideally, both parts of your hybrid solution can share a combined fabric that controls whether attacks are handled on-premises or in the cloud thus enabling the optimal balance for any given attack or series of attacks. Completely outsourcing your DDoS protection requirements to a cloud-based service is the simplest way to achieve a high degree of protection, while managing a hybrid solution does require some in-house technical resources. In addition, some businesses have spent considerable time and money architecting strong volumetric solutions on-premises, which works well as long as your in-house devices aren t overwhelmed by the growing size of DDoS attacks. The last caveat about a hybrid solution is that your organization may need to employ multiple incident managers to address attacks on-premises and in the cloud. A HYBRID APPROACH TO DDOS PROTECTION CAN ALSO LEAD TO COST SAVINGS AND GREATER EFFICIENCY. 9

IS THERE AN IDEAL SOLUTION? HAVING A SINGLE VENDOR THAT PROVIDES CONSISTENT PROTECTION SERVICES ACROSS ALL MODELS CAN HELP MEET YOUR NEEDS TODAY AND AS THEY EVOLVE. In today s climate of ever-evolving DDoS attacks, it s increasingly clear that every organization needs to consider and adopt a DDoS protection strategy. Integrated on-premises solutions offer tight control Whatever you decide, be proactive in your DDoS and flexibility, but can be quickly overwhelmed defense. Ensure the continuity of your site and your by a large volumetric attack. Managed cloudbased services deliver protection from those large you experience an attack. services by putting your solution in place before attacks, but can be expensive if used for all traffic, For more information about protecting your all the time. By using a combination of on-premises organization against DDoS attacks, visit security devices and a cloud-based scrubbing f5.com/security. service to handle volumetric attacks, organizations maintain control, while spinning up cloud-protection services as needed to handle the largest volumetric floods. In choosing how to best protect your organization from DDoS attacks, you should weigh the likelihood of experiencing an attack against the ability of your organization to effectively mitigate it. Having a single vendor that provides consistent protection services across all models to meet your needs today and as they evolve can be a key advantage. 10

THINK APP SECURITY FIRST Always-on, always-connected apps can help power and transform your business but they can also act as gateways to data beyond the protections of your firewalls. With most attacks happening at the app level, protecting the capabilities that drive your business means protecting the apps that make them happen. US Headquarters: 401 Elliott Ave W, Seattle, WA 98119 888-882-4447 // Americas: info@f5.com // Asia-Pacific: apacinfo@f5.com // Europe/Middle East/Africa: emeainfo@f5.com // Japan: f5j-info@f5.com 2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of the irrespective owners with no endorsement or affiliation, expressed or implied, claimed by F5. EBOOK-SEC-197489895 2.18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback