Effective network security requires a hybrid or multi-layered approach

DDoS attacks are becoming more frequent and complex, with threat actors growing increasingly sophisticated and audacious, presenting considerable risks to organizations. These attacks typically overwhelm the internet circuit before traffic even reaches a company's website, effectively bypassing existing security measures. Additionally, there's a prevalent misconception in industries such as government, finance, and manufacturing that cloud-based solutions provided by managed security services providers (MSSPs) and content delivery networks (CDNs) can universally counteract DDoS threats. However, these attacks often employ a combination of sophisticated automated probing and manual analysis techniques that can evade primary defenses, potentially rendering critical business applications and services unavailable for extended periods. This emphasizes the necessity for a more detailed and layered approach to DDoS protection.

A major financial organization discovered the lesson the hard way after suffering two attacks within a fortnight.  The first attack, although relatively simple, managed to bypass the CDN’s additional DDoS protection and targeted their IP space.  This incident was particularly alarming for two reasons – firstly there was a prevalent assumption that the CDN’s DDoS solution was resistant to such attacks. Secondly, the attack significantly disrupted end-user productivity within the targeted application.

The second attack was more calculated, utilizing numerous bots to remain below the CDN’s detection threshold for alerting, yet still delivering sufficient fake requests to disable a customer portal.  This brief, five-minute attack resulted in the portal being offline for four hours.  The CDN failed to notify the organization of the attack because it did not detect it.  It is suspected that the attacker used a reconnaissance tool to learn the CDN’s thresholds and then cleverly tailored the attack causing maximum damage using the limited information gathered. 

Cloud-based DDoS protection alone is inadequate

Cloud-based DDoS mitigation services encompass both Content Delivery Network (CDN)-based and traffic diversion-based options. CDN-based services leverage a widespread infrastructure to absorb and neutralize attacks targeting assets delivered by their networks.

On the other hand, traffic diversion-based services, managed by specialized firms or divisions of large ISPs offer greater flexibility. Relying solely on cloud-based approaches for DDoS protection is not entirely foolproof or adequate. As organizations, their applications, and services become increasingly mission-critical, the demand for zero downtime intensifies, highlighting the need for more comprehensive protection strategies. 

A multi-layered approach is more effective

Cloud-based DDoS protection solutions are certainly essential to a hybrid, multi-layered partnership to secure networks against DDoS attacks. These solutions are crucial for handling large-scale attacks that can overwhelm a network by saturating its upstream bandwidth.

However, because many upstream protection providers often have constrained visibility and flexibility, based on their operational priorities, some smaller attacks may still penetrate these defenses. These minor yet harmful attacks highlight the necessity for every organization to adopt a comprehensive, multi-layered approach to DDoS protection. 

Sophisticated and targeted attacks of today demand on-premises solutions

Modern attackers utilize a variety of tactics including volumetric methods like reflection/amplification to application-specific floods, state exhaustion techniques, and attacks hidden within encrypted traffic.

Application-layer attacks often conform to normal application protocols, which include protocol handshakes and protocol/application compliance. An example of such an attack is the SLOW POST attack, where attackers send legitimate HTTP POST headers at a very slow pace, drastically slowing down the server. These attacks often appear legitimate, making them difficult to detect with traditional, on-demand cloud-based mitigation strategies.

Stateful devices such as firewalls and VPNs are commonly targeted. According to our Worldwide Infrastructure Security Report survey of 2023, 83% of respondents experienced outages due to DDoS attacks that overwhelmed these devices – a significant 21% increase from the previous year.  To effectively counteract these attacks, solutions need to be placed at the network edge, ahead of these devices. They must be stateless to avoid the same vulnerabilities and be always active, thus circumventing the initiation delays common in on-demand cloud services.

As attackers increasingly mask their activities in encrypted traffic, a critical element of any security strategy is the capability to decrypt and inspect this traffic securely without destabilizing its integrity.

Another consideration is the location of decryption as many organizations are hesitant to have their traffic decrypted offsite by a cloud service due to the risks of sharing private certificates with a third party, a concern that some cloud providers do not want to take up the responsibility of managing private keys.  

Given that the optimal location for DDoS protection is at the network’s edge, such systems can also help in detecting and blocking Indicators of Compromise (IoC) with robust threat intelligence resources.

This integrated approach not only enhances security but also ensures comprehensive protection against evolving DDoS threats. 

Layered protection strategy

Organizations of all sizes must rethink their approaches to DDoS protections.  Any cloud-based solution will have its drawbacks, and so will several network solutions, such as devices like intrusion detection systems/intrusion prevention systems (IDS/IPS), and web application firewalls – all have specialized protection features too.

The most effective protection against DDoS attacks is a hybrid or multi-layered strategy that blends the strengths of cloud-based services, DDoS-specific network solutions, and additional protections customized for specified services.

A multilayer protection strategy should be designed to enable comprehensive DDoS protection in an increasingly complex environment. On-premises, dedicated, DDoS mitigation devices provide stateless real-time protection packet-level visibility and can be surgically tuned to any environment. It can automatically and intelligently communicate with an ISP’s cloud-based DDoS protection service to provide optimal protection. 

Because of the damage that can be done by short-duration attacks on an organization’s critical business applications and services as well as the requirement for near real-time mitigation to stop these attacks, an always-on packet-level mitigation solution that sits on the edge of your network is the foundation and a critical need for a multilayered comprehensive DDoS defense.

 By Vinay Sharma, Regional Director, India and SAARC, NETSCOUT