Confidential
DDoS Protection
The 5 Commandments of DDoS Mitigation
DDoS – The Basics
Volume Based Attacks
• Method: Include UDP floods, ICMP floods, and other spoofed packet floods.
• Objective: Saturate the bandwidth of the attacked site.
• Magnitude: Typically measured in Bits per second.
Protocol Attacks
• Method: Primarily SYN floods, but also fragmented packet attacks.
• Objective: Consume web server resources or intermediate communication equipment, such as firewalls and load balancers.
• Magnitude: These are usually measured in Packets per second.
Application Layer Attacks
• Method: Unlike protocol attacks, these are comprised of legitimate and seemingly innocent requests.
• Objective: Bring the application servers down.
• Magnitude: Requests per second.
DDoS – Current and Future Trends
Volume Based Attacks are getting bigger
• More and more attacks over 20Gbps
Application Layer Attacks are becoming more frequent
• Targeting specific website platforms
• Targeting smaller websites
New Attack Types
• IP Range Blanket Bombing DOS Techniques
• Amplification through DNS requests to open DNS resolvers or open “public” SNMP servers
The 5 Commandments of DDoS Mitigation
Commandment 1: Thou shall be invisible
Your users don’t need to know and don’t care that you are under attack
People don’t like to hang around in “dangerous” places
People should be allowed to enter:
• Without delays
• Without being sent through holding areas & splash screens
• Without being served outdated cached content
Commandment 2: Let he who is innocent step forward
Self Redemption is Key!!!
All users should be able to exonerate themselves.
At the very least users should be able to:
• Shout out (complain)
• Redeem themselves by completing a CAPTCHA.
Commandment 3: Spare no bot but beware of those holier than thou
Block all Application Layer Bot Requests
• There is very little head room for most sites
• Even 50 excess page views/second can take down your site, or slow it down.
Transparency should not come at the expense of airtight protection
However, you must grant the “Internet Gods” (Google, Bing, Pingdom, etc.) access at all times
Commandment 4: Absorb all that is cast upon you
Take Cover! Network attacks are getting bigger
You must be able to take a “20Gbps +” hit standing
You must have isolation capabilities to prevent others from trembling with you
Commandment 5: To err is Human. Precise Detection is divine
Automatic & Accurate DDoS detection is just as important as effective mitigation
One shouldn’t be in “DDoS Mode” unnecessarily and you can’t watch your site 24x7x365
Real-time protection activation is crucial, otherwise you’re going down
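Added example (not from the original deck): a small, offline detector that ties Commandments 2, 3 and 5 together. It counts requests per client per second from constructed access-log lines, exempts crawlers only after a two-step reverse/forward DNS check (so a spoofed PTR record is not enough to pass as an “Internet God”), and sends anyone over the limit to a CAPTCHA challenge rather than silently dropping them. The log lines, the resolver tables, the hostnames and the 50 requests/second limit are all assumptions for the example.

```python
import re
from collections import Counter

# Constructed Apache-style access log lines using RFC 5737 test addresses (not real traffic).
SAMPLE_LOG = (
    ['192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 200 80',
     '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120',
     '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 3100']
    + ['203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=%d HTTP/1.1" 200 900' % i
       for i in range(60)]
    + ['192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /p/%d HTTP/1.1" 200 900' % i
       for i in range(55)]
)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# Constructed resolver tables standing in for live PTR and A lookups so the example runs offline.
# 203.0.113.9 claims a crawler hostname in its PTR record, but the forward lookup of that
# hostname does not return 203.0.113.9, so the two-step check rejects it.
PTR_RECORDS = {"192.0.2.10": "crawler-10.example-searchengine.test",
               "203.0.113.9": "crawler-10.example-searchengine.test"}
A_RECORDS = {"crawler-10.example-searchengine.test": "192.0.2.10"}
GOOD_BOT_DOMAINS = (".example-searchengine.test",)  # assumed allow-list of trusted crawlers
RATE_LIMIT = 50  # assumed per-client requests/second; the slide's "50 excess page views/second"


def is_verified_good_bot(ip):
    """Reverse lookup must land in an allow-listed domain AND forward lookup must return ip."""
    host = PTR_RECORDS.get(ip)
    if not host or not host.endswith(GOOD_BOT_DOMAINS):
        return False
    return A_RECORDS.get(host) == ip


def per_second_rates(lines):
    """Count requests per (client IP, one-second timestamp bucket)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[(m["ip"], m["ts"])] += 1
    return counts


def classify(lines, limit=RATE_LIMIT):
    """Return {ip: 'allow' | 'challenge'}; 'challenge' means serve a CAPTCHA (self-redemption)."""
    verdict = {}
    for (ip, _), n in per_second_rates(lines).items():
        if is_verified_good_bot(ip):
            verdict[ip] = "allow"          # Commandment 3: never challenge a verified crawler
        elif n > limit:
            verdict[ip] = "challenge"      # Commandment 2: let the innocent redeem themselves
        else:
            verdict.setdefault(ip, "allow")
    return verdict
```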