
DDoS attacks are growing in both frequency and severity, and they are becoming more complex and persistent. A typical campaign now combines several attack vectors at once, which defeats simple, single-technique mitigation.

Attacks launched from constantly changing (dynamic) source IP addresses, which defeat mitigation by simple blacklisting, are now ubiquitous. Volumetric network-layer attacks at hundreds of Gbps and hundreds of millions of packets per second have become commonplace, taking down organizations' networks and infrastructure. SSL-based and application-layer attacks, which exploit bottlenecks in the enterprise IT architecture, are increasingly prevalent. Launching a DDoS attack has never been easier.


Cloud Based DDoS Service

The technical barriers have mostly been removed by the commoditization of DDoS tools and the emergence of DDoS-as-a-Service offerings, which put sophisticated multi-vector attacks on both the network and application layer within anyone's reach. These attacks adapt quickly and demand an immediate response. Once a volumetric attack grows beyond what the on-premise equipment and the Internet link in front of it can absorb, traffic must be diverted to cloud scrubbing, or the organization risks service degradation and outages.

(a) Protection against SSL Based DDoS Attacks

SSL-based DDoS attacks target an organization's secured (HTTPS) online services. They are easy to launch and hard to mitigate, which makes them an attacker favourite. To detect and mitigate them, the anti-DDoS solution must first decrypt the traffic with the organization's SSL private keys. Decryption is CPU intensive and should be offloaded to dedicated hardware accelerators that can keep up with the traffic load. Because the organization's private keys are required for decryption, this step is performed on-premise rather than in the cloud, so that the keys never leave the customer's data center.

(b) Protection from application DDoS attacks

DDoS attacks that target application resources have grown recently and are now widely used. They target not only HTTP but also HTTPS, DNS, SMTP, FTP, VoIP and other application protocols whose weaknesses allow a denial of service. The most common are HTTP GET and POST floods, in which attackers mimic legitimate users downloading a large image or submitting a web form. A well-coordinated HTTP flood keeps the victim's web servers so busy serving attacker requests that they cannot serve legitimate users. Application-layer attacks are harder to detect because they generate little network traffic, and harder to mitigate because every transaction looks legitimate in isolation.

(c) Protection from low & slow DDoS attacks

Low & slow attack tools generate low-rate, low-volume traffic and are therefore hard to detect with rate-based anti-DDoS defences such as Next-Generation Firewalls. They typically exploit the fact that an HTTP server waits, connection by connection, for a request to complete: the tool opens thousands of connections to the web server and keeps each one alive with partial requests, never completing or terminating any of them. This exhausts the server's connection pool, so it stops accepting new requests and legitimate users are denied service.
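The detection logic this section implies, as an added example (not Radware's or the page's own code): given a snapshot of the web server's connection table, a naive idle-timeout check finds nothing, because a slow-header tool trickles a few bytes just inside the timeout; bounding the total time a connection may take to complete its request headers, and counting such connections per source, does find it. The timeouts, per-source limit and all connection records are assumed and constructed.

```python
"""Low & slow detection from a snapshot of server connection state.

Added example, not Radware's or the page's code. Connection records are
constructed; the timeouts and per-source limits are assumed policy values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str             # client IP address
    opened_at: float     # epoch seconds when the TCP connection was accepted
    last_byte_at: float  # epoch seconds of the most recent byte from the client
    bytes_in: int        # request bytes received so far on this connection
    headers_done: bool   # True once the blank line ending the request headers arrived


HEADER_TIMEOUT = 10.0        # assumed: seconds a client gets to finish its request headers
MAX_INCOMPLETE_PER_SRC = 20  # assumed: header-incomplete connections tolerated per source


def idle_connections(conns, now, idle_timeout=HEADER_TIMEOUT):
    """The naive check: connections that sent nothing for idle_timeout seconds.
    A slow-header tool sends one header line just inside the timeout, so this finds nothing."""
    return [c for c in conns if now - c.last_byte_at > idle_timeout]


def slow_connections(conns, now, header_timeout=HEADER_TIMEOUT):
    """The right check: bound the total time to complete the headers, not the idle gap."""
    return [c for c in conns if not c.headers_done and now - c.opened_at > header_timeout]


def aggregate_rate(conns, now):
    """Average inbound bytes/second across all open connections. Low & slow traffic
    stays tiny, which is why volumetric (rate-based) thresholds never fire."""
    if not conns:
        return 0.0
    elapsed = max(now - min(c.opened_at for c in conns), 1.0)
    return sum(c.bytes_in for c in conns) / elapsed


def sources_to_block(conns, now, header_timeout=HEADER_TIMEOUT,
                     max_incomplete=MAX_INCOMPLETE_PER_SRC):
    """Sources holding more header-incomplete connections than a real client plausibly would.
    A single slow mobile client stays under the limit; a Slowloris-style tool does not."""
    per_src = defaultdict(int)
    for c in slow_connections(conns, now, header_timeout):
        per_src[c.src] += 1
    return sorted(src for src, n in per_src.items() if n > max_incomplete)


def sample_connections(now):
    """Constructed snapshot: one attacker holding 300 half-open connections, each refreshed
    with a few bytes every ~5 s; five normal clients; one genuinely slow but harmless client."""
    conns = []
    for i in range(300):
        conns.append(Conn("203.0.113.7", now - 120 - i % 30, now - 5, 90 + (i % 30) * 6, False))
    for i in range(5):
        conns.append(Conn(f"192.0.2.{i + 1}", now - 1, now - 0.2, 400, True))
    conns.append(Conn("198.51.100.5", now - 12, now - 3, 60, False))  # slow link, one connection
    return conns


if __name__ == "__main__":
    now = 1_700_000_000.0
    snapshot = sample_connections(now)
    print("idle-timeout check flags:", len(idle_connections(snapshot, now)))
    print("header-timeout check flags:", len(slow_connections(snapshot, now)))
    print("aggregate inbound rate (B/s):", round(aggregate_rate(snapshot, now), 1))
    print("sources to block:", sources_to_block(snapshot, now))
```

The aggregate inbound rate for the whole snapshot is a few hundred bytes per second, far below anything a volumetric threshold would notice; the per-source count of header-incomplete connections is what separates the tool from the one legitimately slow client.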

(d) Distinguishing between legitimate users and attackers

Unlike most other cyber-security threats, a DDoS attack is composed of many individually legitimate-looking requests; only their volume and simultaneity make them an attack. Because every request looks legitimate, the biggest challenge for anti-DDoS mitigation is to tell attacker requests from legitimate user requests. Standard anti-DDoS solutions build their mitigation strategy on rate limiting, triggered once traffic crosses a pre-defined threshold. This produces relatively high false positives and blocks legitimate users (a flash crowd, or many users behind one NAT address) from reaching the service. Advanced anti-DDoS solutions use more sophisticated techniques, such as behavioural analysis that compares current traffic against learned normal baselines and makes mitigation decisions accordingly. They also challenge suspicious sources (for example with a redirect or cookie challenge that a browser completes transparently) and use the response to determine whether the source is a bot or a legitimate user.
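The three approaches contrasted in (b) and (d) side by side, as an added example (not Radware's or the page's own code), run over constructed access-log lines in a simple `<epoch> <src> <method> <path> <status>` form. A static per-source rate limit blocks a NAT gateway carrying ten normal browsers (a false positive) while letting a 50-request-per-minute HTTP flood against `/search` through (a false negative); a behavioural baseline built from peacetime traffic (the share of requests that hit expensive endpoints) flags the flood source and not the gateway; an HMAC cookie-style challenge then drops only the flagged source that fails to echo its token. The endpoint list, thresholds, secret and log lines are all assumptions of this example.

```python
"""Telling attackers from legitimate users in an HTTP flood: static rate limit,
behavioural baseline, and a source challenge. Added example, not Radware's or the
page's code; log lines are constructed and all thresholds/secrets are assumed."""
import hashlib
import hmac
import statistics
from collections import defaultdict

EXPENSIVE = ("/search", "/checkout")   # assumed: dynamic endpoints that are costly to serve
SECRET = b"rotate-me-per-deployment"   # assumed: server-side key for challenge tokens
ASSETS = ["/static/app.js", "/static/app.css", "/static/logo.png",
          "/static/font.woff", "/img/1.png", "/img/2.png"]


def parse(line):
    t, src, method, path, status = line.split()
    return float(t), src, method, path, int(status)


def per_source(events):
    out = defaultdict(list)
    for e in events:
        out[e[1]].append(e)
    return out


def static_rate_limit(events, window_s, threshold):
    """Classic rate limiting: block a source sending more than threshold requests in any
    window_s-second sliding window. Fast, but blind to the *mix* of requests."""
    blocked = set()
    for src, evs in per_source(events).items():
        times, lo = sorted(e[0] for e in evs), 0
        for hi in range(len(times)):
            while times[hi] - times[lo] >= window_s:
                lo += 1
            if hi - lo + 1 > threshold:
                blocked.add(src)
                break
    return blocked


def expensive_fraction(evs):
    return sum(1 for e in evs if e[3].startswith(EXPENSIVE)) / len(evs)


def build_baseline(peacetime_events):
    """Learn what a normal client looks like: share of requests hitting expensive endpoints."""
    fr = [expensive_fraction(evs) for evs in per_source(peacetime_events).values()]
    return statistics.mean(fr), statistics.pstdev(fr)


def behavioural_flags(events, baseline, k=3.0, min_requests=8):
    """Flag sources whose request mix deviates from the baseline by more than k std-devs.
    Volume alone is not a criterion, so a busy NAT gateway full of normal browsers passes."""
    mean, sd = baseline
    limit = mean + k * max(sd, 0.02)   # floor on sd so a uniform baseline is not brittle
    return {src for src, evs in per_source(events).items()
            if len(evs) >= min_requests and expensive_fraction(evs) > limit}


def issue_challenge(src):
    """Token handed to a suspicious source (e.g. in a redirect or Set-Cookie); a browser
    echoes it on its next request, a simple flood script does not."""
    return hmac.new(SECRET, src.encode(), hashlib.sha256).hexdigest()[:32]


def passes_challenge(src, echoed_token):
    return echoed_token is not None and hmac.compare_digest(issue_challenge(src), echoed_token)


def verdicts(events, baseline, echoed):
    """Only behaviourally suspicious sources are challenged; only those that fail are dropped."""
    flagged = behavioural_flags(events, baseline)
    return {src: "allow" if src not in flagged or passes_challenge(src, echoed.get(src)) else "drop"
            for src in per_source(events)}


def browser_session(src, t0, searches=1, step=3.0):
    paths = ["/"] + ASSETS + ["/search"] * searches
    return [f"{t0 + i * step:.1f} {src} GET {p} 200" for i, p in enumerate(paths)]


def peacetime_log():
    """Constructed: 20 ordinary browsers, each a page load plus one to three searches."""
    return [l for i in range(1, 21) for l in browser_session(f"192.0.2.{i}", 10.0 * i, 1 + i % 3)]


def attack_log():
    """Constructed: a NAT gateway (10 users, 80 requests/min, normal mix), a flood source
    hitting /search 50 times/min, and three ordinary browsers."""
    lines = [l for u in range(10) for l in browser_session("198.51.100.1", 100.0 + u * 5.6, 1, 0.7)]
    lines += [f"{100 + j * 1.1:.1f} 203.0.113.9 GET /search 200" for j in range(50)]
    return lines + [l for i in range(1, 4) for l in browser_session(f"192.0.2.{i}", 100.0 + i * 3)]


if __name__ == "__main__":
    base = build_baseline([parse(l) for l in peacetime_log()])
    attack = [parse(l) for l in attack_log()]
    print("static rate limit blocks:", static_rate_limit(attack, 60, 60))
    print("behavioural analysis flags:", behavioural_flags(attack, base))
    print(verdicts(attack, base, {"198.51.100.1": issue_challenge("198.51.100.1")}))
```

The baseline is deliberately a single feature (fraction of expensive requests) so the mechanism is visible; a production system would track several (status-code mix, request interval distribution, header fingerprint) and learn them per service, but the separation of "is this source abnormal?" from "can this source prove it is a browser?" is the part that keeps false positives low.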

(e) Guaranteeing the best quality of experience to legitimate users even under attack

The objective of a DDoS attacker is to keep legitimate users away from the online service; the mitigation solution must therefore not only stop the attack but also guarantee the best possible quality of experience to legitimate users throughout a prolonged DDoS campaign. The best approach is to separate, inside the mitigation solution, the hardware resources that handle attacker requests from those that handle legitimate user requests, and to make sure the resources reserved for legitimate users remain available even under a severe attack.

Radware's Cloud DDoS Protection Services are powered by a global cloud security network that scales to over 5 Tbps of mitigation capacity, with dedicated scrubbing centers that separate clean traffic from volumetric attack traffic. This capacity is distributed across scrubbing centers around the world so that traffic can be diverted when a volumetric attack threatens to saturate a customer's link. In addition to its scrubbing centers, Radware operates multiple cloud points of presence (PoPs) for always-on DDoS protection.

Radware scrubbing centers are located to serve major markets with minimal latency and are continually expanded and upgraded as the customer base grows and DDoS attack trends change. Each scrubbing center is backed up automatically under defined procedures and policies and can be replaced by another center, whether to scale up or to provide fault tolerance in case of a disaster. All scrubbing centers are interconnected over a VPN, and control can be transferred from one center to another using the control-center software.

Radware scrubbing centers carry availability SLAs of at least 99.999%. Every mission-critical device has at least one backup power feed with UPS and generator backup. Physical access to the data center buildings, data floors and individual areas is monitored 24/7, and standardized procedures ensure that only designated staff have access to equipment when required. The scrubbing centers are built in a full-mesh topology with N+1 redundancy across all networking elements (routers, switches, load balancers and more) and mitigation elements, including the DefensePro. All scrubbing centers have dual redundant power supplies on all applicable equipment to maximize uptime.

This topology allows each scrubbing center to keep operating without interruption during maintenance or element failure. In addition, the scrubbing centers connect to the Internet through multiple links from different ISPs, which provides high capacity, flexibility in diverting customer traffic, and high availability at all times. Everyday operation of each scrubbing center is controlled by management and monitoring systems that continuously monitor all components and sub-components, and the internal/external and front-end/back-end applications, to ensure the integrity of the infrastructure and the service. The management network is dedicated and separated from the mitigation network, and all management servers run on dedicated physical or virtual machines protected by a leading firewall and network security systems.

The On-Demand Cloud DDoS Protection Service offers cloud-based protection against volumetric DDoS attacks with minimal involvement from the customer's IT staff. The service monitors the IT infrastructure, for example by collecting traffic flow data from on-premise routers. When a growing volumetric attack is detected, traffic diversion to a cloud scrubbing center is activated (automatically, manually through the portal, or via API). Once traffic is diverted to the scrubbing center, the customer's traffic is cleaned of malicious traffic and only clean traffic is forwarded to the network and servers.

The advantage of the On-Demand service is that it is the lowest-cost option. Its trade-off is that it is less sensitive to real-time detection of application-level and SSL-based DDoS attacks, which are best detected on-premise.

(a) DefensePro CPE System

DefensePro is Radware's on-premise device that handles network-layer DDoS attacks. It is configured with policies that ensure maximum protection of the underlying network components, and in the event of a volumetric attack it signals the scrubbing center. DefensePro is a real-time intrusion prevention system (IPS) and DoS protection device that maintains business continuity by protecting the application infrastructure against existing and emerging network-based threats that traditional IPSs cannot detect, such as network- and application-resource misuse, malware spreading, authentication defeat and information theft.

(b) In-the-Cloud Scrubbing Center

When a protected network is under attack, Radware detects the attack and determines whether a traffic diversion to the scrubbing center is required. The decision to divert is made automatically by predefined pipe-saturation thresholds and by security alerts synced from the customer's on-premise equipment (CPE) via DefenseMessaging. It can also be made manually by clicking a button in the portal, programmatically via API/SDK, or by Radware's Emergency Response Team (by phone or email). Once the decision to divert has been made, traffic is diverted from the local data center to the scrubbing center, where the attack traffic is absorbed and mitigated while only clean, legitimate traffic is routed back to the protected network.

(c) Emergency Response Team (ERT) Service

Radware's Emergency Response Team (ERT) provides 24/7/365 attack mitigation support for customers facing or experiencing a DDoS attack or a malware outbreak. Such attacks often require immediate assistance. The ERT supports the customer's own security personnel in preparing for and defending operations against attacks. It is staffed by experienced security specialists with deep knowledge of cyber threats and of detection and mitigation techniques, as well as in-depth operational knowledge of Radware's security portfolio and technologies. The ERT Standard Service is included with Radware's Technical Support and Advanced Certainty Support levels for Hybrid customers whose on-premise DefensePro units are registered to an active Security Update Subscription (SUS), and for On-Demand customers. Hybrid and On-Demand customers can also upgrade to the optional ERT Premium Service, which adds customer-tailored capabilities; ERT Premium is already included for Always-On customers.

ERT services include:

  • Real Time Attack Mitigation
  • Pre-Attack Alerts
  • Post-Attack Report and Recommendations
  • Post-Attack Forensics Analysis and Recommendations
  • Time to Security Operative Response: the time between a customer's engagement and reaching an ERT security expert on the phone is less than 10 minutes.
  • Direct “Hot-Line” Access
  • Quarterly AMS Security Configuration Review
  • ERT Record of Security Configuration
  • Monitoring of Attacks
  • Monthly Security Events Report
  • Yearly Network Security Review
  • Device SW Maintenance

The DDoS attack lifecycle can be broken down into seven steps, all of which are visible to the customer in real time:

  • Detection of an attack: the first step in mitigating a DDoS attack is to detect it. When a protected network is under attack, Radware detects the attack and determines whether a traffic diversion to the scrubbing center is required.
  • Diversion initiation: for On-Demand or Hybrid customers, the decision to divert can be made automatically by predefined pipe-saturation thresholds and by security alerts synced from the customer's on-premise equipment (CPE) via DefenseMessaging, or manually by clicking a button in the portal, programmatically via API/SDK, or by contacting Radware by phone or email.
  • Traffic diversion: once the decision to divert has been made, traffic is diverted from the local data center to the scrubbing center.
  • Mitigation of attack traffic: dirty traffic enters the scrubbing center, where it meets full multi-layered protection covering DDoS attacks on the network and application layers, volumetric and non-volumetric attacks, and SSL-based DDoS attacks.
  • Return of clean traffic to the protected network: while the attack traffic is being cleansed, only legitimate traffic is routed back to the protected network.
  • Cool-down: when the attack has ended, traffic remains diverted for up to four hours, so that a secondary attack is protected against immediately.
  • Reversion: after the cool-down period has ended and no new attack has been launched, traffic returns to its original peacetime routes, directly to the customer premises.
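The lifecycle above as a small state machine, added as an example that is not Radware's or the page's own code. Detection is driven by link-utilisation samples computed from flow-export records (the on-premise router flow data mentioned earlier); the pipe-saturation threshold, the 1 Gbps link capacity and the sample timelines are assumed and constructed, while the four-hour cool-down and the secondary-attack behaviour follow the steps described in the text. A manual or API divert is modelled as a hold that stays in force until released.

```python
"""Diversion lifecycle as a state machine driven by link-utilisation samples.

Added example, not Radware's or the page's code. Link capacity, the saturation
threshold and the flow records are assumed/constructed; the four-hour cool-down
follows the lifecycle described in the text.
"""
from enum import Enum

LINK_CAPACITY_BPS = 1_000_000_000   # assumed: 1 Gbps customer Internet link
SATURATION = 0.8                    # assumed: divert at 80% link utilisation
COOL_DOWN_S = 4 * 3600              # from the text: stay diverted up to 4 h after the attack ends


class State(Enum):
    PEACETIME = "direct"                        # normal routes to the customer premises
    DIVERTED = "scrubbing-center"               # traffic routed through the scrubbing center
    COOL_DOWN = "scrubbing-center (cool-down)"  # attack over, diversion deliberately kept


def bits_per_second(flow_records, window_s):
    """Aggregate flow-export records (dst, bytes) seen in a window_s-second window."""
    return sum(b for _dst, b in flow_records) * 8 / window_s


class DiversionController:
    def __init__(self):
        self.state = State.PEACETIME
        self.hold = False             # manual/API divert stays in force until released
        self.attack_ended_at = None
        self.transitions = []         # (ts, new_state) audit trail, visible to the customer

    def _set(self, ts, state):
        if state is not self.state:
            self.state = state
            self.transitions.append((ts, state))

    def divert(self, ts):
        """Portal button, API/SDK call or ERT request."""
        self.hold = True
        self._set(ts, State.DIVERTED)

    def release(self):
        self.hold = False

    def observe(self, ts, bps):
        """Feed one utilisation sample; returns the routing state that should now apply."""
        attacking = self.hold or bps >= SATURATION * LINK_CAPACITY_BPS
        if self.state is State.PEACETIME and attacking:
            self._set(ts, State.DIVERTED)             # steps 1-3: detect, decide, divert
        elif self.state is State.DIVERTED and not attacking:
            self.attack_ended_at = ts
            self._set(ts, State.COOL_DOWN)            # attack over: keep the diversion
        elif self.state is State.COOL_DOWN:
            if attacking:
                self._set(ts, State.DIVERTED)         # secondary attack: no re-diversion delay
            elif ts - self.attack_ended_at >= COOL_DOWN_S:
                self._set(ts, State.PEACETIME)        # step 7: revert to peacetime routes
        return self.state


def timeline(attack_windows, horizon_s, step_s=60):
    """Constructed utilisation samples: 100 Mbps at rest, 950 Mbps during each (start, end)."""
    for ts in range(0, horizon_s + 1, step_s):
        hot = any(start <= ts < end for start, end in attack_windows)
        yield ts, 950e6 if hot else 100e6


def run(attack_windows, horizon_s):
    """Drive a fresh controller over a constructed timeline and return its transitions."""
    ctl = DiversionController()
    for ts, bps in timeline(attack_windows, horizon_s):
        ctl.observe(ts, bps)
    return ctl.transitions


if __name__ == "__main__":
    for ts, state in run([(300, 1200), (3000, 3600)], 20000):
        print(f"t={ts:6d}s  -> {state.name:9s} ({state.value})")
```

With one attack from t=300 s to t=1200 s the controller diverts at 300, enters cool-down at 1200 and reverts at 15600 (four hours later); a secondary attack inside the cool-down window re-enters the diverted state immediately and restarts the four-hour clock when it ends.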

Radware operates the Cloud DDoS Protection Service to the highest operational standards, working to ensure that its customers' businesses are protected on a constant 24×7 basis. The service is hosted in some of the leading colocation facilities around the world and is built on the same technology that powers Radware's market-leading perimeter attack mitigation system, DefensePro.

Radware commits to detect, notify, divert and mitigate volumetric DDoS attacks for each service type according to its Service Level Agreement. The "time-to" periods vary with the attack type and the customer's configuration (API, automatic, etc.).
