SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Transcription

1 SHARE THIS WHITEPAPER Top Selection Criteria for an Anti-DDoS Solution Whitepaper

2 Table of Contents Top Selection Criteria for an Anti-DDoS Solution...3 DDoS Attack Coverage...3 Mitigation Technology...4 Reporting System...5 Vendor Expertise...5 Smart Network. Smart Business. 2

3 Top Selection Criteria for an Anti-DDoS Solution With the recent rise in DDoS attacks many companies claim to provide some form of DDoS protection ; however, there are vast differences between vendors in the technologies they employ and the security protection they provide. When selecting an anti-ddos vendor, ask the following questions to make sure that the vendor you select is right for your business: DDoS Attack Coverage What is the DDoS attack coverage that your vendor provides? Recent DoS attacks reveal that attackers launch more complex attacks that last for a longer duration using multiple attack tools in each attack. Attackers target multiple vulnerability points of the IT infrastructure such as the network, servers and the application layers. The network layer is targeted with volumetric network flood attacks such as UDP flood or ICMP flood, aiming to consume or misuse networking resources and ultimately saturate the Internet pipe of the victim. The server layer is targeted by SYN flood attacks and low & slow attack tools, which aim to misuse the server resources. And the application layer is targeted with a wide variety of attacks such as SSL based attacks, HTTP GET or POST attacks and application misuse attacks. Today s anti-ddos solutions must be able to detect and mitigate attacks on all three layers. Can your vendor protect from SSL based DDoS attacks? SSL based DDoS attacks target the secured online services of the victim. These attacks are easy to launch and difficult to mitigate, making them attackers favorites. In order to detect and mitigate DDoS SSL attacks, the anti- DDoS solution must first decrypt the traffic using the customer s SSL keys. This task is a CPU consuming task and should be done by dedicated hardware accelerators so it can meet the required traffic load. Since the customer s SSL keys are required for the decryption process, this task cannot be done outside of the customer s data center, e.g. in the cloud, and must be done on-premise. Can your vendor protect from application DDoS attacks? Instances of DDoS attacks that target application resources have grown recently and are widely used by attackers today. They target not only the well-known HTTP, but also HTTPS, DNS, SMTP, FTP, VOIP, and other application protocols that possess exploitable weaknesses allowing for DoS attacks. The most popular application DDoS attacks are HTTP GET and POST floods, where the attackers mimic the behavior of legitimate users that access the website to download a large image or to fill up a web form. By launching a well coordinated DDoS HTTP flood attack, the web servers of the victim are becoming so busy handling the attackers requests that they cannot process requests from legitimate users. Application DDoS attacks are harder to detect as they do not generate a lot of network traffic, and are complicated to mitigate as every transaction looks legitimate. Can your vendor protect from low & slow DDoS attacks? Low & slow DDoS attack tools generate slow rate and low volume attack traffic and therefore are hard to detect by standard anti-ddos solutions. These attack tools usually exploit a weakness in the HTTP protocol that allows them to open thousands of connections with the web servers without terminating any connection. This consumes all the available connections resources of the web server, causing it to stop handling new requests and prevent the service from legitimate users - hence achieving a denial of service. Smart Network. Smart Business. 3

4 Mitigation Technology How does your vendor protect the Internet pipe of the organization from volumetric DDoS attacks that threaten to saturate the Internet pipe? In some cases the DDoS attacks turn into volumetric attacks that threaten to saturate the Internet pipe of the organization. Such attacks must be mitigated from the cloud and not from the organization s premises. The best approach is to deploy a hybrid anti-ddos solution that can divert the attack from the organization s premises into the cloud while it shares information about the attack with the cloud mitigation. This is required in order to ensure smooth transition to the cloud and immediate mitigation. How does your vendor distinguish between legitimate users and attackers? Unlike other cyber security threats, a DDoS attack is composed of many legitimate requests and only the large volume of simultaneous requests actually constitute an attack. Since every request in a DDoS attack looks legitimate, the biggest challenge for anti-ddos mitigation is to distinguish between attacker requests and legitimate user requests. Standard anti-ddos solutions design their mitigation strategy on rate limit methodologies that are triggered once the traffic crosses a pre-defined threshold. This approach results in relatively high falsepositives and blocks legitimate users from accessing the services. Advanced anti-ddos solutions deploy more sophisticated mitigation technologies such as behavioral analysis that compares the current traffic to normal baselines and take intelligent decisions regarding the attack mitigation. In addition, there are mechanisms that challenge suspicious sources and based on the response from the source, it can be determined if the source is a Bot or a legitimate user. How does your vendor guarantee best quality of experience to legitimate users even under attack? The objective of attackers that launch DDoS attacks is to prevent the online services from legitimate users; therefore the mitigation solution must not only mitigate the attacks, but also guarantee best quality of experience to legitimate users during the prolong DDoS attack campaigns. The best approach to deal with this challenge is to separate the hardware resources that handle attacker requests and legitimate user requests in the mitigation solution, and to make sure that the resources for legitimate users are always available, even under severe DDoS attack. Where is your vendor DDoS mitigation solution deployed at the network? Does it protect other network elements such as firewall, IPS, ADC and WAF from DDoS attacks? Recent DDoS attacks taught us that traditional network security solutions such as firewall, IPS and WAF cannot stop DDoS attacks. All the organizations that became a target for DDoS attacks had firewalls and IPS devices in their infrastructure and yet their availability was hurt causing them to go offline. Although firewall, IPS, ADC and WAF solutions have essential roles, they were simply not designed to handle today s emerging DDoS threats and may become the bottlenecks themselves during a DDoS attack. According to Radware 2012 Global Application & Network Security Report, in 33% of DDoS attacks, the firewall or the IPS devices are the bottlenecks. Therefore, the anti-ddos mitigation solution must be deployed before all the other network elements so it can protect them during a DDoS attack. How quickly will your vendor detect and mitigate an attack? The ideal DDoS mitigation solution detects and blocks attacks at the perimeter of the victim organization s data center before the attack can impact IT infrastructure. Such a configuration of defenses allows for real-time protection. Solutions that are purely cloud-based and have no detectors in the organizations data center do not protect against an attack until attack traffic is manually redirected by an Internet Service Provider to flow through an MSSP for scrubbing. This process can take minutes or hours, is complicated to manage, and effectively leaves an organization and its customers exposed to a DDoS attack until the attack can be redirected for scrubbing. Smart Network. Smart Business. 4

5 Reporting System Does your vendor include a mechanism that provides real time information about an attack? Security Information and Event Managers (SIEMs) are the central nervous system by which security professionals gather critical insight about sophisticated DDoS attacks. The SIEM role is to detect, alert and report on any security incident or event that might be related to a DDoS attack. Advanced anti-ddos solutions must be well integrated with SIEM systems that are able to aggregate, normalize, and correlate data from multiple sources; to provide automated information gathering and risk assessment; to conduct real-time analysis and to provide real-time reports, logs, attack trends and additional information that can assist the security team to mitigate the attack. Vendor Expertise Does your vendor have a 24x7 emergency response team to help customers under DDoS attacks? Even with the best DDoS protection solution and a knowledgeable staff, DDoS attacks can become a major challenge to your business and can create unwanted emergency situations. With DDoS attacks that last for many days and new attack tools and techniques that emerge occasionally, the anti-ddos solution should be accompanied with an emergency response team of security professionals that are handling DDoS attacks everyday, and can support the customer s security team during the attack. Is your vendor technology market proven? Who else is using the technology? Is it used by leading cloud MSSPs that provide anti-ddos services? MSSPs that provide anti-ddos services are using 3rd party technologies and products in their attack mitigation data centers. The industry leading MSSPs are the most demanding customers when it comes to anti-ddos solutions, as they understand the nature of the attacks, the various mitigation technologies and the expectations of their customers. Therefore, it is wise to ask for MSSP references who are focused on providing anti-ddos services. Is your vendor a recognized authority on DDoS attacks? Make sure your vendor has a solid track record of industry awards, relevant certifications, expert industry commentary in the media, and publishable research on recent DDoS threats Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Smart Network. Smart Business. 5 PRD-DDoS-Selection-Criteria-WP /04-US