The Practical Guide to Choosing a DDoS Mitigation Service



Similar documents
Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks

Four Steps to Defeat a DDoS Attack

Four Steps to Defeat a DDoS Attack

Cutting the Cost of Application Security

The Top 10 DDoS Attack Trends

Four Steps to Defeat a DDoS Attack

End-to-End Application Security from the Cloud

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

Enterprise-Grade Security from the Cloud

10 Things Every Web Application Firewall Should Provide Share this ebook

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?

SecurityDAM On-demand, Cloud-based DDoS Mitigation

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

Practical Advice for Small and Medium Environment DDoS Survival

Imperva Cloud WAF. How to Protect Your Website from Hackers. Hackers. *Bots. Legitimate. Your Websites. Scrapers. Comment Spammers

A Layperson s Guide To DoS Attacks

VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK

CHECKLIST: ONLINE SECURITY STRATEGY KEY CONSIDERATIONS MELBOURNE IT ENTERPRISE SERVICES

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

Mitigating Denial of Service Attacks. Why Crossing Fingers is Not a Strategy

IAAS REFERENCE ARCHITECTURES: FOR AWS

Stop DDoS Attacks in Minutes

IDG Connect DDoS Survey

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers

KASPERSKY DDOS PROTECTION. Discover how Kaspersky Lab defends businesses against DDoS attacks

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

TDC s perspective on DDoS threats

How To Block A Ddos Attack On A Network With A Firewall

F5 Silverline DDoS Protection Onboarding: Technical Note

Akamai to Incapsula Migration Guide

Web Application Defence. Architecture Paper

What Next Gen Firewalls Miss: 6 Requirements to Protect Web Applications

How To Protect A Dns Authority Server From A Flood Attack

Stop DDoS Attacks in Minutes

DDoS Overview and Incident Response Guide. July 2014

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

FortiDDos Size isn t everything

Protection Solution. Strategic White Paper

ADC Survey GLOBAL FINDINGS

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 2 2ND QUARTER 2014

SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES

/ Staminus Communications

DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen. Eldad Chai, VP Product

Business Case for a DDoS Consolidated Solution

Acquia Cloud Edge Protect Powered by CloudFlare

CloudFlare advanced DDoS protection

First Line of Defense to Protect Critical Infrastructure

Securing Your Business with DNS Servers That Protect Themselves

Advantages of Managed Security Services

Applications and data are the main targets for modern attacks. Adoption of dedicated application and data security concepts, technologies and

VALIDATING DDoS THREAT PROTECTION

DDoS Threat Landscape Report +1 (866)

INTRODUCING isheriff CLOUD SECURITY

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

First Line of Defense

Ihr Standort bleibt erreichbar. Ihre Applikationen bleiben erreichbar!

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Manage the unexpected

Application Security Backgrounder

MANAGED SECURITY SERVICES : IP AGNOSTIC DDOS AN IP AGNOSTIC APPROACH TO DISTRIBUTED DENIAL OF SERVICE DETECTION AND MITIGATION

WHITE PAPER Hybrid Approach to DDoS Mitigation

Complete Protection against Evolving DDoS Threats

Denial of Service Attacks, What They are and How to Combat Them

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

DDoS Protection on the Security Gateway

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business

The Changing Face of SSL

How to Secure Your SharePoint Deployment

How To Protect Yourself From A Dos/Ddos Attack

Securing Your Business with DNS Servers That Protect Themselves

DDoS Protection Technology White Paper

Technical Series. A Prolexic White Paper. 12 Questions to Ask a DDoS Mitigation Provider

How Effective CSOs Prepare for DDoS Attacks. Rob Kraus & Jeremy Scott Solutionary SERT

DDoS Attack Mitigation Report. Media & Entertainment Finance, Banking & Insurance. Retail

Ferramentas de Ataques de DDoS e a Evolução de ameaças a disponibilidade contra serviços Internet. Julio Arruda Gerente America Latina Engenharia

Powered by. Incapsula Cloud WAF

How to Evaluate DDoS Mitigation Providers:

What to Look for When Choosing a CDN for DDoS Protection Written by Bizety

How Cisco IT Protects Against Distributed Denial of Service Attacks

Distributed Denial of Service (DDoS) attacks. Imminent danger for financial systems. Tata Communications Arbor Networks.

SharePoint Governance & Security: Where to Start

Technology Blueprint. Defend Against Denial of Service Attacks. Protect each IT service layer against exploitation and abuse

How To Stop A Ddos Attack On A Website From Being Successful

The F5 DDoS Protection Reference Architecture

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Akamai Cloud Security Solutions:

Transcription:

WHITE PAPER The Practical Guide to Choosing a DDoS Mitigation Service From massive volumetric attacks to sophisticated application layer threats, DDoS attacks are bigger, smarter and more dangerous than ever. Given today s threat landscape and the availability of inexpensive, Do It Yourself DDoS tools, online businesses need to take DDoS mitigation seriously. These attacks can cripple a website or online application in minutes, resulting in lost revenues, reputation damage and reduced customer confidence. This white paper provides online businesses of all sizes with practical guidelines for choosing a DDoS mitigation solution. It outlines several important considerations, useful tips and key requirements to be used for evaluating potential solutions. The document includes an overview of Imperva Incapsula DDoS Protection solution, showing how it helps online businesses mitigate highvolume and sophisticated DDoS attacks without disrupting the user experience.

DDoS: Who s at Risk? The answer to the question of who s really at risk from a DDoS (Distributed Denial of Service) attack is quite simple: any business with a web presence. DDoS attacks today target both large and small companies, organizations, government offices, and even individuals with a prominent web presence. The Incapsula 2013-2014 DDoS Threat Landscape Report, points to a 240% increase in DDoS botnet activity over the space of one year. Among the driving forces behind the proliferation of DDoS are the simplicity and low cost of putting an attack in motion, and the relative impunity attackers enjoy. Simple, low-cost DDoS toolkits, such as Dirt Jumper and its variants, leave no website or network safe. While hacktivist attacks, such as those perpetrated by the QCF against leading US banks in 2012-2013 often get the most headlines, the majority of DDoS attacks are executed by criminal botnet services. Botnets-for-hire, composed of thousands of compromised devices, are readily available on the Internet and provide the foundation for launching devastating attacks against online businesses. The fees for these services start at $50 for small attacks, but some researchers have seen DDoS prices as low as $9. To attract customers, botnet owners advertise their services in underground forums and mailing lists. Another trend ratcheting up the risk to commercial sites is the fact that DDoS attacks are increasingly being used as a competitive business tool, designed to create chaos and level damage to competitors sites. As such, DDoS attacks, which used to focus mainly on high-profile websites, now also target mid-sized enterprises and SMBs. Preliminary Precautions Given today s threat landscape, any business owner with a website should take DDoS mitigation seriously. In particular, organizations with significant online financial or reputational assets should take immediate action with respect to implementing a DDoS mitigation solution. Even those still considering their DDoS mitigation options should at the very least conduct ongoing monitoring to be aware of threats, and have an idea of possible remedies. This means that today you should: Conduct online reconnaissance Take note of online buzz about your organization, and look for hints of budding hacktivism focus. Subscribe to free security assessment reports that cover DDoS incidents and emerging DDoS techniques. Understand the basics of mitigation Once you know of relevant threats, take note of basic mitigation recommendations like implementing content filtering rules or modifying your firewall settings. In the event that you are attacked, prepare a communications strategy in advance that will let your customers know what s going on, and what you re doing about it. Evaluate alternatives to absorb DDoS bandwidth peaks Over-provisioning Internet bandwidth is one of the most common measures to alleviate DDoS attacks, but it is also probably the most expensive, especially since DDoS attacks can be 10 times or even 100 times greater than standard Internet traffic levels. An alternative is to use a security service that scales on-demand to absorb and filter DDoS traffic. DDoS protection services are designed to stop massive DDoS attacks without burdening businesses Internet connections. Know where to get help You should at least know how to find a DDoS mitigation service, if you re under attack and need a quick remedy. Services like Incapsula can deliver reasonably-priced protection in just minutes keeping your site from crashing in the event of an attack, or at least minimizing downtime.

Choosing a DDoS Mitigation Solution Practical Tips Once you re ready to get serious about implementing DDoS mitigation, you ll need to delve deeper into the nature and types of solutions out there. The DDoS threat has pushed vendors to the limits of their creativity. As a result there s good news and bad news. The good news is that there ARE good solutions, technologies, and ideas out there; the bad news is that there are A LOT OF THEM to choose from, each representing a different approach to protection. Some notable approaches include: Appliances deployed within the data center Hardened hosting platforms Cloud-based DDoS mitigation services Regardless of the approach, when choosing a DDoS mitigation solution, you should make sure the solution adheres to the following fundamental guidelines. Transparent Mitigation Your users don t need to know and don t care that you are under attack. People should be able to access your site without delay, without being sent through holding areas or splash screens, and without receiving outdated cached content. Find a solution that protects your realm invisibly, yet effectively. Absorb Volumetric Network DDoS Attacks Network (Layers 3 & 4) DDoS attacks continue to grow in size. These types of attacks, the largest of which have exceeded 200 Gbps, are growing at a rapid pace, fueled in part by the widespread availability of cloud infrastructure. Amplification-based attacks are popular with attackers because they can deliver a massive flood of data at the target while requiring only a relatively small output from the source. You need to be able to absorb arbitrary yet massive - amounts of traffic. Service providers do this by building large 20 gigabyte data centers and distributing traffic among them, when possible. Appliance vendors deal with it by stacking and cloudifying their appliances. Find the path to absorption that works best, and is most cost-effective, for your needs. Identify Sophisticated Application (Layer 7) DDoS Attacks Application (Layer 7) DDoS attacks typically mimic legitimate user traffic to evade an organization s common security measures (including barebone anti-ddos solutions). Application attacks are dangerous because they don t require high volumes to succeed. It takes no more than 50-100 targeted requests per second to bring down a mid-sized server. Most importantly, because application layer DDoS relies on human-like bots and (in some cases) actual browsers, they re much harder to mitigate even once detected. To mitigate Layer 7 attacks, you need a solution with the brains to profile incoming traffic and distinguish between humans and bots. Leave a Path to Redemption One of the key challenges in mitigating applicative DDoS attacks is minimizing false-positives and business disruption. Legitimate visitors to your site should never be shut out without the possibility of redemption. What if they were wrongly accused of being a bot? As a last resort, legitimate users should be given a chance to prove they are human by filling out a CAPTCHA. Find a solution that ensures the best possible user experience.

Preserve the User Experience Even when struggling to prevent DDoS attacks, remember that indiscriminately blocking all bot traffic can have serious repercussions for your business. For example, blocking Googlebot or McAfee ScanAlert bot can harm your site in the short and long term. Effective DDoS protection should revolve around pinpoint-accurate identification. Your DDoS protection solution should recognize and respect good bots, allowing them continuous and uninterrupted access to all areas of your site. Always On Protection In a global economy, your online business never shuts down, which means that your DDoS protection strategy must be based on accurate 24x365 monitoring. This is something that human operators should support but, in practice, simply cannot deliver reliably. Moreover, hit & run attacks can wreak havoc with DDoS mitigation solutions that need to be manually turned on and off at every burst. Find a solution that protects you automatically, without the hassles and risks of manual activation. Monitor Application and Network Traffic Monitoring application and network traffic provides IT security administrators with instant visibility into DDoS attack status. Security administrators should be able to review traffic levels, application performance, anomalous behavior, protocol violations and Web server error codes. Real-time traffic monitoring enables data-driven response to DDoS threats and any other unwanted scenarios. A Parting Thought DDoS is a reality that your business needs to face. When choosing a DDoS mitigation service, following the guidelines above can help your business not only weather the flood of DDoS attacks, but even survive and thrive in the dangers of the virtual jungle. Imperva Incapsula Cloud-Based DDoS Mitigation Service Incapsula is a cloud-based service that stops all types of DDoS threats, including network, protocol and application level (Layers 3, 4 & 7) attacks with minimal business disruption. Leveraging a high-capacity global CDN, Incapsula always on DDoS mitigation service scales on demand to stop multi-gigabit attacks without requiring businesses to purchase expensive Internet connections or deploy additional networking equipment. DDoS Protection can be rolled out without the need for hardware, software, integration or web application code changes. Customers can provision this service simply by changing their website s DNS setting. The service detects and mitigates advanced attacks that exploit applications, web server, and DNS server vulnerabilities. Ironclad network defenses detect network attacks like SYN floods and DNS amplifications. Incapsula detects sophisticated application-layer attacks that bypass traditional DDoS security services by implementing advanced and progressive challenge mechanisms. These defenses differentiate between bots and legitimate application users by validating whether the client browser can execute JavaScript, store cookies and perform other basic browser functions.

How It Works 40Gbps data center 40Gbps data center... On-Edge Packet Analysis Web Application Firewall (WAF) DDoS Rule Engine Rate rules Client classification Generic rules Application awareness Custom rules Behavioral analysis Progressive Challanges CDN distributes traffic between Incapsula scrubbing centers Dedicated hardware and software blocks network DDoS threats Security engine protects from web application and server vulnerabilities Visitors are assigned a risk score and their actions are put into context A set of challenges allows for granular and transparent mitigation Key Features & Benefits Comprehensive DDoS Protection Incapsula protects your website against all types of DDoS threats, including network-based attacks, like Sloworis, ICMP or TCP & UDP floods, and application layer attacks, such as GET flood, that attempt to overwhelm server resources. The service detects and mitigates advanced attacks that exploit application, Web and DNS server vulnerabilities, hit-and-run DDoS events and large botnets. High-Capacity Network As the size of network DDoS attacks, such as SYN flood and DNS amplifications, continues to increase, organizations require robust network capacity to mitigate any threat that might come its way. Incapsula global CDN offers high capacity to thwart the largest volumetric DDoS attacks. Zero Business Disruption Incapsula protects your site not only from complete denial of service, but also from disruptions related to DDoS attacks, mitigation false-positives, etc. We offer transparent mitigation with less than 1% false positives, and without degrading the normal user experience in any way. This lets you enjoy true DDoS protection, even from lengthy attacks, without affecting legitimate users. Infrastructure Protection Infrastructure Protection lets you protect core infrastructure (e.g., web, email, FTP servers) on demand across entire subnet ranges. In the event of an attack, traffic is re-routed through Incapsula scrubbing centers using BGP announcements. From this point on, Incapsula acts as the ISP and advertises all protected IP range announcements. All incoming network traffic is inspected and filtered, and only legitimate traffic is securely forwarded to the enterprise network via GRE tunneling. 24x7 Managed Security Service Incapsula dedicated team of SOC engineers monitors your attacks and is available before, during or after attacks to ensure your site is up and running and performing optimally. Collaborative Security Incapsula protects websites using collective knowledge about security threats, including new and emerging DDoS attack methods. Using crowd-sourcing techniques, new security information is aggregated across the entire network and new mitigation rules are applied in real-time, across all protected websites. Affordable, Pay as you Go/Grow Service With Incapsula you don t incur any CAPEX in purchasing expensive equipment. We offer cost effective, monthly subscriptions with on-demand upgrade options.

About Imperva Imperva, pioneering the third pillar of enterprise security, fills the gaps in endpoint and network security by directly protecting high-value applications and data assets in physical and virtual data centers. With an integrated security platform built specifically for modern threats, Imperva data center security provides the visibility and control needed to neutralize attack, theft, and fraud from inside and outside the organization, mitigate risk, and streamline compliance. Over 3,500 customers in more than 90 countries rely on our SecureSphere platform to safeguard their business. Imperva is headquartered in Redwood Shores, California. Learn more at www.imperva.com. www.imperva.com Copyright 2015, Imperva All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-CHOOSING-DDOS-MITIGATION-SERVICE-0115rev2

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information