
Top 10 Distributed Denial Of Service (DDoS) Defense Solutions

Discover the top solutions to protect against DDoS attacks. Explore features such as multi-layer protection, real-time threat detection, analytics and reporting.

By Expert Insights Updated Mar 08, 2023

A Distributed Denial of Service (DDoS) attack is when a web service or application receives more traffic than it can respond to. The most common way that this is achieved is through the coordinated use of “bots” – devices or endpoints that have had malware installed on them, allowing an attacker to control them.

A DDoS attack will cause a site to crash and can affect both front end and backend communication. This means that as well as customers being unable to reach your site, you might be prevented from communicating internally to resolve the issue. This type of attack is ever evolving and becoming more complex. To respond to this sophisticated threat, organizations need to implement an effective DDoS protection solution.

It can be difficult to understand how the different solutions work, and what you need – with cloud-based, on-premises, and hybrid solutions that cover different communication layers making the choice more complicated. 

In this article we’ll explore the top DDoS protection solutions, focusing on those that work at the network, transport, and application layers. Common features include real-time threat detection, reporting, analytics, and multi-layer protection. For each solution, we’ll give some background information, highlight key features, and suggest the type of customer that they’re most suitable for.

The Top 10 DDoS Defense Solutions include:
  • Akamai DDoS Mitigation
  • AWS Shield
  • Cloudflare DDoS Protection
  • f5 DDoS Hybrid Defender
  • Imperva DDoS Protection
  • Microsoft Azure DDoS Protection Standard
  • Netscout Arbor DDoS Protection
  • Neustar Security Services UltraDDoS Protect
  • Nexusguard MX7000 Mitigation Platform
  • Radware DefensePro

Akamai DDoS Mitigation

Akamai provides comprehensive DDoS protection through three products: Kona Site Defender for web-based application security, Edge DNS for cloud-based authoritative domain name system service, and Prolexic, which utilizes scrubbing centers to protect against high-bandwidth sustained attacks and vector application attacks.

Akamai’s cloud-based web application firewall (WAF), Kona Site Defender, stops threats through configurable firewall layers, backed by Akamai Threat Research. The system combines artificial and human intelligence, with automated processes, custom policies, and responses to malicious traffic that adapt to the scale of your business and help boost its security posture. The application firewall also features automatic API discovery, self-tuning, and WAF updates that can be manually implemented or configured automatically. Akamai has also made SIEM integration seamless, allowing the platform to run alongside pre-existing on-premises and cloud-based SIEM applications.

Edge DNS is Akamai’s cloud-based DNS solution with a globally distributed anycast network foundation, offering non-stop DNS availability, increased responsiveness, and DDoS protection. It can be implemented as a primary or secondary DNS service, helping to support existing DNS infrastructure, or even replace it. Edge DNS provides a 100% uptime service level agreement (SLA), and with thousands of DNS servers worldwide, connections to your website and application servers can be reliable. Edge DNS can withstand DDoS attacks by absorbing the attack traffic while responding to legitimate user requests, so users can still access your domain throughout an attack.

Prolexic Routed provides comprehensive protection against DDoS attacks of all shapes and sizes, from high-bandwidth sustained attacks to vector application attacks. The platform utilizes Border Gateway Protocol (BGP) to re-route traffic through Akamai’s scrubbing centers (8 Tbps capacity) – once there, mitigation controls drop all abnormal traffic immediately and the Akamai SOCC team analyzes the remaining traffic for malicious threats. From here, only clean traffic is re-routed back to your domain.


AWS Shield

Amazon Web Services’ (AWS) answer to DDoS protection comes in the form of AWS Shield, a managed platform that provides comprehensive defense against network, transport and application-layer attacks. The service provides two tiers of support for customers of AWS: Standard and Advanced.

The standard DDoS package provides protection against network and transport layer attacks, and can be combined with Amazon CloudFront and Amazon Route 53 for a fully comprehensive DDoS solution. One of the key features of this solution is the seamless integrations available. Due to its exclusivity with AWS, Shield is already active for existing AWS customers, with add-ons accessible through the management console or via API. The service is always-on, monitoring traffic flow into AWS services using filters that analyze traffic signatures and anomaly detectors. There are also automated mitigation systems, such as deterministic packet filtering and priority-based traffic shaping, which help nullify basic network layer attacks. All of these features are applied in line with the existing AWS services, which means there’s no impact on latency.

Shield Advanced builds on the standard package by enabling admins to implement custom firewall policies through the web application firewall (WAF) to defend against business-specific threats. The firewall can also be configured to run proactive rules such as rate-based blocks to nullify an early-stage DDoS attack. The system can be tailored to either act or react to incoming threats, so it can outright block traffic and hunt for threats, or deal with them as they hit. Its health-based detection can be configured through the API to prioritize the response to unhealthy/vulnerable applications first. Advanced users can also utilize the Shield Response Team (SRT), whereby the team can contact your organization in the event of a DDoS attack, helping to identify the threat and stop it. Centralized management is also a key feature of Shield Advanced, where admins can manage both Shield and the WAF across the organization in one place, quickly and efficiently implementing universal policies and defenses.


Cloudflare DDoS Protection

Cloudflare is a market leader in comprehensive DDoS protection, offering defense against network, transport, and application-layer attacks. The solution is scalable to your business and provides many add-ons to help tailor the service to best suit your use case.

Cloudflare DDoS Protection protects against network and transport-layer attacks such as DDoS Amplification, SYN (half-open attacks) flooding, IPN flooding, and more through the use of their patented Anycast network, which can handle over 37 Tbps, allowing websites to withstand even the largest of DDoS attacks. This defense is channeled through Cloudflare’s Edge Data centers, where initial HTTP requests are reviewed and filtered to see whether the visitor could be malicious. Cloudflare filter visitors according to criteria including user agents, paths, HTTP methods, and Transport Layer Security (TLS) checkers.

Cloudflare’s response to application-layer attacks comes in the form of a Web Application Firewall (WAF), which utilizes pre-existing policies to block and filter incoming requests, and also supports custom policies, tailoring the service to your specific business traffic. The Rate Limiting add-on complements the original defense by offering protection against application-layer attacks, such as brute-force password attempts, through request thresholds, CAPTCHAs and other mitigation responses, and response codes. The solution also offers analytical capabilities with Cloudflare’s automatic learning platform. Incoming network traffic is analyzed in real-time, which contributes to the 1 billion plus unique IP addresses that pass through Cloudflare’s network every day. With each new IP address, their threat intelligence systems are updated to protect against the latest threats that pose danger to your website or application.

Customers have complimented the simple configuration and comprehensive feature set of Cloudflare’s solution. We would recommend Cloudflare DDoS Protection for businesses of all sizes to help defend against a range of DDoS attacks.


f5 DDoS Hybrid Defender

F5 Solutions’ DDoS Hybrid Defender has the ability to utilize hybridization, with on-premises and cloud-based systems to provide comprehensive network, transport and application layer DDoS protection.

During an attack, the on-premises platform signals to the cloud-based scrubbing centers when volumetric attacks strike, allowing the F5 Security Operations Center to mitigate the attack. The Hybrid Signaling can also be deployed to filter malicious IP addresses from attempting access to your business’ services.

The cloud scrubbing centers enable users to stay online whilst the DDoS attack takes place, minimizing the effect on customers and protecting the brand’s reputation. The scrubbing centers are designed to respond to the threat’s level, scale and complexity, providing multi-layered protection against all ranges of DDoS attacks. By analyzing and mitigating incoming threats, the centers filter out malicious traffic and return the safe and clean traffic back to your service. By combining preset filters with customization tools, the platform can be tailored to your business’ needs. The service can either run continuously or be activated by admins on demand. The platform is also hidden from service users, allowing for ease of access and uninterrupted service throughout the attack, keeping your sites and applications running without delays or slow load times.

The API provides access to securely manage your Security Operation Center (SOC) services, configure proxy routes, and generate real-time reports of attacks. These reports include details such as size, type, IP origin and the mitigation process, where all actions taken by the SOC are recorded for your admins. The reports also track patterns to help admins plan for future attacks. F5 offers flexible plans, with options of service length and protected bandwidth payment schemes.


Imperva DDoS Protection

Imperva DDoS Protection provides four-way defenses to protect against DDoS attacks on all fronts. Imperva DDoS Protection utilizes Imperva’s high-capacity global network, with over 6 Tbps of scrubbing capacity and the capability to cleanse more than 65 billion attack packets per second. As your web traffic is guided through the Imperva global network, the AI behavioral learning utilizes these centers to process each new attack, helping to both prepare for new waves and track new attack patterns to keep the system up-to-date.

The platform features advanced algorithms which combat intricate application-layer attacks, whilst legitimate users of the service remain unaffected via an integrated content delivery network (CDN). Imperva DDoS Protection analyzes real-time inbound attacks, plotting each into a manageable attack timeline for admins to review. The dashboard feature allows admins to review the analyses, making suitable adjustments to policy changes in real-time or, when necessary, allowing for central views and control of your security posture. Imperva guarantees to stop any DDoS attack of varying size and duration in three seconds or less.

Imperva’s global network can process the largest volume-based attacks, such as SYN floods and DNS amplification, but the DDoS protection platform also has the capability to stop high-level HTTP application-layer attacks with minimal impact on legitimate users. Imperva’s suite also offers web-facing solutions, including WAF, bot protection, DDoS attack mitigation, account takeover prevention, API security and more, allowing the service to be scaled to your business’ needs and security requirements.



Microsoft Azure DDoS Protection Standard

Microsoft Azure DDoS Protection Standard provides comprehensive protection against network, transport and application-layer attacks. The solution offers immediate protection as soon as the platform is activated, and features always-on traffic monitoring, identifying traffic threats and alerting admins when the signs are there. The adaptive AI learns traffic patterns specific to your business in order to identify anomalies and to update the service at the most appropriate time.

Protection Standard also includes a web application firewall, which defends against both network and application-layer attacks. Admins can receive analytics of these attacks and their mitigations through Microsoft Azure Sentinel, or an offline security information and event management (SIEM) system, whereby detailed reports can be delivered every five minutes during the attack—followed by a comprehensive summary report at the end. Users can also access the DDoS Protection Rapid Response (DRR) team, who can intervene and help diagnose and investigate attacks. The platform also offers cost-guarantee measures, which can be implemented to help recover the costs of DDoS attacks.

Microsoft Azure offers a very flexible payment plan, where businesses can choose the specific add-ons that they require in order to defend their services effectively. And because it’s a Microsoft service, regulatory compliance measures are fully covered through the API, and implementation into existing systems is simple.


Netscout Arbor DDoS Protection

Netscout operate through Arbor’s DDoS suite, where a hybrid solution of Arbor Sightline, Arbor Threat Mitigation System (TMS) and the Arbor Cloud are all combined to provide full protection against transport, network and application-layer attacks.

For larger networks, Arbor Sightline and Arbor TMS provide on-premises protection, providing clear network visibility and DDoS threat detection, with a capacity of 400 Gbps. The Sightline platform detects the threats and can be configured to automatically drive traffic to the TMS, whereby the threat is analyzed and mitigated. Smaller networks may see Arbor Edge Defense (AED) as a more effective defense for their business. AED is an in-line, always-on DDoS detection platform which finds and mitigates inbound attacks, with sub-100 Mbps to 40 Gbps capacity. When a larger attack is detected, the platform signals to Arbor Cloud, which is where Arbor’s scrubbing centers come in.

Arbor Cloud provides a fully managed DDoS protection service that uses 14 scrubbing centers throughout the US, Europe and Asia, providing global coverage. Organizations can seamlessly integrate their on-premises AED, Sightline and TMS defenses to allow for automatic threat signaling and mitigation, or for extra mitigation capacity. With Arbor Cloud, admins can outsource DDoS management via the on-premises Sightline and TMS platform, allowing your business to keep on running whilst the attack is happening.

Customers have praised the fast response and support the service has to offer, as well as its user-friendly interface and easy deployment. We would recommend Arbor for businesses of all sizes, from SMB to enterprise.


Neustar Security Services UltraDDoS Protect

Neustar Security Services have a wide range of DDoS solutions that suit businesses of all sizes, with on-premises DDoS control, fully cloud-based defenses, and a hybrid solution. For this listing, we’ll focus on UltraDDoS Protect, which provides comprehensive cover against all attacks.

Neustar’s UltraDDoS Protect enables organizations to instantly mitigate smaller attacks, but also escalate the defenses when needed for a large-scale attack. UltraDDoS Protect combines both on-premises and cloud-based defenses to manage each threat with the most effective defense strategy. The on-premises defense comes in the form of the Arbor Pravail DDoS mitigation appliance, which is built to stop transport and application-layer attacks straight “out of the box”. The software can be easily integrated into existing systems, and the Pravail API comes with straightforward configuration.

DDoS protection is automated too, requiring minor if any admin interaction when an attack hits. There are also real-time visibility reports into attacks, providing audit logs with details of blocked hosts, where the attacks came from, and previous trends to help defend against the next attack. The on-premises defense utilizes packet-based defense systems to avoid overloading during an attack, whereby only essential information is collected in short periods and session tracking is required.

At the point where the on-premises capacity is surpassed, Neustar directs the traffic to the UltraDDoS Protect cloud, where the malicious traffic is managed until the threat dies down. Options for automation allow admins to utilize the UltraWAF and on-demand cloud protection through DNS redirection, BGP redirection, and API-triggering. The fully managed service provides remote access management of the on-premises Arbor defense suite too, minimizing the impact on productivity. The UltraDDoS Protect Portal collates all the information you need in one space, providing a personalized security report that suits your needs. By combining both on-premises and the managed cloud service, your business’ web infrastructure will be fully secure, through a single point of contact.


Nexusguard MX7000 Mitigation Platform

Nexusguard’s MX7000 Mitigation Platform is a “cloud-in-a-box” DDoS mitigation service for cloud service providers. The platform defends against network, transport and application-layer attacks by analyzing traffic, detecting and nullifying threats in real-time. When an attack threatens to overload the local capacity, traffic can be re-directed to Nexusguard’s scrubbing centers, which cleanse the malicious traffic and feed the genuine traffic back to the site. Nexusguard’s detection technology utilizes anomaly detection, black/whitelisting, deep packet inspection, session timeouts, rate limiting, and caching and load balancing. The platform continuously monitors the incoming IP and application requests, which helps plot behavioral patterns for the system to determine whether an anomaly or an attack is about to take place. This behavioral analysis also creates a baseline whereby the system can recommend threshold values to stop attacks more effectively. The built-in web application firewall (WAF) also provides cover against application-layer attacks in depth.

The mitigation process features extensive hi-speed, adaptive application-level filtering with flexible content filters too. The hi-speed border filters out fraudulent IP addresses and infected hosts, followed by protocol verification that utilizes challenge-response algorithms such as TCP SYN cookie and TCP SYN authentication, which helps differentiate malicious and legitimate traffic. The adaptive filters use AI and machine learning technologies to understand your company’s baselines, against which they can detect anomalies. Once the traffic reaches the application layer, filters engage specific HTTP policies to guarantee genuine HTTP transactions, whilst also limiting the volume of connection and/or requests to specific objects. The flexible content utilizes the baseline to analyze traffic for anomalies and HTTP flood attacks through adaptive content filters to provide fast counters to attacks. The WAF eases customer management, protects web applications from attacks, safeguards sensitive information, and controls access of the applications through traffic analysis, aiding PCI-compliance.


Radware DefensePro

Radware DefensePro is an advanced, all-in-one DDoS defense platform that spans across original data centers and the public cloud.

DefensePro offers automated mitigation techniques against a range of threats including high-volume, encrypted, Internet of Things (IoT) based attacks, ransom and permanent denial-of-service attacks. The platform uses dedicated hardware to help mitigate incoming attacks without affecting non-malicious traffic. The system also utilizes Radware’s patented machine learning technology that detects incoming threats quickly, with each threat coordinating patterns to help block future threats and reduce the potential for false positives. DefensePro features real-time signature creation technology, enabling instant and automatic defense from zero-day and unknown attacks, with mitigation in 18 seconds or less. DefensePro has a built-in SSL attack mitigation solution, protecting against attacks on encrypted traffic. With the platform backed by a network of 13 scrubbing centers with 5 Tbps capacity, users are protected from simultaneous attacks, reducing downtime to a minimum.

There are also options for Radware’s Emergency Response Team (ERT) to manage the on-premises devices, which includes set-up by security experts, who tailor the devices to your business’ policies and practices. Deployability is also easily managed, whereby DefensePro can be implemented inline or out-of-path (OOP) in a scrubbing center, allowing for the most effective and efficient mitigation accuracy. Customers have praised DefensePro’s scalability, with the options for on-premises, hybrid or full cloud implementation, with fast and dedicated response teams ready for callouts.

FAQs

How To Protect Your Network From Becoming Bots?

While this top 10 article has focused on solutions that prevent your site from falling victim to a DDoS attack, it is worth spending a moment to consider how we can prevent bots in the first place. As bots are a form of malware, preventing your system from being infested will ensure your systems are not used in an attack.

Securing your perimeter is essential if you want to identify and block threats from accessing your systems. You can achieve this through implementing a firewall or endpoint detection and response (EDR) solution.

A firewall acts as a perimeter and scans all content that attempts to gain access to your network. It can block known threats or conduct sandboxing and quarantining for unknown content that has the potential to be malicious. Firewalls will prevent the vast majority of threats from being installed on your devices, thereby offering you an essential level of protection.

Endpoint detection and response (EDR) solutions will proactively monitor requests and usage at each of your endpoints. If any malicious content is identified, the EDR will work to block the threat using predefined playbooks, as well as AI and ML capabilities. The EDR can carry out threat hunting to trace malware through your system and identify any residual code.


Expert Insights

Expert Insights is an independent cybersecurity research and review website, reaching over one million readers per year. Run by a dedicated team of business IT experts, our number one goal is to help organizations research and find the right solutions to solve their business problems.

