A Distributed Denial of Service (DDoS) attack is when a web service or application receives an overwhelming amount of traffic that it cannot respond to. The most common way this is achieved is through the coordinated use of “bots” – devices or endpoints that have had malware installed on them, allowing an attacker to control them.
A DDoS attack will cause a site to crash and can affect both front-end and back-end communication. This means that, as well as customers being unable to reach your site, you might be prevented from communicating internally to resolve the issue. This type of attack is ever evolving and becoming more complex. To respond to this sophisticated threat, organizations need to implement an effective DDoS protection solution.
It can be difficult to understand how the different solutions work and what you need; cloud-based, on-premises, and hybrid solutions that cover different communication layers make the choice more complicated.
In this article we’ll explore the top DDoS protection solutions, focusing on those that work at the network, transport, and application layers. Common features include real-time threat detection, reporting, analytics, and multi-layer protection. For each solution, we’ll give some background information, highlight key features, and suggest the type of customer that they’re most suitable for.
Akamai provides comprehensive DDoS protection through three products: Kona Site Defender for web application security, Edge DNS for cloud-based authoritative domain name system (DNS) service, and Prolexic, which utilizes scrubbing centers to protect against high-bandwidth sustained attacks and vector application attacks.
Akamai’s cloud-based web application firewall (WAF), Kona Site Defender, stops threats through configurable firewall layers, backed by Akamai Threat Research. The system benefits from both artificial and human intelligence, with automated processes, custom policies, and responses to malicious traffic that adapt to the scale of your business, helping improve your security posture. The application firewall also features automatic API discovery, self-tuning, and WAF updates that can be applied manually or configured to apply automatically. Akamai has also made SIEM integration seamless, allowing the platform to run alongside pre-existing on-premises and cloud-based SIEM applications.
Edge DNS is Akamai’s cloud-based DNS solution, built on a globally distributed anycast network, offering non-stop DNS availability, increased responsiveness, and DDoS protection. It can be implemented as a primary or secondary DNS service, supporting your existing DNS infrastructure or replacing it entirely. Edge DNS provides a 100% uptime service level agreement (SLA), with thousands of DNS servers worldwide to ensure that connections to your website and application servers remain reliable. Edge DNS is designed to withstand DDoS attacks by absorbing the attack traffic while continuing to answer legitimate user requests, so users can still access your domain throughout an attack.
Prolexic provides comprehensive protection against DDoS attacks of all shapes and sizes, from high-bandwidth sustained attacks to vector application attacks. The platform utilizes Border Gateway Protocol (BGP) to re-route traffic through Akamai’s scrubbing centers (8 Tbps capacity); once there, mitigation controls drop all abnormal traffic immediately and the Akamai SOC team analyzes the remaining traffic for malicious threats. From here, only clean traffic is routed back to your domain.
Amazon Web Services’ (AWS) answer to DDoS protection comes in the form of AWS Shield, a managed platform that provides comprehensive defense against network, transport, and application-layer attacks. The service provides two tiers of support for customers of AWS: Standard and Advanced.
The Standard tier provides protection against network and transport-layer attacks, and can be combined with Amazon CloudFront and Amazon Route 53 for a fully comprehensive DDoS solution. One of the key features of this solution is the ease and number of integrations. Because it is exclusive to AWS, Shield operates by default for AWS customers, with add-ons accessible through the management console or via API. The service is always on, monitoring traffic flowing into AWS services using filters and anomaly detectors that analyze traffic signatures. There are also automated mitigation systems, such as deterministic packet filtering and priority-based traffic shaping, which help to nullify basic network-layer attacks. All of these features are applied inline with the existing AWS services, which means there’s no impact on latency.
Shield Advanced builds on the Standard tier by enabling admins to implement custom firewall policies through the web application firewall (WAF) to defend against business-specific threats. The firewall can also be configured to run proactive rules, such as rate-based blocks, to nullify an early-stage DDoS attack. The system can be tailored to either act or react to incoming threats, so it can outright block traffic and hunt for threats, or deal with them as they hit. Its health-based detection can be configured through the API to prioritize the response to unhealthy or vulnerable applications first. Advanced customers can also call on the Shield Response Team (SRT), who can contact your organization in the event of a DDoS attack, helping to identify the threat and stop it. Centralized management is also a key feature of Shield Advanced: admins can manage both Shield and the WAF across the organization in one place, quickly and efficiently implementing universal policies and defenses.
Cloudflare is a market leader in comprehensive DDoS protection, offering defense against network, transport, and application-layer attacks. The solution is scalable to your business and provides many add-ons to help tailor the service to best suit your use case.
Cloudflare DDoS Protection protects against network and transport-layer attacks such as DDoS amplification, SYN (half-open) flooding, and IPN flooding through the use of its patented Anycast network, which can handle over 37 Tbps, allowing websites to withstand even the largest of DDoS attacks. This defense is channeled through Cloudflare’s edge data centers, where initial HTTP requests are reviewed and filtered to determine whether the visitor could be malicious. Cloudflare filters visitors according to criteria including user agents, paths, HTTP methods, and Transport Layer Security (TLS) checks.
Cloudflare’s response to application-layer attacks comes in the form of a Web Application Firewall (WAF), which uses pre-existing policies to block and filter incoming requests, and also supports custom policies. This means that the solution can be tailored to suit your specific business traffic and needs. The Rate Limiting add-on complements the core defense by offering protection against application-layer attacks such as brute-force password attempts. This tool uses request thresholds, CAPTCHAs, response codes, and other mitigation responses to manage traffic access. The solution also offers analytical capabilities through Cloudflare’s automatic learning platform. Incoming network traffic is analyzed in real time, drawing on the over 1 billion unique IP addresses that pass through Cloudflare’s network every day. With each new IP address, their threat intelligence systems are updated to protect against the latest threats that pose a danger to your website or application.
Customers have praised the simple configuration and comprehensive feature set of Cloudflare’s solution. We would recommend Cloudflare DDoS Protection for businesses of all sizes to help defend against a range of DDoS attacks.
F5 Solutions’ DDoS Hybrid Defender combines on-premises and cloud-based systems in a hybrid deployment to provide comprehensive network, transport, and application-layer DDoS protection.
During an attack, the on-premises platform signals to the cloud-based scrubbing centers when volumetric attacks strike, allowing the F5 Security Operations Center to mitigate the attack. Hybrid signaling can also be used to block malicious IP addresses from accessing your business’ services.
The cloud scrubbing centers enable users to stay online whilst the DDoS attack takes place, minimizing the effect on customers and protecting the brand’s reputation. The scrubbing centers are designed to respond to the threat’s level, scale, and complexity, providing multi-layered protection against all ranges of DDoS attacks. By analyzing incoming threats and mitigating them, the centers filter out malicious traffic and return the safe, clean traffic to your service. Combining preset filters with customization tools, the platform can be tailored to your business’ needs. The service can either run continuously or be activated by admins on demand. The platform is also invisible to service users, allowing uninterrupted service throughout the attack and keeping your sites and applications running without delays or slow load times.
The API provides secure access to manage your Security Operations Center (SOC) services, configure proxy routes, and generate real-time reports of attacks. These reports include details such as size, type, IP origin, and the mitigation process, with all actions taken by the SOC recorded for your admins. The reports also track patterns to help admins plan for future attacks. F5 offers flexible plans, with options for service length and protected-bandwidth payment schemes.
Imperva DDoS Protection provides four-way defenses to protect against DDoS attacks on all fronts. It utilizes Imperva’s high-capacity global network, with over 6 Tbps of scrubbing capacity, meaning that it can cleanse more than 65 billion attack packets per second. As your web traffic is routed through the Imperva global network, AI behavioral learning uses these centers to process each new attack, helping both to prepare for new waves and to track new attack patterns, keeping the system up to date.
The platform features advanced algorithms that combat intricate application-layer attacks, whilst legitimate users of the service remain unaffected thanks to an integrated content delivery network (CDN). Imperva DDoS Protection analyzes inbound attacks in real time, plotting each into a manageable attack timeline for admins to review. The dashboard allows admins to review intelligence and make policy adjustments in real time to manage and control security posture. Imperva guarantees to stop any size, duration, and type of DDoS attack in three seconds or less.
Imperva’s global network can process the largest volume-based attacks, such as SYN floods and DNS amplification, but the DDoS protection platform also has the capability to stop high-level HTTP application-layer attacks with minimal impact on legitimate users. Imperva’s suite also offers web-facing solutions, including WAF, bot protection, DDoS attack mitigation, account takeover prevention, and API security. This allows the service to be scaled to your business’ needs and security requirements.
If you would like to find out more about Imperva and how they can protect your data, click the link below to read our interview.
Microsoft Azure DDoS Protection Standard provides comprehensive protection against network, transport, and application-layer attacks. The solution offers immediate, always-on traffic monitoring and protection from the moment that the solution is installed. The adaptive AI learns traffic patterns specific to your business in order to identify anomalies and to update the service at the most appropriate time.
Protection Standard also includes a web application firewall, which defends against both network and application-layer attacks. Admins can receive analytics on these attacks and their mitigations through Microsoft Azure Sentinel or an offline security information and event management (SIEM) system; detailed reports can be delivered every five minutes during an attack, followed by a comprehensive summary report at the end. Users can also access the DDoS Protection Rapid Response (DRR) team, who can intervene and help diagnose and investigate attacks. The platform also offers cost-guarantee measures, which can help recover the costs incurred by DDoS attacks.
Microsoft Azure offers a very flexible payment plan, where businesses can choose the specific add-ons that they require in order to defend their services effectively. And because it’s a Microsoft service, regulatory compliance measures are fully covered through the API, and implementation into existing systems is simple.
Netscout operates through Arbor’s DDoS suite, in which a hybrid solution of Arbor Sightline, Arbor Threat Mitigation System (TMS), and Arbor Cloud are combined to provide full protection against network, transport, and application-layer attacks.
For larger networks, Arbor Sightline and Arbor TMS provide on-premises protection, offering clear network visibility and DDoS threat detection with a capacity of 400 Gbps. The Sightline platform detects threats and can automatically divert traffic to the TMS, where the threat is analyzed and mitigated. Smaller networks may find Arbor Edge Defense (AED) a more effective defense for their business. AED is an inline, always-on DDoS detection platform that finds and mitigates inbound attacks, with capacities from sub-100 Mbps to 40 Gbps. When a larger attack is detected, the platform signals to Arbor Cloud, where Arbor’s scrubbing centers are used.
Arbor Cloud provides a fully managed DDoS protection service that uses 14 scrubbing centers across the US, Europe, and Asia to provide global coverage. Organizations can seamlessly integrate their on-premises AED, Sightline, and TMS defenses for automatic threat signaling and mitigation, or for extra mitigation capacity. With Arbor Cloud, admins can outsource DDoS management of the on-premises Sightline and TMS platforms, allowing your business to keep running whilst an attack is happening.
Customers have praised the fast response and support the service has to offer, as well as its user-friendly interface and easy deployment. We would recommend Arbor for businesses of all sizes, from SMB to enterprise.
Neustar Security Services has a wide range of DDoS solutions that suit businesses of all sizes, combining on-premises DDoS control and fully cloud-based defenses in a hybrid solution. For this listing, we’ll focus on UltraDDoS Protect, which provides comprehensive cover against all attacks.
Neustar’s UltraDDoS Protect lets organizations instantly mitigate smaller attacks and escalate their defenses when a large-scale attack demands it. UltraDDoS Protect combines on-premises and cloud-based defenses to handle each threat with the most effective strategy. The on-premises defense comes in the form of the Arbor Prevail DDoS mitigation appliance, built to stop transport and application-layer attacks straight “out of the box”. The software integrates easily with existing systems, and the Prevail API comes with straightforward configuration.
DDoS protection is automated too, requiring minimal, if any, admin interaction when an attack hits. There are also real-time visibility reports on attacks, providing audit logs with details of blocked hosts, where the attacks came from, and previous trends to help defend against the next attack. The on-premises defense uses packet-based defense systems to avoid overloading during an attack, whereby only essential information is collected over short periods and session tracking is required.
Once on-premises capacity is exceeded, Neustar directs the traffic to the UltraDDoS Protect cloud, where the malicious traffic is handled until the threat dies down. Automation options allow admins to use UltraWAF and on-demand cloud protection through DNS redirection, BGP redirection, and API triggering. The fully managed service also provides remote management of the on-premises Arbor defense suite, minimizing the impact on productivity. The UltraDDoS Protect Portal collates all the information you need in one place, providing a personalized security report that suits your needs. By combining on-premises defenses with the managed cloud service, your business’ web infrastructure will be fully secure, through a single point of contact.
Nexusguard’s MX7000 Mitigation Platform is a “cloud-in-a-box” DDoS mitigation service for cloud service providers. The platform defends against network, transport, and application-layer attacks by analyzing traffic and detecting and nullifying threats in real time. When an attack threatens to overload the local capacity, traffic can be redirected to Nexusguard’s scrubbing centers, which cleanse the malicious traffic and feed the genuine traffic back to the site. Nexusguard’s detection technology utilizes anomaly detection, black/whitelisting, deep packet inspection, session timeouts, rate limiting, caching, and load balancing. The platform continuously monitors incoming IP and application requests, which helps plot behavioral patterns so the system can determine whether an anomaly or an attack is about to take place. This behavioral analysis also creates a baseline from which the system can recommend threshold values to stop attacks more effectively. The built-in web application firewall (WAF) also provides in-depth cover against application-layer attacks.
The mitigation process features extensive high-speed, adaptive, application-level filtering with flexible content filters too. The high-speed border filters drop fraudulent IP addresses and infected hosts, followed by protocol verification that utilizes challenge-response algorithms such as TCP SYN cookies and TCP SYN authentication, which help differentiate malicious from legitimate traffic. The adaptive filters use AI and machine learning to learn your company’s baselines, against which they can detect anomalies. Once the traffic reaches the application layer, filters apply specific HTTP policies to guarantee genuine HTTP transactions, whilst also limiting the volume of connections and/or requests to specific objects. The flexible content filters use the baseline to analyze traffic for anomalies and HTTP flood attacks, providing fast counters to attacks. The WAF eases customer management, protects web applications from attacks, safeguards sensitive information, and controls access to the applications through traffic analysis, aiding PCI compliance.
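To make the protocol-verification step concrete, here is a simplified TCP SYN-cookie encoder and verifier. It is an illustration added to this article, not Nexusguard’s code; it follows the classic layout (a minute counter, a keyed hash over the connection 4-tuple, and an MSS index packed into the server’s initial sequence number), and the secret key, addresses, ports and MSS table are constructed values. The point it demonstrates is why a SYN cookie works as a challenge-response: the server answers every SYN without storing a half-open connection, and only an ACK that echoes a cookie it actually issued (and recently) is accepted.

```python
"""Simplified TCP SYN-cookie encode/verify (added illustration, constructed inputs)."""
import hashlib
import hmac
import struct

SECRET = b"constructed-per-host-secret"   # constructed; a real host draws this randomly at boot
MSS_TABLE = [536, 1220, 1440, 1460]        # client MSS is rounded down to one of these and stored in the cookie
COOKIEBITS = 24
COOKIEMASK = (1 << COOKIEBITS) - 1
MAX_AGE_MINUTES = 1                        # cookies from the current or previous minute are accepted


def _minute(now: int) -> int:
    """8-bit minute counter: only 32 - COOKIEBITS = 8 bits of the ISN are left for it."""
    return (now // 60) & 0xFF


def _keyed_hash(saddr: bytes, daddr: bytes, sport: int, dport: int, count: int) -> int:
    """Keyed hash over the 4-tuple and counter; without SECRET nobody can produce a valid cookie."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now) -> int:
    """Server ISN for the SYN-ACK: counter in the top 8 bits, (hash + MSS index) in the low 24."""
    data = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            data = i                        # largest table entry not above the client's MSS
    count = _minute(now)
    h = _keyed_hash(saddr, daddr, sport, dport, count)
    return (client_isn + (count << COOKIEBITS) + ((h + data) & COOKIEMASK)) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Return the MSS carried by a valid, fresh cookie, or None if the ACK does not prove a prior SYN-ACK."""
    diff = (cookie - client_isn) & 0xFFFFFFFF
    count = diff >> COOKIEBITS
    if (_minute(now) - count) & 0xFF > MAX_AGE_MINUTES:
        return None                        # stale or replayed
    data = (diff - _keyed_hash(saddr, daddr, sport, dport, count)) & COOKIEMASK
    if data >= len(MSS_TABLE):
        return None                        # hash mismatch: not issued by us for this 4-tuple
    return MSS_TABLE[data]


def ack_received(saddr, daddr, sport, dport, client_isn, ack_num, now):
    """The final ACK acknowledges cookie + 1, so recover the cookie and verify it."""
    return check_cookie(saddr, daddr, sport, dport, client_isn, (ack_num - 1) & 0xFFFFFFFF, now)


def handshake_demo() -> dict:
    """Three-way handshake with no server-side state for the half-open connection (constructed inputs)."""
    client, server = bytes([192, 0, 2, 5]), bytes([198, 51, 100, 10])
    sport, dport, client_isn, now = 40000, 443, 0x12345678, 600_000
    # SYN arrives during a flood: the SYN-ACK carries ISN=cookie and the server stores nothing.
    cookie = make_cookie(client, server, sport, dport, client_isn, 1460, now)
    # A genuine client echoes cookie+1 as the ACK number a few seconds later.
    genuine = ack_received(client, server, sport, dport, client_isn, cookie + 1, now + 20)
    # A forged ACK guessing a nearby number fails the keyed check.
    forged = ack_received(client, server, sport, dport, client_isn, cookie + 1 + 0x10, now + 20)
    # The same ACK replayed three minutes later is outside the freshness window.
    stale = ack_received(client, server, sport, dport, client_isn, cookie + 1, now + 180)
    return {"genuine": genuine, "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(handshake_demo())
```

Because the server keeps no per-SYN state, a flood of spoofed SYNs costs it one hash per packet and no memory; the trade-off, visible in the code, is that only a coarse MSS value and a short freshness window survive the round trip, which is why production stacks enable cookies only once the SYN backlog is under pressure.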
Radware DefensePro X is an advanced, all-in-one DDoS defense platform that spans your own data centers and the public cloud.
DefensePro X offers automated mitigation against a range of threats, including high-volume, encrypted, Internet of Things (IoT)-based, ransom, and permanent denial-of-service attacks. The platform uses dedicated hardware to mitigate incoming attacks without affecting non-malicious traffic. The system also uses Radware’s patented machine learning technology, which detects incoming threats quickly; each detected threat contributes patterns that help block future threats and reduce the potential for false positives. DefensePro features real-time signature creation, enabling instant and automatic defense against zero-day and unknown attacks, with mitigation in 18 seconds or less. DefensePro has a built-in SSL attack mitigation tool, protecting against attacks on encrypted traffic. Backed by Radware’s network of 13 scrubbing centers with 5 Tbps capacity, users are protected from simultaneous attacks, keeping downtime to a minimum.
There is also the option for Radware’s Emergency Response Team (ERT) to manage the on-premises devices, including set-up by security experts who tailor the devices to your business’ policies and practices. DefensePro can be deployed inline or out-of-path (OOP) in a scrubbing center, allowing for the most effective and efficient mitigation. Customers have praised DefensePro’s scalability, with options for on-premises, hybrid, or full cloud implementation, and fast, dedicated response teams ready for callouts.
FAQs
What Is A DDoS Attack?
A DDoS attack is a targeted cyberattack that uses compromised machines – known as bots – to all request server access simultaneously. This sudden surge in demand overwhelms the server, causing it to crash and preventing usual activities from being carried out.
How Do DDoS Defense Solutions Work?
DDoS defense solutions typically consist of firewalls and filters that monitor the traffic attempting to access a server. If there is a sudden surge, or any other reason to suspect that the requests are suspicious, the filters will block access. This initial identification stage can indicate how best to resolve and mitigate the attack.
From here, the filters and firewalls can use tactics like IP address filtering to block specific devices from accessing the server. In some cases, geo-blocking is used as this can block all traffic from a particular region. Limited access can be granted to legitimate users, whilst bulk bot traffic can be denied. This might, however, slow access for the legitimate users too.
In some cases, you may decide to reroute legitimate traffic to an alternative, hidden IP address by changing the DNS. This is achieved through contacting your ISP, and can be a useful temporary solution to fix a small scale DDoS attack.
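The filtering stages this answer describes (surge detection, IP address filtering, geo-blocking, and letting legitimate users through while bulk bot traffic is denied) can be shown in miniature. The Python below is an example added to this article, not any vendor’s product; the policy, geolocation table and request log are all constructed, and the per-source limit, window and baseline are assumed values a real deployment would learn from its own traffic.

```python
"""Toy DDoS traffic filter: allowlist/blocklist, geo-block, per-source rate limit
and a global surge check. Added illustration with constructed data only."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    allow_nets: list = field(default_factory=list)    # trusted sources: never rate-limited or blocked
    block_nets: list = field(default_factory=list)    # known-bad sources: always dropped
    blocked_countries: set = field(default_factory=set)
    per_source_limit: int = 10        # requests a single source may make per window (assumed)
    window_seconds: int = 5
    baseline_rps: float = 5.0         # assumed normal traffic level, learned beforehand
    surge_multiplier: float = 4.0     # total rps above baseline * multiplier is flagged as a surge


# Constructed geolocation table (example values, not real GeoIP data)
GEO_TABLE = {"203.0.113.0/24": "AA", "198.51.100.0/24": "BB", "192.0.2.0/24": "ZZ"}


def country_of(ip: str) -> str:
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in ip_network(net):
            return cc
    return "??"


class TrafficFilter:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.allow = [ip_network(n) for n in policy.allow_nets]
        self.block = [ip_network(n) for n in policy.block_nets]
        self.history = defaultdict(deque)    # source ip -> timestamps of accepted requests in the window
        self.per_second = defaultdict(int)   # timestamp -> total requests seen (for the surge check)

    def decide(self, ts: int, ip: str) -> str:
        """Return 'allow' or 'block:<reason>' for one request; checks run cheapest-first."""
        self.per_second[ts] += 1
        addr = ip_address(ip)
        if any(addr in n for n in self.allow):
            return "allow"
        if any(addr in n for n in self.block):
            return "block:blocklist"
        if country_of(ip) in self.policy.blocked_countries:
            return "block:geo"
        recent = self.history[ip]
        while recent and recent[0] <= ts - self.policy.window_seconds:
            recent.popleft()                 # drop timestamps that fell out of the sliding window
        if len(recent) >= self.policy.per_source_limit:
            return "block:rate"
        recent.append(ts)
        return "allow"

    def surge_seconds(self) -> list:
        """Seconds in which total traffic exceeded the baseline by the surge multiplier."""
        threshold = self.policy.baseline_rps * self.policy.surge_multiplier
        return sorted(t for t, n in self.per_second.items() if n > threshold)


def run(requests, policy):
    """Apply the policy to (timestamp, source_ip, path) tuples.
    Returns verdict counts, blocked sources per reason, and the seconds flagged as a surge."""
    f = TrafficFilter(policy)
    counts = defaultdict(int)
    blocked = defaultdict(set)
    for ts, ip, _path in requests:
        verdict = f.decide(ts, ip)
        counts[verdict] += 1
        if verdict != "allow":
            blocked[verdict].add(ip)
    return dict(counts), {k: sorted(v) for k, v in blocked.items()}, f.surge_seconds()


POLICY = Policy(allow_nets=["198.51.100.7/32"], block_nets=["203.0.113.99/32"], blocked_countries={"ZZ"})

# Constructed sample traffic: a trusted monitor, one flooding source, a blocklisted host,
# a host in a geo-blocked region, and an ordinary visitor.
SAMPLE_REQUESTS = (
    [(100, "198.51.100.7", "/health")] * 20
    + [(100 + i // 6, "203.0.113.10", "/login") for i in range(12)]
    + [(101, "203.0.113.99", "/")]
    + [(101, "192.0.2.5", "/")]
    + [(100, "198.51.100.200", "/"), (103, "198.51.100.200", "/about"), (108, "198.51.100.200", "/")]
)

if __name__ == "__main__":
    print(run(SAMPLE_REQUESTS, POLICY))
```

Running it shows the trade-off the answer mentions: the flooding source is cut off after its tenth request in the window, the ordinary visitor is untouched, and the surge check flags second 100 even though most of that burst came from the trusted monitor, which is why per-source limits and allowlists are applied before any blanket throttling.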
How Do You Protect Your Network’s Devices From Becoming Bots?
While this top 10 article has focused on solutions that prevent your site from falling victim to a DDoS attack, it is worth spending a moment to consider how we can prevent bots in the first place. As bots are a form of malware, preventing your systems from being infected will ensure they are not used in an attack.
Securing your perimeter is essential if you want to identify and block threats from accessing your systems. You can achieve this through implementing a firewall or endpoint detection and response (EDR) solution.
A firewall acts as a perimeter and scans all content that attempts to gain access to your network. It can block known threats or conduct sandboxing and quarantining for unknown content that has the potential to be malicious. Firewalls will prevent the vast majority of threats from being installed on your devices, thereby offering you an essential level of protection.
Endpoint detection and response (EDR) solutions will proactively monitor requests and usage at each of your endpoints. If any malicious content is identified, the EDR will work to block the threat using predefined playbooks, as well as AI and ML capabilities. The EDR can carry out threat hunting to trace malware through your system and identify any residual code.
What Are DDoS Solutions?
DDoS solutions give your organization confidence that DDoS attacks can be prevented, or at least mitigated. A DDoS attack is when malware-infected devices are used to request site access simultaneously. This overwhelms the servers, causing them to crash and preventing normal operations and service.
DDoS attacks are evident through a large increase in traffic within a short window of time. These requests often come from a specific IP range or from devices that share a behavioral profile (such as device type or geolocation).
DDoS protection solutions will monitor for influxes in traffic, then regulate traffic flow to ensure that servers are not overwhelmed. This can be made more complex by advanced DDoS attacks, known as multi-vector attacks. These use multiple pathways to navigate a system’s defenses and overwhelm the network.
Beyond regulating traffic, DDoS solutions can create plans and implement protocols to mitigate and reduce the damage done by an attack. This might be through increasing network bandwidth, creating blacklists and whitelists, or filtering specific traffic sources. DDoS protection features should identify and log abnormal traffic to help identify future attacks.
What Are The Most Important DDoS Protection Features?
Modern on-premises and cloud-based DDoS solutions are robust and adaptable enough to cope with evolving attack types. An on-premises solution is limited by the bandwidth that your network can use. Increasingly, we are seeing the emergence of hybrid, “best-of-both-worlds” solutions; these combine on-premises and cloud-based capabilities.
Important features to look out for when looking for the best DDoS protection solutions include:
- Scalability: DDoS attacks create a huge influx of traffic in order to overwhelm networks. Your DDoS solution should match your usual level of traffic flow, whilst having the capacity to cope with one of these attacks. Some providers will describe this as autoscaling; the ability for your solution to grow as your organization does.
- Granular controls: Granular configurations and highly customized policies allow you to tailor your solution to your organization, ensuring that protection is targeted and specific. Admins should be able to define policies based on URL, IP headers, geolocation, source IP, and destination IP. Admins should be able to set auto-configured behavior-based traffic profiling policies to enhance this coverage.
- Visibility: Your chosen DDoS protection solution should provide admins with extensive visibility. Teams should receive insights, analytics, and alerts regarding traffic activity, threats, and attacks as they develop in real-time.
- Blacklisting And Whitelisting Capabilities: DDoS mitigation tools should have blacklists and whitelists to easily identify what traffic is permitted access.
- SSL Mitigation: While this feature is not relevant for all organizations, those that experience a high volume of SSL-based traffic and transactions need a solution that supports SSL mitigation. This means that it will support inline decryption and traffic re-encryption.