In the previous article of this series we’ve explored what DDoS attacks are and what implications they carry for end users and companies. Now, let’s take a look at what types of protection can be acquired and how it can shield a company from attacks.
Types and Classes of DDoS Protection
We can classify DDoS protection in 3 major types:
- by solution type: deployed locally, in a cloud, or hybrid;
- by protocol layer: packet (at the 3rd and 4th layers) or at the application layer (L7);
- by connection type: symmetric or asymmetric filtering.
Classification by Solution Type
At the highest level, DDoS protection solutions can be classified as follows:
1) Solutions deployed locally by the client or the client’s provider.
These solutions, in turn, can be divided into software and hardware sub-groups. There are several advantages to running this type of DDoS protection, including:
- Minimal impact on latency due to local installation;
- The ability to flexibly integrate the solution into the existing infrastructure;
- The ability to deeply configure protection without outside assistance;
However, these solutions also come with several restrictions, which are:
- High hardware, software, and personnel costs;
- The need to hire or train employees, set up network monitoring, and develop incident response strategies;
- Filtering functionality limited to protection against packet flood (L3-L5). The inability to protect against bot attacks at the HTTP level (L7) makes this solution type less than ideal for website defense;
- Bandwidth limitations: for example, on a 40 Gbps channel, a 50 Gbps attack will easily overwhelm the defense.
2) Cloud solutions
In essence, cloud solutions implement the same packet protection functionality as on-premises solutions, but the resources are shared among several clients. In addition to packet protection, these solutions offer protection against bot attacks over HTTP, which is useful for websites. Many providers also offer technical support and maintenance during DDoS attacks.
Let’s look at the advantages of cloud solutions (at least those of high quality):
- Low costs through a subscription, usually not requiring down payment;
- The solution does not require hiring or training staff;
- High filtration capacity;
- Fast connection (the service can be up and running in a few minutes);
- Provides expertise in attack filtering along with the filtering itself;
- Trial periods allow clients to test before they buy;
- Attack filtering at the application layer (L7), which is great for website protection.
But it’s not all good. There are some disadvantages, which are:
- Increased latency (traffic first goes to the filtration center, before being routed to the client);
- Sensitive information has to go through the cloud, which may not be acceptable for some companies.
3) Hybrid solutions
Hybrid solutions combine the two protection types described above: cloud protection is activated automatically when the attack size exceeds what the on-premises solution can handle. This eliminates the main drawback of on-premises solutions, the bandwidth limitation that prevents them from successfully defending against large-scale attacks. Essentially, hybrid protection merges the advantages of cloud and on-premises solutions.
In most cases, on-premises solutions are best suited to large telecom operators, like ISPs, cloud providers, and data centers. These businesses have the resources to run individual DDoS protection services and can monetize them to cover the considerable costs, allowing them to cope with powerful attacks exceeding hundreds of gigabytes. However, on-premises solutions are currently being transformed into hybrid ones. As a result, in time, their cost will decrease, and the charges will be split between the initial purchase and a monthly or annual cloud subscription. This will make solutions of this type more accessible to small businesses.
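As an added illustration of the automatic hand-off a hybrid setup performs (this is example code, not from the article or any vendor), here is a small controller that decides when to divert traffic to the cloud scrubbing service and when to take it back; the capacity figures come from the article, while the trigger counts, release ratio and hold-down are assumptions.

```python
class HybridDiverter:
    """Hands traffic to the cloud scrubbing service when an attack exceeds the
    on-premises capacity and takes it back when the attack subsides.
    Assumed policy (not from the article): divert after `sustain` consecutive
    over-capacity samples; release only after `hold_down` consecutive samples
    below `release_ratio` * capacity, so the route does not flap."""
    def __init__(self, onprem_capacity_gbps, sustain=3, hold_down=5, release_ratio=0.6):
        self.capacity = onprem_capacity_gbps
        self.release_level = onprem_capacity_gbps * release_ratio
        self.sustain, self.hold_down = sustain, hold_down
        self.diverted, self.over, self.under = False, 0, 0

    def sample(self, inbound_gbps):
        """Feed one measurement; returns the action for this interval."""
        if not self.diverted:
            self.over = self.over + 1 if inbound_gbps > self.capacity else 0
            if self.over >= self.sustain:
                self.diverted, self.over = True, 0
                return "divert"  # e.g. start announcing the prefix via the cloud provider
            return "local"
        self.under = self.under + 1 if inbound_gbps < self.release_level else 0
        if self.under >= self.hold_down:
            self.diverted, self.under = False, 0
            return "release"  # withdraw the diversion, filter on-premises again
        return "cloud"

def simulate(samples_gbps, capacity_gbps=40):
    """Run a series of constructed inbound-volume readings through one diverter."""
    d = HybridDiverter(capacity_gbps)
    return [d.sample(s) for s in samples_gbps]

# Constructed readings: a 50 Gbps flood hitting a 40 Gbps on-premises filter
# (the numbers the article uses), then the attack tailing off.
ATTACK = [10, 12, 50, 50, 50, 55, 50, 20, 15, 10, 10, 10, 12]
```

A single over-capacity reading does not trigger diversion, and the return to local filtering waits until the volume has stayed well below capacity for several intervals.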
In conclusion, before hybrid solutions become widely available, the best course of action for most companies is purchasing a cloud solution. Let’s look at how you can choose one below.
Classification by Protocol Layer
As a rule of thumb, DDoS attacks exploit vulnerabilities of protocols and systems either at the network and transport layers of the OSI model (the third and fourth layers, respectively) or at the application and software services layer (the seventh layer in the OSI model). In addition, “intelligent” attacks that use very sophisticated techniques are becoming more and more common. We can use this information to divide DDoS protection solutions into three categories:
- Solutions that protect against packet flooding with transport and network layer packet filtering — L3 and L4;
- Solutions that protect against both packet flooding and flooding at the application layer (L3-L7). This kind of protection is necessary to ensure the uptime of a website since most attacks on websites are carried out at the L7 layer;
- Solutions that protect from flooding at L3-L7 layers as well as from “intelligent” DDoS attacks that use “smart” bots. These attacks target the most resource-intensive parts of web applications, those responsible for processing incoming requests. Solutions like this require integration with a Web Application Firewall (WAF).
On-premises solutions are usually limited to protection at the L3-L4 layers. Even if L7 filtering is available as an optional function, it works in an extremely limited way. Cloud solutions, on the other hand, come in different price categories and capability levels. To understand what they are capable of, you need to carefully study the documentation of specific services. Choose an option that uses a WAF if you need to protect critical resources — this will maximize security and availability during DDoS attacks of different complexity levels.
Classification by Connection Format
DDoS protection can be divided into symmetric and asymmetric based on the connection type.
Symmetric filtering routes all incoming and outgoing traffic through the filter. Asymmetric filtering analyzes only the incoming traffic flow and never sees the outgoing traffic from the server.
Typically, symmetric algorithms are more effective because they analyze both traffic streams at the same time and therefore have more information on how clients and servers interact within the network. Asymmetric algorithms are often more complicated: they are forced to “make assumptions” because they don’t see the whole picture. For example, the system may need to let several packets reach the server and then use the subsequent incoming packets to decide whether there was any malicious activity. Thus, the asymmetric mode does not guarantee 100% effective attack filtering.
TCP Reflection is a good example of an attack that bypasses asymmetric filtering. We will not go into the mechanics of how the attack works or the details of filtering in this article. Let’s just say that protection against this attack in asymmetric algorithms is based either on blocking TCP segments with SYN + ACK flags, which blocks all outgoing connections from the protected resource, or on partially letting the malicious traffic into the network and further analyzing each connection.
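An added example (not from the article) of why a symmetric filter can separate reflected SYN-ACKs from legitimate ones while an asymmetric filter cannot: it runs both filters over a few constructed packets. The packet model, the addresses (documentation ranges) and the verdict names are assumptions.

```python
from collections import namedtuple

# Constructed example: one outbound connection the protected host opens itself,
# plus unsolicited SYN-ACKs of the kind a TCP reflection attack produces.
PROTECTED = "203.0.113.10"  # documentation-range address, constructed
# direction is "in" (towards PROTECTED) or "out" (from it); flags is a frozenset
Packet = namedtuple("Packet", "direction src dst sport dport flags")

class SymmetricFilter:
    """Sees both directions, so it knows which connections PROTECTED opened."""
    def __init__(self):
        self.pending = set()  # (remote_ip, remote_port, local_port) of outbound SYNs
    def decide(self, p):
        if p.direction == "out":
            if p.flags == {"SYN"}:
                self.pending.add((p.dst, p.dport, p.sport))
            return "pass"
        if p.flags == {"SYN", "ACK"}:
            key = (p.src, p.sport, p.dport)
            if key in self.pending:
                self.pending.discard(key)
                return "pass"   # answer to a SYN we actually sent
            return "drop"       # unsolicited SYN-ACK: reflected traffic
        return "pass"

class AsymmetricFilter:
    """Sees inbound only; cannot tell a solicited SYN-ACK from a reflected one."""
    def __init__(self, block_synack):
        self.block_synack = block_synack  # True = drop every inbound SYN-ACK
    def decide(self, p):
        if p.direction == "out":
            return "unseen"
        if p.flags == {"SYN", "ACK"}:
            return "drop" if self.block_synack else "pass"
        return "pass"

def synack(src, dport):
    return Packet("in", src, PROTECTED, 443, dport, frozenset({"SYN", "ACK"}))

TRAFFIC = [
    Packet("out", PROTECTED, "198.51.100.5", 40001, 443, frozenset({"SYN"})),
    synack("198.51.100.5", 40001),  # legitimate reply to the SYN above
    synack("192.0.2.7", 40002),     # reflected: never solicited
    synack("192.0.2.8", 40003),
]

def run(filt):
    """Return (legitimate SYN-ACK passed?, number of reflected SYN-ACKs dropped)."""
    verdicts = [filt.decide(p) for p in TRAFFIC]
    return verdicts[1] == "pass", sum(v == "drop" for v in verdicts[2:])
```

The asymmetric filter is left with exactly the two choices the text describes: block every SYN-ACK (and with it the host's own outbound connections) or let them all through for later analysis.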
In general, symmetric protection should be used for websites and critical applications that must be accessible as much as possible, while asymmetric protection is best suited for ISP networks, where directing outgoing traffic through a DDoS filter is difficult, unprofitable, or impossible.
See this presentation for more information on symmetric and asymmetric DDoS protection.
| Advantages | Symmetric protection | Asymmetric protection |
|---|---|---|
| Flexible outbound traffic management | No | Yes |
| The ability to use multiple providers to protect a single IP against DDoS attacks | No | Yes |
In the final article in this series, we will share how a company can protect itself against DDoS attacks and which variables play the biggest role in setting up effective protection.