On-Premise, Cloud or Hybrid?

Approaches to Mitigate DDoS Attacks

Whitepaper

SHARE THIS WHITEPAPER

 Approaches to Mitigate DDoS Attacks Whitepaper

Table of Contents

Overview..................................................................................................................................................... 3

Current Attacks Landscape: DDoS is Becoming Mainstream........................................................................... 3

Attackers Launch Multi-Vector Attack Campaigns..................................................................................... 3

Traditional Network Security Solutions Cannot Mitigate DDoS......................................................................... 4

Choosing DDoS Mitigation Solutions............................................................................................................. 5

On-premise........................................................................................................................................... 5

Cloud .................................................................................................................................................. 6

Hybrid.................................................................................................................................................. 6

Summary.................................................................................................................................................... 7

Smart Network. Smart Business. 2

 Approaches to Mitigate DDoS Attacks Whitepaper

Overview
This paper is written for organizations that need to guarantee availability of online services and prioritize a
dedicated solution for DDoS mitigation. It reviews the current DDoS attack landscape and explains why traditional
network security solutions such as firewall, IPS and WAF cannot stop DDoS attacks. It then reviews the main three
approaches for deploying dedicated DDoS solutions and compares them.

Current Attacks Landscape: DDoS is Becoming Mainstream

The past three years have been the most active and destructive period in the history of cyber threats. Distributed
Denial of Service (DDoS) attacks were carried out with increased sophistication and persistence with destructive
results. In September 2012, some of the largest U.S. financial institutions, such as NYSE, Bank of America and
Chase Bank, experienced massive DDoS attacks that disrupted customer transactions for hours. Other Anonymous
attacks brought down the sites of the Central Intelligence Agency, the Interpol, the Vatican, the Federal Reserve
and others.

A study conducted by Ponemon Institute on November 2012 revealed that DDoS attacks are becoming a
mainstream: 65% of surveyed organizations had an average of three DDoS attacks in the prior twelve months
with an average annual cost of $3,000,000. According to the Radwares 2012 Global Application and Network
Security Report, the motivation for most attacks is still unknown, yet in those cases where the motivation is
known, political and hacktivism compromise 50% of the attacks. Other motivations include financial ransom,
angry users, and competitive businesses.

Attackers and hactivists are mainly targeting financial institutions, online retails, government and eGaming
online services with the purpose of disrupting the availability of those services, hence preventing users from
accessing the online services. This results in revenue loss, reputation damage and other consequences to the
victim organizations.

Attackers Launch Multi-Vector Attack Campaigns

Recent attacks reveal that attackers launch more complex attacks, using more attack tools that last for a longer
duration. During the recent attack campaigns, the attackers set the Botnet (or instruct their fans, as in the case of
Anonymous group operations) to launch several attack types in parallel, targeting multiple vulnerability points of the
victims IT infrastructure such as the network, servers and the application layers.

Today online businesses and data centers face multiple types of attacks that hit every layer of the IT infrastructure:

The network layer is targeted with volumetric network flood attacks such as UDP flood or ICMP flood aiming
to consume or misuse networking resources. Volumetric flood attacks can saturate an organizations Internet
pipe causing a complete denial of service. In 2012, 15% of the attacks handled by Radwares Emergency
Response Team (ERT) blocked the Internet pipe.

The server layer is targeted by SYN flood attacks and low & slow attack tools, which aim to misuse the
server resources.

The application layer is targeted with a wide variety of attacks such as SSL based attacks, application
misuse attacks and application GET or POST attacks.

Launching multi-vector attack campaigns against online businesses is not a complicated task anymore as there
are many DDoS for hire services, allowing the attacker to choose the attack vectors, the attack tools and the
duration of the attack.

Smart Network. Smart Business. 3

 Approaches to Mitigate DDoS Attacks Whitepaper

Traditional Network Security Solutions Cannot Mitigate DDoS

Recent DDoS attacks taught us that traditional network security solutions such as firewall, IPS and WAF cannot
stop DDoS attacks. All the organizations that became a target for DDoS attacks had firewalls and IPS devices in
their infrastructure and yet their availability was hurt and they went offline. Although firewall, IPS and WAF solutions
have an essential role in providing security to organizations, they were simply not designed to handle todays
emerging DDoS threats and may become the bottlenecks themselves during DDoS attacks.

IPS devices have been designed to prevent intrusions that result in data breach through a full inspection of the
session. Firewalls act as a policy enforcer and determine whether traffic should be allowed into the organization
based on predetermined rules. While these are critical security tools, they cannot protect the availability of the
online services for several reasons:

Reason #1: Firewall, WAF & IPS are stateful devices - this means that they track all the connections that
they inspect. All connections are stored in a connection table, and every packet is matched against that
connection table to verify that it is being transmitted over an established legitimate connection. The
connection table of a standard enterprise-class firewall, IPS or WAF can store tens of thousands of active
connections, and is sufficient for normal network activity.

However, during a DDoS attack, an attacker will send thousands of packets per second to the targets
network. In the absence of a dedicated anti-DoS device to shield the traditional network security devices from
such a high volume of traffic, these devices are usually the first device in an organizations network to handle
the force of the DDoS attack. Because of the way a firewall and IPS are designed, they open a new
connection in their connection tables for each malicious packet, resulting in the exhaustion of the connection
tables in a very short period of time. Once the connection tables have reached their maximum capacity,
they do not allow additional connections to be opened, ultimately blocking legitimate users from establishing
connections, and subsequently preventing such users from accessing the online services.

Proper DDoS mitigation devices include a stateless DDoS protection mechanism that cannot be exploited
by connection-based attacks. Such devices can handle millions of attempts to establish connections without
consuming connection table entries or exhausting other systems resources.

Reason #2: Cannot distinguish between malicious and legitimate users unlike intrusion attempts that
firewalls and IPS are designed to detect and block, certain DDoS attack vectors such as HTTP floods,
are composed of millions of legitimate sessions. Each session during a DDoS attack is legitimate and does
not comply with any predefined IPS or firewall rule. Each session by itself is not a problem and it cannot be
detected as a threat by IPS and firewalls; however when there are millions of concurrent sessions a DDoS
attack is emerging, the solution must look on all sessions and their behavior. IPS and firewalls are not
designed to look on all sessions, but rather on a session-by-session basis.

Reason #3: Inappropriate network location Firewalls, IPS and WAF solutions are deployed too close to the
protected servers and are not deployed as the first line of defense where DDoS attacks should be mitigated.
This results in DDoS attacks that go through the protected data center without being detected by the
traditional network security solutions. A dedicated DDoS mitigation solution should be deployed even before
the access router at the ISP hand-off.

There are additional reasons why firewalls, IPS and WAF devices fail to protect from DDoS attacks including lack of
DDoS expertise, limited security coverage of DDoS threats, lack of a 24x7 emergency response team to fight DDoS
attacks and more.

Smart Network. Smart Business. 4

 Approaches to Mitigate DDoS Attacks Whitepaper

At the beginning of 2013, Radwares Emergency Response Team (ERT) released its annual security report based
on dozens of DoS and DDoS attacks that the team handled during 2012. The ERT checked which network devices
were bottlenecks during these DDoS attacks, and found that in 33% of the cases the target organizations firewall
and IPS devices were the main bottlenecks. As high as this number sounds, it should not surprise security experts
who understand the nature of DDoS attacks and how IPS and firewalls are designed.

30%

26%
25% 25%

22%

20%

15%

11%
10%
8% 8%

5%

0%

Internet Pipe Firewall IPS/IDS Load Balancer The server SQL Server
(ADC) under attack

Diagram: Network elements that have been the bottleneck during DDoS attack
Source: Radwares 2012 Global Application and Network Security Report

Choosing DDoS Mitigation Solutions

Enterprises and organizations that would like to guarantee the availability of their online services from DDoS
attacks should consider a dedicated DDoS mitigation solution that is especially designed to deal with todays
emerging availability based threats. There are three approaches to DDoS solutions: on-premise, cloud and hybrid.

On-premise
An on-premise DDoS mitigation solution is a dedicated, specially designed device to detect and mitigate DDoS
attacks. The device is usually deployed as the first device in the organizations network, even before the access
router. Such a device provides protection to the entire data center and especially to the online services.
On-premise DDoS devices should provide protection from many types of DDoS attacks including:

UDP / ICMP network flood attacks

SYN flood attacks
SSL based attacks
HTTP GET / POST application layer attacks
Low & Slow attacks

Smart Network. Smart Business. 5

 Approaches to Mitigate DDoS Attacks Whitepaper

Mitigation systems deployed on-premise in proximity to the protected online applications can be easily fine-tuned
to have a greater awareness to changes in network traffic flows in and out of the application servers, and therefore
have a greater chance of detecting suspicious traffic on the application layer. However, on-premise DDoS solution
cannot handle volumetric network floods that saturate the Internet pipe of the enterprise and such attacks must
be mitigated from the cloud.

When the DDoS solution is deployed on-premise the organization benefits from an immediate and automatic attack
detection and mitigation. Within a few seconds from the attack initiation the online services are well protected and
the attack is mitigated.

Cloud
With the rise of DDoS attacks, many Internet Service Providers (ISPs) and Managed Security Service Providers
(MSSPs) have begun to offer anti-DDoS services. Such services protect organizations from network flood attacks
by deploying mitigation equipment at the ISP or MSSP scrubbing centers. Often referred to as clean pipe, this
type of mitigation is guaranteed to block network flood attacks from ever reaching the organization, as attacks are
mitigated before they ever reach the connection between the ISP or MSSP and the organization. This renders the
organizations Internet pipe free of volumetric network flood attack.

However, cloud based anti-DDoS services cannot block application DDoS attacks as well as low & slow attacks since
their mitigation equipment is not sensitive enough to detect the intricacies of such attacks when its deployed in the
cloud. In addition, to detect SSL based attacks the MSSP must host the SSL keys of the protected enterprise. This
results in compliance and regulatory concerns for the protected enterprises, which cannot provide its SSL keys to the
MSSP and therefore SSL based attacks are travelling into the enterprise data center without any mitigation.

During attack, cloud based mitigation requires diversion of the traffic from the protected enterprise into the MSSP
scrubbing center. This diversion process requires human intervention and takes at least 15 minutes in which the
enterprise online services are not protected and are exposed to the attackers.

Hybrid
Hybrid DDoS solution aspires to offer best-of-breed mitigation solution by combining on-premise and cloud
mitigation into a single, integrated solution. The hybrid solution chooses the right mitigation location and the
mitigation technique based on the attack characteristics, attack tools and attack volume. In the hybrid solution,
attack detection and mitigation starts immediately and automatically using the on-premise DDoS solution that
stops various attacks from diminishing the availability of the online services. All the attacks are mitigated on-
premise, unless they threaten to block the Internet pipe of the organization. In case of pipe saturation threat, the
hybrid solution activates the cloud mitigation and the traffic is diverted to the cloud, where it is scrubbed before
sent back to the enterprise. The hybrid solution also shares essential information about the attack between the
on-premise mitigation devices and the cloud devices in order to accelerate and to enhance the mitigation of the
attack once it reaches the cloud.

The hybrid solution allows enterprises to benefit from:

Widest security coverage that can be achieved only by combining on-premise and cloud coverage
Shortest response time by employing an on-premise solution that starts immediately and automatically to
mitigate the attack
Single contact point during an attack both for on-premise and cloud mitigation
Traffic is diverted to the cloud only as a last resort
Integrated reporting system provides information both from the on-premise mitigation and
in-the-cloud mitigation

Smart Network. Smart Business. 6

 Approaches to Mitigate DDoS Attacks Whitepaper

The table below summarizes the aforementioned alternatives for DDoS solutions:

Capability On-Premise Cloud Hybrid

UDP / ICMP network floods V V V
Floods that saturate the
X V V
Internet pipe
Attack Coverage SSL based attacks V X V
HTTP application GET / POST
V X V
attacks
Low & slow attacks V X V
Mitigation response time Slow at least
Immediate Immediate
Mitigation 15 minutes
Start automatically Yes No Yes
Only when threaten
Divert traffic with BGP
Traffic Diversion No For every attack to saturate the
announcement or DNS
Internet pipe

Summary
DDoS attacks are on the rise and have become very popular among attackers because it is easy to launch using
DDoS-for-hire services and the impact of these attacks are significant. Traditional network security solutions such
as firewalls, IPS and WAF are not sufficient to handle the emerging DDoS threats and they themselves become the
bottlenecks during many of the attacks. Enterprises that aspire to guarantee the availability of their online services
are urged to prioritize specially designed DDoS solutions. Based on the description in this paper of the various
DDoS solutions, each organization should decide whether on-premise, cloud or hybrid is the most suitable solution
to its needs and move forward to deploy one sooner rather than later.

If youre interested in learning more about how to deploy one of these methods, read about our Attack Mitigation
Solutions and specialized offerings such as DefensePipe.

2013 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in
the U.S. and other countries. All other trademarks and names are the property of their respective owners.

Smart Network. Smart Business. 7

PRD-DDoS-Mitigation-Approaches-WP-02-2013/04-US