The inner workings of DDoS protection services

6th February 2014

Distributed denial of service attacks remain one of the prime concerns in the world of cyber security. These malicious attacks are focused on rendering a server or network resource unavailable to its intended users by interrupting or suspending the host. Typically, a distributed denial of service assault uses a large number of computers and internet connections to carry out the attack.

Network and application layer assaults

Recent DDoS attacks have generally taken one of two different forms. Network layer assaults were traditionally focused on simply generating a large amount of traffic, with the aim of flooding the bandwidth of the site in question. Application layer attacks, however, are far more sophisticated. They instead target individual features within websites, such as search forms. The modus operandi of these attacks means that they are often hard to distinguish from genuine web traffic. The fact that the assaults often use malware to rope other computers into a botnet that participates in the assault makes them even harder to distinguish. There is also no huge spike in traffic, as there would be with a standard network layer assault.

Mitigating application layer DDoS attacks

Dealing with these new threats is tricky, and web security firm Incapsula has developed a number of different techniques to help counter them.

The firm uses IP and ASN information, HTTP headers, JavaScript footprints and a few other signs to distinguish between bot traffic and human traffic. Identifying the "good bots", such as search engines and monitoring tools, is part of this process. Once this traffic has been filtered out, the remaining visitors to the website are partitioned into suspicious and legitimate using Incapsula's reputation system.
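As an added illustration of the partitioning described above (example code written for this article, not Incapsula's own), the toy classifier below applies the same kinds of signals to constructed access-log records: it first sets aside crawlers whose user agent and originating ASN both match an allow-list, then scores the rest on missing browser headers, a missing JavaScript footprint and how hard they hit the search form. The log records, the `GOOD_BOTS` allow-list, the ASNs (from the documentation range) and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log records (documentation IPs and ASNs, not real traffic):
# (client_ip, asn, path, user_agent, has_accept_language, has_js_cookie)
REQUESTS = [
    ("203.0.113.10", "AS64496", "/search?q=shoes", "ExampleCrawler/1.0", False, False),
    ("203.0.113.99", "AS64499", "/search?q=shoes", "ExampleCrawler/1.0", False, False),
    ("198.51.100.7", "AS64497", "/search?q=red", "Mozilla/5.0", True, True),
    ("198.51.100.7", "AS64497", "/product/42", "Mozilla/5.0", True, True),
    ("198.51.100.8", "AS64497", "/", "Mozilla/5.0", True, False),
] + [("192.0.2.44", "AS64498", f"/search?q={i}", "Mozilla/5.0", False, False)
     for i in range(30)]

# Assumed allow-list of "good bots": user-agent token -> ASN the crawler announces
# from. A UA string is trivially forged, so the origin network must agree with it.
GOOD_BOTS = {"ExampleCrawler": "AS64496"}
SEARCH_LIMIT = 20        # assumed: search-form hits per IP in the window
SUSPICIOUS_SCORE = 3     # assumed: score at which an IP is partitioned out


def classify(requests, search_limit=SEARCH_LIMIT):
    """Return {client_ip: 'good_bot' | 'legitimate' | 'suspicious'}."""
    per_ip = defaultdict(list)
    for rec in requests:
        per_ip[rec[0]].append(rec)
    verdict = {}
    for ip, recs in per_ip.items():
        _, asn, _, ua, has_lang, has_js = recs[0]
        # Step 1: filter out verified good bots (UA token AND origin ASN match).
        token = next((t for t in GOOD_BOTS if t in ua), None)
        if token and GOOD_BOTS[token] == asn:
            verdict[ip] = "good_bot"
            continue
        # Step 2: score the rest. An application-layer flood shows no bandwidth
        # spike, so look at header/JavaScript footprints and at whether the client
        # hammers one feature (here the search form) instead of browsing.
        score = 0
        if token:            # claims to be a crawler but comes from the wrong network
            score += 2
        if not has_lang:     # real browsers send Accept-Language; many flood tools do not
            score += 1
        if not has_js:       # never ran the challenge script, so no cookie was set
            score += 1
        if sum(r[2].startswith("/search") for r in recs) > search_limit:
            score += 2
        verdict[ip] = "suspicious" if score >= SUSPICIOUS_SCORE else "legitimate"
    return verdict


if __name__ == "__main__":
    for ip, label in classify(REQUESTS).items():
        print(f"{ip:14} {label}")
```

Note that a single missing signal (198.51.100.8, a first visit before the challenge cookie exists) is not enough to mark a client suspicious; it is the combination of signals that separates the flood source and the spoofed crawler from ordinary visitors.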

A key part of Incapsula's DDoS protection is the cloud. Using the latest technology means that protective measures can be put in place immediately, without any of the issues that come with clumsy hardware and software installations. This also means that fewer resources are required for ongoing maintenance. This cloud-based protection allows Incapsula to simply absorb volume-based attacks and to block any malicious traffic designed to carry out protocol attacks.

Some DDoS attacks are actually used to weaken a website's perimeter defences, such as security appliances, so that more traditional attack vectors can be used to exploit known vulnerabilities in the system. In this case, Incapsula's Web Application Firewall is used to protect clients from threats such as SQL injection, illegal resource access and remote file inclusion, amongst others.

Summing up

Many threat mitigation services are based on cat-and-mouse tactics. Successful attacks can come in any form, which is why Incapsula focuses on continuous monitoring and mitigation, using 24/7 support staff to be proactive in detecting irregular behaviour.

It is a simple fact that network capacity alone is rarely enough to fully mitigate DDoS attacks; the focus needs to be on profiling individual visitors and traffic. Networking knowledge, security expertise and traffic routing have all become essential elements of effective threat mitigation.