Why security teams need to adapt a hybrid approach for DDoS defenses

DDoS attacks rose to an all-time high in the second half of 2022, which means enterprise-level organizations must continue improving defense methods, mainly to prevent multi-vector and application-layer attacks designed to bypass traditional defenses.

Although traditional cloud-based DDoS protection products can stop large volumetric attacks, organizations should go one step further to strengthen on-premises security to mitigate attacks designed to evade cloud-only products.

We’d like security teams to consider a hybrid DDoS defense strategy that includes stateless deep packet inspection at the edge and a cloud solution to stop large volumetric attacks. While there’s no one-size-fits-all option to DDoS protection at the edge, this hybrid approach will ensure that organizations can more effectively remediate DDoS attacks now and in the future.

The need for a hybrid DDoS defense strategy

Although there are three main types of DDoS attacks (volumetric, protocol, and application-layer), attackers tend to combine more than one category to maximize disruption in targeted networks. Despite the limitations of traditional cloud-based services, security teams still must mitigate volumetric attacks upstream from the victim. Thus, we need to take a multi-layer or hybrid approach to DDoS protection, with both on-premises and cloud components that recognize all the different types and targets of DDoS attacks.

For example, cloud services can mitigate high-volume flood attacks targeting internet connectivity before they overwhelm local protection. Meanwhile, application-layer, state-exhaustion, and encrypted-traffic attacks require on-premises defenses near the targeted applications or services. The product must also provide intelligent communication between these two layers, backed by current threat intelligence, to stop dynamic, multi-vector DDoS attacks.

Another example underscoring the need for hybrid DDoS defenses is the protocol attack. SYN floods are a common type of protocol attack. In a SYN flood, the attacker can target any system connected to the internet that delivers transmission control protocol (TCP) services. This type of DDoS attack can take down even high-capacity devices capable of maintaining millions of connections.
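The SYN-flood behaviour described above, combined with the stateless inspection the article recommends at the edge, as an added example that is not code from the article or from Netscout: a per-window counter (no connection table) that flags a destination receiving many bare SYNs with few completed handshakes. The packet records, field layout and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (timestamp_seconds, src_ip, dst_ip, tcp_flags)
# as a stateless edge sensor might log them. Sample data, not traffic from the article.
SAMPLE = (
    # Normal clients: each SYN is followed by the client's ACK completing the handshake.
    [(0.1 * i, f"198.51.100.{i}", "203.0.113.10", "S") for i in range(1, 5)]
    + [(0.1 * i + 0.05, f"198.51.100.{i}", "203.0.113.10", "A") for i in range(1, 5)]
    # Flood toward a second host: many spoofed sources, SYN only, no handshake completion.
    + [(0.003 * i, f"192.0.2.{i % 250 + 1}", "203.0.113.20", "S") for i in range(300)]
)

def syn_flood_scores(packets, window=1.0):
    """Stateless per-window counts: no per-connection state is kept, only counters
    keyed by (destination, window index). Returns {(dst, win): (syns, acks, sources)}."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, dst, flags in packets:
        key = (dst, int(ts // window))
        if flags == "S":               # bare SYN: a new handshake request
            syns[key] += 1
            sources[key].add(src)
        elif flags == "A":             # bare ACK from the client: handshake completed
            acks[key] += 1
    return {k: (syns[k], acks[k], len(sources[k])) for k in syns}

def detect_syn_flood(packets, window=1.0, min_syns=100, ratio=5.0):
    """Flag destinations whose SYN count in a window is both large and far above the
    number of completed handshakes, the signature of a state-exhaustion attempt.
    Thresholds are illustrative; tune them to the protected host's normal connection rate."""
    alerts = []
    for (dst, win), (s, a, n_src) in syn_flood_scores(packets, window).items():
        if s >= min_syns and s > ratio * max(a, 1):
            alerts.append({"dst": dst, "window": win, "syns": s, "acks": a, "sources": n_src})
    return alerts

if __name__ == "__main__":
    for alert in detect_syn_flood(SAMPLE):
        print(alert)
```

Because the heuristic keeps only counters, it does not itself become a state-exhaustion target, which is the property the article asks of edge DPI.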

Finally, application-layer DDoS attacks are quite insidious, as they target the application itself, focusing on specific vulnerabilities or issues so that the application can no longer deliver content to the user. Application-layer attacks are aimed at specific applications, most commonly web servers, but can target any application, such as SIP voice services and BGP.

Ultimately, this trifecta of DDoS attacks plainly shows how today’s DDoS attack methodologies require a multi-faceted, stateless approach that lets users look across both internet infrastructure and network availability. To protect network devices, firewalls and VPNs, the product needs to sit in front of the edge of the network to see the attack traffic before it becomes an issue. Additionally, the hybrid defense strategy at the edge needs to include advanced, stateless, deep packet inspection (DPI) tools that enable pervasive network visibility and analytics to quickly identify and respond to cyberthreats.

The increasing complexity of attacks — and how to detect and mitigate them — not only reinforces the need for a multilayer hybrid defense strategy, but it makes it a requirement.

The case for a hybrid approach

A hybrid security strategy combines an on-premises detection and mitigation system with on-demand cloud-based mitigation capabilities at the edge. Because of the increased tenacity of cybercriminals and the growing complexity of DDoS attacks, the foundation for a comprehensive DDoS protection strategy should begin with an on-premises, always-on, purpose-built DDoS attack mitigation option. That product must automatically identify and stop all types of DDoS attacks and other cyber threats before they impact the availability of business-critical services.

Although traditional cloud-based DDoS protection products, including those provided by ISPs or CDNs, are designed to stop large volumetric DDoS attacks, they struggle to mitigate other types of DDoS attacks designed to evade them. But security pros should not discard cloud-based mitigation solutions, as they enhance the protection of on-premises options. Ultimately, it’s best to use both an on-premises and a cloud product with intelligent and automated integration for the most comprehensive protection. Taking this approach helps ensure that an organization can thwart new and evolving DDoS attacks in real time.

As DDoS attackers get smarter and attacks become harder to detect, organizations need a more comprehensive defense strategy to secure their network edges. While cost-effective, cloud-based options ultimately need to do more to mitigate the rapidly changing nature and types of new DDoS attacks. With a multi-layer, hybrid approach of deploying on-premises defense at the edge and a cloud-based backup, organizations can maintain better cyber hygiene and prevent extended server downtime.

Gary Sockrider, director of security solutions, Netscout
