On-Premises Defense Is Required in Comprehensive DDoS Strategy


Cloud-only distributed denial-of-service (DDoS) protection providers have been available for some time, but as services have become more mission-critical with less tolerance for downtime and application-layer DDoS attacks have evolved to become more complex, cloud-only solutions are not enough.

Research and experience have proved that a multilayered DDoS defense strategy is the only holistic approach for protecting against modern DDoS threats. The analyst community has for a few years voiced strong support for a multilayered DDoS defense strategy backed by continuous threat intelligence. Some aspects of today’s targeted complex attacks require on-premises components. In fact, because of the elusiveness of some attack types with regard to cloud solutions, on-premises purpose-built DDoS protection devices should be considered the foundation for a network DDoS protection posture.

Battling Complex DDoS Attacks

Today’s DDoS attacks are increasingly complex and surgically targeted. Attackers react to mitigation policies by using multiple attack vectors, from volumetric ones such as reflection/amplification to application-specific “smart” floods or state exhaustion techniques, attacks embedded in encrypted traffic, and bots planted on unsecured devices on your network, visible only as indicators of compromise (IoCs), to inflict damage later on.

Application-layer attacks typically conform to the protocols the applications are using, which often involve protocol handshakes and protocol/application compliance. An example of this type of attack is a Slow POST attack, in which the attacker sends legitimate, fully compliant HTTP POST headers but then transmits the message body at a painfully low speed, tying up server resources until the server slows to a crawl. Because the traffic within the attack appears to be legitimate, these attacks go undetected by traditional cloud-based mitigation strategies.
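One way a defender can recognise the Slow POST pattern described above, as an added example (not NETSCOUT’s or AED’s code): the server or an inline device tracks how much of each declared request body has actually arrived, flags connections whose average body rate or projected completion time is unreasonable, and then aggregates flagged connections by source address. The thresholds, IP addresses and connection events below are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Policy thresholds (assumed values for this example, not from the article).
MIN_RATE_BPS = 256.0        # slowest acceptable average body rate
GRACE_SEC = 10.0            # do not judge connections younger than this
MAX_PROJECTED_SEC = 120.0   # cap on projected time to finish the declared body

@dataclass
class BodyProgress:
    src_ip: str
    content_length: int
    started_at: float
    received: int = 0

def assess(p: BodyProgress, now: float) -> Optional[str]:
    """Reason the connection looks like a Slow POST, or None if it looks normal."""
    age = now - p.started_at
    if age < GRACE_SEC:
        return None
    rate = p.received / age
    if rate < MIN_RATE_BPS:          # also catches a body that never starts (rate 0)
        return f"body rate {rate:.1f} B/s below {MIN_RATE_BPS:.0f} B/s"
    remaining = p.content_length - p.received
    if remaining / rate > MAX_PROJECTED_SEC:
        return f"projected {remaining / rate:.0f}s to finish declared body"
    return None

def detect_slow_post(events, now, per_source_threshold=3):
    """events: (conn_id, src_ip, ts, content_length, cumulative_body_bytes).
    Returns ({conn_id: reason}, [source IPs with >= threshold flagged conns])."""
    conns = {}
    for conn_id, src, ts, clen, total in events:
        p = conns.setdefault(conn_id, BodyProgress(src, clen, ts))
        p.received = max(p.received, total)
    flagged = {cid: r for cid, p in conns.items() for r in [assess(p, now)] if r}
    per_src = defaultdict(int)
    for cid in flagged:
        per_src[conns[cid].src_ip] += 1
    sources = sorted(s for s, n in per_src.items() if n >= per_source_threshold)
    return flagged, sources

# Constructed sample: one healthy 1 MB upload, three drip-fed bodies from one
# source, one body fast enough per second but far too large to ever finish,
# and one connection still inside the grace period.
SAMPLE_EVENTS = [
    ("c1", "198.51.100.5", 0.0, 1_000_000, 0), ("c1", "198.51.100.5", 30.0, 1_000_000, 900_000),
    ("c1", "198.51.100.5", 55.0, 1_000_000, 1_000_000),
    ("s1", "203.0.113.7", 0.0, 100_000, 0), ("s1", "203.0.113.7", 59.0, 100_000, 40),
    ("s2", "203.0.113.7", 0.0, 100_000, 0), ("s2", "203.0.113.7", 59.0, 100_000, 38),
    ("s3", "203.0.113.7", 0.0, 100_000, 0), ("s3", "203.0.113.7", 59.0, 100_000, 41),
    ("s4", "203.0.113.8", 0.0, 5_000_000, 0), ("s4", "203.0.113.8", 58.0, 5_000_000, 20_000),
    ("y1", "203.0.113.9", 55.0, 100_000, 0),
]
```

Running `detect_slow_post(SAMPLE_EVENTS, now=60.0)` flags s1 to s3 for their byte rate, s4 for its projected completion time, and reports 203.0.113.7 as a source worth rate-limiting or dropping.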

Some other typical targets for the bad guys are stateful devices such as firewalls and VPN devices. In fact, 83 percent of enterprise respondents to NETSCOUT’s 2021 Worldwide Infrastructure Security Report (WISR) survey reported DDoS attacks in which overloaded firewalls and/or VPN devices contributed to an outage—up 21 percent from 2019. Because NETSCOUT Arbor Edge Defense (AED) is designed to sit on the edge of the network between the internet and your network’s stateful devices, it protects those stateful devices from the flood attacks designed to take them down. Further, because AED is stateless and always on, it is not susceptible to the delays in the start of mitigation that are typical with an on-demand cloud solution.

The Importance of IoCs

Attackers are unrelenting in their assaults on high-value encrypted targets. A key component of a security arsenal, therefore, is the ability to decrypt and inspect encrypted traffic securely and attest to its authenticity without slowing, disrupting, or compromising legitimate traffic.

Another area of concern regarding decrypting and scanning packets is where the encryption is executed. Many organizations do not want their traffic being decrypted offsite or by a cloud service because that may require sharing private certificates with the cloud provider—a security risk many enterprises aren’t willing to take. In some situations, cloud providers themselves don’t want to be responsible for managing private keys and the associated liability risks if the keys are leaked or exposed from their systems.

IoCs play an integral role in cybersecurity analysis and attack protection. Not only do they reveal and confirm that a security attack has occurred, but they also disclose the tools that were used to carry out the attack. The risk lies in the reluctance or inability to collect IoCs and correlate them in real time against a comprehensive source of current threat intelligence. By not monitoring or further analyzing IoCs, organizations lose the ability to identify security incidents that went undetected in the past or are currently going undetected by other tools in the security stack. AED provides advanced packet-based protection against internet-scale threats, neutralizing the malware families that make up the global botnet threat.

Armed with millions of reputation-based IoCs, NETSCOUT’s packet processing engine can detect and block inbound threats and outbound communication from internal compromised hosts that have been missed by other devices in the security stack, helping to stop further proliferation of malware and other tactics used within crimeware and advanced threat campaigns.
