True Network Security Requires a Hybrid or Layered Approach

A cloud-only approach to DDoS protection is not foolproof, no matter how big your organization is.

Whether in government, financial, manufacturing, or other sectors, misconceptions persist about the best way large organizations can protect themselves from distributed denial-of-service (DDoS) attacks. Many such organizations have bought into a one-size-fits-all mentality, treating the protection offered by cloud-based solutions such as those from managed security service providers (MSSPs) and content delivery networks (CDNs) as sufficient on its own. Unfortunately, these organizations are learning that modern DDoS attacks are intelligently designed and persistently executed: attackers combine automated probing with manual analysis to find ways around the primary defense offered by upstream protections, rendering critical business applications and services unavailable for hours at a time.

The Case for a Multitiered Approach

Cloud-based DDoS protection solutions certainly have their place in a hybrid, multilayered partnership aimed at protecting a network from DDoS attacks. In fact, such a solution is an absolute requirement for managing the volumetric attacks that shut down a network by exhausting bandwidth upstream. However, many upstream protection providers have limited visibility into a customer's traffic and limited agility in responding to it, because their priorities lie elsewhere, so some attacks do slip by. These small but damaging attacks can be devastating and should drive every organization to consider a multitiered, layered approach to DDoS protection.

One of our largest global finance customers discovered this the hard way. Within two weeks, it endured two attacks. One was relatively straightforward but still slipped past the CDN’s add-on DDoS offering and targeted the organization's own IP space. This was a big issue for the organization in two ways. First, a lot of folks were under the impression that attackers couldn’t simply go around the CDN’s add-on DDoS solution. Second, this small, undetected attack caused immeasurable disruption to end-user productivity within the targeted application.

The second attack strategically employed a large number of bots to stay under the CDN’s detection/alerting requests-per-second threshold but still deliver enough junk requests to take down a customer portal. This five-minute attack disabled a customer-facing portal for four hours. The CDN did not alert the organization because it did not detect the attack. It is believed the attacker employed a reconnaissance or probing program to ascertain the CDN's thresholds and adjusted the attack accordingly to inflict maximum damage with the limited information it had uncovered.
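The evasion described above works against a rule that only counts requests per client, which is why the text stresses edge-wide visibility. The following added example (not from the original post or from NETSCOUT) shows the defender's side: request logs aggregated per target and per second, so that many sources each staying under a per-source threshold are still caught by the aggregate rate and the source count. The log format, thresholds and all sample values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log, format "<epoch_second> <src_ip> <target_host> <path>".
# Thirty distinct sources each send one request to the portal in second 1000 (1 rps
# per source, well under a per-client threshold); one legitimate client sends three.
SAMPLE_LOG = [f"1000 10.0.0.{i} portal.example /login" for i in range(30)]
SAMPLE_LOG += [
    "1000 192.0.2.10 portal.example /",
    "1000 192.0.2.10 portal.example /css/site.css",
    "1001 192.0.2.10 portal.example /account",
]


def parse_log(lines):
    """Parse log lines into (second, src_ip, target, path) tuples."""
    records = []
    for line in lines:
        second, src, target, path = line.split()
        records.append((int(second), src, target, path))
    return records


def bucket_by_target_second(records):
    """Group requests as (target, second) -> {src_ip: request_count}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for second, src, target, _path in records:
        buckets[(target, second)][src] += 1
    return buckets


def detect(records, per_source_rps=5, aggregate_rps=20):
    """Alert when the aggregate rate to one target crosses aggregate_rps.

    Each alert also records whether a per-source rule (per_source_rps) would
    have fired, to show what a client-only threshold sees in the same second.
    """
    alerts = []
    for (target, second), by_src in sorted(bucket_by_target_second(records).items()):
        total = sum(by_src.values())
        peak_single_source = max(by_src.values())
        if total >= aggregate_rps:
            alerts.append({
                "target": target,
                "second": second,
                "total_rps": total,
                "distinct_sources": len(by_src),
                "peak_single_source_rps": peak_single_source,
                "per_source_rule_fired": peak_single_source >= per_source_rps,
            })
    return alerts
```

Running `detect(parse_log(SAMPLE_LOG))` yields one alert for second 1000 with 32 requests from 31 sources, while the per-source rule never fires because no client exceeded 2 rps.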

Luckily, the organization also had a NETSCOUT Arbor Sightline and Threat Mitigation System (TMS) on the network to protect other assets that the CDN could not see. Because of Sightline’s wide-ranging visibility into all traffic crossing the network edge, it proved its value in the DDoS space by detecting and alerting on each of the attacks missed by the CDN, promptly and as they occurred. Unfortunately, as we found out later, this was not a one-time incident and was happening monthly. But each time an attack slipped by the add-on DDoS solution from the CDN, it was detected by Sightline, thanks to Sightline’s ability to gain full visibility into all traffic and use unmatched threat intelligence to smartly identify the traffic as attack traffic.

[Diagram: Arbor Sightline and Threat Mitigation System coverage]

Protection on Every Layer

Organizations large and small need to start rethinking their DDoS protections. Any cloud-based solution will have its drawbacks, as will many network solutions, including devices in the security stack such as intrusion detection systems and intrusion prevention systems (IDSs/IPSs), web application firewalls (WAFs), and, most importantly, firewalls. Each of these has specialized protection features, but none covers DDoS on its own.

The key to real protection against DDoS is a hybrid or layered solution that employs the advantages of a cloud-based solution, a DDoS-specific network solution, and potentially other protections for specific services.