The Ultimate Defense Against Multivector DDoS Attacks

Powered by Arbor Adaptive DDoS Protection

Distributed denial-of-service (DDoS) attacks are evolving. According to the NETSCOUT DDoS Threat Intelligence Report, volumetric reflection/amplification attacks are declining, while direct-path dynamic multivector attacks that evolve to evade existing defenses are on the rise. Adversaries are leveraging artificial intelligence (AI) and other revolutionary technologies to take cyberattacks to the next level. Because these attacks shift from attack vector to attack vector, defending against them can require a multilayered adaptive DDoS protection solution.

Multivector DDoS attacks present an emerging threat with familiar consequences. DDoS attacks can have significant direct and indirect costs. Lack of network, application, or service availability can cause downtime, leading to frustrated customers, unproductive employees, brand reputation damage, eroded customer trust, and direct impacts to revenue. Investing in both cloud-based and on-premises adaptive DDoS protection is the only way to protect against multivector dynamic attacks of all types to prevent these losses.

Challenges of Multivector DDoS Attacks

Reflection/amplification and volumetric attacks can leverage only a small number of attack vectors, which makes them defensible. This is because of the specific protocols they are required to use as well as the alert thresholds they tend to overwhelm and trigger. On the other side of the coin are direct-path multivector attacks. These use nonspoofed traffic and are dynamic in nature—in other words, they adapt to defenses and change vectors. They leverage state exhaustion and application layer attack vectors that are smaller in size and duration, and this, in combination with adaptation, makes them significantly more difficult to detect and mitigate.

DDoS Mitigation Strategies

Having stout defenses deployed both in the cloud and in-line on-premises is the key to mitigating dynamic DDoS attacks. This configuration defends against volumetric attacks with cloud-based protection, while the on-premises solution protects against smaller, more dynamic attacks such as state exhaustion, application layer, and multivector attacks. This layering of defenses is necessary because cloud-based solutions often miss the smaller attacks that don't reach certain mitigation thresholds, leaving firewalls and other vulnerable solutions to defend against them. A stateless solution placed outside the firewall helps protect the firewall and other devices in the security stack against these types of threats.

Features and Benefits of Adaptive DDoS Protection

NETSCOUT's Adaptive DDoS Protection solution can utilize the automated defensive measures outlined above. Our Arbor Cloud can detect and automatically mitigate all types of volumetric attacks. It is powered by a network of 16 international scrubbing centers with a total capacity of more than 15 Tbps. Arbor Cloud, paired with Arbor Edge Defense (AED), which is placed outside the firewall in an on-premises inline location, automatically protects against many types of DDoS attacks. AED’s stateless design prevents it from being overwhelmed by state exhaustion attacks, allowing only legitimate traffic through and thwarting adversary traffic. These solutions can be enhanced with ATLAS Intelligence Feed (AIF) to provide them with up-to-date threat intelligence on the latest DDoS threats, automating many defenses against known attackers.
