What is a Distributed Denial of Service (DDoS) Attack?
A Distributed Denial-of-Service (DDoS) attack occurs when multiple systems are used to overwhelm the available bandwidth or resources of an application, service, or other targeted system. This overloading can cause the target to offer a severely degraded service, or even to fail completely. While traditional DDoS focused on high volumes of packets that simply flood the network, today's attacks use newer, more sophisticated techniques, often employing multiple attack vectors at the same time in order to evade traditional DDoS protection. Such attacks typically result in costly downtime, lost revenue, and reputation damage for organizations that rely on the Internet to do business.

What are Volumetric Attacks?
Volumetric DDoS attacks, also referred to as network floods or "flooding", are a common type of DDoS attack. They occur when a network is overwhelmed by a large amount of attack traffic, causing the applications or services that rely on it to become inaccessible to legitimate users.

What are State-Exhaustion Attacks?
State-exhaustion attacks consume the TCP connection state tables present in many network infrastructure and security devices, including routers, firewalls, intrusion prevention systems and load balancers, as well as in the application servers themselves. These attacks, which are also commonplace, can block access for legitimate users or render security devices inoperative, sometimes even leaving defences wide open to data exfiltration.

What are Application-Layer DDoS Attacks?
Application-layer DDoS, often called "Layer 7 DDoS", is much less common than volumetric and state-exhaustion attacks and does not typically involve high volumes of packets. Once the initial connection to the application is established, the attacker makes repeated requests, progressively consuming resources until they are entirely depleted, rendering the application incapable of responding to legitimate user requests. Application-layer DDoS attacks require a different approach to detection and mitigation because the requests appear legitimate, do not consume excessive bandwidth and are typically hidden inside HTTPS-encrypted packets.

Why Doesn't My Firewall Stop DDoS Attacks?
Modern firewalls are stateful by design: they need to remember established connections in order to control which applications and services may be used. Attackers know this and deliberately misuse the allowed services, compromising the firewall and/or its performance, as well as the downstream applications.

Why Doesn't My Firewall's Anti-DDoS Capability Protect Me?
Even firewalls that claim to have built-in anti-DDoS capabilities realistically offer only a limited ability to block attacks, typically through basic thresholds. When the threshold is reached, every application and every user on that port gets blocked, causing an outage. Attackers know this is an effective way to block legitimate users along with the attack, achieving their end goal of denying service.

Why are Signature-Based Strategies Not Working Anymore?
Signature-based strategies detect known threats. They use pattern-matching techniques similar to those of anti-virus products, but have no ability to block new attacks, because those attacks have no signature—and attackers know this. By simply manipulating a few characters in a header or payload, an attack can pass straight through solutions that rely solely on signature-based technology. Corero's SmartWall Threat Defense System uses protocol behavioral analysis techniques as well as signature matching to protect against unknown attacks before they hit the network.

Why Do I Need On-Premise Defense if I Already Use a Cloud Service?
Cloud DDoS protection services are typically on-demand solutions. They activate only when they are needed, either automatically via remote monitoring or manually via a portal or a phone call. Either way, an attack will hit your network until the service is activated. Even with automatic activation, it typically takes minutes, or even tens of minutes, before the attack is blocked, by which time much of the damage is already done. On-premise DDoS defense offers immediate protection from all attacks and only needs to revert to the cloud service if the Internet connection itself is in danger of filling up. This means your services are never impacted by an attack, even in those first minutes, and the number of times you need the cloud service can be significantly reduced, saving significant cost.
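As an added example (not Corero's code, and not a description of how SmartWall works), the simulation below models the port-wide threshold behaviour from the firewall anti-DDoS answer above against a constructed stream of SYNs, and contrasts it with a per-source behavioural check of the kind the signature answer alludes to. The addresses, limits and event counts are all constructed for the illustration.

```python
"""Added example, not Corero's code: a constructed simulation of a TCP
state-exhaustion flood against port 443, contrasting a firewall-style
port-wide threshold with a per-source behavioural check."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Syn:
    src: str
    dport: int
    completed: bool  # True when the client finishes the three-way handshake

def constructed_events(n_attack=500, legit_every=25):
    """Constructed sample: 500 half-open SYNs rotating through 250 addresses
    in TEST-NET-3, with one legitimate TEST-NET-2 client every 25 packets."""
    events = []
    for i in range(n_attack):
        events.append(Syn(f"203.0.113.{i % 250}", 443, completed=False))
        if i % legit_every == legit_every - 1:
            events.append(Syn(f"198.51.100.{i // legit_every}", 443, completed=True))
    return events

def port_threshold(events, limit=100):
    """Port-wide threshold: once half-open connections to a port reach
    `limit`, every further connection to that port is dropped."""
    half_open = Counter()
    served = []
    for ev in events:
        if half_open[ev.dport] >= limit:
            continue  # the whole port is dark, for attacker and customer alike
        if ev.completed:
            served.append(ev.src)
        else:
            half_open[ev.dport] += 1
    return served

def per_source_behaviour(events, limit=1):
    """Behavioural check: a source that leaves more than `limit` handshakes
    unfinished is blocked on its own; everyone else keeps being served."""
    half_open = Counter()
    blocked = set()
    served = []
    for ev in events:
        if ev.src in blocked:
            continue
        if ev.completed:
            served.append(ev.src)
            half_open[ev.src] = 0  # a finished handshake clears suspicion
        else:
            half_open[ev.src] += 1
            if half_open[ev.src] > limit:
                blocked.add(ev.src)
    return served, blocked
```

On the constructed stream, the port-wide threshold serves only 3 of the 20 legitimate clients before the port goes dark, while the per-source check serves all 20 and blocks exactly the 250 attacking sources.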