Rethinking the Scrubbing Center


In the past five years, we have watched a rapid evolution in both sophistication and scale of DDoS attacks.  Long gone are the days of the traditional Denial of Service (DoS) attack.  Now, threat actors use massive IoT botnets to enslave millions of devices into global scale DDoS attacks.  They confuse defenses by launching short multi-vector attacks in bursts, they multiply the force impact of their attacks by using TLS/SSL, and even destroy systems with Permanent Denial of Service (PDoS) attacks.

These changes force both security vendors and service providers to think differently about how they clean and scrub traffic.  For starters, the volume of traffic that Radware processes has grown exponentially. This requires us to expand our scope and scale of scrubbing capabilities.  However, capacity alone is not enough.  We had to rethink how to approach DDoS protection for modern applications against sophisticated as well as high volume attacks.

From a traffic-based view to an application-based view

Radware’s DDoS scrubbing network has seen its network rapidly expand, from six global scrubbing centers to nine scrubbing centers worldwide, with locations in Seoul, Johannesburg, and Sydney. In addition, we expanded our mitigation capacity to 3.5 Tbps and to 6+ billion packets per second (PPS) of network connections, to make sure we stay ahead of the game in the event of large-scale attacks.

[You might also like: Has Cyber Security Reached Its Limits?]

The biggest change in our new approach was to stop thinking about protecting traffic and start thinking about how we protect applications. Modern web applications (and modern DevOps teams) don’t think about how much traffic they generate; rather, they think about their applications in terms of users, requests, and concurrent connections, as well as how to handle new standards of encrypted SSL / TLS traffic.

This represents a significant shift from looking at DDoS protection through an outdated lens of traffic – which only counts how many Tbps it can handle – to an application view, which is not only better suited for how modern web applications are built, but also provides better DDoS protection.

Tbps don’t matter, PPS do

Well, Tbps do matter. But not as much as you’d think.

Traditionally, the way to look at DDoS protection was to count gigabits (Gbps) and Terabits (Tbps) of traffic. This has led some DDoS protection vendors to make increasingly outsized claims about protection capacity.

However, there are two problems with this approach:

One problem is that this capacity is largely superfluous. Although large DDoS attacks make for scary headlines and page clicks, in practice, the vast majority of DDoS attacks are much smaller. According to Radware’s 2017 ERT Report, 79% of DDoS attacks are smaller than 1 Gbps, and only 4% of attacks are larger than 50 Gbps.

The largest DDoS attack recorded to date – the Mirai botnet attack against Dyn – reached a reported peak of 1.2 Tbps. Most leading DDoS protection vendors have far more mitigation capacity than even the largest DDoS attacks ever recorded, and even smaller DDoS vendors can usually absorb such large attacks, let alone smaller ones.

[You might also like: 5 Questions to Ask About DDoS Pricing]

The other problem with a traffic-based approach to DDoS protection is that attack size, by itself, tells you very little about the nature of the attack itself. Large DDoS attacks tend to be simple volumetric floods of network-layer protocols such as TCP and UDP. However, a much smaller application-level attack such as HTTP flood can do more damage than a larger UDP flood.

Therefore, when evaluating DDoS attacks, a more useful factor is the rate of packets-per-second (PPS). The higher the rate of packets, the more severe the attack. This is particularly true with a new generation of emergent DDoS attacks such as SSL-based DDoS attacks, Low-&-Slow attacks, DNS-based attacks and IoT-based botnet attacks, which can make use of large number of concurrent connections to overwhelm applications.

Rise of SSL

As more and more web traffic is encrypted, SSL-based DDoS attacks are becoming increasingly more frequent and more harmful. SSL DDoS attacks are particularly potent because they demand large amounts of computing resources from target servers. A single SSL request can require up to x15 more resources from the target server than from the origin computer. Radware’s scrubbing centers are fully integrated with our DefenseSSL technology, to provide cloud-based SSL DDoS protection, without requiring users to provide full SSL keys, and without adding latency in peacetime.

This a crucial benefit to many customers, as it simplifies SSL key management, preserves user confidentiality and regulatory requirements, and does not impede application performance.

Download “One Scrubbing Center to Rule Them All” to learn more.

Download Now

Previous articleMarrying the Business Need With Technology, Part 3: Re-aggregating the Tools
Next articleOrchestrating Flows for Cyber
Eyal is a Product Marketing Manager in Radware’s security group, responsible for the company’s line of cloud security products, including Cloud WAF, Cloud DDoS, and Cloud Workload Protection Service. Eyal has extensive background in security, having served in the Israel Defense Force (IDF) at an elite technological unit. Prior to joining Radware, Eyal worked in Product Management and Marketing roles at a number of companies in the enterprise computing and security space, both on the small scale startup side, as well as large-scale corporate end, affording him a wide view of the industry. Eyal holds a BA in Management from the Interdisciplinary Center (IDC) Herzliya and a MBA from the UCLA Anderson School of Management.


Please enter your comment!
Please enter your name here