In the past five years, we have watched a rapid evolution in both the sophistication and the scale of DDoS attacks. Long gone are the days of the traditional Denial of Service (DoS) attack. Now, threat actors use massive IoT botnets to enslave millions of devices into global-scale DDoS attacks. They confuse defenses by launching short multi-vector attacks in bursts, they multiply the impact of their attacks by using TLS/SSL, and they even destroy systems with Permanent Denial of Service (PDoS) attacks.
These changes force both security vendors and service providers to think differently about how they clean and scrub traffic. For starters, the volume of traffic that Radware processes has grown exponentially. This requires us to expand our scope and scale of scrubbing capabilities. However, capacity alone is not enough. We had to rethink how to approach DDoS protection for modern applications against sophisticated as well as high volume attacks.
From a traffic-based view to an application-based view
Radware’s DDoS scrubbing network has expanded rapidly, from six global scrubbing centers to nine scrubbing centers worldwide, with locations in Seoul, Johannesburg, and Sydney. In addition, we expanded our mitigation capacity to 3.5 Tbps and to 6+ billion packets per second (PPS), to make sure we stay ahead of the game in the event of large-scale attacks.
This represents a significant shift from looking at DDoS protection through an outdated lens of traffic – which only counts how many Tbps it can handle – to an application view, which is not only better suited for how modern web applications are built, but also provides better DDoS protection.
Tbps don’t matter, PPS do
Well, Tbps do matter. But not as much as you’d think.
Traditionally, the way to look at DDoS protection was to count gigabits per second (Gbps) and terabits per second (Tbps) of traffic. This has led some DDoS protection vendors to make increasingly outsized claims about protection capacity.
However, there are two problems with this approach:
One problem is that this capacity is largely superfluous. Although large DDoS attacks make for scary headlines and page clicks, in practice, the vast majority of DDoS attacks are much smaller. According to Radware’s 2017 ERT Report, 79% of DDoS attacks are smaller than 1 Gbps, and only 4% of attacks are larger than 50 Gbps.
The largest DDoS attack recorded to date – the Mirai botnet attack against Dyn – reached a reported peak of 1.2 Tbps. Most leading DDoS protection vendors have far more mitigation capacity than even the largest DDoS attacks ever recorded, and even smaller DDoS vendors can usually absorb such large attacks, let alone smaller ones.
The other problem with a traffic-based approach to DDoS protection is that attack size, by itself, tells you very little about the nature of the attack. Large DDoS attacks tend to be simple volumetric floods of network-layer protocols such as TCP and UDP. However, a much smaller application-level attack such as an HTTP flood can do more damage than a larger UDP flood.
Therefore, when evaluating DDoS attacks, a more useful factor is the rate of packets per second (PPS). The higher the packet rate, the more severe the attack. This is particularly true of a new generation of emergent DDoS attacks such as SSL-based DDoS attacks, Low-&-Slow attacks, DNS-based attacks and IoT-based botnet attacks, which can use a large number of concurrent connections to overwhelm applications.
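The reason PPS separates attacks that a bandwidth figure lumps together is that, at a fixed bit rate, small packets mean far more packets to inspect and far more per-packet work for every device in the path. The following is an added example, not Radware's code or tooling: it summarizes constructed NetFlow-style records into both bps and pps, ranks the "attacks" by each metric, and applies a simple defender-side triage rule. The record labels, packet sizes and thresholds are all assumptions chosen to illustrate the point.

```python
"""Compare bits-per-second and packets-per-second as DDoS severity metrics.

Added example (not vendor code). The flow records below are constructed,
one-second samples, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass

BITS_PER_BYTE = 8


def pps_for_rate(bits_per_second: int, packet_bytes: int) -> int:
    """Packets per second that a given link rate carries at a fixed packet size.

    1 Gbps of 64-byte packets is ~1.95 million pps; the same 1 Gbps of
    1500-byte packets is only ~83 thousand pps.
    """
    return bits_per_second // (packet_bytes * BITS_PER_BYTE)


@dataclass(frozen=True)
class FlowRecord:
    """One NetFlow-style record; `label` is a constructed tag for readability."""
    label: str
    packets: int
    octets: int          # IP-layer bytes
    duration_s: float


# Constructed samples (assumption): a UDP reflection flood with large
# packets, a TCP SYN flood with tiny packets carrying fewer bits overall,
# and ordinary web traffic as a baseline.
SAMPLE = [
    FlowRecord("udp-reflection", packets=90_000, octets=90_000 * 1_400, duration_s=1.0),
    FlowRecord("tcp-syn-flood", packets=2_000_000, octets=2_000_000 * 40, duration_s=1.0),
    FlowRecord("baseline-web", packets=20_000, octets=20_000 * 800, duration_s=1.0),
]


def summarize(records):
    """Aggregate records per label into pps, bps and mean packet size."""
    totals = defaultdict(lambda: [0, 0, 0.0])   # packets, octets, seconds
    for r in records:
        t = totals[r.label]
        t[0] += r.packets
        t[1] += r.octets
        t[2] += r.duration_s
    summary = {}
    for label, (pkts, octs, dur) in totals.items():
        summary[label] = {
            "pps": int(pkts / dur),
            "bps": int(octs * BITS_PER_BYTE / dur),
            "avg_packet_bytes": octs / pkts,
        }
    return summary


def rank(summary, metric):
    """Labels ordered from most to least severe under the chosen metric."""
    return sorted(summary, key=lambda k: summary[k][metric], reverse=True)


def classify(stats, pps_threshold=500_000, bps_threshold=500_000_000):
    """Defender-side triage; the thresholds are assumptions, not vendor values."""
    high_pps = stats["pps"] >= pps_threshold
    high_bps = stats["bps"] >= bps_threshold
    if high_pps and stats["avg_packet_bytes"] < 100:
        # Small packets at a high rate: per-packet processing is the bottleneck.
        return "packet-rate flood"
    if high_bps:
        # Large packets: raw link capacity is the bottleneck.
        return "volumetric flood"
    return "normal"


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for label in rank(s, "pps"):
        print(f"{label:16s} {s[label]['bps'] / 1e9:6.3f} Gbps "
              f"{s[label]['pps']:>9d} pps  -> {classify(s[label])}")
```

Ranked by bps, the UDP reflection flood (about 1.0 Gbps) looks like the bigger attack; ranked by pps, the SYN flood at roughly 0.64 Gbps is more than twenty times as demanding, which is the ordering a mitigation device actually experiences.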
Rise of SSL
As more and more web traffic is encrypted, SSL-based DDoS attacks are becoming increasingly frequent and more harmful. SSL DDoS attacks are particularly potent because they demand large amounts of computing resources from target servers. A single SSL request can require up to 15 times more resources from the target server than from the computer that sends it. Radware’s scrubbing centers are fully integrated with our DefenseSSL technology, to provide cloud-based SSL DDoS protection without requiring users to provide full SSL keys, and without adding latency in peacetime.
This is a crucial benefit to many customers, as it simplifies SSL key management, preserves user confidentiality, satisfies regulatory requirements, and does not impede application performance.