Detecting and Mitigating HTTPS Floods…Without Decryption Keys


What is an HTTPS flood attack? Why is everybody talking about it these days? And is it really such a big threat?

HTTPS flood is a generic name for DDoS attacks that exploit the SSL/TLS protocols used to secure HTTP communications. Lately, we’ve been hearing much about this specific type of DDoS attack and other SSL/TLS attack vectors; according to our 2018-2019 Global Application & Network Security report, encrypted web attacks were the most commonly reported form of application layer attack in 2018.

As for the last question, there is a simple answer: YES.

The Benefits of Encryption

We all know that encryption is being used almost everywhere today, with more than 70% of the web pages worldwide loaded over HTTPS. Encryption lets us enjoy many benefits while being connected: We can securely send our private credentials to our bank, shop easily on Amazon without worrying whether our credit card details will be intercepted, and we can text safely and transfer files with peace of mind.


Basically, by using encryption, or SSL/TLS in more technical jargon, we enjoy authenticity (meaning, knowing the source of traffic), integrity (meaning, knowing that no one tampered with the data between the two endpoints), and of course, confidentiality (encryption turns data into ciphertext using symmetric and asymmetric key exchanges).

It sounds so good, shut up and take my money!

A Fly in the Ointment

Indeed, data encryption gives us tremendous power over data transfer, but there is a fly in the ointment. All of these incredible capabilities require many system resources, and thus attract hackers and cyber criminals who wish to wreak havoc.

On the destination side, typically an organization’s server, an SSL/TLS connection requires even greater amounts of allocated resources: 15 times more than on the requesting host, to be exact.


In other words, if a group knows how to manipulate the protocols and the vulnerabilities inherent in them, they can cause significant damage by running powerful encrypted DDoS attacks.

Now, there is only one option for organizations that wish to protect against HTTPS DDoS attacks: They must protect their network and infrastructure with dedicated, sophisticated devices that can detect and mitigate HTTPS DDoS attacks.

An Evolving Solution

Traditional protection devices require a copy of the SSL certificates (or keys) in order to decrypt the packets that are being transmitted through the device. However, while doing so, they damage user privacy (especially in the era of GDPR and other worldwide privacy regulations) and add latency. And needless to say, if not handled properly, the process can create additional security risks. What’s more, traditional devices are stateful and thus themselves vulnerable to DDoS attacks.

For service providers and carriers, whose security policies prevent them from holding their network tenants’ decryption keys, this is problematic. Without their network tenants’ keys, traditional off-the-shelf solutions are ineffective.


So, how can service providers properly protect their tenants from cyber attacks?

Keyless protection against HTTPS flood attacks based on stateless architecture is ideal for service providers and carriers. Such a solution not only eliminates operational complexity that comes with managing decryption keys, but protects against SSL-based HTTP DDoS attacks at scale without adding latency or compromising user privacy.
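
The page does not describe how keyless detection is implemented; the following added example (not Radware's code) illustrates one signal that is observable without decryption keys: the TLS record header and handshake type travel in cleartext, so new handshakes per source can be counted and rate-checked. The threshold, window, function and class names, and the constructed sample traffic are all assumptions.

```python
import struct
from collections import defaultdict, deque

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello

def is_client_hello(payload: bytes) -> bool:
    """True if a TCP payload starts with a plaintext TLS ClientHello record."""
    if len(payload) < 6:
        return False
    ctype, major, _minor, rec_len = struct.unpack("!BBBH", payload[:5])
    # Record header and handshake type are sent in the clear, before keys exist.
    return (ctype == TLS_HANDSHAKE and major == 3
            and 0 < rec_len <= 16384 and payload[5] == CLIENT_HELLO)

class HandshakeRateMonitor:
    """Flags sources that start TLS handshakes faster than a threshold."""
    def __init__(self, max_hellos: int, window_s: float):
        self.max_hellos = max_hellos
        self.window_s = window_s
        self.seen = defaultdict(deque)   # source IP -> ClientHello timestamps

    def observe(self, src: str, ts: float, payload: bytes) -> bool:
        if not is_client_hello(payload):
            return False                 # encrypted records are never inspected
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()                  # drop handshakes outside the window
        return len(q) > self.max_hellos

def make_record(ctype: int, body: bytes) -> bytes:
    """Build a constructed TLS record (sample data only)."""
    return struct.pack("!BBBH", ctype, 3, 1, len(body)) + body

def flagged_sources(events, max_hellos=5, window_s=1.0):
    mon = HandshakeRateMonitor(max_hellos, window_s)
    return sorted({src for src, ts, p in events if mon.observe(src, ts, p)})

# Constructed sample traffic: documentation-range IPs, dummy record bodies.
HELLO = make_record(TLS_HANDSHAKE, bytes([CLIENT_HELLO]) + b"\x00" * 40)
APPDATA = make_record(0x17, b"\x00" * 64)   # encrypted application data
SAMPLE = ([("198.51.100.7", i * 0.05, HELLO) for i in range(20)]
          + [("203.0.113.9", i * 0.5, HELLO) for i in range(4)]
          + [("203.0.113.9", 2.0 + i * 0.01, APPDATA) for i in range(50)])

if __name__ == "__main__":
    print(flagged_sources(SAMPLE))
```

The monitor keeps only per-source timestamps, not per-connection TLS state, and never touches record bodies.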


Eden Amitai

Eden Amitai is a product marketing manager in Radware's security team. In his role, Eden is in charge of the company's line of DefensePro and DefenseFlow, Radware's on-prem DDoS Attack Mitigation Solutions. Eden works closely with Radware's white-hackers and cyber-experts to answer the needs of organizations and service providers in today's cyber-threat landscape. Eden has a diverse range of experience from both large enterprises and small firms, and deep knowledge in the cyber-security space. Before joining Radware, Eden spent a couple of years as the CMO of ACC, an Israeli startup. Prior to that, Eden worked at Intel's CHD product marketing department and as a product marketing manager at Xpandion, a cyber-security firm. Eden served in the IDF at an elite intelligence unit, and he holds a B.Sc. in Computer Science from the Interdisciplinary Center (IDC) Herzliya.
