DDoS Mitigation Technology

About DDoS Attacks


DDoS mitigation

The anatomy of a modern DDoS attack Distributed denial of service (DDoS) attacks vary from regular denial of service (DoS) attacks due mainly to the extra "D," which stands for "distributed." Typically, a DDoS attack is launched from many machines which are generally PC's that have been infected with a virus or trojan allowing them to be controlled by a "bot herder," who gathers the infected machines into a single collective. An attacker can then issue commands to the collective, transparently ordering the machines to attack a specific target. The following diagram helps illustrate this concept: In most cases, the target goes offline instantly and is not restored until the attack ceases or the victim purchases a sometimes costly DDoS mitigation solution. To add insult to injury, the vast majority of DDoS mitigation solutions range from ineffective to somewhat effective, despite costing thousands of dollars for even a small amount of protection.

The distributed denial of service (DDoS) intelligence gap

The major problem with DDoS attacks does not exist entirely within the attacks themselves; rather it is the lack of intelligence within the information systems security community.

Every day the media reports on DDoS attacks, outlines trends, creates infographics, and touts the latest in protection technologies. At the time of this writing there were about 1970 articles written or syndicated in the past week on these very topics. You see, the actual problem is that the vast majority of DDoS mitigation intelligence was created by, or derived from, vendors of DDoS mitigation solutions.

In essence, there is very limited independently verifiable data available concerning the actual size and frequency of DDoS attacks. Even the most respected journalists and security experts are forced to rely on hearsay or potentially biased reports, whitepapers, and presentations. As a result, much of what is known about DDoS today has been implanted by biased security experts vs. independent research.

The importance of Layer 7 heuristics

Generally speaking, DDoS mitigation techniques can be viewed as either signature or heuristic based. With a signature based approach attacks are automatically dropped by a purpose built packet filter when an attack is identified using its unique fingerprint, similar to how viruses are detected on PC's using virus definition files. Despite being the most common method of DDoS mitigation, this has inherent flaws when relied upon exclusively. "Zero day" attacks, those which are previously unknown, strike frequently and will bypass a signature based appliance until the signature has been updated.

Vlan24 relies on a predominately heuristic based approach. Using technologies like network behavior analysis (NBA), and Human Behavior Analysis (HBA), we are able to build profiles of legitimate behavior and detect and mitigate deviations from known legitimate behavior in real time. This approach allows us to instantly mitigate even zero day attacks without having any prior knowledge of its behavior.

There is a common misconception that a hardware firewall, such as a Cisco ASA or Juniper SRX, can mitigate DDoS attacks. While these devices do have anti-DDoS features and can be used as part of a DDoS mitigation strategy, they will fail if relied upon exclusively. The main issue is stateful inspection and the lack of intelligent mitigation. Firewalls cannot intelligent detect and mitigate an attack if it does not match a predefined policy. When the firewall becomes saturated, sometimes with even a small amount of traffic, its session table will hit its maximum capacity with new sessions attempting to spawn substantially faster than the expiration rate of the older sessions.

One problem that cannot be easily mitigated with a DDoS mitigation appliance is known as a Layer 7 attack, referring to the application layer of the OSI model. This is where HBA becomes a critical component to Vlan24 mitigation strategy. HBA is similar to NBA as it is a technology capable of learning appropriate behavior and identifying malicious behavior within its own intelligence. The key difference is that HBA is an exclusively Layer 7 technology, the only one of its kind to be able to anticipate the behavior of a real human and proactively block malicious requests without the need to associate them with a larger DDoS attack.


The Vlan24 DDoS Mitigation Technology


Behavior analysis techniques in DDoS mitigation

There are 2 major schools of thought in the practice of DDoS mitigation: Signature vs. heuristic based filtering. Signature based filtering is the most common method, detecting attacks based on each attack's predetermined "fingerprint," and effectively blocking the attack based on this day. While highly efficient, this prevents real time mitigation of "zero day" (brand new) attacks.

Network Behavior Analysis (NBA), one primary method used by Vlan24, images known valid traffic patterns and performs analysis against traffic that does not match the expected behavior. When traffic is abnormal, the NBA systems must make the determination whether the abnormality was organic in nature or the result of a DDoS attack. When it is determined that the spike could not have occurred as the result of organic changes in traffic patterns, the traffic is temporarily blocked.

Human Behavior Analysis (HBA) uses similar concepts applied to Layer 7 traffic. When a Layer 7 request is received by a Vlan24 proxy system, either deployed as a remote proxy or a local web application firewall (WAF), it is inspected to determine whether the request originated from an actual human. The Vlan24 systems maintain intelligence on the expected request patterns and are able to block requests that do not match the expected behavior. Using this logic, even a single malicious request can be identified as a member of a botnet. This information is then used to augment NBA methods and form a more effective DDoS mitigation system.
DDoS mitigation
The Vlan24 DDoS Mitigation Level of Service


Standard DDoS Protection

Every Vlan24 customer can sign up for our standard DDoS Protection for additional cost. Bundling DDoS protection as a standard benefit assures the defense of our customers while eliminating the need to purchase additional third party protection.
  • Protection against all known attacks, with plans up to 10 Gbps and up to 6,000,000 packets per second
  • Heuristic based DDoS protection, enabling complete defense against all known and "zero day" threats
  • 99.9% SLA
  • Standard 24/7/365 ticket or telephone support

Mitigation Critical DDoS Protection

Customers requiring the highest level of availability assurance through multi-10G DDoS protection and VIP level technical support should consider upgrading to the Mitigation Critical DDoS Protection level. When uptime is critical and service requests must be handled with the highest possible priority, Mitigation Critical ensures that you're provided the white glove treatment that your needs dictate.
  • Multi-10G as needed to rapidly scale with dynamic customer requirements, enabling complete protection against any and all DDoS attacks
  • Heuristic based DDoS protection, enabling complete defense against all known and "zero day" threats
  • 99.99% Proactive SLA, guaranteeing the highest level of availability assurance, within the subscribed specification
  • VIP Priority Support; receive immediate Tier 2/3 escalation on every call or ticket
  • Dedicated account executive

Real-time DDoS Attacks (Source: Norse Dark Intelligence)

Get A Quote

We would like to offer you a solution to all of your hosting and eBusiness needs.
We are here to meet the growing needs of your business.
If you have questions about our services, inquiries about our company, or would like to request a customized quote please contact us.
Vlan24 Office 1.213.228.3338
Vlan24 Email sales@vlan24.com
Vlan24 Skype vlan24@vlan24.com
Contact Us
About Us Resources