MazeBolt Technologies , profile picture
Uploaded byMazeBolt Technologies
116 views

DDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBolt

The document is a comprehensive guide on DDoS mitigation strategies, outlining the components and approaches, including cloud-based, on-premises, and hybrid solutions. It details various network devices critical for DDoS protection, such as scrubbing centers, CDNs, firewalls, and WAFs, highlighting their strengths and limitations. Additionally, it emphasizes the importance of properly configuring and stress-testing these systems to effectively safeguard against DDoS attacks.

Embed presentation

Download to read offline
WHITEPAPER www.mazebolt.com A Simple Guide to DDoS Mitigation
3 EXECUTIVE SUMMARY 3 COMPONENTS OF A DDoS MITIGATION SYSTEM 4 APPROACHES TO MITIGATION ACTIVITY 4 Cloud-Based Solutions 4 Scrubbing Center 5 Content Delivery Network (CDN) 6 On-Prem. Based Solutions 6 Vendor Appliances (Customer Premises Equipment - CPE) 7 Intrusion Prevention Systems (IPS) 8 Web Application Firewalls (WAFs) 9 Load Balancer 10 Firewall 11 CONCLUSION 12 RESOURCES 3 Figure 1: Illustration of a Typical Hybrid DDoS Mitigation Posture 4 Figure 2: Illustration of a Cloud Scrubbing Service 5 Figure 3: Illustration of a Content Distribution Network (CDN) 6 Figure 4: Illustration of Dedicated On-Prem DDoS Mitigation Equipment 7 Figure 5: Illustration of an Intrusion Prevention System (IPS) 8 Figure 6: Illustration of a Web Application Firewall (WAF) 9 Figure 7: Illustration of a Load Balancer 10 Figure 8: Illustration of a Firewall TABLE OF CONTENTS TABLE OF FIGURES
EXECUTIVE SUMMARY Figure 1: Illustration of a Typical Hybrid DDoS Mitigation Posture The more complex the mitigation system, the more likely failure will be due to configuration issues as most enterprise IT organizations do not have the time or resources to ensure that every part of their DDoS Mitigation posture is updated, integrated, and running the right settings for their specific environment. This document reviews the most common network devices from the DDoS mitigation perspective to provide clarity regarding the role each element plays in mitigating DDoS attacks. COMPONENTS OF A DDoS MITIGATION SYSTEM There are generally three types of DDoS mitigation postures: Cloud based, On-Prem solutions, and Hybrid combinations of the two. | 03 External Environment / Web Internal Network Scrubbing Center Router Legend: Dedicated DDoS Device Partial DDoS Mitigation (WAF) Web Application Firewall Firewall (CPE) DDoS Mitigation Device Application Server Web Mail FTP DNS HTTP/S, DNS, SIP, FTP, SSH...
APPROACHES TO MITIGATION ACTIVITY Cloud-Based Solutions Scrubbing Center Most scrubbing centers are cloud-based. They are the first source of defense for most volumetric attacks, which send an enormous number of packets in an attempt to overwhelm network resources and saturate bandwidth. The reason they are used mostly against large volumetric attacks is because of their ability to scale and match even some of the largest floods exceeding 10Tbps. As data cleansers, they review traffic going through them and remove packets that don’t adhere to the rules and guidelines defined. Application Layer (Layer 7) traffic is encrypted, this means that the ability of a scrubbing service to effectively mitigate malicious Application Layer traffic is highly dependent on whether it has the relevant decryption keys – i.e. “SSL Visibility”. | 04 Figure 2: Illustration of a Cloud Scrubbing Service Internet / Web Internal Network Legend: Forced Route Scrubbing Center (BGP) Router Firewall Application Server Web Mail Deployment Location Cloud-Based Functional Role Scalable Data Cleanser DDoS Mitigation Capabilities Layer 3 & 4 – Strong Layer 7 – Conditional on SSL Visibility
Content Delivery Network (CDN) Content Delivery Networks (CDNs) use the DNS (Domain Name System) protocol to route traffic through the CDN provider’s system. CDNs are used to improve customers’ access to website content. CDNs cache some of the site’s resources, and only forward requests it cannot handle, that is, only Layer 7 traffic. Incidentally, that means that Layers 3 and 4 traffic is never forwarded by a CDN to the organization’s IT infrastructure, thus protecting it against volumetric attacks. CDNs will only protect organizations against attacks that use the DNS names as their target. A CDN can only be a part of a bigger DDoS mitigation scheme. Usually, more advanced attackers can find and attack the source IP of the website directly, circumventing the CDN completely. Figure 3: Illustration of a Content Distribution Network (CDN) Internet / Web Internal Network Router Firewall Web Application Server CDN Server Africa CDN Server Europe CDN Server Asia CDN Server America Deployment Location Cloud-Based Functional Role Static Content Serving DDoS Mitigation Capabilities Good - Situational | 05
On-Prem. Based Solutions Vendor Appliances (Customer Premises Equipment - CPE) Vendor appliances contain a variety of proprietary technologies, but, at their core, they are all tuned to detect and stop DDoS attacks. DDoS CPE equipment is generally located at the very edge of the organization's network, after the router but before reaching the internal network infrastructure, E.g. Firewalls, Load Balancers etc. Many of the devices deliver in-depth traffic analysis, bandwidth monitoring, and anomaly reports, allowing for better network traffic planning and DDoS attack analysis. Post-attack forensics may provide lessons learned, so the systems can be better tuned for mitigation of future attacks. CPE equipment without a scrubbing center will not protect against large volumetric attacks, even if the CPE equipment is well configured. The CPE alone will not provide protection against internet pipe saturation. Figure 4: Illustration of Dedicated On-Prem DDoS Mitigation Equipment Internet / Web Internal Network Router Firewall (CPE) DDoS Mitigation Device Application Server Web Mail FTP Deployment Location On-Prem. Functional Role DDoS Mitigation and Protection DDoS Mitigation Capabilities Strong | 06
Intrusion Prevention Systems (IPS) These appliances specifically monitor suspicious activities within the network. They can be part of the router system, integrated into the firewall, serve as a back-up to a firewall, or sit deeper within the network infrastructure. They inspect and scan packets based on pre-existing rule sets, signatures, protocol status, or anomaly detection, creating alerts and/or blocking when any type of cyberattack is suspected. The underlying design is focused on blocking security breaches and is not set to stop a DDoS attack. These systems generally have some layer 3, 4 and 7 protection capabilities. Generally, most DDoS attacks cannot be mitigated using IPS systems and having to use an IPS system to block an attack most likely means the organization targeted is under a very advanced DDoS attack campaign in which CPE and or scrubbing center services are failing to mitigate Layer 7 attack traffic. Figure 5: Illustration of an Intrusion Prevention System (IPS) Deployment Location On-Prem. Functional Role Detecting and Stopping Cyber Attacks DDoS Mitigation Capabilities Poor | 07 Internet / Web Internal Network Router Firewall Users (IPS) Intrusion Prevention System Application Web Mail
Web Application Firewalls (WAFs) WAFs perform multiple functions – intrusion detection, DDoS attack detection and prevention. They analyze application traffic, distinguish potential risks from legitimate usage, control access to applications and services by applying a set of rules to the incoming HTTP traffic. They perform deep-packet inspections by locating, identifying, classifying, rerouting and/or blocking packets with specific data or code payloads. Legitimate user traffic will be allowed through, while suspicious traffic will be routed elsewhere for further inspection or simply blocked. The web application firewall can be customized to your applications. For example, protecting from certain attacks against functionality – they generally protect against layer 7 attacks, which directly affect applications. The inspection process does increase latency and affects the user experience, so efficiency is key. The WAF can also be cloud-based via a service provider like AWS. Apparently, it does not protect against volumetric attacks on layers 3 and 4 that target network availability. WAFs depend on white-listing and black-listing, which means they must be updated continuously. Figure 6: Illustration of a Web Application Firewall (WAF) Internet / Web Internal Network Router Firewall WAF Application Web Mail Deployment Location On-Prem./Cloud-based Functional Role Protection against Layer 7 Application Attacks DDoS Mitigation Capabilities Mild | 08
Load Balancer A Load Balancer receives traffic from many clients and distributes that traffic evenly between multiple application servers of the same type. It acts as a man-in-the-middle. Clients connect to it on one end, and the load balancer creates a connection to one of the application servers on behalf of the client. In this way, the load balancer has to keep track of every connection's state, i.e. the load balancer is a stateful device. Like many other stateful devices, the load balancer is vulnerable to state-table saturation attacks e.g. HTTP attacks and a SYN flood. A Load Balancer can help offset DDoS Attacks by distributing the malicious traffic between the application servers. Unfortunately, without a robust DDoS mitigation component upstream to filter out most of the attack traffic, the load balancer will not be enough to stop your site from being overwhelmed. Figure 7: Illustration of a Load Balancer Deployment Location On-Prem. Functional Role Distributing Incoming Traffic DDoS Mitigation Capabilities Poor | 09 Internet / Web Internal Network Router Load Balancer Application Application Application Application Application
Firewall The Firewall guards the entrance to your internal network, preventing certain types of packets or requests from reaching your servers. It does so using rules defined at the setup time, and filters according to the allowed packet types and the connection states. A Firewall keeps a record of the state of every connection opened between external clients and the internal servers and uses those records to filter out any packet that is out-of-state. Seemingly, that qualifies the Firewall as a stateful device. Like many other stateful devices, the Firewall is vulnerable to state-table saturation attacks e.g. HTTP attacks and a SYN flood. A Firewall can filter the packets that are part of a DDoS attack but is usually not optimized for the number of incoming packets that a DDoS entails. It will become overloaded very quickly and will go into a fail-open or fail-closed state, both of which are sure to cause downtime. Figure 8: Illustration of a Firewall Internet / Web Internal Network Router Firewall Application Server Web Mail Deployment Location On-Prem. Functional Role Rule-Based Traffic Filtering DDoS Mitigation Capabilities Mild | 10
CONCLUSION Choosing the right combination of mitigation devices requires an understanding of how each devices’ capabilities match your environment's needs together with an objective look at the corporate requirements – risk, available resources, budget, personnel, existing network infrastructure. No matter how the technology is mixed and matched, it needs to be stress-tested to ensure that it works when DDoS attacks strike. RADAR™, MazeBolt’s new patented technology solution is part of the MazeBolt security platform. RADAR™ simulates DDoS attacks continuously and non-disruptively. Delivering advanced intelligence through straightforward reports on how to remediate the detected DDoS vulnerabilities found. With RADAR™ organizations can achieve, maintain, and verify the continuous closing of their DDoS vulnerability gaps. Reducing and maintaining the vulnerability level of a damaging DDoS attack from an average of 48% to under 2% ongoing. | 11
| 12 RESOURCES About MazeBolt MazeBolt is an innovation leader in cybersecurity and part of the DDoS mitigation space. Offering full DDoS risk detection and elimination and working with any mitigation system to provide end to end full coverage. Supporting organizations in avoiding downtime and closing DDoS vulnerabilities before an attack happens. 1. https://en.wikipedia.org/wiki/Application_firewall 2.https://www.techwalla.com/articles/what-are-the-advantages-and-disadvantages -of-using-a-firewall 3. https://searchnetworking.techtarget.com/definition/deep-packet-inspection-DPI 4. https://arxiv.org/pdf/1710.08628.pdf 5. http://www.ijiss.org/ijiss/index.php/ijiss2/article/view/248/pdf_561 6. https://www.sans.org/reading-room/whitepapers/intrusion/summary-dos-ddos- prevention-monitoring-mitigation-techniques-service-provider-environment-1212 7. http://www.infosecurityeurope.com/__novadocuments/22581 8. https://en.wikipedia.org/wiki/Data_monitoring_switch

More Related Content

PDF
DDoS Defenses | DDoS Protection and Mitigation | MazeBolt
byMazeBolt Technologies
 
PDF
Why DDoS RADAR | MazeBolt Technologies
byMazeBolt Technologies
 
PDF
Cost of DDoS Attacks | DDoS Attacks Cost | MazeBolt Technologies
byMazeBolt Technologies
 
PDF
Automatic DDoS Attack Simulator | MazeBolt Technologies
byMazeBolt Technologies
 
PDF
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
byMazeBolt Technologies
 
PDF
Common Types of DDoS Attacks | MazeBolt Technologies
byMazeBolt Technologies
 
PDF
DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...
byMazeBolt Technologies
 
PPTX
DDoS Explained
byThe Lorenzi Group
 
DDoS Defenses | DDoS Protection and Mitigation | MazeBolt
byMazeBolt Technologies
 
Why DDoS RADAR | MazeBolt Technologies
byMazeBolt Technologies
 
Cost of DDoS Attacks | DDoS Attacks Cost | MazeBolt Technologies
byMazeBolt Technologies
 
Automatic DDoS Attack Simulator | MazeBolt Technologies
byMazeBolt Technologies
 
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
byMazeBolt Technologies
 
Common Types of DDoS Attacks | MazeBolt Technologies
byMazeBolt Technologies
 
DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...
byMazeBolt Technologies
 
DDoS Explained
byThe Lorenzi Group
 

What's hot

PPTX
DDoS
byMilan Petrásek
 
PDF
The role of DDoS Providers
byNeil Hinton
 
PDF
DDoS Defense for the Hosting Provider - Protection for you and your customers
byStephanie Weagle
 
PDF
Cybersecurity breakfast tour 2013 (1)
byInfradata
 
PPTX
Presentation1 shweta
byswet4
 
DOCX
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...
byDeenuji Loganathan
 
PDF
Distil technical-white-paper
byDr. Augustine Fou - Independent Ad Fraud Researcher
 
PPTX
DDoS Mitigation - DefensePro - RADWARE
byDeivid Toledo
 
DOCX
Security Risk Assessment for Quality Web Design
byTing Yin
 
PDF
What You Need To Know About The New PCI Cloud Guidelines
byCloudPassage
 
PDF
Protecting against modern ddos threats
byPedro Espinosa
 
PDF
Radware Hybrid Cloud WAF Service
byRadware
 
PPTX
Attack Prevention Solution for RADWARE
byDeivid Toledo
 
PPTX
Radware Solutions for MSSPs
byRadware
 
PDF
Module 5-cloud computing-SECURITY IN THE CLOUD
bySweta Kumari Barnwal
 
PPT
ICRTITCS-2012 Conference Publication
byTejaswi Agarwal
 
PDF
DDoS Threat Landscape - Ron Winward CHINOG16
byRadware
 
PDF
Radware Hybrid Cloud Web Application Firewall and DDoS Protection
byAndy Ellis
 
PPTX
DSS ITSEC 2013 Conference 07.11.2013 -Radware - Protection against DDoS
byAndris Soroka
 
PDF
The_Forrester_Wave_DDoS_S 2015Q3.PDF
byDominik Suter
 
DDoS
byMilan Petrásek
 
The role of DDoS Providers
byNeil Hinton
 
DDoS Defense for the Hosting Provider - Protection for you and your customers
byStephanie Weagle
 
Cybersecurity breakfast tour 2013 (1)
byInfradata
 
Presentation1 shweta
byswet4
 
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...
byDeenuji Loganathan
 
Distil technical-white-paper
byDr. Augustine Fou - Independent Ad Fraud Researcher
 
DDoS Mitigation - DefensePro - RADWARE
byDeivid Toledo
 
Security Risk Assessment for Quality Web Design
byTing Yin
 
What You Need To Know About The New PCI Cloud Guidelines
byCloudPassage
 
Protecting against modern ddos threats
byPedro Espinosa
 
Radware Hybrid Cloud WAF Service
byRadware
 
Attack Prevention Solution for RADWARE
byDeivid Toledo
 
Radware Solutions for MSSPs
byRadware
 
Module 5-cloud computing-SECURITY IN THE CLOUD
bySweta Kumari Barnwal
 
ICRTITCS-2012 Conference Publication
byTejaswi Agarwal
 
DDoS Threat Landscape - Ron Winward CHINOG16
byRadware
 
Radware Hybrid Cloud Web Application Firewall and DDoS Protection
byAndy Ellis
 
DSS ITSEC 2013 Conference 07.11.2013 -Radware - Protection against DDoS
byAndris Soroka
 
The_Forrester_Wave_DDoS_S 2015Q3.PDF
byDominik Suter
 

Similar to DDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBolt

PDF
A10 issa d do s 5-2014
byRaleigh ISSA
 
PPTX
Service Provider Deployment of DDoS Mitigation
byCorero Network Security
 
PPTX
Denial of Service Threats: Analysis of DoS and DDoS Attacks with Mitigation T...
bysu92bssemf220701
 
PPTX
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
byCloudflare
 
PDF
DDoS mitigation EPIC FAIL collection - 32C3
byMoshe Zioni
 
PPTX
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
byCloudflare
 
PPTX
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
byAndris Soroka
 
PPTX
PLNOG 17 - Marek Karczewski - Mity i fakty skutecznej ochrony aplikacji inter...
byPROIDEA
 
PPTX
The Fundamentals of a. Firewalls Hardware.pptx
byJOAQUINENRILE
 
PDF
FS-ISAC 2014 Troubleshooting Network Threats: DDoS Attacks, DNS Poisoning and...
byThousandEyes
 
PDF
DDoS Mitigation Techniques for Your Enterprise IT Network
byHaltdos
 
PDF
F5 DDoS Protection
byMarketingArrowECS_CZ
 
PPT
Protecting your business from ddos attacks
bySaptha Wanniarachchi
 
PPTX
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
byPROIDEA
 
PPTX
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
byMarta Pacyga
 
PDF
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
byPROIDEA
 
PPTX
Multi-Layer DDoS Mitigation Strategies
byLogan Best
 
PDF
D do s_white_paper
byFrancisco Terrones Ramos
 
PDF
DDoS Attacks
byVitor Jesus
 
PDF
What You Should Know Before The Next DDoS Attack
byCloudflare
 
A10 issa d do s 5-2014
byRaleigh ISSA
 
Service Provider Deployment of DDoS Mitigation
byCorero Network Security
 
Denial of Service Threats: Analysis of DoS and DDoS Attacks with Mitigation T...
bysu92bssemf220701
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
byCloudflare
 
DDoS mitigation EPIC FAIL collection - 32C3
byMoshe Zioni
 
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
byCloudflare
 
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
byAndris Soroka
 
PLNOG 17 - Marek Karczewski - Mity i fakty skutecznej ochrony aplikacji inter...
byPROIDEA
 
The Fundamentals of a. Firewalls Hardware.pptx
byJOAQUINENRILE
 
FS-ISAC 2014 Troubleshooting Network Threats: DDoS Attacks, DNS Poisoning and...
byThousandEyes
 
DDoS Mitigation Techniques for Your Enterprise IT Network
byHaltdos
 
F5 DDoS Protection
byMarketingArrowECS_CZ
 
Protecting your business from ddos attacks
bySaptha Wanniarachchi
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
byPROIDEA
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
byMarta Pacyga
 
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
byPROIDEA
 
Multi-Layer DDoS Mitigation Strategies
byLogan Best
 
D do s_white_paper
byFrancisco Terrones Ramos
 
DDoS Attacks
byVitor Jesus
 
What You Should Know Before The Next DDoS Attack
byCloudflare
 

Recently uploaded

PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 

DDoS Mitigation Guide |DDoS Protection Cyber Security | MazeBolt

  • 1.
  • 2.
    3 EXECUTIVE SUMMARY 3COMPONENTS OF A DDoS MITIGATION SYSTEM 4 APPROACHES TO MITIGATION ACTIVITY 4 Cloud-Based Solutions 4 Scrubbing Center 5 Content Delivery Network (CDN) 6 On-Prem. Based Solutions 6 Vendor Appliances (Customer Premises Equipment - CPE) 7 Intrusion Prevention Systems (IPS) 8 Web Application Firewalls (WAFs) 9 Load Balancer 10 Firewall 11 CONCLUSION 12 RESOURCES 3 Figure 1: Illustration of a Typical Hybrid DDoS Mitigation Posture 4 Figure 2: Illustration of a Cloud Scrubbing Service 5 Figure 3: Illustration of a Content Distribution Network (CDN) 6 Figure 4: Illustration of Dedicated On-Prem DDoS Mitigation Equipment 7 Figure 5: Illustration of an Intrusion Prevention System (IPS) 8 Figure 6: Illustration of a Web Application Firewall (WAF) 9 Figure 7: Illustration of a Load Balancer 10 Figure 8: Illustration of a Firewall TABLE OF CONTENTS TABLE OF FIGURES
  • 3.
    EXECUTIVE SUMMARY Figure 1:Illustration of a Typical Hybrid DDoS Mitigation Posture The more complex the mitigation system, the more likely failure will be due to configuration issues as most enterprise IT organizations do not have the time or resources to ensure that every part of their DDoS Mitigation posture is updated, integrated, and running the right settings for their specific environment. This document reviews the most common network devices from the DDoS mitigation perspective to provide clarity regarding the role each element plays in mitigating DDoS attacks. COMPONENTS OF A DDoS MITIGATION SYSTEM There are generally three types of DDoS mitigation postures: Cloud based, On-Prem solutions, and Hybrid combinations of the two. | 03 External Environment / Web Internal Network Scrubbing Center Router Legend: Dedicated DDoS Device Partial DDoS Mitigation (WAF) Web Application Firewall Firewall (CPE) DDoS Mitigation Device Application Server Web Mail FTP DNS HTTP/S, DNS, SIP, FTP, SSH...
  • 4.
    APPROACHES TO MITIGATIONACTIVITY Cloud-Based Solutions Scrubbing Center Most scrubbing centers are cloud-based. They are the first source of defense for most volumetric attacks, which send an enormous number of packets in an attempt to overwhelm network resources and saturate bandwidth. The reason they are used mostly against large volumetric attacks is because of their ability to scale and match even some of the largest floods exceeding 10Tbps. As data cleansers, they review traffic going through them and remove packets that don’t adhere to the rules and guidelines defined. Application Layer (Layer 7) traffic is encrypted, this means that the ability of a scrubbing service to effectively mitigate malicious Application Layer traffic is highly dependent on whether it has the relevant decryption keys – i.e. “SSL Visibility”. | 04 Figure 2: Illustration of a Cloud Scrubbing Service Internet / Web Internal Network Legend: Forced Route Scrubbing Center (BGP) Router Firewall Application Server Web Mail Deployment Location Cloud-Based Functional Role Scalable Data Cleanser DDoS Mitigation Capabilities Layer 3 & 4 – Strong Layer 7 – Conditional on SSL Visibility
  • 5.
    Content Delivery Network(CDN) Content Delivery Networks (CDNs) use the DNS (Domain Name System) protocol to route traffic through the CDN provider’s system. CDNs are used to improve customers’ access to website content. CDNs cache some of the site’s resources, and only forward requests it cannot handle, that is, only Layer 7 traffic. Incidentally, that means that Layers 3 and 4 traffic is never forwarded by a CDN to the organization’s IT infrastructure, thus protecting it against volumetric attacks. CDNs will only protect organizations against attacks that use the DNS names as their target. A CDN can only be a part of a bigger DDoS mitigation scheme. Usually, more advanced attackers can find and attack the source IP of the website directly, circumventing the CDN completely. Figure 3: Illustration of a Content Distribution Network (CDN) Internet / Web Internal Network Router Firewall Web Application Server CDN Server Africa CDN Server Europe CDN Server Asia CDN Server America Deployment Location Cloud-Based Functional Role Static Content Serving DDoS Mitigation Capabilities Good - Situational | 05
  • 6.
    On-Prem. Based Solutions VendorAppliances (Customer Premises Equipment - CPE) Vendor appliances contain a variety of proprietary technologies, but, at their core, they are all tuned to detect and stop DDoS attacks. DDoS CPE equipment is generally located at the very edge of the organization's network, after the router but before reaching the internal network infrastructure, E.g. Firewalls, Load Balancers etc. Many of the devices deliver in-depth traffic analysis, bandwidth monitoring, and anomaly reports, allowing for better network traffic planning and DDoS attack analysis. Post-attack forensics may provide lessons learned, so the systems can be better tuned for mitigation of future attacks. CPE equipment without a scrubbing center will not protect against large volumetric attacks, even if the CPE equipment is well configured. The CPE alone will not provide protection against internet pipe saturation. Figure 4: Illustration of Dedicated On-Prem DDoS Mitigation Equipment Internet / Web Internal Network Router Firewall (CPE) DDoS Mitigation Device Application Server Web Mail FTP Deployment Location On-Prem. Functional Role DDoS Mitigation and Protection DDoS Mitigation Capabilities Strong | 06
  • 7.
    Intrusion Prevention Systems(IPS) These appliances specifically monitor suspicious activities within the network. They can be part of the router system, integrated into the firewall, serve as a back-up to a firewall, or sit deeper within the network infrastructure. They inspect and scan packets based on pre-existing rule sets, signatures, protocol status, or anomaly detection, creating alerts and/or blocking when any type of cyberattack is suspected. The underlying design is focused on blocking security breaches and is not set to stop a DDoS attack. These systems generally have some layer 3, 4 and 7 protection capabilities. Generally, most DDoS attacks cannot be mitigated using IPS systems and having to use an IPS system to block an attack most likely means the organization targeted is under a very advanced DDoS attack campaign in which CPE and or scrubbing center services are failing to mitigate Layer 7 attack traffic. Figure 5: Illustration of an Intrusion Prevention System (IPS) Deployment Location On-Prem. Functional Role Detecting and Stopping Cyber Attacks DDoS Mitigation Capabilities Poor | 07 Internet / Web Internal Network Router Firewall Users (IPS) Intrusion Prevention System Application Web Mail
  • 8.
    Web Application Firewalls(WAFs) WAFs perform multiple functions – intrusion detection, DDoS attack detection and prevention. They analyze application traffic, distinguish potential risks from legitimate usage, control access to applications and services by applying a set of rules to the incoming HTTP traffic. They perform deep-packet inspections by locating, identifying, classifying, rerouting and/or blocking packets with specific data or code payloads. Legitimate user traffic will be allowed through, while suspicious traffic will be routed elsewhere for further inspection or simply blocked. The web application firewall can be customized to your applications. For example, protecting from certain attacks against functionality – they generally protect against layer 7 attacks, which directly affect applications. The inspection process does increase latency and affects the user experience, so efficiency is key. The WAF can also be cloud-based via a service provider like AWS. Apparently, it does not protect against volumetric attacks on layers 3 and 4 that target network availability. WAFs depend on white-listing and black-listing, which means they must be updated continuously. Figure 6: Illustration of a Web Application Firewall (WAF) Internet / Web Internal Network Router Firewall WAF Application Web Mail Deployment Location On-Prem./Cloud-based Functional Role Protection against Layer 7 Application Attacks DDoS Mitigation Capabilities Mild | 08
  • 9.
    Load Balancer A LoadBalancer receives traffic from many clients and distributes that traffic evenly between multiple application servers of the same type. It acts as a man-in-the-middle. Clients connect to it on one end, and the load balancer creates a connection to one of the application servers on behalf of the client. In this way, the load balancer has to keep track of every connection's state, i.e. the load balancer is a stateful device. Like many other stateful devices, the load balancer is vulnerable to state-table saturation attacks e.g. HTTP attacks and a SYN flood. A Load Balancer can help offset DDoS Attacks by distributing the malicious traffic between the application servers. Unfortunately, without a robust DDoS mitigation component upstream to filter out most of the attack traffic, the load balancer will not be enough to stop your site from being overwhelmed. Figure 7: Illustration of a Load Balancer Deployment Location On-Prem. Functional Role Distributing Incoming Traffic DDoS Mitigation Capabilities Poor | 09 Internet / Web Internal Network Router Load Balancer Application Application Application Application Application
  • 10.
    Firewall The Firewall guardsthe entrance to your internal network, preventing certain types of packets or requests from reaching your servers. It does so using rules defined at the setup time, and filters according to the allowed packet types and the connection states. A Firewall keeps a record of the state of every connection opened between external clients and the internal servers and uses those records to filter out any packet that is out-of-state. Seemingly, that qualifies the Firewall as a stateful device. Like many other stateful devices, the Firewall is vulnerable to state-table saturation attacks e.g. HTTP attacks and a SYN flood. A Firewall can filter the packets that are part of a DDoS attack but is usually not optimized for the number of incoming packets that a DDoS entails. It will become overloaded very quickly and will go into a fail-open or fail-closed state, both of which are sure to cause downtime. Figure 8: Illustration of a Firewall Internet / Web Internal Network Router Firewall Application Server Web Mail Deployment Location On-Prem. Functional Role Rule-Based Traffic Filtering DDoS Mitigation Capabilities Mild | 10
  • 11.
    CONCLUSION Choosing the rightcombination of mitigation devices requires an understanding of how each devices’ capabilities match your environment's needs together with an objective look at the corporate requirements – risk, available resources, budget, personnel, existing network infrastructure. No matter how the technology is mixed and matched, it needs to be stress-tested to ensure that it works when DDoS attacks strike. RADAR™, MazeBolt’s new patented technology solution is part of the MazeBolt security platform. RADAR™ simulates DDoS attacks continuously and non-disruptively. Delivering advanced intelligence through straightforward reports on how to remediate the detected DDoS vulnerabilities found. With RADAR™ organizations can achieve, maintain, and verify the continuous closing of their DDoS vulnerability gaps. Reducing and maintaining the vulnerability level of a damaging DDoS attack from an average of 48% to under 2% ongoing. | 11
  • 12.
    | 12 RESOURCES About MazeBolt MazeBoltis an innovation leader in cybersecurity and part of the DDoS mitigation space. Offering full DDoS risk detection and elimination and working with any mitigation system to provide end to end full coverage. Supporting organizations in avoiding downtime and closing DDoS vulnerabilities before an attack happens. 1. https://en.wikipedia.org/wiki/Application_firewall 2.https://www.techwalla.com/articles/what-are-the-advantages-and-disadvantages -of-using-a-firewall 3. https://searchnetworking.techtarget.com/definition/deep-packet-inspection-DPI 4. https://arxiv.org/pdf/1710.08628.pdf 5. http://www.ijiss.org/ijiss/index.php/ijiss2/article/view/248/pdf_561 6. https://www.sans.org/reading-room/whitepapers/intrusion/summary-dos-ddos- prevention-monitoring-mitigation-techniques-service-provider-environment-1212 7. http://www.infosecurityeurope.com/__novadocuments/22581 8. https://en.wikipedia.org/wiki/Data_monitoring_switch