In October 2016 DNS provider Dyn was hit by a major DDoS (Distributed Denial of Service) attack by an army of IoT devices which had been hacked specially for the purpose. Over 14,000 domains using Dyn’s services were overwhlemed and became unreachable including big names like Amazon, HBO, and PayPal.
According to research by Cloudflare the average cost of infrastructure failure to businesses is $100,000 (£75,000) per hour. How then can you make sure that your organization doesn’t fall victim to this kind of attack. In this guide you’ll discover major infrastructure providers who have the necessary digital muscle to protect against attacks designed to flood your network capacity.
You’ll also discover which providers can offer protection against more sophisticated application (layer 7) attacks, which can be carried out without a huge number of hacked computers (sometimes known as a botnet).
Project Shield is the creation of Jigsaw, an offshoot of Google’s parent company Alphabet. Development began several years ago under George Conard in the wake of attacks on election monitoring and human rights related websites in the Ukraine.
Project Shield is able to filter potential malicious traffic by acting as a reverse proxy which sits between a website and the internet at large, filtering connection requests. If a connection seems to be from a legitimate visitor Project Shield permits the connection request. If a connection request is determined to be bad e.g. multiple connection attempts from the same IP address, then it is blocked. This system makes Project Shield extremely easy to implement simply by changing your server’s DNS settings.
Any power users reading may wonder how filtering traffic via a proxy will work with SSL. Fortunately, Jigsaw has thought of this and has put together a comprehensive tutorial to make sure secure connections to your site work seamlessly. Several other tutorials are also available in the support section.
Currently Project Shield is only available for media, election monitoring and human rights related websites. The primary focus is also on small under resourced websites which cannot afford expensive hosting solutions to protect themselves for DDoS. If your organization doesn’t match these requirements you may have to consider an alternative solution such as Cloudflare.
Anyone who has used the Internet in the last few years will be familiar with Cloudflare as many major websites make use of its protection. Although Cloudflare is based in the US it maintains over 180 data centers around the world: an infrastructure to rival Google’s. This maximizes your site’s chances of staying online.
Every Cloudflare user can choose to activate the ‘I’m under attack’ mode which can protect against even the most sophisticated of DoS attacks by presenting a Javascript challenge. As a matter of routine Cloudflare also acts as a reverse proxy sitting between visitors and your site host to filter traffic in much the same way as Jigsaw’s Project Shield. In March 2019, Cloudflare introduced Spectrum for UDP, which provides DDoS protection and firewalling for unreliable protocols.
Visitors making connection requests have to run a gauntlet of sophisticated filters including site reputation, whether their IP has been Blacklisted and if the HTTP header seems suspicious. HTTP requests are finger printed to protect against known Botnets. As an industry giant, Cloudflare can easily leverage its position by sharing intel across the 7+ million websites it manages.
Cloudflare offers a free basic package which includes unmetered DDoS mitigation. For those who are willing to pay for a Cloudflare business subscription (prices start at $200 or £149 a month), more advanced protection is available such as custom SSL certificate uploads.
AWS Shield protection is provided by the good people of Amazon web services. The ‘Standard’ tier is available to all AWS customers at no extra charge. This is ideal as many small businesses choose to host their websites with Amazon. AWS Shield Standard is available to all customers at no extra charge. It protects against more typical network (layer 3) and transport (layer 4) attacks when used Amazon’s Cloud Front and Route 53 services.
This should put off all but the most determined hackers. However, your bandwidth e.g. 15Gbp/s will still be limited by the size of you Amazon instance making it feasible for hackers to carry out a DoS attack if they have sufficient resources. Worse still you remain responsible for paying for the extra traffic to your instance.
To mitigate this Amazon also offers AWS Shield Advanced. A Subscription include DDoS cost protection, which can save you from a huge spike in your monthly usage bill if you are the victim of an attack. AWS Shield Advanced can also deploy your ACL’s (Access Control Lists) to the border of the AWS network itself giving you protection against even the largest of attacks.
Advanced Subscribers also benefit from a round the clock DRT (DDoS response team) as well as detailed metrics on any attacks on your instances. The piece of mind afforded by AWS Shield Advanced is expensive however. You must be willing to subscribe for a minimum of one year for a price of $3,000 (£2,200) a month. This is in addition to data transfer usage costs which you can cover on a ‘pay as you go’ basis.
Like Amazon, Microsoft offers the option to rent service space via their service Azure. All members benefit from basic DDoS protection. Features include always on traffic monitoring and real time mitigation of network (layer 3) attacks for any public IP addresses you use. This is the very same type of protection afforded to Microsoft’s own online services and the entire resources of Azure’s network can be used to absorb DDoS attacks.
For organizations in need of more sophisticated protection Azure also offers a ‘Standard’ tier. This has been widely praised for being very easy to enable, requiring just a few clicks of your mouse. Crucially Azure does not require you to make any changes to your apps although the standard tier does offer protection against application (layer 7) DDoS attacks via the app gateway web app firewall. Azure monitor can show you real time metrics if an attack does take place. These are retained for 30 days and can be exported for further study if you wish.
Azure constantly checks web traffic to your resources. If these exceed a pre-defined threshold, DDoS mitigation is automatically launched. This includes inspecting packets to make sure they aren’t malformed or spoofed as well as using rate limiting.
Standard protection is currently $2,944 (£2,204) per month plus data charges for up to 100 resources. Protection applies equally to all resources. In other words you cannot tailor DDoS mitigation for individual ones.
Update: Verisign’s security services are transferred to Neustar.
Verisign is almost as old as the Internet itself. Since 1995 it has grown from a simple Certificate Authority to a major player in the Network Services industry.
Verisign DDoS protection operates in the Cloud. Users can choose to redirect connection attempts with a simple change of their DNS (Domain Name Server) settings. Traffic is sent to Verisign for checking to prevent network attacks. Verisign analysis all traffic thoroughly before redirecting.
As Verisign operates two of the thirteen global route name servers it should come as no surprise that the organization also maintains several dedicated DDoS “scrubbing centers”. These analyze traffic and filter out bad connection requests. The combined infrastructure runs to almost 2TB/s and can block even the most overwhelming DDoS attacks.
This is largely achieved via Athena, Verisign’s threat mitigation platform. Athena is broadly divided into three elements. The ‘Shield’ filters network (layer 3) and transport (layer 4) attacks via DPI (Deep Packet Inspection), blacklists & whitelists and site reputation management. The Athena ‘proxy’ inspects HTTP headers for bad traffic during initial connection attempts. The ‘proxy’ and ‘shield’ are supported by Athena’s ‘load balancer’ which helps to prevent application (layer 7) attacks.
The customer portal displays detailed reports on traffic and allows you to configure your threat management, for example by creating connection blacklists. For users who are reluctant to deploy everything to the Cloud, Verisign also offers OpenHybrid which can be installed onsite.
Image Credit: Wikimedia Commons (Antoine Lamielle)
