How to Mitigate Volumetric DDoS Attacks Leveraging the Application Delivery Controller

Date: Tuesday, November 05, 2013

A10 Networks, headquartered in Silicon Valley with a back office in Gurgaon, India, makes application delivery and server load products that help organizations accelerate, optimize and secure their applications.

Mounting threats and damages by DDoS attacks
The recent increase in DDoS (Distributed Denial of Service) attacks has made organizations aware of the need for an effective edge defense system. Documented attacks and motivations for attacks have revealed that the organizations at risk have spread from "obvious" targets, such as government agencies, gaming companies, media, and the largest organizations, to mid-size financial institutions and charitable foundations. In essence, every internet-based service is at risk.
Financial and reputation loss can be substantial for organizations after suffering a DDoS attack. Some recent examples include PayPal reporting in court filings that a DDoS attack cost them $5.5 million.
In addition to an immediate revenue loss, website and service outages result in reputation damage. Let us consider how to effectively outrun and mitigate DDoS attacks to ensure datacenter security.

Issues of current security solutions
With cyber attacks continuing to increase in persistence and complexity, organizations' need for robust security solutions is growing. While high volume DDoS attacks are and will remain common, it is still costly to purchase, deploy, and operate dedicated security products such as firewalls and IPSs (Intrusion Prevention Systems) that enable a high throughput of over 10Gbps and high bandwidth capacity.

Added to this problem, there is a concern about performance degradation as a side effect of the enhanced security these devices provide. Firewalls and IPSs are widely accepted as solutions for DDoS attacks on Web servers, but these security products often become a bottleneck and impact server performance; various parameters such as content size, number and type of signatures, encryption/decryption processing, etc. affect the performance of security products as well as the overall network.

Nature of DDoS attacks
Organizations have to prioritize and make appropriate investments within a limited budget. This requires a deep understanding and analysis of the risks, and leads to an information security management policy that determines what risk must be avoided by all means and what risk can be taken. Hence, it is important to understand the nature of such DDoS attacks.
Figure 1 shows major types of DDoS attacks. They are categorized by the technique and layer employed in the attack: application attacks, resource attacks, protocol attacks, and volumetric attacks. According to Prolexic, 75 percent of DDoS attacks are targeted at the network layer, while 25 percent are targeted at the application layer. The traditional SYN flood attack, a form of DDoS attack in which an attacker sends bulk packets to target servers to make them unable to respond and take them offline, is still predominant and comprises 33 percent of the total (Figure 2). Although the trend of security breaches on the internet is constantly changing, these statistics indicate that the major attack techniques have solidified, making it possible to predict common DDoS attacks and choose a positive measure focusing on a particular type of threat.
Figure 1: DDoS Threat Pyramid
Figure 2: Nature of DDoS Attacks
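As an added illustration (not from the original article and not A10 product code), the sketch below shows how a defender can recognize the SYN flood described above by counting TCP handshakes that never complete for each target. The packet records, addresses, timeout, and threshold are constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed client-to-server packets:
    (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flag)."""
    pkts = []
    # Two legitimate clients complete the handshake (SYN, then final ACK).
    for i, src in enumerate(["198.51.100.10", "198.51.100.11"]):
        pkts.append((0.1 * i, src, 40000 + i, "192.0.2.80", 443, "S"))
        pkts.append((0.1 * i + 0.05, src, 40000 + i, "192.0.2.80", 443, "A"))
    # 200 SYNs from many sources that never send the final ACK.
    for i in range(200):
        src = f"203.0.113.{i % 250 + 1}"
        pkts.append((1.0 + i * 0.005, src, 1024 + i, "192.0.2.80", 443, "S"))
    return sorted(pkts)

def find_syn_flood_targets(packets, timeout=30.0, threshold=100):
    """Return {(dst_ip, dst_port): (half_open, distinct_sources)} for every
    target whose half-open connection count exceeds the threshold."""
    if not packets:
        return {}
    pending = {}  # (src, sport, dst, dport) -> time the SYN was seen
    for ts, src, sport, dst, dport, flag in packets:
        key = (src, sport, dst, dport)
        if flag == "S":
            pending[key] = ts          # handshake started
        elif flag == "A":
            pending.pop(key, None)     # handshake completed, slot released
    now = packets[-1][0]
    per_target = defaultdict(list)
    for (src, _sport, dst, dport), ts in pending.items():
        if now - ts <= timeout:        # still holding a server backlog slot
            per_target[(dst, dport)].append(src)
    return {
        target: (len(srcs), len(set(srcs)))
        for target, srcs in per_target.items()
        if len(srcs) > threshold
    }

if __name__ == "__main__":
    for target, (half_open, sources) in find_syn_flood_targets(build_sample()).items():
        print(f"{target}: {half_open} half-open connections from {sources} sources")
```

The two completed handshakes in the sample do not count toward the total, which is why a half-open count is a better signal than raw SYN volume.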

DDoS mitigation by Application Delivery Controller
Along with the fast pace of changes in trends and requirements for datacenter networks, recent Application Delivery Controllers (ADCs) provide security features such as DDoS protection, Web Application Firewall (WAF), DNS firewalls and more, in addition to conventional application networking features represented by server load balancing.
Micron21, an Australian datacenter operator, and other organizations are consolidating old point products and starting to adopt ADCs, which integrate all these features on a single box and further enhance availability and protection. ADCs are designed to inspect packets and distribute workloads, requests to servers and the like across resources on the network, realizing optimized resource use, higher availability, and better responses. The DDoS protection feature on ADCs derives from load balancing technology and provides the ability to protect servers and services from malicious traffic from the internet.
The next generation ADCs, called Unified Application Service Gateways (UASGs), provide security features including DDoS protection as part of their solution. Taking advantage of the unique combination of hardware and software-based processing, they cover the techniques that are frequently used in DDoS attacks. An FPGA is a dedicated hardware chip that enables these UASGs to deliver powerful DDoS protection against volumetric attacks like the SYN flood attack.
Another benefit of using an ADC for DDoS protection is that it allows organizations to introduce security measures at low cost, while putting the right solution in the right place, in combination with other security products such as firewalls and IPSs. In conventional networks, an ADC and a security product must be deployed separately. By leveraging an ADC, security product cost is lowered because its workload is offloaded and a high bandwidth capacity is not necessarily required (Figure 3).
Figure 3: Effective DDoS Mitigation Using ADC

Conclusion
The latest trends in DDoS attacks show that every business is at risk, forcing businesses to expand security solutions. However, installation of high-performance dedicated security devices is not always possible because of budget restrictions and the issue of performance degradation, making it a difficult decision for organizations. Under such circumstances, it could be worthwhile to consider a DDoS mitigation solution on an ADC as a realistic option that satisfies the competing needs for performance and security at low cost while covering the majority of DDoS attack methods.