The best DDoS protection of 2019


In October 2016, DNS service provider Dyn was hit by a Distributed Denial of Service (DDoS) attack launched by an army of hacked IoT devices. More than 14,000 domains using Dyn's services were overwhelmed and became inaccessible, including big names like Amazon, HBO and PayPal.

According to a study by Cloudflare, the average cost of infrastructure failures for businesses is $100,000 (£75,000) at the time. So how can you ensure that your organization will not fall victim to this type of attack? In this guide, you will learn about the leading infrastructure providers with the capacity to protect against attacks designed to overwhelm your network.

You will also discover which vendors offer protection against more sophisticated application-layer (Layer 7) attacks, which can be carried out without large numbers of hacked computers (sometimes called botnets).

1. Project Shield

Powerful DDoS protection from Google, but not everyone is invited

Take advantage of Google's infrastructure.

Very easy setup

Available only for certain websites

Project Shield is the brainchild of Jigsaw, a subsidiary of Google's parent company, Alphabet. Development began several years ago under George Conard, in response to attacks on election monitoring and human rights websites in Ukraine.

Project Shield filters potentially malicious traffic by acting as a reverse proxy between a website and the wider Internet, screening connection requests. If a connection appears to come from a legitimate visitor, Project Shield allows the request through. If a connection request is judged to be bad, for example because of multiple connection attempts from the same IP address, it is blocked. This design makes Project Shield extremely easy to deploy: you simply modify your server's DNS settings.

Attentive readers may wonder how filtering traffic through a proxy will work with SSL. Fortunately, Jigsaw has thought about this and put together a comprehensive tutorial to ensure that secure connections to your site work smoothly. Various other tutorials are also available in the support section.

Currently, Project Shield is only available for media, election monitoring, and human rights websites. There is also an emphasis on small and underfunded websites that cannot afford expensive hosting solutions to protect themselves from DDoS attacks. If your organization does not meet these requirements, you may need to consider another solution, such as Cloudflare.

2. Cloudflare

The behemoth of DDoS protection.

Industry leader in DoS solutions.

The free tier includes basic protection.

Business packages are relatively expensive

Anyone who has used the internet in recent years will be familiar with Cloudflare because many of the major websites use its protection. Although Cloudflare is based in the United States, it manages 165 data centers around the world - an infrastructure comparable to Google. This maximizes the chances that your sites will stay online.

Each Cloudflare user can choose to enable the "I am being attacked" mode, which can protect against the most sophisticated denial of service attacks by presenting a JavaScript challenge. Cloudflare also typically acts as a reverse proxy between visitors and your site's host, filtering traffic in the same way as Jigsaw's Project Shield. In March 2019, Spectrum for UDP was introduced, providing DDoS protection and a firewall for unreliable protocols.

Visitors making connection requests have to run a sophisticated gauntlet of filters, which check site reputation, whether their IP address is blacklisted, and whether the HTTP headers look suspicious. HTTP requests are fingerprinted to protect against known botnets. As an industry giant, Cloudflare can easily leverage its position by sharing information across more than 7 million websites.

Cloudflare offers a free basic package that includes unmetered mitigation of DDoS attacks. For those who are willing to pay for a Cloudflare Business plan (prices start at $200 or £149 per month), more advanced protection is available, such as downloading custom SSL certificates.
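
The filter chain described above (IP blacklist, HTTP header check), together with the repeated-connections-from-one-IP rule mentioned for Project Shield, sketched as an added example. It is not Cloudflare's or Jigsaw's code; the window, the request limit, the header heuristic and the sample requests are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class RequestFilter:
    """Toy reverse-proxy filter: blocklist, header check, per-IP rate limit."""

    def __init__(self, blocklist, window=10, limit=3):
        self.blocklist = set(blocklist)
        self.window = window              # sliding window in seconds (assumed)
        self.limit = limit                # requests allowed per IP per window
        self.recent = defaultdict(deque)  # ip -> timestamps of allowed requests

    def check(self, ts, ip, headers):
        """Return the verdict for one request arriving at time ts (seconds)."""
        if ip in self.blocklist:
            return "blocklisted-ip"
        # Assumed heuristic: a request without Host or User-Agent is suspicious.
        h = {k.lower(): v for k, v in headers.items()}
        if not h.get("host") or not h.get("user-agent"):
            return "suspicious-headers"
        q = self.recent[ip]
        while q and ts - q[0] >= self.window:
            q.popleft()                   # forget requests outside the window
        if len(q) >= self.limit:
            return "rate-limited"         # not recorded, so memory stays bounded
        q.append(ts)
        return "ok"

def filter_requests(requests, blocklist):
    """Run a fresh filter over (ts, ip, headers) tuples; return the verdicts."""
    f = RequestFilter(blocklist)
    return [f.check(ts, ip, headers) for ts, ip, headers in requests]

# Constructed sample traffic using documentation-range addresses.
BLOCKLIST = {"203.0.113.9"}
BROWSER = {"Host": "example.org", "User-Agent": "Mozilla/5.0"}
SAMPLE = [
    (0, "198.51.100.7", BROWSER),
    (1, "203.0.113.9", BROWSER),                    # listed address
    (2, "198.51.100.20", {"Host": "example.org"}),  # no User-Agent
    (2, "198.51.100.7", BROWSER),
    (3, "198.51.100.7", BROWSER),
    (4, "198.51.100.7", BROWSER),                   # 4th request inside 10 s
    (11, "198.51.100.7", BROWSER),                  # the request at t=0 has aged out
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE, filter_requests(SAMPLE, BLOCKLIST)):
        print(req[0], req[1], verdict)
```

The checks run cheapest first, so a listed address is rejected before any per-IP state is allocated for it.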

3. AWS Shield

Excellent basic mitigation of DDoS attacks with more

The free standard tier protects against the most common attacks.

Easy installation

The advanced level is very expensive

AWS Shield protection is provided by the experts at Amazon Web Services. The "Standard" tier is available at no additional cost to all AWS customers. This is ideal because many small businesses choose to host their websites with Amazon. It protects against the more typical network (Layer 3) and transport (Layer 4) attacks when you use Amazon's CloudFront and Route 53 services.

This should deter all but the most determined attackers. However, your bandwidth, for example 15 Gbps, will still be limited by the size of your Amazon instance, allowing attackers to carry out a DoS-like attack if they have enough resources. Worse still, you remain responsible for paying for the additional traffic to your instance.

To mitigate this, Amazon also offers AWS Shield Advanced. A subscription includes cost protection against DDoS attacks, which can save you from a steep increase in your monthly bill if you are the victim of an attack. AWS Shield Advanced can also deploy your access control lists (ACLs) at the edge of the AWS network, protecting you against the largest attacks.

Advanced subscribers also benefit from round-the-clock access to the DDoS Response Team (DRT), as well as detailed metrics for all attacks on their instances. The peace of mind offered by AWS Shield Advanced, however, is expensive. You must be ready to subscribe for a minimum of one year at a price of $3,000 (£2,200) per month. This is in addition to data transfer usage fees, which are charged on a "pay as you go" basis.

4. Microsoft Azure

Excellent basic protection with an affordable paid tier.

Standard protection is extremely easy to configure

Automated threat mitigation

Protective DDoS coverage for all resources.

Like Amazon, Microsoft offers the ability to rent server space through its Azure service. All members benefit from basic protection against DDoS attacks. Features include always-on traffic monitoring and real-time mitigation of network-layer (Layer 3) attacks for all public IP addresses you use. This is the same type of protection given to Microsoft's own online services, and all Azure network resources can be used to absorb DDoS attacks.

For companies that need more sophisticated protection, Azure also offers a "Standard" tier. This has been widely praised for being very easy to activate, requiring only a few mouse clicks. Most importantly, Azure does not require you to modify your applications, although the Standard tier does provide protection against application-layer (Layer 7) DDoS attacks through the Application Gateway web application firewall. Azure Monitor can show you real-time statistics if an attack occurs. These are kept for 30 days and can be exported for further study if desired.

Azure constantly checks web traffic to your resources. If it exceeds a predefined threshold, DDoS mitigation starts automatically. This includes inspecting packets to ensure they are not malformed or spoofed, as well as rate limiting.

Standard protection is currently US $2,944 (£2,204) per month, plus data charges, for up to 100 resources. Protection also applies equally to all resources. In other words, you cannot customize mitigation measures for DDoS attacks.

5. Verisign DDoS Protection

The best protection against DDoS attacks from security veterans.

Easy to install via DNS

Scrubbing centers dedicated to protection against attacks.

Can be deployed on site

The interface takes time to master

Update: Verisign security services have carried over to Neustar, but the features and characteristics mentioned in this review have remained relatively the same.

Verisign is almost as old as the Internet itself. Since 1995, it has grown from a single certificate authority to a major player in the network services industry.

Verisign DDoS protection works in the cloud. Users can choose to redirect connection attempts by simply changing their Domain Name Server (DNS) settings. The traffic is sent to Verisign for inspection to prevent network attacks. Verisign carefully analyzes all traffic before forwarding it.

Given that Verisign operates two of the 13 global root nameservers, it is not surprising that the organization also runs several dedicated DDoS "scrubbing centers." These analyze the traffic and filter out bad connection requests. The combined infrastructure reaches almost 2 TB/s and can block the most damaging DDoS attacks.

This is largely accomplished through Athena, Verisign's threat mitigation platform. Athena is broadly divided into three elements. The "shield" filters network (Layer 3) and transport (Layer 4) attacks through DPI (deep packet inspection), blacklists and whitelists, and site reputation management. The Athena "proxy" inspects HTTP headers for bad traffic during initial connection attempts. The "proxy" and "shield" work alongside Athena's "load balancer", which helps prevent application (Layer 7) attacks.

The Customer Portal displays detailed traffic reports and allows you to configure your threat management, for example by creating connection blacklists. Verisign also offers OpenHybrid, which can be installed on site, for users who are reluctant to deploy everything in the cloud.
