The best DDoS protection of 2020

In October 2016, DNS provider Dyn was hit with a major Distributed Denial of Service (DDoS) attack by an army of IoT devices that had been hacked specifically for this purpose. More than 14,000 domains using Dyn's services became overloaded and inaccessible, including big names like Amazon, HBO, and PayPal. According to a Cloudflare study, the average cost of an infrastructure failure to businesses is $100,000 ($75,000) per hour.

How can you ensure that your organization does not fall victim to this type of attack? In this guide, you'll learn about the leading infrastructure providers that have the capacity to protect against attacks designed to flood your network. You'll also learn which providers can offer protection against more sophisticated application (Layer 7) attacks, which can be carried out without a large number of hacked computers (sometimes called a botnet).

1. Project Shield

Powerful DDoS protection from Google, but not for everyone

Take advantage of Google's infrastructure; very simple setup; only available to certain websites.

Project Shield is the brainchild of Jigsaw, a subsidiary of Google's parent company Alphabet. Development began several years ago under George Conard following attacks on election observation and related human rights websites in Ukraine.

Project Shield filters potentially malicious traffic by acting as a reverse proxy that sits between a website and the wider Internet, filtering connection requests. If a connection appears to be from a legitimate visitor, Project Shield allows the connection request. If a connection request is judged to be illegitimate, such as multiple connection attempts from the same IP address, it is blocked. This design makes Project Shield extremely easy to implement: you simply change the DNS settings of your servers.

Any experienced user reading this may wonder how filtering traffic through a proxy will work with SSL. Fortunately, Jigsaw has thought of that and put together a comprehensive tutorial to make sure secure connections to your site work like a charm. Various other tutorials are also available in the support section.

Project Shield is currently only available to dedicated media, election monitoring, and human rights websites. There is also a focus on small and underfunded websites that cannot afford expensive hosting solutions to protect against DDoS attacks. If your organization does not meet these requirements, you may need to consider an alternative solution like Cloudflare.

2. Cloudflare

The heavyweight of DDoS protection

Industry leader in DoS solutions; free tier includes basic protection; commercial packages are relatively expensive.

Anyone who has used the Internet for the past few years will be familiar with Cloudflare, as many major websites use its protection. Although Cloudflare is headquartered in the United States, it operates more than 180 data centers around the world, an infrastructure that rivals that of Google. This maximizes the chances of your sites staying online.

Each Cloudflare user can choose to activate the "I'm under attack" mode, which can protect against the most sophisticated DoS attacks by presenting a JavaScript challenge. Cloudflare also typically acts as a reverse proxy between visitors and your site host, filtering traffic in the same way as Jigsaw's Project Shield. In March 2019, Cloudflare released Spectrum for UDP, which provides DDoS protection and a firewall for untrusted protocols.

Visitors making connection requests must run a gauntlet of sophisticated filters, including checks on site reputation, whether their IP address has been blacklisted, and whether the HTTP header looks suspicious. HTTP requests are fingerprinted to protect against known botnets. As an industry giant, Cloudflare can easily leverage its position by sharing information across the more than 7 million websites it manages.

Cloudflare offers a free basic plan that includes unlimited DDoS mitigation. For those willing to shell out for a commercial Cloudflare subscription (prices start at €200 or €149 per month), more advanced protection is available, such as downloading custom SSL certificates.

3. AWS Shield

Excellent benchmark DDoS mitigation with more

The standard free tier protects against the most common attacks; easy installation; the advanced tier is very expensive.

AWS Shield protection is provided by the people at Amazon Web Services. The "Standard" tier is available to all AWS customers at no additional cost. This is ideal because many small businesses choose to host their websites with Amazon.

AWS Shield Standard protects against the more traditional network (Layer 3) and transport (Layer 4) attacks when used with the Amazon CloudFront and Route 53 services. This should deter all but the most determined hackers. However, your bandwidth, say 15 Gbps, will always be limited by the size of your Amazon instance, allowing hackers to carry out a DoS attack if they have enough resources. Worse yet, you are still responsible for paying for any additional traffic to your instance.

To mitigate this issue, Amazon also offers AWS Shield Advanced. A subscription includes DDoS cost protection, which can save you from a big increase in your monthly usage bill if you're the victim of an attack. AWS Shield Advanced can also deploy your ACLs (Access Control Lists) at the edge of the AWS network, giving you protection against the biggest attacks. Advanced subscribers also benefit from a 24-hour DRT (DDoS Response Team) as well as detailed metrics about attacks on their instances.

However, the peace of mind that AWS Shield Advanced offers comes at a cost. You should be prepared to subscribe for a minimum of one year at a price of €3,000 (€2,200) per month. This is in addition to data transfer usage costs, which you may cover on a "pay as you go" basis.

4. Microsoft Azure

Brilliant basic protection at an affordable premium level

Standard protection is extremely easy to configure; automated threat mitigation; global DDoS protection for all resources.

Like Amazon, Microsoft offers the option to rent server space through its Azure service. All members have basic DDoS protection. Features include 3/7 traffic monitoring and real-time (Layer 30) network attack mitigation for all public IP addresses you use. This is the same type of protection offered to Microsoft's own online services, and all resources in the Azure network can be used to absorb DDoS attacks.

For organizations that need more sophisticated protection, Azure also offers a "Standard" tier. This has been widely praised for being very easy to activate, requiring only a few mouse clicks. It is important to note that Azure does not require you to make any changes to your applications, although the standard tier provides protection against application DDoS attacks (layer 2,944) through the Application Gateway web application firewall.

Azure Monitor can show you real-time metrics if an attack occurs. These are kept for 2,204 days and can be exported for further study if you wish.

Azure constantly checks web traffic to your resources. If this exceeds a predefined threshold, DDoS mitigation starts automatically. This includes inspecting packets to make sure they are not malformed or forged, as well as the use of rate limiting.

Standard protection is currently €100 (€XNUMX) per month plus data charges for up to XNUMX resources. The protection also applies to all resources. In other words, you cannot tailor DDoS mitigation to individual resources.
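The threshold-triggered mitigation described above, sketched as an added example (not Azure's code and not part of the original article): traffic passes untouched until the aggregate rate crosses a threshold, after which a per-source rate limit is enforced. The class name, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class ThresholdMitigator:
    """Pass traffic untouched until the aggregate rate crosses a threshold,
    then enforce a per-source rate limit (all numbers are assumptions)."""

    def __init__(self, trigger_rps=20, per_ip_limit=3, window=1.0):
        self.trigger_rps = trigger_rps     # aggregate requests per window that start mitigation
        self.per_ip_limit = per_ip_limit   # requests per window allowed per source while mitigating
        self.window = window               # sliding window length in seconds
        self.all_hits = deque()            # timestamps of every request seen
        self.ip_hits = defaultdict(deque)  # timestamps of forwarded requests, per source

    def _expire(self, q, now):
        while q and now - q[0] >= self.window:
            q.popleft()

    def mitigating(self, now):
        self._expire(self.all_hits, now)
        return len(self.all_hits) > self.trigger_rps

    def allow(self, ip, now):
        self.all_hits.append(now)
        hits = self.ip_hits[ip]
        self._expire(hits, now)
        if self.mitigating(now) and len(hits) >= self.per_ip_limit:
            return False                   # source is over its budget during an attack
        hits.append(now)
        return True


def replay(events, **kw):
    """Run (timestamp, ip) events through the filter; return dropped count per IP."""
    m, dropped = ThresholdMitigator(**kw), defaultdict(int)
    for ts, ip in events:
        if not m.allow(ip, ts):
            dropped[ip] += 1
    return dict(dropped)


# Constructed sample: one source sends 50 req/s while a normal visitor sends 2 req/s.
FLOOD = [(i / 50, "198.51.100.7") for i in range(50)]
VISITOR = [(0.1, "203.0.113.5"), (0.6, "203.0.113.5")]
EVENTS = sorted(FLOOD + VISITOR)

if __name__ == "__main__":
    print(replay(EVENTS))
```

The visitor's second request arrives while mitigation is active and is still forwarded, because only sources over their own budget are dropped.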

5. Verisign / Neustar DDoS Protection

DDoS protection from security veterans

Easy to configure via DNS; dedicated cleanup centers to protect against attacks; can be deployed on-site; interface takes time to learn.

Update: Verisign security services have moved to Neustar, but the features and functionality mentioned in the review have remained relatively the same.

Verisign is almost as old as the Internet itself. Since 1995, it has grown from a simple certificate authority to a major player in the network services industry.

Verisign's DDoS protection works in the cloud. Users can choose to redirect connection attempts with a simple change to their Domain Name Server (DNS) settings. The traffic is sent to Verisign for verification to prevent network attacks. Verisign carefully analyzes all traffic before redirecting it.

Since Verisign operates two of the world's thirteen root nameservers, it is not surprising that the organization also operates several dedicated DDoS "cleanup centers." These analyze traffic and filter bad connection requests. The combined infrastructure runs at nearly 2TB/s and can block even the most devastating DDoS attacks.

This is largely accomplished through Athena, Verisign's threat mitigation platform. Athena is broadly divided into three elements. The "Shield" filters network (layer 3) and transport (layer 4) attacks through DPI (Deep Packet Inspection), blacklisting and whitelisting, and site reputation management. The Athena "proxy" inspects HTTP headers for bad traffic during initial connection attempts. Both "proxy" and "shield" support Athena's "load balancer", which helps prevent application (layer 7) attacks.

The Customer Portal displays detailed traffic reports and allows you to configure your threat management, for example, by creating connection blacklists. For users who are reluctant to implement everything in the cloud, Verisign also offers OpenHybrid, which can be installed on-premises.

Image credit: Wikimedia Commons (Antoine Lamielle)