Building a DDoS Protection Architecture
Distributed denial-of-service (DDoS) attacks are constantly changing. While the objective is still to cause a service outage, attacks and attackers are becoming more sophisticated. Motivations for attacks are increasingly financial or political—with more serious consequences for the targeted victims.
In the past, DDoS attacks focused on layers 3-4, and network firewalls were able to provide a basic line of defense. In response, attackers are moving up the stack, using SSL and application-layer attacks to overwhelm resources.
Conventional network firewalls have failed to keep up with the volume and intelligence of these attacks. These firewalls have no contextual understanding of the traffic they handle, and so they are powerless to defend against multi-layered attacks.
Cloud-based scrubbing services have emerged as a useful tool against large-scale volumetric attacks. Strong on-premises security is still necessary, however, to mitigate attacks targeted at application servers (such as business logic attacks) and DNS servers, as well as attacks hidden in SSL-encrypted communications.