As e-commerce continues to proliferate and deliver profitable results, more business is being done online. The growing adoption of online retailing, Internet banking, cloud-based data storage and other commercial services represents a natural evolution of Internet use. For online businesses, however, any downtime can dramatically impact the bottom line. As a result, the growing scale and frequency of Distributed Denial of Service (DDoS) attacks are taking a toll on these businesses. While DDoS attacks may have been driven by non-economic reasons in the past, they now have monetary drivers including extortion, competitive advantage and corporate revenge.
When it comes to DDoS protection, many enterprises and Internet data center (IDC) operators have a false sense of security. They think they have secured their key services against DDoS attacks simply by deploying intrusion prevention system (IPS) devices or firewalls in front of their servers. Unfortunately, such deployments can actually expose these organizations to service outages and irate customers. When business-critical services are not available, enterprises and IDC operators lose money and damage important customer relationships. What’s more, when services are unavailable due to external attacks, it can be sensational and unwelcome front-page news—especially when the damages could have been easily prevented.
This article examines why IPS devices and firewalls fail to stop DDoS threats. It also describes how an intelligent DDoS mitigation system (IDMS) offers an ideal solution by enabling a layered defense strategy to combat both volumetric and application-layer DDoS attacks.
Why IPS Devices and Firewalls Can’t Stop DDoS Attacks
IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products.
IPS devices, for example, block break-in attempts that cause data theft. Meanwhile, a firewall acts as policy enforcer to prevent unauthorized access to data. While such security products effectively address “network integrity and confidentiality”, they fail to address a fundamental concern regarding DDoS attacks—“network availability”. What’s more, IPS devices and firewalls are stateful, inline solutions,
which means they are vulnerable to DDoS attacks and often become the targets themselves.
How to fight DDoS Attacks
The ideal solution is an Intelligent DDoS Mitigation System (IDMS) that can stop both volumetric and application-layer DDoS attacks. It must also be deployable in the ISP network (in cloud) and at the enterprise or data-center edge.
Key Features of an IDMS
The limitations in IPS devices and firewalls reveal the key attributes required in an IDMS solution. An IDMS must be “stateless,” in other words, it must not track state for all connections. As mentioned earlier, a stateful device is vulnerable to DDoS and will only add to the problem. The IDMS solution must also support various deployment configurations; most importantly, it must allow for out-of-band deployments when needed. This deployment flexibility can increase the scalability of the solution, which is a requirement as the size of DDoS attacks continues to increase.
To truly address “distributed” DoS attacks, an IDMS must be a fully integrated solution that supports a distributed detection method. IPS devices leveraging single segment-based detection will miss major attacks. Moreover, an IDMS solution must not depend on signatures created after the attack has been unleashed on the targets; rather, it must support multiple attack countermeasures.
Finally, the IDMS must provide comprehensive reporting and be backed by a company that is a known industry expert in Internet-based DDoS threats. The key features of IDMS are:
– Inline and Out-of-Band Deployment Options
– Scalable DDoS Mitigation
– Ability to Stop “Distributed” DoS Attacks
– Multiple Attack Countermeasures
– Comprehensive Reporting
– Industry Track Record and Enterprise
To summarize, the security of a network depends on different elements which have their own purpose and scope. Network Firewalls and Intrusion Prevention Systems (IPS) are the cornerstone of the security of any network. They are excellent in enforcing the security policy and mitigating threats against unauthorized access, network integrity and confidentiality. However, they can not stop a Distributed Denial of Service attack. For this threat a more suitable defense mechanism is to use an Intelligent DDoS Mitigation System (IDMS) which detects those distributed attacks and takes proper action to stop them.