How to Protect From DDOS in 2021


Advertisement

In October 2016, DNS provider Dyn was hit by a major DDoS (Distributed Denial of Service) attack by an army of IoT devices that had been hacked specifically for this purpose. Over 14,000 domains using Dyn’s services were overwhelmed and no longer accessible, including big names such as Amazon, HBO and PayPal.

According to a study by Cloudflare, the average cost of infrastructure outages to businesses is $ 100,000 (£ 75,000) per hour. Then how can you ensure that your organization does not fall victim to this type of attack? This guide will help you find key infrastructure providers who have the digital means to protect themselves from attacks that are designed to flood your network capacity.

You will also learn which vendors can offer protection against more complex (Layer 7) application attacks that can run without a large number of hacked computers (sometimes called a botnet).

1.      Project Shield

Project Shield is the creation of Jigsaw, an offshoot of Google’s parent company Alphabet. The development began a few years ago under George Conard after attacks on election observation and human rights-related websites in Ukraine.

Project Shield can filter potential malicious traffic by acting as a reverse proxy that sits between a website and the internet, filtering connection requests. If a connection is from a legitimate visitor, Project Shield will allow the connection request. If it is determined that a connection request is bad, e.g. multiple connection attempts from the same IP address, then it will be blocked. With this system, Project Shield is extremely easy to implement by simply changing your server’s DNS settings.

Any power user who reads may wonder how filtering traffic through a proxy with SSL works. Fortunately, Jigsaw thought about this and put together a comprehensive tutorial to ensure that secure connections to your site work seamlessly. Further support tutorials can be found in the support area.

Currently, Project Shield is only available for media, election observation, and human rights related websites. The main focus is also on small websites with limited resources that cannot afford expensive hosting solutions to protect themselves from DDoS. If your organization doesn’t meet these requirements, you may need to consider an alternative solution like Cloudflare.

Giga ComputerZ

2. Cloudflare

Anyone who has used the internet in the past few years is familiar with Cloudflare as many large websites make use of its protection. Although Cloudflare is based in the US, Cloudflare has over 180 data centers worldwide: an infrastructure that can compete with that of Google. This will maximize your website’s chances of staying online.

Any Cloudflare user can enable the “I’m under attack” mode, which protects against even the most sophisticated DoS attacks by presenting a JavaScript challenge. As a routine, Cloudflare also acts as a reverse proxy between visitors and your site host to filter traffic similar to Jigsaw’s Project Shield. In March 2019, Cloudflare introduced Spectrum for UDP, which provides DDoS protection and a firewall for unreliable protocols.

Visitors making connection requests must run a number of sophisticated filters, including the reputation of the site, whether their IP address has been blacklisted, and whether the HTTP header looks suspicious. HTTP requests are fingerprinted to protect against known botnets. As an industry giant, Cloudflare can easily leverage its position by sharing information on more than 7 million websites it manages.

Cloudflare offers a free basic package with unmeasured DDoS mitigation. For those willing to pay for a Cloudflare business subscription (prices start at $ 200 or £ 149 per month), advanced protection is available such as: B. Uploading custom SSL certificates.

3. AWS Shield

AWS Shield protection is provided by the good folks at Amazon Web Services. The standard level is available to all AWS customers at no extra charge. This is ideal because many small businesses host their websites on Amazon. AWS Shield Standard is available to all customers at no additional charge. It protects against more typical network (Layer 3) and transport (Layer 4) attacks when using Amazon’s Cloud Front and Route 53 services.

This should deter all but the most determined hackers. Your bandwidth, e.g. 15 Gbps is still limited by the size of your Amazon instance, so hackers can perform a DoS attack if they have sufficient resources. Worse still, you remain responsible for paying for the additional traffic to your instance.

To mitigate this, Amazon also offers AWS Shield Advanced. A subscription includes DDoS cost protection that can save you from a huge spike in your monthly usage bill if you are the victim of an attack. AWS Shield Advanced can also deploy your ACLs (Access Control Lists) at the edge of the AWS network itself, offering you protection against even the most severe attacks.

Advanced subscribers also benefit from a DRT (DDoS response team) available around the clock as well as detailed measurement data on attacks on your instances. However, AWS Shield Advanced is expensive to hire. You must be willing to sign up for at least a year at a cost of USD 3,000 (£ 2,200) per month. This applies in addition to the usage costs for data transmission, which you can assume on the basis of “Pay as you go”.

Gaming Chair in Pakistan

4. Microsoft Azure

Like Amazon, Microsoft offers the option of renting service areas through its Azure service. All members benefit from basic DDoS protection. The functions include constant monitoring of data traffic and defense against network attacks (layer 3) in real time for all public IP addresses you use. This is the same type of protection that Microsoft’s own online services offer, and all of the resources on the Azure network can be used to defend against DDoS attacks.

For businesses that need more sophisticated protection, Azure also offers a standard tier. This has been widely recognized for being very easy to activate and requiring just a few clicks of the mouse. It is crucial that you do not have to make any changes to your apps in Azure, although the standard layer offers protection against DDoS attacks by the application (layer 7) via the web app firewall of the app gateway. The Azure monitor can show you real-time metrics when an attack occurs. These are kept for 30 days and can be exported for further investigation if desired.

Azure is constantly checking the web traffic to your resources. If these exceed a predefined threshold, DDoS mitigation starts automatically. This includes checking packages to make sure they aren’t buggy or counterfeit, as well as using rate limiting.

Standard protection is currently $ 2,944 (£ 2,204) per month plus data charges for up to 100 resources. The protection applies equally to all resources. In other words, you cannot adjust DDoS mitigation on an individual basis.

5. Verisign DDoS Protection / Neustar

Verisign is almost as old as the internet. Since 1995 it has grown from a simple certification body to a major player in the network services industry.

Verisign’s DDoS protection runs in the cloud. Users can redirect connection attempts by simply changing their Domain Name Server (DNS) settings. Traffic is sent to Verisign for review to prevent network attacks. Thoroughly review all traffic before redirecting it.

With Verisign operating two of the thirteen global route name servers, it should come as no surprise that the company also has several dedicated DDoS “scrubbing centers”. These analyze the data traffic and filter out incorrect connection requests. The combined infrastructure reaches nearly 2 TB / s and can block even the most overwhelming DDoS attacks.

Much of this is accomplished through Athena, Verisign’s threat prevention platform. Athena is roughly divided into three elements. The ‘Shield’ filters network (Layer 3) and transport (Layer 4) attacks via DPI (Deep Packet Inspection), Blacklists & Whitelists and Site Reputation Management. The Athena proxy checks HTTP headers for bad traffic the first time it tries to connect. The “proxy” and the “shield” are supported by Athena’s load balancer, which prevents attacks by the application (layer 7).

The customer portal shows detailed reports on traffic and allows you to configure your threat management, for example by creating connection blacklists. For users who do not want to deploy everything in the cloud, Verisign also offers Open Hybrid, which can be installed on site.