O'Reilly Modern Defense in Depth

latency caused by DoS attacks can be disastrous for organizations, so having a caching line of defense can not only protect cloud-based applications serving static content, but also protect downstream origins providing dynamic content.

Although caching is not always thought of as a line of defense, it can play an important role. One reason is that, at times, the upstream lines of defense might not immediately block all unwanted traffic, primarily because of the time between detection and "engaging" mitigation. For example, when suspected malicious bots are being challenged by the bot manager implementation in defensive line 5, small amounts of bot traffic might leak through before mitigation is engaged. When caching is enabled, in many cases the bots are repeatedly requesting only content that is already cached. This protects the origin servers while mitigation is being engaged upstream.

Example of Caching's Value

Recently, the website of a well-known internet service provider came under an application layer (L7) DDoS attack. Because the attack was initiated by malicious bots, the upstream bot manager line of defense they had deployed was capable of mitigating the vast majority of the DDoS attack. A minor amount of attack leakage occurred due to the time from detection to attack mitigation. However, the leakage was fully defeated by the caching line of defense, and the origin servers did not see the L7 DDoS attack at all. The provider's website was fully protected, and no impact was experienced.

Conclusion

In this chapter, we looked closely at the various lines of defense that are desperately needed to protect public-facing web applications deployed in cloud environments. Because each defensive line provides different functionality, and they block attacks at different layers of the overall protocol stack (that is, the OSI Model), if one defensive line is missing, not operational, or not functioning optimally, the entire defensive posture can be severely affected. Therefore, I recommend that when your organization begins searching for a cloud provider to host your public-facing web applications,

26 | Chapter 3: Cloud-Based Lines of Defense for Web Application Security
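A toy simulation of the caching argument made earlier on this page (a bot manager with a detection-to-mitigation delay upstream of a cache, with an origin behind both). This is an added example, not code from the report; the attack traffic, the fixed detection delay and the bot manager's perfect verdicts are constructed assumptions.

```python
"""Toy model: bot manager (defensive line 5) in front of a cache, in front of an origin."""
from dataclasses import dataclass


@dataclass
class Request:
    t: float       # arrival time in seconds
    is_bot: bool   # ground truth; the modelled bot manager is assumed to classify correctly
    path: str


@dataclass
class Stats:
    blocked: int = 0      # stopped by the bot manager
    leaked: int = 0       # bot requests that passed before mitigation engaged
    cache_hits: int = 0   # served from cache; the origin never saw them
    origin_hits: int = 0  # reached the origin


def simulate(requests, detect_delay, cache_ttl, attack_start=0.0):
    """Replay requests through both lines. Assumption: the bot manager blocks all bot
    traffic once attack_start + detect_delay has elapsed (a fixed detection-to-mitigation
    gap), and the cache keeps each path for cache_ttl seconds after fetching it."""
    expiry = {}  # path -> time until which the cached copy is valid
    stats = Stats()
    for r in sorted(requests, key=lambda r: r.t):
        if r.is_bot:
            if r.t >= attack_start + detect_delay:
                stats.blocked += 1
                continue
            stats.leaked += 1  # leakage: this is what the cache has to absorb
        if expiry.get(r.path, -1.0) > r.t:
            stats.cache_hits += 1
        else:
            stats.origin_hits += 1
            expiry[r.path] = r.t + cache_ttl
    return stats


def l7_flood(start, duration, rate, paths):
    """Constructed attack traffic: bots hammering a few cacheable paths at `rate` req/s."""
    return [Request(start + i / rate, True, paths[i % len(paths)])
            for i in range(int(duration * rate))]


def compare(detect_delay=2.0, cache_ttl=60.0):
    """Same 10 s flood at 100 req/s replayed with caching disabled (ttl 0) and enabled."""
    traffic = l7_flood(0.0, 10.0, 100.0, ["/", "/index.html"])
    return simulate(traffic, detect_delay, 0.0), simulate(traffic, detect_delay, cache_ttl)
```

With a 2 s detection delay the bot manager stops 800 of the 1,000 bot requests either way; without a cache all 200 leaked requests reach the origin, while with caching enabled the origin answers only the first fetch of each path.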
