eBooks

OreillyMultiCloudFinalEBOOK


Issue link: https://hub.dyn.com/i/1119883


Another way to protect against some types of application-layer DDoS attacks is to use different types of challenges. We discussed this type of protection earlier when we took a look at bot protection. Some types of application-layer DDoS attacks behave similarly to bots. In fact, they often use the same underlying technology. This means that they can be stopped by using many of the same techniques.

Presenting suspicious traffic with a CAPTCHA or a JavaScript challenge before it can proceed to the targeted web application will allow you to quickly distinguish between malicious and legitimate traffic. These types of interrogating behaviors don't need to be applied universally. Instead, you can build rules that look for traffic patterns outside the norm and deploy the checks only when those patterns are identified. The advantage of this methodology is that you don't need to identify suspicious traffic, only traffic that lies outside of normal behavior. A disadvantage of this approach is that you run the risk of slowing down legitimate requests, which can cause clients to abandon the web application entirely.

Network-Layer DDoS Protection

The second type of DDoS attack is one that occurs at the network layer. These attacks use network protocols, such as DNS, Network Transfer Protocol (NTP), or Memcached, to flood an entire network with so much traffic that all of the systems are overwhelmed. The largest network-layer DDoS attack ever reported generated 1.35 terabits per second of sustained traffic, which is more than all but the largest of networks can handle.

Network-layer DDoS protection involves different types of security measures that should be implemented at the network layer. Most cloud providers will not be able to stop these attacks at your edge. The trick is to put DDoS protections in place that will intercept malicious network traffic and stop it before it has a chance to even reach the cloud provider. DDoS protection services monitor for malicious traffic and stop it even before it can reach the edge of your architecture. Unlike application-layer DDoS attacks, network-layer attacks don't "blend in" with existing traffic in your network, so there is little chance of disrupting legitimate traffic to your web application while stopping the DDoS attack.
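The selective challenge rule from the application-layer discussion above can be sketched as follows. This is an added example, not code from the ebook: it learns a per-client request-rate baseline from a training period and flags only clients whose rate falls outside it, leaving everyone else unchallenged. The window size, the `K` multiplier, the median-plus-MAD threshold and the client names are assumptions chosen for illustration, and the traffic is constructed.

```python
from collections import Counter
from statistics import median

WINDOW = 10  # seconds per counting window (assumed value)
K = 5        # tolerated deviations above the median (assumed value)

def window_counts(events):
    """Map window index -> Counter of requests per client."""
    counts = {}
    for ts, client in events:
        counts.setdefault(ts // WINDOW, Counter())[client] += 1
    return counts

def learn_threshold(counts, training_windows):
    """Describe 'normal' as median + K * MAD of per-client counts."""
    samples = [n for w in training_windows
               for n in counts.get(w, Counter()).values()]
    med = median(samples)
    mad = median(abs(n - med) for n in samples)
    # Floor the deviation at 1 so a perfectly flat baseline
    # does not leave a zero margin and challenge everyone.
    return med + K * max(mad, 1)

def decide(counts, threshold, windows):
    """Return {window: {client: 'challenge' | 'allow'}}."""
    return {w: {c: ("challenge" if n > threshold else "allow")
                for c, n in counts.get(w, Counter()).items()}
            for w in windows}

def sample_events():
    """Constructed traffic: five steady clients, one burst client from t=30."""
    events = [(t, f"client-{i}") for t in range(60)
              for i in range(5) if t % 5 == i]
    events += [(t, "client-x") for t in range(30, 60) for _ in range(4)]
    return sorted(events)

def run_demo():
    counts = window_counts(sample_events())
    threshold = learn_threshold(counts, training_windows=range(0, 3))
    return threshold, decide(counts, threshold, windows=range(3, 6))

if __name__ == "__main__":
    threshold, verdicts = run_demo()
    print("challenge above", threshold, "requests per window")
    for window, verdict in verdicts.items():
        print(window, verdict)
```

A tighter `K` catches slower floods but challenges more legitimate clients, which is the abandonment trade-off the text describes.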
