Radware this week launched a new service that protects against the latest crop of distributed denial-of-service (DDoS) attacks that target applications hosted on Amazon Web Services (AWS) and Microsoft Azure.
The application delivery and security vendor's DDoS protection service is available on an always-on or on-demand basis. In addition to a single interface that unifies anti-DDoS management and reporting for both on-premises and cloud environments, it offers protection against sophisticated techniques, according to Haim Zelikovsky, vice president of cloud services at Radware.
Flooding web services with junk traffic is a thing of the past, at least for attackers that prefer a more surgical approach.
"One of the most prominent trends that we saw in our global Cloud DDoS Protection services in 2016 was a sharp increase in the number SSL [Secure Sockets Layer] and application DDoS attacks. This is the result of attackers shifting from trying to overwhelm the internet pipes of organizations, towards more targeted DDoS attacks on the stateful servers in the networks, such as the network's SSL gateway and application servers," Zelikovsky told eSecurity Planet.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"Since SSL and application DDoS attacks target bottlenecks in the network architecture, they require significantly less attack resources compared to a network-level volumetric DDoS attack," continued Zelikovsky. "However, protecting from SSL and application DDoS attacks is much more complex than protecting from simple network-level DDoS attacks.
Methods used to uncover these types of attacks typically incur a performance penalty and come with their share of computational overhead.
"The regular technique for detecting and mitigating SSL DDoS attacks is to install a stateful detection and mitigation device that serves as a full reverse SSL proxy for all SSL connections -- it decrypts all SSL connections, inspects them, blocks any attack traffic, and then encrypts them again to resume the SSL session," Zelikovsky said. "This approach is pegged with multiple drawbacks, as it requires all SSL traffic, including the legitimate SSL traffic, to be decrypted, thus adding significant latency."
Like the DDoS attackers Radware defends against, the company's new service also adheres to a more targeted, resource-efficient approach.
"Our Cloud DDoS Solution involves decrypting only SSL connections that seems to 'misbehave' and are identified as potential SSL DDoS attackers based on their traffic patterns. In this approach, only the suspicious SSL connections are decrypted and inspected, which significantly lowers latency and increases overall performance."
Radware's new DDoS protection service is available now for applications on AWS and will be available for Microsoft Azure sometime in the second quarter.