DDoS attacks may only make up a small percentage of security threats, but their consequences can be devastating. The country of Estonia was brought offline a few years back by a DDoS attack. Over the past year or so, Google, Amazon and Microsoft have been subjected to massive DDoS incursions. And DDoS attackers have adopted a tactic from ransomware groups and are seeking payment from victims and potential victims.
While there are some things security teams can do to lessen the impact of DDoS attacks, the growing sophistication of such attacks has sparked strong growth in the market for DDoS solutions, driven by the growth in DDoS itself.
Research by Cisco estimates the volume of DDoS attacks will surge from more than 10 million in 2021 to 15 million by 2023. Meanwhile, the 2021 State of the Data Center Industry research report placed DDoS second only to ransomware as the threat that most worries the enterprise.
According to Imperva Research Labs, DDoS attacks tend to come in waves. Recently, ransom DDoS attacks have been launched with the intent of crippling the victim’s network and applications unless a ransom is paid. Often, the cybercriminals behind these threats will carry out a small demonstration attack to show that they are capable of what they are threatening to do.
The most recent wave happened in December 2021. NetScout’s latest Threat Intelligence Report found more DDoS attacks in the first half of 2021 than in the whole of 2020. This includes multi-vector DDoS attacks, which combine several attack techniques to amplify their effect; 31 vectors were deployed in a single attack against one organization in 2021. On average, multi-vector attacks using 20-plus vectors spiked by 106%.
The sheer amount of bandwidth at any attacker’s disposal means that organizations must now routinely defend against very large attacks. The trend has held across the successive waves of DDoS extortion campaigns observed since 2020: the initial wave of attacks averaged about 200 Gbps, but by the third wave Akamai observed and mitigated attacks upward of 800 Gbps, and some have cleared 2 Tbps.
“Since the barrier-to-entry for threat actors is now lower than ever with easily accessible DDoS-for-hire services and IP stressers, compromised IoT devices can and will drive this growth,” said Charles Choe, Senior Product Marketing Manager at Akamai. “IoT devices coupled with the growth of edge computing endpoints that can be exploited alongside new amplification and reflection techniques will continue to drive larger and more sophisticated attacks.”
Key DDoS Protection Features
Core DDoS solution features include detection of the early stages of an attack, the scale to absorb the volume of traffic, and the ability to mitigate the source of the attack. This can be done via static or custom rules, or through an evolving set of defensive actions as the attack morphs toward additional targets.
A good DDoS protection solution should offer:
- A service level agreement with a guaranteed time to mitigation (TTM)
- Consistent application uptime and availability
- Quality and accuracy of mitigation
- Fast and simple on-boarding
- Integrations with Terraform and other APIs
In addition, most DDoS mitigation solution providers bundle Web Application Firewall functionality to prevent DDoS attacks at the application layer. However, voice over IP (VoIP) and telecom-based DDoS campaigns are very much on the rise. As it is not a traditional web application, IT teams should verify that VoIP protection is included in their DDoS solution to effectively protect voice, communication, and collaboration applications.
Top 8 DDoS Protection Services
Most of the vendors listed here scored well in the Forrester DDoS Wave. In addition to handling traditional DDoS attacks, they incorporate cloud, mobile and IoT features, as well as a number of advanced features and services.
Akamai offers three purpose-built cloud solutions to provide end-to-end DDoS defense for organizations. The combination of Prolexic, Edge DNS, and App & API Protector is recommended for the highest quality of DDoS mitigation to keep applications, data centers, and internet-facing infrastructure (public or private) protected. Effective mitigation techniques are available for all classes of application-layer DDoS/DoS attacks, including those designed to exhaust resources, those that exploit vulnerabilities that can cause availability issues (such as buffer overflows), those that exploit flaws in application business logic or compromise API infrastructure, and attacks performed by bots.
- Akamai’s Prolexic global security operations centers (SOCCs) provide fully managed DDoS protection, backed by industry-leading service level agreements and support. It combines mitigation with Akamai’s security operations centers to stop attacks across all ports and protocols before they become business-impacting events.
- Edge DNS is a DNS service that moves DNS resolution from on premises or data centers to the Akamai Intelligent Edge. It is architected for nonstop DNS availability and high performance, even across the largest DDoS attacks. It can be deployed as a primary or secondary solution with optional DNSSEC support to protect against DNS forgery and manipulation.
- Akamai also offers extremely robust protection against DDoS attacks at the application layer via its WAAP solution known as App & API Protector.
- Prolexic offers over 10 Tbps of dedicated DDoS scrubbing capacity to mitigate attacks instantly, backed by a zero-second SLA.
- Over 225 Akamai SOCC frontline responders act as an extension of a customer’s incident response team, balancing automated detection and response with human engagement.
- Custom runbook/tabletop attack drills are provided to optimize incident response and maintain operational readiness.
Imperva DDoS Protection can protect any type of asset with a 3-second time to mitigation for any type of attack. Onboarding is said to be easy and fast, while operation is simplified with out-of-the-box policies and self-adaptive tuning capabilities. Visibility and reporting are augmented by Imperva Attack Analytics, which provides a holistic view of all attack types and layers and correlates them to accelerate investigation while reducing alert fatigue. Imperva works across a range of industries, including eCommerce, energy, financial services, gaming, healthcare, manufacturing and technology.
- Protects websites, networks, DNS and individual IPs
- Stops Layer 3, 4 and 7 attacks
- Capacity of 9 Tbps, 65 Gpps
- 24×7 Support and SOC with global coverage
- A single stack architecture reduces latency and results in fast remediation of DDoS attacks and other web application threats
- Each of the 50 points of presence (PoPs) within the Imperva global network runs all security services (DDoS, WAF, API security, bot management)
- Imperva provides a 3-second mitigation SLA for any DDoS attack, regardless of type, size or duration, without disrupting legitimate traffic
- Delivers real-time visibility into DDoS threats with reporting and attack correlation through Imperva Attack Analytics or a SIEM integration
- Self-adaptive security policies, self-service configuration and Terraform and API support
Radware offers DDoS protection across any infrastructure implementation for the public cloud, the enterprise, and specifically for service providers. It secures the data center, private cloud, public cloud and 5G infrastructure using a solution that is agnostic to the environment and was designed to help service providers protect large-scale networks.
- Radware’s attack mitigation architecture is flexible and extensible
- Can be tailored to customers such as telecom and cloud operators
- Wide security coverage with automated zero-day DDoS attack protection
- Offers hybrid, always-on and on-demand cloud DDoS service deployment options
- Cloud SSL-attack protection that maintains user data confidentiality
- Single pane of glass with unified portal and fully managed service by Radware’s Emergency Response Team
- Also offers web application security for integrated application and network security
- Combines always-on detection and mitigation with cloud-based volumetric DDoS attack prevention, scrubbing, and 24×7 cyberattack and DDoS security
Cloudflare’s cloud-based DDoS protection system can deal with layer 7 attacks as well as layer 3 and layer 4 attacks. Instead of using dedicated anti-DDoS hardware, every machine in its global network takes part in DDoS mitigation. Its DDoS protection secures websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised.
- Cloudflare’s 100 Tbps network blocks an average of 76 billion threats per day, including some of the largest DDoS attacks in history
- Its unmetered, always-on DDoS protection for web assets (HTTP/HTTPS) is backed by intelligence harnessed from Cloudflare’s global network
- Works in tandem with Cloudflare’s cloud web application firewall (WAF), Bot Management, and other L3/4 security services to protect assets from cyber threats
- Cloudflare Spectrum is a reverse proxy service that provides DDoS protection for any application (not just the web), such as FTP, SSH, VoIP, gaming, or any application running over a TCP/UDP protocol, and comes with built-in load balancing and traffic acceleration for L4 traffic
- Cloudflare Magic Transit provides BGP-based DDoS protection for network infrastructure, either in always-on or on-demand deployment modes
- Data centers in 250 cities across 100 countries announce customer subnets to ingest network traffic and mitigate threats close to the source of the attack
- Centralized and decentralized mitigation systems work in concert to identify and mitigate most DDoS attacks in under 3 seconds
- Preconfigured static rules are deployed in less than 1 second
- Built-in analytics give insights into traffic patterns, threats observed (and blocked) from the dashboard or via the Cloudflare GraphQL API
- Can be integrated with third-party SIEMs
Neustar UltraDDoS Protect offers 12+ Tbps of DDoS mitigation and a global dedicated data scrubbing network to help maintain an online presence, reduce the threat of theft, and protect the bottom line. Neustar offers on-premises hardware to stop smaller attacks instantly, plus the UltraDDoS Protect cloud for when attack volume and complexity explode.
- Automation that moves attacks into mitigation quickly
- Always-ready options for DNS, BGP, and hybrid configurations
- Carrier-class DDoS mitigation that includes a massive network of dedicated scrubbing capacity
- OSI Layer 3, Layer 4, Layer 7 and IPv6 capable
- Globally positioned scrubbing infrastructure
- Harnesses multiple DDoS mitigation vendor technologies including Arbor, Cisco, Citrix, Juniper, HP, Neustar
- Multiple Tier 1 internet network providers
- Offers on-premises hardware and cloud-based protection
- Neustar can secure VPN connections via VPN Protect
- Can connect to 61 global data centers for traffic control and increased security
To stop sophisticated DDoS attacks, NetScout offers a portfolio of DDoS attack protection products and services that enable organizations to customize a solution hosted in the cloud, on premises, or both. Hybrid stateless, on-premises and cloud protection can stop today’s high-volume attacks, which often exceed 600 GB/sec, as well as stealthy application-layer attacks against stateful infrastructure devices such as firewalls, IPSs, and ADCs.
- Located on premises, the NetScout Arbor Edge Defense (AED) is an in-line, always-on product that can automatically detect and stop all types of DDoS attacks – especially low and slow application-layer attacks
- Placed on the network edge between the router and network firewall to provide best-of-breed DDoS protection, AED screens incoming and outgoing traffic using stateless packet processing technology
- Scales easily and blocks inbound DDoS attacks and indicators of compromise in bulk
- Its Cloud Signaling capability automatically routes traffic to one of 14 scrubbing centers for analysis and mitigation to stop the attack within minutes
- The ATLAS Security Engineering and Response Team (ASERT) provides real-time attack information that enables it to automatically block up to 90% of DDoS attack traffic before it starts inspecting the first attack packet
- Suite of automated countermeasures that identify and block more complex attacks at the network or application layers
- Stops threats such as scanning, brute force password attempts, and known Indicators of Compromise (IoCs)
- Blocks outbound traffic from compromised internal device communications with known bad sites (e.g. attacker command & control infrastructure)
Ribbon offers a suite of core Session Border Controllers with advanced DDoS detection and mitigation capabilities. It provides DDoS detection and mitigation through configuration and dynamic adaptation at scale, with little to no impact on traffic throughput or packet processing.
- ACL policing: access control lists allow traffic only from trusted, pre-configured IP addresses
- IP address learning: when the IP addresses used by valid peers/endpoints are not known in advance or may change dynamically, peers are confirmed as trusted only after receipt of specific valid SIP requests
- Media packet policing: media packets are accepted only if they correspond to a session negotiated via SIP/SDP signaling
- Media address learning: if the peer media address advertised in SIP/SDP does not match the actual source address of the RTP packets, the peer media address can be learned from the packets and used to police subsequent packets
- Priority-aware packet policing: SIP signaling packets are rate-limited per microflow, and packets from authenticated sources get higher priority than those from unknown sources, increasing the likelihood that legitimate traffic gets through while malicious traffic is stopped
- Application-level call admission control (CAC) rate-limits traffic per peer, IP trunk or IP trunk group, and can also be used to limit bandwidth usage
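The media packet policing, media address learning and priority-aware SIP policing rules listed above, modelled as an added example (this is illustrative code, not Ribbon's implementation): `SbcPolicer`, its method names, the constructed sample SDP and the per-tick packet budgets are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample SDP body from a peer offering audio on 192.0.2.5:4000.
SAMPLE_SDP = "v=0\nc=IN IP4 192.0.2.5\nm=audio 4000 RTP/AVP 0\n"


class SbcPolicer:
    """Toy model of SBC packet policing: media packets pass only on a local port
    reserved by SIP/SDP negotiation, the peer media address can be learned when the
    advertised address differs from the real source, and SIP signaling is
    rate-limited per source with a larger budget for authenticated (trusted) sources."""

    def __init__(self, trusted_rate=50, unknown_rate=5):
        self.sessions = {}                 # local RTP port -> session state
        self.trusted = set()               # ACL: pre-configured trusted peer IPs
        self.budget = {True: trusted_rate, False: unknown_rate}
        self.sip_seen = defaultdict(int)   # (src_ip, tick) -> SIP packets seen

    def add_trusted(self, ip):
        self.trusted.add(ip)

    def negotiate(self, call_id, local_port, peer_sdp):
        """Reserve local_port for the RTP stream the peer advertised in its SDP."""
        ip = re.search(r"^c=IN IP4 (\S+)", peer_sdp, re.M).group(1)
        port = int(re.search(r"^m=audio (\d+)", peer_sdp, re.M).group(1))
        self.sessions[local_port] = {"call": call_id, "adv": (ip, port), "latched": None}

    def police_media(self, src_ip, src_port, local_port, learn=True):
        """True if an RTP packet from (src_ip, src_port) to local_port may pass."""
        s = self.sessions.get(local_port)
        if s is None:
            return False                   # no negotiated session on this port
        src = (src_ip, src_port)
        if s["latched"] is None:
            # First packet: accept the advertised address, or (if learning is on)
            # latch onto the source the media really comes from, e.g. behind NAT.
            # Simplification: the first packet wins; real SBCs bound this window.
            if src == s["adv"] or learn:
                s["latched"] = src
                return True
            return False
        return src == s["latched"]         # afterwards only the latched source passes

    def police_sip(self, src_ip, tick):
        """Priority-aware SIP policing: per-source, per-tick budget, larger if trusted."""
        key = (src_ip, tick)
        self.sip_seen[key] += 1
        return self.sip_seen[key] <= self.budget[src_ip in self.trusted]
```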
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. It defends against the most common, frequently occurring network and transport layer attacks that target web sites or applications. It provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
- No need to engage AWS Support to benefit from DDoS protection
- All AWS customers benefit from the automatic protections of AWS Shield Standard at no additional charge to defend against most of the common, frequently occurring network and transport layer DDoS attacks
- Using AWS Shield Standard with Amazon CloudFront and Amazon Route 53 provides comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks
- For higher levels of protection against attacks targeting applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, the company offers AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against sophisticated and large DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall.
- AWS Shield Advanced offers 24×7 access to the AWS Shield Response Team (SRT) and protection against DDoS related spikes in Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges.