DDoS Protection: The 5 Commandments

•Download as PPTX, PDF•

1 like•19,498 views

When choosing DDoS protection solution that will best ensure your business’ survival in the hostile virtual jungle, you should make sure this solution adheres to the following fundamental commandments...

Technology

DDoS Protection
The 5 Commandments of
DDoS Mitigation

Confidential

DDoS – The Basics

Volume Based Attacks
• Method: Include UDP floods, ICMP floods, and other spoofed packet
floods.
• Objective: Saturate the bandwidth of the attacked site.
• Magnitude: Typically measured in Bits per second.

Protocol Attacks:
• Method: Primarily SYN floods, but also fragmented packet attacks.
• Objective: Consume web server resources or intermediate communication
equipment, such as firewalls and load balancers.
• Magnitude :These are usually measured in Packets per second.

Application Layer Attacks
• Method: Unlike protocol attacks, these are comprised of legitimate and
seemingly innocent requests.
• Objective: Bring the application servers down.
• Magnitude: Requests per second.

Confidential

DDoS – Current and Future Trends

Volume Based Attacks are getting bigger
• More and more attacks over 20Gbps

Application Layer Attacks are becoming more frequent
• Targeting specific website platforms
• Targeting smaller websites

New Attack Types
• IP Range Blanket Bombing DOS Techniques
• Amplification through DNS requests to an Open DNS or open “public” SNMP

Confidential

The 5 Commandment of DDoS Mitigation

Confidential

Commandment 1:
Thou shall be invisible

Your users don’t need to know and don’t care
that you are under attack

People Don’t like to hang around in
“dangerous” places

People should be allowed to enter:
• Without delays
• Without being sent through holding areas &
splash screens
• Without being served outdated cached content

Confidential

Commandment 2:
Let he who is innocent step forward

Self Redemption is Key!!!

All users should be able to exonerate
themselves.

At the very least users should be
able to:
Shout out (complain)
Redeem themselves by
completing a CAPTCHA.

Confidential

Commandment 3:
Spare no bot but beware of those holier than thou

Block all Application Layer Bot Requests
• There is very little head room for most sites
• Even 50 excess page views/second can take
down your site, or slow it down.

Transparency should not come at the expense of
airtight protection

However, you must grant the “Internet Gods”
(Google, Bing, Pingdom, etc.) access at all times

Confidential

Commandment 4:
Absorb all that is cast upon you

Take Cover! Network attacks are getting
bigger

You must be able to take a
“20Gbps +” hit standing

You must have isolation
capabilities to prevent others from
trembling with you

Confidential

Commandment 5:
To err is Human. Precise Detection is divine

Automatic & Accurate DDoS detection is
just as important as effective mitigation

One shouldn’t be in “DDoS Mode”
unnecessarily and you can’t watch your
site 24x7x365

Real-time protection activation is
crucial, otherwise you’re going down

Confidential

Stay Safe
Marc Gaffan
Co-Founder, VP Marketing & Business-Development
marc@incapsula.com

Confidential

More from Imperva Incapsula

D3NY17- Customizing Incapsula to Accommodate Single Sign-On

Imperva Incapsula

D3NY17 - Migrating to the Cloud

Imperva Incapsula

IncapRules are an integral method to customize Incapsula for your specific applications and environment. However, we find that our enterprise clients may have questions on building advanced rules or need help understanding how to write them for complex scenarios. In this session, Jeff Serota, Technical Account Manager, discusses the interface, some of the most common filters and actions, and how a large client collaborated with our security team to thwart credential stuffing on their client self-service portal.

D3NY17- Using IncapRules to Customize Security

Imperva Incapsula

IncapRules are an integral method to customize Incapsula for your specific applications and environment. However, we find that our enterprise clients may have questions on building advanced rules or need help understanding how to write them for complex scenarios. In this session, Peter Klimek, Principal Security Engineer, discusses the interface, some of the most common filters and actions, and how a large client collaborated with our security team to thwart credential stuffing on their client self-service portal.

D3SF17- Using Incap Rules to Customize Your Security and Access Control

Imperva Incapsula

D3SF17- Boost Your Website Performance with Application Delivery Rules

Imperva Incapsula

D3SF17- A Single Source of Truth for Security Issues- Pushing Siem Logs to Cl...

Imperva Incapsula

D3SF17- Improving Our China Clients Performance

Imperva Incapsula

Moving your critical applications from on-premises servers to the cloud can be a daunting prospect — but it doesn't need to be. Drawing on over 5 years of experience bringing some of the largest CMS sites on the Web into the cloud, Vasken Hauri, VP of Engineering at 10up, covers the key aspects you'll need to consider to ensure a smooth and successful migration. He also touches on some best practices you can apply post-migration to keep your sites secure, performant, and worry-free in an era where our toasters can launch DDoS attacks.

D3SF17- Migrating to the Cloud 5- Years' Worth of Lessons Learned

Imperva Incapsula

D3SF17 -Keynote - Staying Ahead of the Curve

Imperva Incapsula

As more people shop online, it’s critical that your website meets—and even exceeds—their expectations. Online shoppers want sites that are easy to use and don’t waste their time. According to a recent Imperva Incapsula survey, more than 60% of users said they wouldn’t wait more than five seconds for a site to load. And almost 70% said that poor website performance would cause them to leave a site and never return. If you’re serious about reaping the benefits of the significant growth in online shopping, it’s time to get your web “house” in order. And a new free webinar from Imperva can help.

E-commerce Optimization: Using Load Balancing and CDN to Improve Website Perf...

Imperva Incapsula

A secure web server isn’t really secure if the infrastructure supporting it remains vulnerable. Unless you implement infrastructure protection, your non-HTTP assets are vulnerable and you may not be as protected as you think you are. You may be like others who need to get better DDoS protection but haven’t been able to or had to settle for an imperfect solution because of deployment limitations such as protocol dependencies and BGP restrictions. Incapsula IP Protection has now overcome these barriers — and we are the only service that can do it. At this webinar our product experts will discuss how Incapsula customers are adopting IP Protection and bringing their DDoS protection to the next level. We’ll also have a discussion with Imperva CISO Shahar Ben-Hador who will share insights on how we use IP Protection and real-world lessons learned. You need to protect more than just your web servers from DDoS attacks. We’ll address these questions: Why do you need to protect more than just your web servers? What were the limitations others ran into when they tried to do it? How did Incapsula help them overcome the limitations? ...and much more!

Protect Your Assets with Single IP DDoS Protection

Imperva Incapsula

DDoS attacks are bigger and more sophisticated than ever before. Odds are your business is going to be attacked – and without an effective mitigation strategy, you don't stand a chance. In this webinar Andrew Shoemaker a DDoS simulation expert from NimbusDDOS gives you a rare glimpse into how hackers find the weak points in your defenses and exploit them to level devastating DDoS attacks. You'll see real world examples of the tactics and methods used to create tailored DDoS attacks that can bring down a targeted network or application, and learn how best to defend them.

[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...

Imperva Incapsula

By Nabeel Saeed This presentation explores the current DDoS attack landscape, it covers the basics of DDoS attacks, current trends including the most recent results from the newly published 2015 Imperva Incapsula DDoS Report. It also discusses a detailed analysis of one of today’s modern, multi-vector DDoS attacks. While dissecting this DDoS attack, this presentation explores the anatomy and timeline of the attack, as well as the steps used to mitigate each phase of the assault. This session will close with a review of the aspects of effective DDoS protection solutions used to combat these sophisticated denial of service attacks.

An Inside Look at a Sophisticated Multi-Vector DDoS Attack

Imperva Incapsula

Migrating from Akamai to Incapsula: What You Need to Know

Imperva Incapsula

All too often, online threats such as DDoS attacks, scrapers, or traffic that consumes too much bandwidth are disrupting or slowing down SaaS websites. It is now more important than ever to keep website traffic flowing quickly without service interruptions. Tempus Technologies’ president, Jason Sweitzer, talks about the technological challenges his company faced and the solutions his team adopted to increase website acceleration and uptime. Join us for Incapsula’s free 30-minute webinar to learn how you can increase your website’s uptime and enhance its performance. We’ll be discussing opportunities SaaS companies can explore through WAF protection, frontend SSL, failover ISPs, and against DDoS attacks and using Incapsula solutions.

Incapsula: How to Increase SaaS Websites’ Uptime and Accelerate Performance

Imperva Incapsula

Application delivery controllers provide load balancing, acceleration, traffic shaping and other services that improve the performance, availability and security of web applications. But with more and more web application developers hosting their applications in the cloud, using application delivery hardware is often a non-starter. This presentation discusses the architecture of a new type of service called the Application Delivery Cloud. This new cloud service not only offers critical performance, availability and security capabilities to web application vendors, it goes beyond its hardware analog to deliver new capabilities that today’s applications require, including regional content policies and up-to-the-minute security intelligence.

Is the Cloud Going to Kill Traditional Application Delivery?

Imperva Incapsula

Joomla Security Simplified — Seven Easy Steps For a More Secure Website

Imperva Incapsula

Understanding Web Bots and How They Hurt Your Business

Imperva Incapsula

You’ve seen the headlines—"[Well-Known Company] Falls Victim To Hackers". These data breaches result in the theft of millions of names, passwords, credit card numbers, and other personal data. Imagine if such a breach lead to the theft of your application's data. . . If multi-national companies with dedicated security teams and expansive budgets aren’t immune to the impact of hackers, how can you adequately prepare yourself to defeat this threat? This presentation will explore the web application threat landscape. It will zero in on some of the most common attacks wreaking havoc on the internet, teaching you how to defend your online assets from them. This presentation will discuss: • The major security breaches of 2014 • Web application threats and common attack types • How to defend against today’s common attacks • Automated tools to help simplify website security

A DevOps Guide to Web Application Security

Imperva Incapsula

Mondrian, MySQL, Mongo, Casandra, Lucene. You name it, we tried it. As a startup looking for cost-efficient and scalable solutions to power our event processing and statistics backend, we gave almost every Big Data technology out there a go. What we learned from these experiences is that doing it yourself is better than using plug-and-play black box solutions. This presentation details the building of Incapsula’s Big Data system as a case study, examining the requirements and the different evolutionary phases it went through before becoming what it is today.

From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...

Imperva Incapsula

More from Imperva Incapsula (20)

D3NY17- Customizing Incapsula to Accommodate Single Sign-On

D3NY17 - Migrating to the Cloud

D3NY17- Using IncapRules to Customize Security

D3SF17- Using Incap Rules to Customize Your Security and Access Control

D3SF17- Boost Your Website Performance with Application Delivery Rules

D3SF17- A Single Source of Truth for Security Issues- Pushing Siem Logs to Cl...

D3SF17- Improving Our China Clients Performance

D3SF17- Migrating to the Cloud 5- Years' Worth of Lessons Learned

D3SF17 -Keynote - Staying Ahead of the Curve

E-commerce Optimization: Using Load Balancing and CDN to Improve Website Perf...

Protect Your Assets with Single IP DDoS Protection

[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...

An Inside Look at a Sophisticated Multi-Vector DDoS Attack

Migrating from Akamai to Incapsula: What You Need to Know

Incapsula: How to Increase SaaS Websites’ Uptime and Accelerate Performance

Is the Cloud Going to Kill Traditional Application Delivery?

Joomla Security Simplified — Seven Easy Steps For a More Secure Website

Understanding Web Bots and How They Hurt Your Business

A DevOps Guide to Web Application Security

From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...

Recently uploaded

ICT role in 21st century education and its challenges

rafiqahmad00786416

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

When you’re building (micro)services, you have lots of framework options. Spring Boot is no doubt a popular choice. But there’s more! Take Quarkus, a framework that’s considered the rising star for Kubernetes-native Java. It always depends on what's best for your situation, but how to choose the best solution if you're comparing 2 frameworks? Both Spring Boot and Quarkus have their positives and negatives. Let us compare the two by live coding a couple of common use cases in Spring Boot and Quarkus. After this talk, you’ll be ready to get started with Quarkus yourself, and know when to select Quarkus or Spring Boot.

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Jago de Vreede

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Introduction to use of FHIR Documents in ABDM

Kumar Satyam

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

Samir Dash

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

JohnPollard-hybrid-app-RailsConf2024.pptx

JohnPollard37

Architecting Cloud Native Applications

WSO2

Recently uploaded (20)

ICT role in 21st century education and its challenges

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

AWS Community Day CPH - Three problems of Terraform

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Introduction to use of FHIR Documents in ABDM

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

CNIC Information System with Pakdata Cf In Pakistan

How to Troubleshoot Apps for the Modern Connected Worker

MINDCTI Revenue Release Quarter One 2024

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Six Myths about Ontologies: The Basics of Formal Ontology

Corporate and higher education May webinar.pptx

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

presentation ICT roal in 21st century education

Strategies for Landing an Oracle DBA Job as a Fresher

JohnPollard-hybrid-app-RailsConf2024.pptx

Architecting Cloud Native Applications

DDoS Protection: The 5 Commandments

1. DDoS Protection The 5 Commandments of DDoS Mitigation Confidential

2. DDoS – The Basics Volume Based Attacks • Method: Include UDP floods, ICMP floods, and other spoofed packet floods. • Objective: Saturate the bandwidth of the attacked site. • Magnitude: Typically measured in Bits per second. Protocol Attacks: • Method: Primarily SYN floods, but also fragmented packet attacks. • Objective: Consume web server resources or intermediate communication equipment, such as firewalls and load balancers. • Magnitude :These are usually measured in Packets per second. Application Layer Attacks • Method: Unlike protocol attacks, these are comprised of legitimate and seemingly innocent requests. • Objective: Bring the application servers down. • Magnitude: Requests per second. Confidential

3. DDoS – Current and Future Trends Volume Based Attacks are getting bigger • More and more attacks over 20Gbps Application Layer Attacks are becoming more frequent • Targeting specific website platforms • Targeting smaller websites New Attack Types • IP Range Blanket Bombing DOS Techniques • Amplification through DNS requests to an Open DNS or open “public” SNMP Confidential

4. The 5 Commandment of DDoS Mitigation Confidential

5. Commandment 1: Thou shall be invisible Your users don’t need to know and don’t care that you are under attack People Don’t like to hang around in “dangerous” places People should be allowed to enter: • Without delays • Without being sent through holding areas & splash screens • Without being served outdated cached content Confidential

6. Commandment 2: Let he who is innocent step forward Self Redemption is Key!!! All users should be able to exonerate themselves. At the very least users should be able to: Shout out (complain) Redeem themselves by completing a CAPTCHA. Confidential

7. Commandment 3: Spare no bot but beware of those holier than thou Block all Application Layer Bot Requests • There is very little head room for most sites • Even 50 excess page views/second can take down your site, or slow it down. Transparency should not come at the expense of airtight protection However, you must grant the “Internet Gods” (Google, Bing, Pingdom, etc.) access at all times Confidential

8. Commandment 4: Absorb all that is cast upon you Take Cover! Network attacks are getting bigger You must be able to take a “20Gbps +” hit standing You must have isolation capabilities to prevent others from trembling with you Confidential

9. Commandment 5: To err is Human. Precise Detection is divine Automatic & Accurate DDoS detection is just as important as effective mitigation One shouldn’t be in “DDoS Mode” unnecessarily and you can’t watch your site 24x7x365 Real-time protection activation is crucial, otherwise you’re going down Confidential

10. Stay Safe Marc Gaffan Co-Founder, VP Marketing & Business-Development marc@incapsula.com Confidential

DDoS Protection: The 5 Commandments

Recommended

Recommended

More Related Content

More from Imperva Incapsula

More from Imperva Incapsula (20)

Recently uploaded

Recently uploaded (20)

DDoS Protection: The 5 Commandments