SlideShare une entreprise Scribd logo

F5 Networks: The Right Way to Protect Against DDoS Attacks (Business White Paper)

F5 Networks
F5 Networks

CIOs want harmony. Security directors loathe point products. Network operations won’t buy into anything new. CIOs can get the harmony they need around DDoS mitigation by extending the F5 Application Delivery Controller into a hybrid solution: on-premises with a new cloud component. F5 Networks: The Right Way to Protect Against DDoS Attacks (Business White Paper)

Technologie
1  sur  8
Télécharger pour lire hors ligne
The Right Way to Protect Against DDoS Attacks CIOs want harmony. Security directors loathe point products. Network operations won’t buy into anything new. CIOs can get the harmony they need around DDoS mitigation by extending the F5 Application Delivery Controller into a hybrid solution: on-premises with a new cloud component. White Paper by David Holmes
2 White Paper The Right Way to Protect Against DDoS Attacks Contents Introduction 3 What Every CIO Really Wants 3 The Right Way to Protect Against DDoS Attacks 4 CIOs Should Get What They Want 5 Why the CIO Needs On-Premises DDoS Protection 5 Why the CIO Needs Cloud 5 On-Premises and in the Cloud: the Ultimate Solution 7 Conclusion 8
3 White Paper The Right Way to Protect Against DDoS Attacks Introduction DDoS attacks are constantly changing. While the objective of the attack is still to cause a service outage, attacks and attackers are becoming more sophisticated. The motivation behind the attacks is increasingly financial or political—with more serious consequences for the targeted victims. High-profile organizations, such as financial institutions, governments, and service providers, continue to be targets. But a rising number of everyday businesses also report DDoS attacks. The escalating incidence and severity of these attacks has made DDoS expertise a high priority for many a CIO when searching LinkedIn profiles. The problem CIOs face now is how to choose a solution. Media frenzy around DDoS has also brought many vendors into the market, but with mixed results. The efforts of content delivery networks (CDNs) to extend into the market have largely fallen flat. Other cloud solutions have mismanaged themselves into isolation and obscurity by acquisition. Meanwhile, on-premises DDoS solutions have been unable to expand outside their point products to deliver any value beyond mitigation. To this day, if they aren’t being used for a DDoS attack, they are just drawing power, subtracting budget, and adding latency. Service providers are in the right place at the right time with a narrow scope of volumetric protection, typically at a low cost. But anecdotal reports from many customers suggest that with regard to quality, the adage applies: You get what you pay for. What Every CIO Really Wants CIOs and their security directors want confidence in their DDoS mitigation system. To achieve this, they need a solution with the following properties: • Defend: Must have a cloud component for volumetric attacks. • Block: Must be able to block application DDoS without requiring SSL key surrender. • Deploy: Must be acceptable to the network operations team. The CIOs and the security directors are tired of point products. For example, security directors have reported that while their organizations have purchased as many as 200 different point products for security and analysis, it’s not uncommon for operations teams to install only a few. The rest remain shelfware. 3
4 White Paper The Right Way to Protect Against DDoS Attacks Many CIOs have been unable to turn to the cloud for their application security needs because of a critical factor—SSL. As more and more applications become protected with SSL, cloud solutions are prevented from monitoring and mitigating application-level attacks such as GET floods. An on-premises solution is required for SSL and a cloud component is required for volumetric attacks. The Right Way to Protect Against DDoS Attacks F5 has championed a unique on-premises value proposition. By integrating a network firewall into the Application Delivery Controller (ADC) and combining SSL termination with OWASP Top-Ten mitigation at a second tier, F5 has met two of three critical needs. And with F5® Silverline™ DDoS Protection—a service delivered via the F5 Silverline cloud-based platform—F5 now has the final piece of the puzzle that gives the CIOs exactly what they’re looking for. F5’s unique, hybrid DDoS mitigation solution protects against volumetric attacks from the cloud, handles application level attacks on premises, and is instantly acceptable to network operations teams, many of which already trust F5. VXLAN NVGRE VLANS Physical • SDN • OpenStack • Overlay High-Performance Services Fabric VE SoftwareHardware Cloud Software-Defined Application Services Customer Scenarios iApps iCall iRules Control Plane Data Plane F5 Platform ProfessionalServicesandSupport +GBBLicensing:Best+IPIntelligence+SilverlineDDoSProtection Programmability iControl RESTiControl SOAP Network DDoS Attack DNS DDoS Attack SSL DDoS Attack Application DDoS Attack Orchestration ScaleN DDoS Protection Data Center Firewall Figure 1: A comprehensive DDoS solution includes both cloud and on-premises components.
5 White Paper The Right Way to Protect Against DDoS Attacks CIOs Should Get What They Want Why the CIO Needs On-Premises DDoS Protection When F5 first provided DDoS protection in 2001, the attacks were crude, with many SYN floods and simple network-level attack vectors. Attackers have since become more sophisticated, with multiple methods for bringing down a host (or network) or clogging an ingress (or even an egress) pipe. The most common attack today is the customized GET flood. In this attack, the perpetrator will spider the target website to find all the expensive database queries and large PDF files that might litter the brochureware section of the marketing site on the server. With this list in hand, the attacker will then repeatedly request these resources. It can be difficult to distinguish between malevolent and legitimate requests for data. Increasingly, these requests are delivered via SSL-encrypted connections. The encryption prevents cloud solutions from being used to mitigate or even analyze the problems. CIOs need on-premises protection that can decrypt the traffic, see the aggregate of the malicious requests, and then attempt to mitigate. The F5 solution inserts itself into the traffic, making the analysis and then injecting challenges into the steam itself. Security teams have leveraged the programmability of the F5 platform to do exactly this kind of work for years. Why the CIO Needs Cloud Recently, three different types of so-called amplification attacks were used to cast enormous storms of volumetric traffic. In 2013, the DNS infrastructure was weaponized during an attack against the Spamhaus project. The attack leveraged over 20 million misconfigured DNS servers. The Open Resolver Project handily provides a list of the servers, which are basically a public botnet for anyone smart enough to figure out how to forge spoofed DNS requests. Despite some early publicity, the number of open resolvers is actually continuing to grow at an alarming rate. Given the effectiveness of these DNS amplification attacks, it’s a wonder that we’re not seeing these open servers in attacks used more often.
6 White Paper The Right Way to Protect Against DDoS Attacks Just a few months after the Spamhaus event, another Internet protocol was found to be susceptible to mass manipulation. This time it was the dated Network Time Protocol (NTP). An administrative door had been left open that allowed anyone to request that the NTP server reply with a list of the previous 600 clients. The source of the request was never validated, so thousands of NTP servers could easily be asked to blast a target with millions of responses, quickly filling the target’s ingress avenue. On February 11, 2014, the DERP Trolling group used this technique to attack the gaming servers being used by a gaming rival. Finally, attackers have been abusing the clunky SNMP protocol. In one case documented by the SANS institute, video conferencing systems amplified SNMP “GetBulk” requests to attack with a multiplier of nearly 700 times. This led SANS to suggest that the attack may be a showcase for a whole new Internet category: the “Internet of DDoS Things.” [CPU] 350,000 0 300,000 250,000 200,000 150,000 100,000 50,000 DEC 13 100 GBPS JAN 14 150 GBPS FEB 14 325 GBPS Figure 2: 2014 volumetric attack trend. The trend shows that attackers keep inventing ways to turn the Internet against itself. The sizes of their peak volumetric attacks continue to grow. No amount of JavaScript challenges or rate-limiting is going to deal with all the traffic on premises. A cloud solution with terabits of capacity is the only solution for these attacks.
7 White Paper The Right Way to Protect Against DDoS Attacks These types of volumetric attacks are exactly what F5 Silverline DDoS Protection is designed to defend against. Organizations can use the Silverline DDoS Protection subscription offering, Always Available™, as a primary level of defense, or use the Ready Defense™ option as a secondary, backup cloud service. On-Premises and in the Cloud: the Ultimate Solution CIOs need an on-premises solution that is acceptable to the network operations team. They also need a cloud component to be an insurance policy against hurricane-sized DDoS storms. What would be even better? A hybrid solution where each side is aware of the other. Until flow-based detection and mitigation standards are in place, CIOs must rely on a vendor solution. • F5’s on-premises component has value beyond mitigating attacks. All other on- premises solutions are specific to DDoS mitigation, whereas the F5 DDoS technology is integrated into components that serve other functions such as network firewall protection or PCI compliance through the web application firewall. This means that the solution is not just a policy; it provides value every day, delivering the business application and protecting it from OWASP Top Ten. A CIO can then leverage the investment in the F5 solution, rather than in a point product, to solve other problems for the organization. • The acceptance and successful deployment of the solution by the network operations team must be considered. Because F5 is ubiquitous throughout major data centers, it is already an accepted and embraced vendor. In many cases, implementing DDoS solutions for F5 is as simple as activating code that is already resident at the ADCs. • F5 offers defensive technologies such as SSL tunnels, global load balancing, application monitoring, user authentication, and context tracking. Imagine these technologies working together across the barrier between on-premises and cloud. Or between data centers. Or orchestrating the mitigation of application DDoS attacks among multiple data centers—from a cloud built around the same F5 solutions that exist in each of the data centers. With its cloud operation centers and professional services, F5 is a veteran in DDoS mitigation. The experience of owning the data center solution and the cloud solution—and understanding trends in both attacks and in the marketplace—makes F5 uniquely positioned to execute on its vision of comprehensive DDoS protection.
White Paper The Right Way to Protect Against DDoS Attacks ©2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 1014 WP-SEC-31418-ddos-update Americas info@f5.com F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com Asia-Pacific apacinfo@f5.com Europe/Middle-East/Africa emeainfo@f5.com Japan f5j-info@f5.com Conclusion CIOs should get what they want—assurance. For DDoS, that assurance will come when these needs are met: • The data center is able to block network volumetric attacks and application DDoS attacks, ideally without using point products. • The CIO knows that the chosen solution will be embraced by the operations team. • The organization has a cloud component for volumetric attacks. The answer to these needs has crystallized into the F5 DDoS Protection solution. Consider: The on-premises solution provides the value of delivery applications every day of the year. It will also be deployed, since it isn’t just another point product and F5 is a trusted vendor. F5’s application security protection, which is counterbalancing the OWASP Top Ten, can also provide the application layer DDoS protection. The F5 cloud component provides that final insurance policy against volumetric attacks, too. Only F5 is putting all of these factors together in a single, unified solution—protecting your organization now and into the future.

Recommandé

The F5 DDoS Protection Reference Architecture (Technical White Paper)
The F5 DDoS Protection Reference Architecture (Technical White Paper)The F5 DDoS Protection Reference Architecture (Technical White Paper)
The F5 DDoS Protection Reference Architecture (Technical White Paper)
F5 Networks
 
Scaling Mobile Network Security for LTE: A Multi-Layer Approach
Scaling Mobile Network Security for LTE: A Multi-Layer ApproachScaling Mobile Network Security for LTE: A Multi-Layer Approach
Scaling Mobile Network Security for LTE: A Multi-Layer Approach
F5 Networks
 
The F5 Networks Application Services Reference Architecture (White Paper)
The F5 Networks Application Services Reference Architecture (White Paper)The F5 Networks Application Services Reference Architecture (White Paper)
The F5 Networks Application Services Reference Architecture (White Paper)
F5 Networks
 
Using Docker container technology with F5 Networks products and services
Using Docker container technology with F5 Networks products and servicesUsing Docker container technology with F5 Networks products and services
Using Docker container technology with F5 Networks products and services
F5 Networks
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of Things
Peter Silva
 
Company Profile: F5 Networks’ Traffix Signaling Delivery Controller and BIG-I...
Company Profile: F5 Networks’ Traffix Signaling Delivery Controller and BIG-I...Company Profile: F5 Networks’ Traffix Signaling Delivery Controller and BIG-I...
Company Profile: F5 Networks’ Traffix Signaling Delivery Controller and BIG-I...
F5 Networks
 
F5 Application Delivery Optimization
F5 Application Delivery OptimizationF5 Application Delivery Optimization
F5 Application Delivery Optimization
F5 Networks
 
Intrinsic Security—The Key to Effective Hybrid DDoS Protection
Intrinsic Security—The Key to Effective Hybrid DDoS ProtectionIntrinsic Security—The Key to Effective Hybrid DDoS Protection
Intrinsic Security—The Key to Effective Hybrid DDoS Protection
F5 Networks
 

Recommandé

The F5 DDoS Protection Reference Architecture (Technical White Paper)
The F5 DDoS Protection Reference Architecture (Technical White Paper)The F5 DDoS Protection Reference Architecture (Technical White Paper)
The F5 DDoS Protection Reference Architecture (Technical White Paper)
F5 Networks
 
Scaling Mobile Network Security for LTE: A Multi-Layer Approach
Scaling Mobile Network Security for LTE: A Multi-Layer ApproachScaling Mobile Network Security for LTE: A Multi-Layer Approach
Scaling Mobile Network Security for LTE: A Multi-Layer Approach
F5 Networks
 
The F5 Networks Application Services Reference Architecture (White Paper)
The F5 Networks Application Services Reference Architecture (White Paper)The F5 Networks Application Services Reference Architecture (White Paper)
The F5 Networks Application Services Reference Architecture (White Paper)
F5 Networks
 
Using Docker container technology with F5 Networks products and services
Using Docker container technology with F5 Networks products and servicesUsing Docker container technology with F5 Networks products and services
Using Docker container technology with F5 Networks products and services
F5 Networks
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of Things
Peter Silva
 
Company Profile: F5 Networks’ Traffix Signaling Delivery Controller and BIG-I...
Company Profile: F5 Networks’ Traffix Signaling Delivery Controller and BIG-I...Company Profile: F5 Networks’ Traffix Signaling Delivery Controller and BIG-I...
Company Profile: F5 Networks’ Traffix Signaling Delivery Controller and BIG-I...
F5 Networks
 
F5 Application Delivery Optimization
F5 Application Delivery OptimizationF5 Application Delivery Optimization
F5 Application Delivery Optimization
F5 Networks
 
Intrinsic Security—The Key to Effective Hybrid DDoS Protection
Intrinsic Security—The Key to Effective Hybrid DDoS ProtectionIntrinsic Security—The Key to Effective Hybrid DDoS Protection
Intrinsic Security—The Key to Effective Hybrid DDoS Protection
F5 Networks
 
Integrated SDN/NFV Framework for Transitioning to Application Delivery Model
Integrated SDN/NFV Framework for Transitioning to Application Delivery ModelIntegrated SDN/NFV Framework for Transitioning to Application Delivery Model
Integrated SDN/NFV Framework for Transitioning to Application Delivery Model
F5 Networks
 
Data Center Security Now and into the Future
Data Center Security Now and into the FutureData Center Security Now and into the Future
Data Center Security Now and into the Future
Cisco Security
 
F5’s VMware Horizon View Reference Architecture
F5’s VMware Horizon View Reference ArchitectureF5’s VMware Horizon View Reference Architecture
F5’s VMware Horizon View Reference Architecture
F5 Networks
 
F5’s VMware Horizon View Reference Architecture
F5’s VMware Horizon View Reference ArchitectureF5’s VMware Horizon View Reference Architecture
F5’s VMware Horizon View Reference Architecture
F5 Networks
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
RightScale
 
Security as a Service Model for Cloud Environment
Security as a Service Model for Cloud EnvironmentSecurity as a Service Model for Cloud Environment
Security as a Service Model for Cloud Environment
KaashivInfoTech Company
 
BIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionBIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall Solution
F5 Networks
 
Cloud Security Best Practices - Part 2
Cloud Security Best Practices - Part 2Cloud Security Best Practices - Part 2
Cloud Security Best Practices - Part 2
Cohesive Networks
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Cloudflare
 
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
white paper
 
Operationalize all the Network Things
Operationalize all the Network ThingsOperationalize all the Network Things
Operationalize all the Network Things
F5 Networks
 
Ensure Application Availability Between Hybrid Data Centers
Ensure Application Availability Between Hybrid Data CentersEnsure Application Availability Between Hybrid Data Centers
Ensure Application Availability Between Hybrid Data Centers
F5 Networks
 
Defending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the ApplicationDefending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the Application
Cisco Security
 
From Physical to Virtual to Cloud
From Physical to Virtual to CloudFrom Physical to Virtual to Cloud
From Physical to Virtual to Cloud
Cisco Security
 
F5 BIG-IP: Secure Application and Data Security Services
F5 BIG-IP: Secure Application and Data Security Services F5 BIG-IP: Secure Application and Data Security Services
F5 BIG-IP: Secure Application and Data Security Services
Amazon Web Services
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
EnterpriseGRC Solutions, Inc.
 
F5 Application Services Reference Architecture (Audio)
F5 Application Services Reference Architecture (Audio)F5 Application Services Reference Architecture (Audio)
F5 Application Services Reference Architecture (Audio)
F5 Networks
 
Driving Innovation: A Path to Digitization, Speed and Visibility in an Applic...
Driving Innovation: A Path to Digitization, Speed and Visibility in an Applic...Driving Innovation: A Path to Digitization, Speed and Visibility in an Applic...
Driving Innovation: A Path to Digitization, Speed and Visibility in an Applic...
Cisco Canada
 
Cisco ACI & F5 Integrate to Transform the Data Center
Cisco ACI & F5 Integrate to Transform the Data CenterCisco ACI & F5 Integrate to Transform the Data Center
Cisco ACI & F5 Integrate to Transform the Data Center
F5NetworksAPJ
 
Purpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White PaperPurpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White Paper
Array Networks
 
DDoS Report.docx
DDoS Report.docxDDoS Report.docx
DDoS Report.docx
Tushar Mathur
 
The role of DDoS Providers
The role of DDoS ProvidersThe role of DDoS Providers
The role of DDoS Providers
Neil Hinton
 

Contenu connexe

Tendances

Integrated SDN/NFV Framework for Transitioning to Application Delivery Model
Integrated SDN/NFV Framework for Transitioning to Application Delivery ModelIntegrated SDN/NFV Framework for Transitioning to Application Delivery Model
Integrated SDN/NFV Framework for Transitioning to Application Delivery Model
F5 Networks
 
F5’s VMware Horizon View Reference Architecture
F5’s VMware Horizon View Reference ArchitectureF5’s VMware Horizon View Reference Architecture
F5’s VMware Horizon View Reference Architecture
F5 Networks
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
RightScale
 
Security as a Service Model for Cloud Environment
Security as a Service Model for Cloud EnvironmentSecurity as a Service Model for Cloud Environment
Security as a Service Model for Cloud Environment
KaashivInfoTech Company
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Cloudflare
 
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
white paper
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
EnterpriseGRC Solutions, Inc.
 
F5 Application Services Reference Architecture (Audio)
F5 Application Services Reference Architecture (Audio)F5 Application Services Reference Architecture (Audio)
F5 Application Services Reference Architecture (Audio)
F5 Networks
 
Driving Innovation: A Path to Digitization, Speed and Visibility in an Applic...
Driving Innovation: A Path to Digitization, Speed and Visibility in an Applic...Driving Innovation: A Path to Digitization, Speed and Visibility in an Applic...
Driving Innovation: A Path to Digitization, Speed and Visibility in an Applic...
Cisco Canada
 
Purpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White PaperPurpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White Paper
Array Networks
 

Tendances (20)

Integrated SDN/NFV Framework for Transitioning to Application Delivery Model
Integrated SDN/NFV Framework for Transitioning to Application Delivery ModelIntegrated SDN/NFV Framework for Transitioning to Application Delivery Model
Integrated SDN/NFV Framework for Transitioning to Application Delivery Model
 
Data Center Security Now and into the Future
Data Center Security Now and into the FutureData Center Security Now and into the Future
Data Center Security Now and into the Future
 
F5’s VMware Horizon View Reference Architecture
F5’s VMware Horizon View Reference ArchitectureF5’s VMware Horizon View Reference Architecture
F5’s VMware Horizon View Reference Architecture
 
F5’s VMware Horizon View Reference Architecture
F5’s VMware Horizon View Reference ArchitectureF5’s VMware Horizon View Reference Architecture
F5’s VMware Horizon View Reference Architecture
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
 
Security as a Service Model for Cloud Environment
Security as a Service Model for Cloud EnvironmentSecurity as a Service Model for Cloud Environment
Security as a Service Model for Cloud Environment
 
BIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionBIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall Solution
 
Cloud Security Best Practices - Part 2
Cloud Security Best Practices - Part 2Cloud Security Best Practices - Part 2
Cloud Security Best Practices - Part 2
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
 
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
 
Operationalize all the Network Things
Operationalize all the Network ThingsOperationalize all the Network Things
Operationalize all the Network Things
 
Ensure Application Availability Between Hybrid Data Centers
Ensure Application Availability Between Hybrid Data CentersEnsure Application Availability Between Hybrid Data Centers
Ensure Application Availability Between Hybrid Data Centers
 
Defending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the ApplicationDefending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the Application
 
From Physical to Virtual to Cloud
From Physical to Virtual to CloudFrom Physical to Virtual to Cloud
From Physical to Virtual to Cloud
 
F5 BIG-IP: Secure Application and Data Security Services
F5 BIG-IP: Secure Application and Data Security Services F5 BIG-IP: Secure Application and Data Security Services
F5 BIG-IP: Secure Application and Data Security Services
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
 
F5 Application Services Reference Architecture (Audio)
F5 Application Services Reference Architecture (Audio)F5 Application Services Reference Architecture (Audio)
F5 Application Services Reference Architecture (Audio)
 
Driving Innovation: A Path to Digitization, Speed and Visibility in an Applic...
Driving Innovation: A Path to Digitization, Speed and Visibility in an Applic...Driving Innovation: A Path to Digitization, Speed and Visibility in an Applic...
Driving Innovation: A Path to Digitization, Speed and Visibility in an Applic...
 
Cisco ACI & F5 Integrate to Transform the Data Center
Cisco ACI & F5 Integrate to Transform the Data CenterCisco ACI & F5 Integrate to Transform the Data Center
Cisco ACI & F5 Integrate to Transform the Data Center
 
Purpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White PaperPurpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White Paper
 

Similaire à F5 Networks: The Right Way to Protect Against DDoS Attacks (Business White Paper)

The role of DDoS Providers
The role of DDoS ProvidersThe role of DDoS Providers
The role of DDoS Providers
Neil Hinton
 
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCThe Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
Cloudflare
 
ITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationITSecurity_DDOS_Mitigation
ITSecurity_DDOS_Mitigation
R. Blake Martin
 
The_Forrester_Wave_DDoS_S 2015Q3.PDF
The_Forrester_Wave_DDoS_S 2015Q3.PDFThe_Forrester_Wave_DDoS_S 2015Q3.PDF
The_Forrester_Wave_DDoS_S 2015Q3.PDF
Dominik Suter
 
AWS Security Challenges
AWS Security ChallengesAWS Security Challenges
AWS Security Challenges
STO STRATEGY
 
HP2065_TieCon_Presentation_V7
HP2065_TieCon_Presentation_V7HP2065_TieCon_Presentation_V7
HP2065_TieCon_Presentation_V7
Mark Interrante
 
wp-security-dbsec-cloud-3225125
wp-security-dbsec-cloud-3225125wp-security-dbsec-cloud-3225125
wp-security-dbsec-cloud-3225125
Gabor Bokor
 
MAINTAINING CLOUD PERFORMANCE UNDER DDOS ATTACKS
MAINTAINING CLOUD PERFORMANCE UNDER DDOS ATTACKSMAINTAINING CLOUD PERFORMANCE UNDER DDOS ATTACKS
MAINTAINING CLOUD PERFORMANCE UNDER DDOS ATTACKS
IJCNCJournal
 

Similaire à F5 Networks: The Right Way to Protect Against DDoS Attacks (Business White Paper) (20)

DDoS Report.docx
DDoS Report.docxDDoS Report.docx
DDoS Report.docx
 
The role of DDoS Providers
The role of DDoS ProvidersThe role of DDoS Providers
The role of DDoS Providers
 
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCThe Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
 
ITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationITSecurity_DDOS_Mitigation
ITSecurity_DDOS_Mitigation
 
A Different Approach to Securing Your Cloud Journey
A Different Approach to Securing Your Cloud JourneyA Different Approach to Securing Your Cloud Journey
A Different Approach to Securing Your Cloud Journey
 
Protecting against modern ddos threats
Protecting against modern ddos threatsProtecting against modern ddos threats
Protecting against modern ddos threats
 
The_Forrester_Wave_DDoS_S 2015Q3.PDF
The_Forrester_Wave_DDoS_S 2015Q3.PDFThe_Forrester_Wave_DDoS_S 2015Q3.PDF
The_Forrester_Wave_DDoS_S 2015Q3.PDF
 
DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...
DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...
DDoS Mitigation Training | DDoS Mitigation Guide | Learn DDoS Mitigation Conc...
 
HaltDos DDoS Protection Solution
HaltDos DDoS Protection SolutionHaltDos DDoS Protection Solution
HaltDos DDoS Protection Solution
 
Stopping DDoS Attacks In South Africa
Stopping DDoS Attacks In South AfricaStopping DDoS Attacks In South Africa
Stopping DDoS Attacks In South Africa
 
AWS Security Challenges
AWS Security ChallengesAWS Security Challenges
AWS Security Challenges
 
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense StrategyBKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
 
Solution Brief
Solution BriefSolution Brief
Solution Brief
 
F5 DDoS Protection
F5 DDoS ProtectionF5 DDoS Protection
F5 DDoS Protection
 
Introduction to Cloud computing
Introduction to Cloud computingIntroduction to Cloud computing
Introduction to Cloud computing
 
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdf
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdfSolution_Use_Case_-_DDoS_Incident_Monitoring.pdf
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdf
 
ICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference PublicationICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference Publication
 
HP2065_TieCon_Presentation_V7
HP2065_TieCon_Presentation_V7HP2065_TieCon_Presentation_V7
HP2065_TieCon_Presentation_V7
 
wp-security-dbsec-cloud-3225125
wp-security-dbsec-cloud-3225125wp-security-dbsec-cloud-3225125
wp-security-dbsec-cloud-3225125
 
MAINTAINING CLOUD PERFORMANCE UNDER DDOS ATTACKS
MAINTAINING CLOUD PERFORMANCE UNDER DDOS ATTACKSMAINTAINING CLOUD PERFORMANCE UNDER DDOS ATTACKS
MAINTAINING CLOUD PERFORMANCE UNDER DDOS ATTACKS
 

Plus de F5 Networks

F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks
 
F5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhereF5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhere
F5 Networks
 
F5 Application Services Reference Architecture
F5 Application Services Reference ArchitectureF5 Application Services Reference Architecture
F5 Application Services Reference Architecture
F5 Networks
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of Things
F5 Networks
 
BIG-IP Policy Enforcement Manager
BIG-IP Policy Enforcement ManagerBIG-IP Policy Enforcement Manager
BIG-IP Policy Enforcement Manager
F5 Networks
 
BIG-IP ADCs and ADF
BIG-IP ADCs and ADFBIG-IP ADCs and ADF
BIG-IP ADCs and ADF
F5 Networks
 

Plus de F5 Networks (18)

F5 Networks Quick Poll Research: HTTP/2 Survey Results
F5 Networks Quick Poll Research: HTTP/2 Survey ResultsF5 Networks Quick Poll Research: HTTP/2 Survey Results
F5 Networks Quick Poll Research: HTTP/2 Survey Results
 
F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)
 
F5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhereF5 networks the_expectation_of_ssl_everywhere
F5 networks the_expectation_of_ssl_everywhere
 
F5 Networks: The Internet of Things - Ready Infrastructure
F5 Networks: The Internet of Things - Ready InfrastructureF5 Networks: The Internet of Things - Ready Infrastructure
F5 Networks: The Internet of Things - Ready Infrastructure
 
F5 Networks Threat Analysis: Madness
F5 Networks Threat Analysis: MadnessF5 Networks Threat Analysis: Madness
F5 Networks Threat Analysis: Madness
 
F5 Certified! Program Overview and Update
F5 Certified! Program Overview and UpdateF5 Certified! Program Overview and Update
F5 Certified! Program Overview and Update
 
Key Findings from the State of Application Delivery 2015
Key Findings from the State of Application Delivery 2015Key Findings from the State of Application Delivery 2015
Key Findings from the State of Application Delivery 2015
 
F5 Application Services Reference Architecture
F5 Application Services Reference ArchitectureF5 Application Services Reference Architecture
F5 Application Services Reference Architecture
 
An Evolving Threat Needs an Evolved Defense (F5 Networks Infographic)
An Evolving Threat Needs an Evolved Defense (F5 Networks Infographic)An Evolving Threat Needs an Evolved Defense (F5 Networks Infographic)
An Evolving Threat Needs an Evolved Defense (F5 Networks Infographic)
 
F5 Networks Intelligent DNS Scale
F5 Networks Intelligent DNS ScaleF5 Networks Intelligent DNS Scale
F5 Networks Intelligent DNS Scale
 
DNS: Challenges in a Changing Landscape (Infographic)
DNS: Challenges in a Changing Landscape (Infographic)DNS: Challenges in a Changing Landscape (Infographic)
DNS: Challenges in a Changing Landscape (Infographic)
 
5 Ways to use Node in the Network
5 Ways to use Node in the Network5 Ways to use Node in the Network
5 Ways to use Node in the Network
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of Things
 
F5 Intelligent DNS Scale
F5 Intelligent DNS ScaleF5 Intelligent DNS Scale
F5 Intelligent DNS Scale
 
BIG-IP Policy Enforcement Manager
BIG-IP Policy Enforcement ManagerBIG-IP Policy Enforcement Manager
BIG-IP Policy Enforcement Manager
 
BIG-IP ADCs and ADF
BIG-IP ADCs and ADFBIG-IP ADCs and ADF
BIG-IP ADCs and ADF
 
BIG-IP 4200v Hardware Platform
BIG-IP 4200v Hardware PlatformBIG-IP 4200v Hardware Platform
BIG-IP 4200v Hardware Platform
 
F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence Service
 

Dernier

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Dernier (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

F5 Networks: The Right Way to Protect Against DDoS Attacks (Business White Paper)

  • 1. The Right Way to Protect Against DDoS Attacks CIOs want harmony. Security directors loathe point products. Network operations won’t buy into anything new. CIOs can get the harmony they need around DDoS mitigation by extending the F5 Application Delivery Controller into a hybrid solution: on-premises with a new cloud component. White Paper by David Holmes
  • 2. 2 White Paper The Right Way to Protect Against DDoS Attacks Contents Introduction 3 What Every CIO Really Wants 3 The Right Way to Protect Against DDoS Attacks 4 CIOs Should Get What They Want 5 Why the CIO Needs On-Premises DDoS Protection 5 Why the CIO Needs Cloud 5 On-Premises and in the Cloud: the Ultimate Solution 7 Conclusion 8
  • 3. 3 White Paper The Right Way to Protect Against DDoS Attacks Introduction DDoS attacks are constantly changing. While the objective of the attack is still to cause a service outage, attacks and attackers are becoming more sophisticated. The motivation behind the attacks is increasingly financial or political—with more serious consequences for the targeted victims. High-profile organizations, such as financial institutions, governments, and service providers, continue to be targets. But a rising number of everyday businesses also report DDoS attacks. The escalating incidence and severity of these attacks has made DDoS expertise a high priority for many a CIO when searching LinkedIn profiles. The problem CIOs face now is how to choose a solution. Media frenzy around DDoS has also brought many vendors into the market, but with mixed results. The efforts of content delivery networks (CDNs) to extend into the market have largely fallen flat. Other cloud solutions have mismanaged themselves into isolation and obscurity by acquisition. Meanwhile, on-premises DDoS solutions have been unable to expand outside their point products to deliver any value beyond mitigation. To this day, if they aren’t being used for a DDoS attack, they are just drawing power, subtracting budget, and adding latency. Service providers are in the right place at the right time with a narrow scope of volumetric protection, typically at a low cost. But anecdotal reports from many customers suggest that with regard to quality, the adage applies: You get what you pay for. What Every CIO Really Wants CIOs and their security directors want confidence in their DDoS mitigation system. To achieve this, they need a solution with the following properties: • Defend: Must have a cloud component for volumetric attacks. • Block: Must be able to block application DDoS without requiring SSL key surrender. • Deploy: Must be acceptable to the network operations team. The CIOs and the security directors are tired of point products. For example, security directors have reported that while their organizations have purchased as many as 200 different point products for security and analysis, it’s not uncommon for operations teams to install only a few. The rest remain shelfware. 3
  • 4. 4 White Paper The Right Way to Protect Against DDoS Attacks Many CIOs have been unable to turn to the cloud for their application security needs because of a critical factor—SSL. As more and more applications become protected with SSL, cloud solutions are prevented from monitoring and mitigating application-level attacks such as GET floods. An on-premises solution is required for SSL and a cloud component is required for volumetric attacks. The Right Way to Protect Against DDoS Attacks F5 has championed a unique on-premises value proposition. By integrating a network firewall into the Application Delivery Controller (ADC) and combining SSL termination with OWASP Top-Ten mitigation at a second tier, F5 has met two of three critical needs. And with F5® Silverline™ DDoS Protection—a service delivered via the F5 Silverline cloud-based platform—F5 now has the final piece of the puzzle that gives the CIOs exactly what they’re looking for. F5’s unique, hybrid DDoS mitigation solution protects against volumetric attacks from the cloud, handles application level attacks on premises, and is instantly acceptable to network operations teams, many of which already trust F5. VXLAN NVGRE VLANS Physical • SDN • OpenStack • Overlay High-Performance Services Fabric VE SoftwareHardware Cloud Software-Defined Application Services Customer Scenarios iApps iCall iRules Control Plane Data Plane F5 Platform ProfessionalServicesandSupport +GBBLicensing:Best+IPIntelligence+SilverlineDDoSProtection Programmability iControl RESTiControl SOAP Network DDoS Attack DNS DDoS Attack SSL DDoS Attack Application DDoS Attack Orchestration ScaleN DDoS Protection Data Center Firewall Figure 1: A comprehensive DDoS solution includes both cloud and on-premises components.
  • 5. 5 White Paper The Right Way to Protect Against DDoS Attacks CIOs Should Get What They Want Why the CIO Needs On-Premises DDoS Protection When F5 first provided DDoS protection in 2001, the attacks were crude, with many SYN floods and simple network-level attack vectors. Attackers have since become more sophisticated, with multiple methods for bringing down a host (or network) or clogging an ingress (or even an egress) pipe. The most common attack today is the customized GET flood. In this attack, the perpetrator will spider the target website to find all the expensive database queries and large PDF files that might litter the brochureware section of the marketing site on the server. With this list in hand, the attacker will then repeatedly request these resources. It can be difficult to distinguish between malevolent and legitimate requests for data. Increasingly, these requests are delivered via SSL-encrypted connections. The encryption prevents cloud solutions from being used to mitigate or even analyze the problems. CIOs need on-premises protection that can decrypt the traffic, see the aggregate of the malicious requests, and then attempt to mitigate. The F5 solution inserts itself into the traffic, making the analysis and then injecting challenges into the steam itself. Security teams have leveraged the programmability of the F5 platform to do exactly this kind of work for years. Why the CIO Needs Cloud Recently, three different types of so-called amplification attacks were used to cast enormous storms of volumetric traffic. In 2013, the DNS infrastructure was weaponized during an attack against the Spamhaus project. The attack leveraged over 20 million misconfigured DNS servers. The Open Resolver Project handily provides a list of the servers, which are basically a public botnet for anyone smart enough to figure out how to forge spoofed DNS requests. Despite some early publicity, the number of open resolvers is actually continuing to grow at an alarming rate. Given the effectiveness of these DNS amplification attacks, it’s a wonder that we’re not seeing these open servers in attacks used more often.
  • 6. 6 White Paper The Right Way to Protect Against DDoS Attacks Just a few months after the Spamhaus event, another Internet protocol was found to be susceptible to mass manipulation. This time it was the dated Network Time Protocol (NTP). An administrative door had been left open that allowed anyone to request that the NTP server reply with a list of the previous 600 clients. The source of the request was never validated, so thousands of NTP servers could easily be asked to blast a target with millions of responses, quickly filling the target’s ingress avenue. On February 11, 2014, the DERP Trolling group used this technique to attack the gaming servers being used by a gaming rival. Finally, attackers have been abusing the clunky SNMP protocol. In one case documented by the SANS institute, video conferencing systems amplified SNMP “GetBulk” requests to attack with a multiplier of nearly 700 times. This led SANS to suggest that the attack may be a showcase for a whole new Internet category: the “Internet of DDoS Things.” [CPU] 350,000 0 300,000 250,000 200,000 150,000 100,000 50,000 DEC 13 100 GBPS JAN 14 150 GBPS FEB 14 325 GBPS Figure 2: 2014 volumetric attack trend. The trend shows that attackers keep inventing ways to turn the Internet against itself. The sizes of their peak volumetric attacks continue to grow. No amount of JavaScript challenges or rate-limiting is going to deal with all the traffic on premises. A cloud solution with terabits of capacity is the only solution for these attacks.
  • 7. 7 White Paper The Right Way to Protect Against DDoS Attacks These types of volumetric attacks are exactly what F5 Silverline DDoS Protection is designed to defend against. Organizations can use the Silverline DDoS Protection subscription offering, Always Available™, as a primary level of defense, or use the Ready Defense™ option as a secondary, backup cloud service. On-Premises and in the Cloud: the Ultimate Solution CIOs need an on-premises solution that is acceptable to the network operations team. They also need a cloud component to be an insurance policy against hurricane-sized DDoS storms. What would be even better? A hybrid solution where each side is aware of the other. Until flow-based detection and mitigation standards are in place, CIOs must rely on a vendor solution. • F5’s on-premises component has value beyond mitigating attacks. All other on- premises solutions are specific to DDoS mitigation, whereas the F5 DDoS technology is integrated into components that serve other functions such as network firewall protection or PCI compliance through the web application firewall. This means that the solution is not just a policy; it provides value every day, delivering the business application and protecting it from OWASP Top Ten. A CIO can then leverage the investment in the F5 solution, rather than in a point product, to solve other problems for the organization. • The acceptance and successful deployment of the solution by the network operations team must be considered. Because F5 is ubiquitous throughout major data centers, it is already an accepted and embraced vendor. In many cases, implementing DDoS solutions for F5 is as simple as activating code that is already resident at the ADCs. • F5 offers defensive technologies such as SSL tunnels, global load balancing, application monitoring, user authentication, and context tracking. Imagine these technologies working together across the barrier between on-premises and cloud. Or between data centers. Or orchestrating the mitigation of application DDoS attacks among multiple data centers—from a cloud built around the same F5 solutions that exist in each of the data centers. With its cloud operation centers and professional services, F5 is a veteran in DDoS mitigation. The experience of owning the data center solution and the cloud solution—and understanding trends in both attacks and in the marketplace—makes F5 uniquely positioned to execute on its vision of comprehensive DDoS protection.
  • 8. White Paper The Right Way to Protect Against DDoS Attacks ©2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 1014 WP-SEC-31418-ddos-update Americas info@f5.com F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com Asia-Pacific apacinfo@f5.com Europe/Middle-East/Africa emeainfo@f5.com Japan f5j-info@f5.com Conclusion CIOs should get what they want—assurance. For DDoS, that assurance will come when these needs are met: • The data center is able to block network volumetric attacks and application DDoS attacks, ideally without using point products. • The CIO knows that the chosen solution will be embraced by the operations team. • The organization has a cloud component for volumetric attacks. The answer to these needs has crystallized into the F5 DDoS Protection solution. Consider: The on-premises solution provides the value of delivery applications every day of the year. It will also be deployed, since it isn’t just another point product and F5 is a trusted vendor. F5’s application security protection, which is counterbalancing the OWASP Top Ten, can also provide the application layer DDoS protection. The F5 cloud component provides that final insurance policy against volumetric attacks, too. Only F5 is putting all of these factors together in a single, unified solution—protecting your organization now and into the future.