Best DDoS protection of 2019

INSUBCONTINENT EXCLUSIVE:
In October 2016, DNS provider Dyn was hit by a major DDoS (Distributed Denial of Service) attack by an army of IoT devices which had been hacked specially for the purpose. Over 14,000 domains using Dyn's services were overwhelmed and became unreachable, including big names like Amazon, HBO, and PayPal. According to research by Cloudflare, the average cost of infrastructure failure to businesses is $100,000 (£75,000) per hour.

How then can you make sure that your organization doesn't fall victim to this kind of attack?
In this guide you'll discover major infrastructure providers who have the necessary digital muscle to protect against attacks designed to flood your network capacity. You'll also discover which providers can offer protection against more sophisticated application (layer 7) attacks, which can be carried out without a huge number of hacked computers (sometimes known as a botnet).

1. Project Shield

Powerful DDoS protection from Google, but not everyone's invited

Harnesses Google's infrastructure
Very easy setup
Only available for select websites

Project Shield is the creation of Jigsaw, an offshoot of Google's parent company Alphabet.
Development began several years ago under George Conard in the wake of attacks on election monitoring and human rights related websites in Ukraine.

Project Shield is able to filter potentially malicious traffic by acting as a reverse proxy which sits between a website and the internet at large, filtering connection requests. If a connection seems to be from a legitimate visitor, Project Shield permits the connection request. If a connection request is determined to be bad, e.g. multiple connection attempts from the same IP address, then it is blocked. This system makes Project Shield extremely easy to implement, simply by changing your server's DNS settings.

Any power users reading may wonder how filtering traffic via a proxy will work with SSL. Fortunately, Jigsaw has thought of this and has put together a comprehensive tutorial to make sure secure connections to your site work seamlessly. Several other tutorials are also available in the support section.

Currently Project Shield is only available for media, election monitoring and human rights related websites. The primary focus is also on small, under-resourced websites which cannot afford expensive hosting solutions to protect themselves from DDoS.
If your organization doesn't match these requirements you may have to consider an alternative solution such as Cloudflare.

2. Cloudflare

The juggernaut of DDoS protection

Industry leader in DoS solutions
Free tier includes basic protection
Business packages are relatively expensive

Anyone who has used the Internet in the last few years will be familiar with Cloudflare, as many major websites make use of its protection.
Although Cloudflare is based in the US, it maintains over 180 data centers around the world: an infrastructure to rival Google's. This maximizes your site's chances of staying online.

Every Cloudflare user can choose to activate the 'I'm under attack' mode, which can protect against even the most sophisticated of DoS attacks by presenting a JavaScript challenge. As a matter of routine Cloudflare also acts as a reverse proxy sitting between visitors and your site host to filter traffic in much the same way as Jigsaw's Project Shield. In March 2019, Cloudflare introduced Spectrum for UDP, which provides DDoS protection and firewalling for unreliable protocols.

Visitors making connection requests have to run a gauntlet of sophisticated filters including site reputation, whether their IP has been blacklisted and if the HTTP header seems suspicious. HTTP requests are fingerprinted to protect against known botnets. As an industry giant, Cloudflare can easily leverage its position by sharing intel across the 7+ million websites it manages.

Cloudflare offers a free basic package which includes unmetered DDoS mitigation.
For those who are willing to pay for a Cloudflare business subscription (prices start at $200 or £149 a month), more advanced protection is available, such as custom SSL certificate uploads.

3. AWS Shield

Excellent basic DDoS mitigation with more besides

Standard free tier protects against most common attacks
Easy setup
Advanced tier is very expensive

AWS Shield protection is provided by the good people of Amazon Web Services.
The 'Standard' tier is available to all AWS customers at no extra charge. This is ideal as many small businesses choose to host their websites with Amazon. AWS Shield Standard protects against more typical network (layer 3) and transport (layer 4) attacks when used with Amazon's CloudFront and Route 53 services.

This should put off all but the most determined hackers. However, your bandwidth (e.g. 15Gbps) will still be limited by the size of your Amazon instance, making it feasible for hackers to carry out a DoS attack if they have sufficient resources. Worse still, you remain responsible for paying for the extra traffic to your instance.

To mitigate this Amazon also offers AWS Shield Advanced. A subscription includes DDoS cost protection, which can save you from a huge spike in your monthly usage bill if you are the victim of an attack. AWS Shield Advanced can also deploy your ACLs (Access Control Lists) to the border of the AWS network itself, giving you protection against even the largest of attacks.

Advanced subscribers also benefit from a round-the-clock DRT (DDoS response team) as well as detailed metrics on any attacks on your instances. The peace of mind afforded by AWS Shield Advanced is expensive, however. You must be willing to subscribe for a minimum of one year for a price of $3,000 (£2,200) a month.
This is in addition to data transfer usage costs, which you can cover on a 'pay as you go' basis.

4. Microsoft Azure

Brilliant basic protection with an affordable paid tier

Standard protection is extremely easy to set up
Automated threat mitigation
Blanket DDoS protection for all resources

Like Amazon, Microsoft offers the option to rent service space via their service Azure.
All members benefit from basic DDoS protection. Features include always-on traffic monitoring and real-time mitigation of network (layer 3) attacks for any public IP addresses you use. This is the very same type of protection afforded to Microsoft's own online services, and the entire resources of Azure's network can be used to absorb DDoS attacks.

For organisations in need of more sophisticated protection, Azure also offers a 'Standard' tier. This has been widely praised for being very easy to enable, requiring just a few clicks of your mouse. Crucially, Azure does not require you to make any changes to your apps, although the Standard tier does offer protection against application (layer 7) DDoS attacks via the Application Gateway web application firewall. Azure Monitor can show you real-time metrics if an attack does take place. These are retained for 30 days and can be exported for further study if you wish.

Azure constantly checks web traffic to your resources. If this exceeds a pre-defined threshold, DDoS mitigation is automatically launched. This includes inspecting packets to make sure they aren't malformed or spoofed, as well as using rate limiting.

Standard protection is currently $2,944 (£2,204) per month plus data charges for up to 100 resources. Protection applies equally to all resources.
In other words you cannot tailor DDoS mitigation for individual ones.

5. Verisign DDoS Protection

The best in DDoS protection from security veterans

Easy to set up via DNS
Dedicated scrubbing centers to protect against attacks
Can be deployed on premises
Interface takes time to master

Update: Verisign's security services have been transferred to Neustar, but the features and functionality mentioned in the review stayed relatively the same.

Verisign is almost as old as the Internet itself.
Since 1995 it has grown from a simple Certificate Authority to a major player in the Network Services industry.

Verisign DDoS protection operates in the Cloud. Users can choose to redirect connection attempts with a simple change of their DNS (Domain Name Server) settings. Traffic is sent to Verisign for checking to prevent network attacks. Verisign analyzes all traffic thoroughly before redirecting.

As Verisign operates two of the thirteen global root name servers it should come as no surprise that the organization also maintains several dedicated DDoS "scrubbing centers". These analyze traffic and filter out bad connection requests. The combined infrastructure runs to almost 2TB/s and can block even the most overwhelming DDoS attacks.

This is largely achieved via Athena, Verisign's threat mitigation platform. Athena is broadly divided into three elements. The 'Shield' filters network (layer 3) and transport (layer 4) attacks via DPI (Deep Packet Inspection), blacklists, whitelists and site reputation management. The Athena 'proxy' inspects HTTP headers for bad traffic during initial connection attempts. The 'proxy' and 'shield' are supported by Athena's 'load balancer', which helps to prevent application (layer 7) attacks.

The customer portal displays detailed reports on traffic and allows you to configure your threat management, for example by creating connection blacklists. For users who are reluctant to deploy everything to the Cloud, Verisign also offers OpenHybrid, which can be installed onsite.