
CHOOSING THE RIGHT MODEL: A GUIDE TO DDoS PROTECTION

INTRODUCTION

By thinking proactively about DDoS defense, organizations can build a comprehensive strategy to mitigate attacks.

Until recently, security teams for organizations in many industries believed they didn’t need to worry about DDoS attacks, but the latest data from the Verizon 2017 Data Breach Investigations Report indicates that businesses of all sizes in nearly every industry run the risk of being attacked.¹ IoT devices are increasingly compromised, recruited into botnets, and offered up by their creators as for-hire DDoS services. Additionally, there are numerous DDoS tools and services that are easily accessible and easy to use, even for the non-technical novice.

Modern denial-of-service attacks not only interrupt or bring down websites and applications, but also serve
to distract security operations teams from even larger threats. Attackers combine a variety of multi-vector
attacks—including volumetric floods, low-and-slow application-targeted techniques, and authentication-based
strategies—in hope of identifying weak spots in an organization’s defense.

Whether your organization has already been hit by a DDoS attack or you’ve witnessed a partner or another
organization struggle to mitigate one, planning is the key to survival. Building a DDoS-resistant architecture
can help your organization keep its critical applications available and mitigate network, application, and
volumetric attacks. With options such as on-premises protection, cloud-based scrubbing services, and hybrid
solutions, the question is not whether you should prepare for a DDoS attack, but which strategy best helps
your organization ensure service continuity and limit damage in the face of an attack.

1 http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

A BRIEF OVERVIEW OF DDoS ATTACK TYPES

Before considering which DDoS protection strategy makes the most sense for your organization, consider the various types of DDoS attacks, which constantly change as attackers become more and more sophisticated. It helps to picture the components that make up the threat surface of an application and then match them to individual attack types.

While the type of attack(s) you experience will not solely determine which model is right for you, it’s important to understand that a DDoS attack can take many forms. And remember that vast swarms of bots (botnets) are most often the delivery mechanism for the attacks. Recognizing bot activity on a per-component level makes it easier to recognize attacks, no matter the type.

It’s possible, too, that an attacker might employ several of these attack types in concert, which means that organizations must develop a comprehensive—and flexible—DDoS protection strategy.

On the following pages, we’ll explore your options, beginning with the standard on-premises solution.

DDoS IMPACTS ALL LAYERS OF THE APPLICATION STACK

APP SERVICES
• HEAVY (RESOURCE-INTENSIVE) URL ATTACKS
• SLOWLORIS (LOW-AND-SLOW) ATTACKS
• GET FLOODS
• HTTP CACHE BYPASS FLOODS

ACCESS/IDENTITY
• ACCOUNT LOCKOUT FLOODS

TLS/SSL
• SSL FLOODS
• SSL RENEGOTIATION ATTACKS
• SSL PROTOCOL MISUSE

DNS
• DNS AMPLIFICATION
• DNS REFLECTION
• DNS NXDOMAIN ATTACKS

NETWORK
• TCP SYN FLOODS
• UDP & ICMP FLOODS
• FIN/RST FLOODS
• NETWORK PROTOCOL ABUSE
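The guide recommends recognizing bot activity per component of the threat surface. As an added illustration (not code from the ebook or from F5), the script below does that for the APP SERVICES component: it parses one window of web-server access log lines and flags, per source address, three of the patterns listed above (GET floods, HTTP cache bypass floods, and heavy-URL attacks). The log format, the sample addresses, the response-time field and the thresholds are all constructed assumptions for the example; in practice the thresholds come from a baseline of normal traffic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format (constructed for this example): NGINX/Apache "combined"
# style with one extra trailing field, the server-side response time in seconds.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>[\d.]+)$'
)


@dataclass
class ClientStats:
    """Per-source counters for the app-services component of the threat surface."""
    requests: int = 0
    total_rt: float = 0.0
    # path -> set of distinct query strings seen for that path
    queries_by_path: dict = field(default_factory=lambda: defaultdict(set))


def parse_line(line):
    """Return (ip, path, query, response_time) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return m.group("ip"), path, query, float(m.group("rt"))


def summarize(lines):
    """Aggregate one analysis window of log lines by source IP."""
    stats = defaultdict(ClientStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # a malformed line must not abort the whole window
        ip, path, query, rt = parsed
        s = stats[ip]
        s.requests += 1
        s.total_rt += rt
        if query:
            s.queries_by_path[path].add(query)
    return stats


def classify(stats, max_requests=10, max_unique_queries=8, heavy_rt=1.0):
    """Map each source IP to the app-layer DDoS indicators it triggers.

    get_flood    - more requests in the window than a normal client sends
    cache_bypass - one path requested with many distinct query strings, the
                   pattern that defeats a cache and sends every hit to origin
    heavy_url    - few requests, but each one is expensive for the back end
    Thresholds are illustrative; production values come from a traffic baseline.
    """
    findings = {}
    for ip, s in stats.items():
        hits = []
        if s.requests > max_requests:
            hits.append("get_flood")
        if any(len(q) > max_unique_queries for q in s.queries_by_path.values()):
            hits.append("cache_bypass")
        if s.requests and s.total_rt / s.requests > heavy_rt:
            hits.append("heavy_url")
        if hits:
            findings[ip] = hits
    return findings


def _entry(ip, second, target, rt):
    return (f'{ip} - - [12/Mar/2018:10:00:{second:02d} +0000] '
            f'"GET {target} HTTP/1.1" 200 512 {rt:.3f}')


def build_sample_log():
    """Constructed one-minute window: one benign client and three attack patterns."""
    lines = [_entry("10.0.0.5", 1, "/index.html", 0.003),
             _entry("10.0.0.5", 5, "/about.html", 0.002)]
    # cache-bypass pattern: one path, a fresh random-looking query string per hit
    lines += [_entry("198.51.100.7", i, f"/index.html?r={i:04x}", 0.004)
              for i in range(10)]
    # GET flood: the same cacheable path requested far more often than normal
    lines += [_entry("203.0.113.9", i % 60, "/index.html", 0.003)
              for i in range(15)]
    # heavy URL: few hits, each forcing an expensive wildcard search on the back end
    lines += [_entry("192.0.2.44", i * 10, "/search?q=%25&sort=relevance", 2.5)
              for i in range(5)]
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, indicators in classify(summarize(build_sample_log())).items():
        print(ip, indicators)
```

Per-source counters are the simplest cut; a botnet spreads the same three patterns across many addresses, so the same counters are normally also kept per path and per user-agent, and the cache-bypass check is the one a CDN or WAF cannot make from volume alone, since each request looks cheap until the origin is measured.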

MODEL OPTION 1: ON-PREMISES DDoS PROTECTION

The value of an on-premises solution is clear for many organizations. By deploying point products in your data centers, you can maintain direct control over your infrastructure, allowing you to update, change, add, or remove any piece of it at any time. You also reap the benefit of immediate mitigation of an attack through the instant response of your security devices followed by reporting on the details of the attack. Your in-house IT team can architect custom solutions that scale independently of each other. In addition, low-level DDoS attacks such as Slowloris, as well as exploits that target your applications, are much more efficiently identified and mitigated in your data center close to the application. Furthermore, many organizations—especially large financial institutions—are reluctant to share their private keys with outside vendors, such as a cloud-scrubbing DDoS service.

Figure: ON-PREMISES DDoS PROTECTION. Maintain direct control of DDoS mitigation by owned and operated devices, but remain vulnerable to large attacks that overwhelm bandwidth capacity.

1. HIGH-CAPACITY DDoS PROTECTION DEVICE
• SUPPORTS MILLIONS OF SIMULTANEOUS CONNECTIONS
• REPELS FLOOD ATTACKS WHILE ADMITTING LEGITIMATE TRAFFIC
• AUTOMATICALLY BLOCKS KNOWN BAD ACTORS (WITH IP INTELLIGENCE INTEGRATION)

2. WEB APPLICATION FIREWALL
• STOPS HTTP FLOODS AND TLS-BASED ATTACKS
• TERMINATES TLS
• IDENTIFIES AND STOPS MALICIOUS LAYER 7 BOT TRAFFIC WITH BEHAVIORAL ANALYSIS

3. ONLY THE CLEAN TRAFFIC IS ROUTED BACK TO THE APPLICATION
ON-PREMISES DDoS PROTECTION, CONT.

By keeping DDoS mitigation in house, you always have optimal visibility and control over your protection strategy. The bottom line is that if your organization gets targeted repeatedly, you will save money and time by having an on-premises solution that’s fine-tuned and ready to spring into action at the first sign of an attack.

On-premises solutions do have some limitations. For example, even the most robust on-premises DDoS solution would be overwhelmed by the size of some of today’s large volumetric attacks. In addition, while there are many point products on the market, there are very few comprehensive DDoS solutions, which means that organizations must work with multiple vendors to develop a full-featured solution. Managing several products from several different vendors requires a lot of varying technical knowledge and can be a time-consuming process, which detracts from your security operations team’s ability to focus on other threats. Furthermore, some of these individual solutions are not extensible and provide value only when you are attacked, which means that you’ve spent a large amount of money for something you might use only once or twice (if you’re lucky).

Finally, not all on-premises solutions are designed to work with upstream cloud solutions—this is an important point to consider as your organization’s needs change. Having a vendor that can provide seamless integration from on-premises defense to cloud scrubbing (when needed) helps you streamline your network architecture, reduce time from attack detection to mitigation, and avoid manual steps that can introduce errors.

1 TBPS: TODAY’S LARGE-SCALE DDoS ATTACKS ARE EXCEEDING 1 TBPS IN TOTAL THROUGHPUT, WHICH EASILY OUTCLASSES ALL BUT THE LARGEST ON-PREMISES ENTERPRISE DEFENSES.
MODEL OPTION 2: CLOUD-BASED MANAGED SERVICES

For some organizations, employing a cloud-based scrubbing service and web application firewall (WAF) to outsource (or simply upgrade) your DDoS protection is the best strategy. If you’re managing “born in the cloud” applications, you may not operate a traditional data center where on-premises security devices could be placed. In addition, you may not have the technical staff to deploy and manage an on-premises DDoS protection solution.

According to the F5 State of Application Delivery 2018 report, 87% of companies surveyed operate applications in multiple clouds.² Cloud-based DDoS solutions offer a centralized solution, no matter how many clouds you use. Whether operating in multiple clouds, an in-house data center, or a combination of both, a cloud-scrubbing service ingests your traffic; directs it to massive, globally dispersed scrubbing centers; blocks malicious traffic; and then delivers clean traffic to your on-premises or cloud data center(s). And for the attacks aimed at layer 7, application security experts provide continuously updated WAF policies to ensure only legitimate traffic reaches your application.

Cloud-based DDoS protection solves the problem that no on-premises solution can: pipe-saturating DDoS events. Cloud-based DDoS protection services work to block attacks closest to the source of the attack, ensuring that attack traffic never reaches your data center(s) and application(s). In today’s world of massive DDoS attacks generated from global IoT botnets, it is imperative to block those attacks as close to the origination point as possible.

While the majority of the attacks seen today are volumetric attacks aimed at layers 3 and 4, the application layer (layer 7) is seeing an increase in attacks. A cloud-based managed WAF can augment your protection against application-level DDoS attacks. You’ll have a solution for the many variations of HTTP floods or heavy URL resource attacks, including complex database queries that can quickly overwhelm your app. With the average salary of an application security engineer in the U.S. now up to $138,000 a year³, it’s expensive to build a team that can be available during nights, weekends, and holidays to fine-tune policies and stay on top of alerts. While this will round out your complete DDoS solution in the cloud, you’ll also get many more benefits to your application security, such as defense against OWASP top 10 threats, credential stuffing, and API protection, just to name a few.

Managed cloud-based security services can often improve operational efficiency and decrease IT overhead, as they can be deployed in minutes. In addition, the best services offer 24x7 attack support from security experts, which can free your security team to focus on other issues. These services protect many customers, so the overall equipment cost is shared among a pool of customers. And because your organization only pays for the services it uses, you often reap significant CapEx savings.

However, if all your network traffic is being scrubbed—and you are bound by the terms of the service agreement you sign with the cloud-scrubbing service—there’s less flexibility in customizing your solution. If you are considering a cloud-scrubbing service, look for one that also offers a web application firewall option for application attacks so you can remove the chance of conflict between multiple vendors. Lastly, to effectively protect an application with a managed WAF, your provider will need to terminate TLS, which will require them to host your private key.

33%: IN 2017, 33% OF ALL ORGANIZATIONS FACED AT LEAST ONE DDoS ATTACK.⁴

Figure: CLOUD-BASED MANAGED SERVICES. All traffic flows through the cloud provider with 24x7 expert monitoring and mitigation.

1. CLOUD-SCRUBBING SERVICE
• HIGH-VOLUME, CLOUD-BASED TRAFFIC SCRUBBING
• REAL-TIME VOLUMETRIC DDoS ATTACK DETECTION AND MITIGATION
• 24x7 EXPERT MONITORING AND SUPPORT

2. CLOUD-BASED MANAGED WAF
• STOPS HTTP FLOODS AND TLS-BASED ATTACKS
• IDENTIFIES AND STOPS MALICIOUS LAYER 7 BOT TRAFFIC WITH BEHAVIORAL ANALYSIS
• FLEXIBLE ACROSS HYBRID ENVIRONMENTS
• 24x7 EXPERT MONITORING AND SUPPORT

3. ONLY THE CLEAN TRAFFIC IS ROUTED BACK TO THE APPLICATION

2 https://interact.f5.com/2018_SOAD.html
3 https://www.glassdoor.com/Salaries/applications-security-engineer-salary-SRCH_KO0,30.htm
4 https://www.techrepublic.com/article/33-of-businesses-hit-by-ddos-attack-in-2017-double-that-of-2016/
MODEL OPTION 3: HYBRID DDoS PROTECTION STRATEGY

While both on-premises solutions and cloud-based services offer protection from DDoS attacks, many organizations will want to consider the benefits of a hybrid strategy that employs combined on-premises and cloud protection to stop all varieties of DDoS attacks. Once architected, a hybrid solution delivers a closed feedback loop between on-premises and cloud components, which allows for fine-tuned mitigation as well as granular reporting of attack details.

Perhaps the strongest approach to hybrid DDoS protection involves a multi-tiered architecture where layer 3 and layer 4 attacks are mitigated at the network tier with robust firewalls and IP reputation database integration. The application tier handles high-CPU security functions such as SSL termination and web application firewall functionality. And a cloud-based tier protects against large volumetric attacks by filtering the traffic generated by the attacker while returning legitimate traffic to your data center. This true hybrid solution delivers DDoS defense at all layers, protecting protocols (including those employing SSL and TLS encryption) as well as stopping DDoS bursts, randomized HTTP floods, cache bypass, and other attacks that can disrupt application behavior.

A hybrid approach to DDoS protection can also lead to cost savings and greater efficiency. Automatically shifting large attacks to the cloud requires fewer in-house technical resources, while boosting mitigation speed, which results in less downtime. There are also benefits to only engaging the cloud-scrubbing service when you need it, instead of sending traffic through it continuously. This “always-available” architecture allows traffic to flow normally to your data center(s), which reduces complexity, until engagement of cloud-based protections is needed. A true hybrid solution offers expedient cloud engagement to reroute traffic through the cloud-scrubbing platforms. And, ideally, both parts of your hybrid solution can share a combined fabric that controls whether attacks are handled on-premises or in the cloud—thus enabling the optimal balance for any given attack or series of attacks.

Completely outsourcing your DDoS protection requirements to a cloud-based service is the simplest way to achieve a high degree of protection, while managing a hybrid solution does require some in-house technical resources. In addition, some businesses have spent considerable time and money architecting strong volumetric solutions on-premises, which works well as long as your in-house devices aren’t overwhelmed by the growing size of DDoS attacks. The last caveat about a hybrid solution is that your organization may need to employ multiple incident managers to address attacks on-premises and in the cloud.

Figure: HYBRID DDoS PROTECTION. Retain control of mitigation timing and techniques, but have on-demand help from a cloud provider for the large, bandwidth-consuming attacks.

1. CLOUD-SCRUBBING SERVICE
• HIGH-VOLUME, CLOUD-BASED TRAFFIC SCRUBBING
• REAL-TIME VOLUMETRIC DDoS ATTACK DETECTION AND MITIGATION
• 24x7 EXPERT MONITORING AND SUPPORT

2. ON-PREMISES DDoS PROTECTION
• LAYER 3 AND 4 PROTECTION
• MITIGATION OF LOW-VOLUME ATTACKS
• IP REPUTATION DATABASE

3. WEB APPLICATION FIREWALL
• STOPS HTTP FLOODS AND TLS-BASED ATTACKS
• TERMINATES TLS
• IDENTIFIES AND STOPS MALICIOUS LAYER 7 BOT TRAFFIC WITH BEHAVIORAL ANALYSIS

4. ONLY THE CLEAN TRAFFIC IS ROUTED BACK TO THE APPLICATION
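The “always-available” architecture above rests on a closed feedback loop: on-premises telemetry decides when the cloud-scrubbing tier is engaged and when traffic returns to the normal path. As an added illustration (not F5’s fabric or any product’s code), the controller below models that loop. The telemetry samples, the 1 Gbps on-premises capacity and every threshold are constructed assumptions; the point it demonstrates is the dead band plus hold time that keeps a single spike, or a brief lull mid-attack, from flapping the route between the two tiers.

```python
from dataclasses import dataclass, field


@dataclass
class EngagementPolicy:
    """Operator-chosen thresholds (constructed values for this example)."""
    onprem_capacity_bps: float        # what the on-premises device can absorb
    engage_ratio: float = 0.8         # divert once sustained load exceeds this share
    release_ratio: float = 0.5        # return traffic once load falls below this share
    engage_after: int = 3             # consecutive high samples before diverting
    release_after: int = 6            # consecutive low samples before returning


@dataclass
class HybridController:
    """Closed feedback loop: on-prem telemetry decides when the cloud tier is engaged.

    The gap between engage_ratio and release_ratio is a dead band, and the
    consecutive-sample counters add a hold time, so one spike or a short lull
    during an attack does not flap the route back and forth.
    """
    policy: EngagementPolicy
    cloud_engaged: bool = False
    transitions: list = field(default_factory=list)
    _above: int = 0
    _below: int = 0

    def observe(self, t, inbound_bps):
        """Feed one telemetry sample; returns True while the cloud tier is engaged."""
        p = self.policy
        load = inbound_bps / p.onprem_capacity_bps
        if load >= p.engage_ratio:
            self._above += 1
            self._below = 0
        elif load <= p.release_ratio:
            self._below += 1
            self._above = 0
        else:
            self._above = self._below = 0   # inside the dead band: hold current state
        if not self.cloud_engaged and self._above >= p.engage_after:
            self.cloud_engaged = True
            self.transitions.append((t, "engage_cloud"))
            self._above = 0
        elif self.cloud_engaged and self._below >= p.release_after:
            self.cloud_engaged = False
            self.transitions.append((t, "release_cloud"))
            self._below = 0
        return self.cloud_engaged


# Constructed telemetry: (seconds, inbound bits/s) every 10 s for a 1 Gbps device.
# Baseline, a ramp into a 5 Gbps flood, a short lull, then a sustained return to normal.
SAMPLE_TELEMETRY = [
    (0, 0.2e9), (10, 0.2e9), (20, 0.2e9),
    (30, 0.9e9), (40, 3.0e9), (50, 5.0e9),
    (60, 0.6e9),
    (70, 0.3e9), (80, 0.3e9), (90, 0.3e9), (100, 0.3e9), (110, 0.3e9),
    (120, 0.7e9),
    (130, 0.3e9), (140, 0.3e9), (150, 0.3e9), (160, 0.3e9), (170, 0.3e9), (180, 0.3e9),
]


def run_simulation(samples=SAMPLE_TELEMETRY, capacity_bps=1.0e9):
    """Replay telemetry through the controller and return its route transitions."""
    ctl = HybridController(EngagementPolicy(onprem_capacity_bps=capacity_bps))
    for t, bps in samples:
        ctl.observe(t, bps)
    return ctl.transitions


if __name__ == "__main__":
    for t, action in run_simulation():
        print(f"t={t:>4}s  {action}")
```

In the replay the cloud tier is engaged 30 seconds into the ramp and released only after six consecutive quiet samples; the 0.6 Gbps and 0.7 Gbps readings fall in the dead band and neither engage nor release anything. The release hold is deliberately longer than the engage hold, because the cost of flapping back too early (the on-premises device re-saturating) is higher than the cost of a few extra minutes in the scrubbing center.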
IS THERE AN IDEAL SOLUTION?

In today’s climate of ever-evolving DDoS attacks, it’s increasingly clear that every organization needs to consider and adopt a DDoS protection strategy.

Integrated on-premises solutions offer tight control and flexibility, but can be quickly overwhelmed by a large volumetric attack. Managed cloud-based services deliver protection from those large attacks, but can be expensive if used for all traffic, all the time. By using a combination of on-premises security devices and a cloud-based scrubbing service to handle volumetric attacks, organizations maintain control, while spinning up cloud-protection services as needed to handle the largest volumetric floods.

In choosing how to best protect your organization from DDoS attacks, you should weigh the likelihood of experiencing an attack against the ability of your organization to effectively mitigate it. Having a single vendor that provides consistent protection services across all models to meet your needs today and as they evolve can be a key advantage.

Whatever you decide, be proactive in your DDoS defense. Ensure the continuity of your site and your services by putting your solution in place—before you experience an attack.

For more information about protecting your organization against DDoS attacks, visit f5.com/security.
THINK APP SECURITY FIRST

Always-on, always-connected apps can help power and transform your business–
but they can also act as gateways to data beyond the protections of your firewalls.
With most attacks happening at the app level, protecting the capabilities that drive
your business means protecting the apps that make them happen.

US Headquarters: 401 Elliott Ave W, Seattle, WA 98119 | 888-882-4447 // Americas: [email protected] // Asia-Pacific: [email protected] // Europe/Middle East/Africa: [email protected] // Japan: [email protected]
©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, expressed or implied, claimed by F5. EBOOK-SEC-197489895 | 2.18
