The Fastest DDoS Mitigation in the West

Jay Kelley
Published March 03, 2016

Every day, companies of all sizes are bombarded by hacks and network attacks. The frequency and volume of these attacks continue to spiral upward, seemingly out of control and without abatement. It’s not just the volume of the attacks that is significant, but also their voracity and vindictiveness.

Some of the most basic, yet effective network attacks that can bring an organization and its applications to their knees are distributed denial of service (DDoS) attacks. There are several different types of DDoS attacks. A typical DDoS attack attempts to overpower network defenses using unceasing volumes of traffic, usually from multiple, compromised systems or devices acting like bots. These volumetric attacks have been designed to overwhelm a network’s capacity, especially its ability to handle connections per second (CPS); this is referred to as the ramp-up rate. They are meant to flood your network defenses, overwhelm and ultimately exhaust them, denying access to real, legitimate user traffic.

It’s sort of like how the human body deals with a serious infection. Our white blood cells try to fight the infection with all of their might; unfortunately, this leaves the body open to other, secondary infections, because the body’s defenses are overwhelmed trying to deal with the initial serious infection. The same happens with cyber-attacks. DDoS attacks can also be used as a distraction, forcing an organization to focus all of its defenses and efforts into resolving the known DDoS attack, while a secondary attack – like a secondary infection! – infiltrates the network, stealing data and more, while all of the defensive attention is paid to the more noticeable DDoS attack.

Another form of DDoS attack leverages large amounts of legitimate connections to flood and overload the memory of stateful defensive devices, forcing them to reject legitimate connections. Yet another type of DDoS attack doesn’t attempt to flood the network with requests, but instead sends its malicious data a character at a time, slowing the network down to a crawl by consuming all-important memory. And then, there are hybrid DDoS attacks, which can combine one or more of these different attack types. 

Let’s also contemplate the cost of these attacks. According to Neustar, an information services company, the cost to banking institutions of a simple DDoS attack is in the neighborhood of $100,000 per hour [1]! According to Kaspersky Labs’ DDoS Intelligence Report [2], the longest duration DDoS attack in 2015 lasted 371 hours. If that DDoS attack was being inflicted on a banking institution, it could have cost that enterprise over $37.1 million!

And, just to add insult to injury, according to the Arbor Networks’ 11th Annual Worldwide Infrastructure Security Report [3], the peak DDoS attack in 2015 was 500 Gbps.

Questioning Application Security

The onslaught and malevolence of these enterprise-aimed attacks can have even the most security conscious organizations questioning their application defenses. How can any enterprise be sure that their applications and data won’t fall victim to a malicious attack and its evil payload, leaving data destruction and devastation in its wake, or worse, leaving critical, sensitive data – particularly data of users, employees, patients, and others – to be held for ransom? How can enterprises be sure that they won’t be the next victim du jour of a dastardly DDoS attack? How will these attacks affect the enterprise’s resources, users, and potentially their brand and reputation?

Today and into the future, enterprises need superior levels of concurrency, connectivity, and throughput to address the always surging, innovating – and not in a good way – attacks. They will need powerful, layered defenses. They will require high scale, and even higher performance.

Enterprises, today and into the future, need F5.

Enterprise Empowerment with Fast DDoS Mitigation

With industry-leading concurrent connectivity and throughput, the 100GbE F5 VIPRION B4450 blade, announced on February 22nd, 2016, assures enterprises that their network, applications, and data remain secure. When deployed in concert with the full-proxy approach of BIG-IP Advanced Firewall Manager (AFM), F5’s high-performance, stateful, full-proxy firewall, the NEBS-compliant VIPRION B4450 blade, running in F5’s 4-blade VIPRION C4450 or 8-blade C4800 chassis, delivers fast DDoS mitigation, inoculating enterprises against myriad DoS and DDoS threats. This new blade quickly ramps to distinguish between malignant and legitimate connections during a DDoS attack, absorbing or discarding the malicious connections before they are able to consume and overwhelm network and application resources.

The need to fend off virulent attacks and defend networks, applications, and data further fuels enterprises to continue their already heavy investment in security. The F5 VIPRION B4450 blade, with the VIPRION C4480 and C4800 chassis, empowers enterprises. Its market-leading support for over a billion concurrent connections easily handles the ever-growing number of users, applications and data. Combined with BIG-IP AFM, the VIPRION B4450 blade with the C4450 or C4800 chassis assures the protection and safety of enterprises and their network, applications, and data.

Defending Against L7 Attacks

While volumetric DDoS attacks seem to garner a great deal of the spotlight, application attacks are also multiplying. And they are becoming even more dangerous and insidious. With layer 7 throughput that is exponentially higher than any other F5 blade and chassis, the VIPRION B4450 blade performs at a level necessary to mitigate even the most actively virulent application attacks. The VIPRION B4450 blade mitigates as well as provides an early warning of application attack vectors and defends against most multi-pronged, simultaneous vectors with superior efficacy.

When combined with BIG-IP Application Security Manager (ASM), the F5 VIPRION B4450 blade mitigates and defends against nearly any L7 attack that comes its way. BIG-IP ASM is F5’s agile, scalable web application firewall (WAF); it leverages F5’s deep application fluency to detect and mitigate HTTP-based attacks, protects vital applications with comprehensive, policy-based web application security, and offers layer 7 DDoS defenses that detect, mitigate, and enable visibility into granular attacks.

Network and application attacks are rising at record pace and costing more than ever: a recent Ponemon Institute report sponsored by IBM [4] claims that there are 1.5 million cyber attacks annually, and Juniper Research [5], in a recent report, stated that cybercrime will cost businesses over $2.1 trillion annually by 2019. Enterprises must do all that they can to protect themselves, their employees, patients, their users, their network, applications, and data, and their reputation. Concurrent connections are driven by the increasing power of smart devices, the always-increasing number of apps per device, and the growing number of connected devices per person. To address these challenges, enterprises need a solution with the highest capacity, throughput, and performance, and one that can scale at will. But they also need innovation and technological growth, with the ability to address the now necessary lightning-fast changes to security, without necessitating modifications and swap-outs, which increase costs.

That’s why today’s enterprises need F5, and its 100GbE VIPRION B4450 blade!

References

[1] Neustar, “Banks Lose Up to $100K/Hour to Shorter, More Intense DDoS Attacks,” by Penny Crossman, American Banker, April 23, 2015

[2] DDoS Intelligence Report, Q4 2015, Kaspersky Labs

[3] 11th Annual Worldwide Infrastructure Security Report, Arbor Networks

[4] 2015 Cost of Data Breach, Ponemon Institute and IBM

[5] The Future of Cybercrime and Security: Financial and Corporate Threats and Mitigation, Juniper Research, May 2015