Managed DDoS detection – the human element
Most IT organizations do not have the specialist skill set to perform around-the-clock DDoS monitoring and DDoS detection. A specialized DDoS detection service as part of a larger cloud security service can provide advanced visibility into global Internet traffic and traffic at your website or data center. Dedicated technicians in a specialized Security Operations Center (SOC) can monitor customers’ networks 24/7 for early DDoS detection of malicious application-layer and network-layer traffic.
Seasoned web security experts on the DDoS detection provider’s security team can also serve as web security consultants who ensure that web applications and network systems are always up-to-date and protected against emerging threats.
Detect DDoS attacks that target web applications
Application-based monitoring is a form of DDoS detection that alerts on application-layer (layer 7) DDoS attacks. Equipment on the customer premises passively monitors web traffic for denial-of-service attempts that degrade application response. Data is gathered and correlated across multiple dimensions to provide insight into how clients interact with your applications. Security Operations Center staff use this data to identify and analyze malicious application-layer traffic and confirm that a DDoS attack is under way.
Customer premises equipment (CPE) can monitor non-intrusively, receiving a copy of traffic from a network tap or a switch SPAN port, so that production web traffic is neither interrupted nor slowed.
Application-based DDoS detection provides early detection and notification of layer 7 DDoS attacks, such as GET floods, POST floods and low-and-slow attacks such as Slowloris.
Although application traffic is often encrypted, DDoS attacks hidden in HTTPS traffic can still be detected. An on-premises appliance built on a FIPS 140-2 validated cryptographic module can hold the site's private key and decrypt TLS traffic locally, so that malicious IP addresses generating encrypted layer 7 attacks can be identified without the key ever leaving the customer's control. One caveat: passive decryption with a copy of the server key only works for RSA key exchange; with forward-secret cipher suites (ECDHE, and all of TLS 1.3) the sensor must either terminate TLS inline or receive session keys from the server.
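The two layer 7 patterns this section names, request floods and low-and-slow attacks such as Slowloris, need different detection logic: a flood stands out by request rate per source, while Slowloris barely registers as requests at all and shows up only as many half-open connections per source. The following Python is an added example, not code from the page or from any detection vendor. It assumes a passive sensor has reconstructed each observed HTTP request into the record shape shown (the `HttpEvent` fields are an assumption), learns its baseline as the median per-client request count, and runs over constructed traffic; all thresholds are illustrative.

```python
"""Application-layer DDoS detection over passively observed HTTP requests.

Added example; it is not code from the page or from any detection vendor.
It assumes a tap/SPAN sensor that reconstructs each HTTP request into the
record below. Thresholds and the sample traffic are illustrative.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class HttpEvent:
    ts: float         # seconds since start of the observation window
    src: str          # client IP address
    method: str       # GET, POST, ...
    path: str
    complete: bool    # full request received (False = still dribbling headers)
    open_for: float   # seconds the connection has been open so far


def detect_floods(events, window=60.0, factor=10.0, floor=100):
    """Flag sources whose completed-request count in the window exceeds both
    an absolute floor and `factor` times the median per-client count.
    The median is the learned baseline: one flooding client among many
    ordinary ones barely moves it."""
    counts = Counter(e.src for e in events if e.complete and e.ts < window)
    if not counts:
        return {}
    baseline = median(counts.values())
    threshold = max(floor, factor * baseline)
    return {src: n for src, n in counts.items() if n > threshold}


def detect_low_and_slow(events, min_open=30.0, min_conns=20):
    """Flag sources holding many connections open for a long time without
    ever completing a request: the Slowloris pattern. Its request rate is
    tiny, so the flood logic above never sees it."""
    stalled = defaultdict(int)
    for e in events:
        if not e.complete and e.open_for >= min_open:
            stalled[e.src] += 1
    return {src: n for src, n in stalled.items() if n >= min_conns}


def build_sample():
    """Constructed traffic (not captured data): five ordinary clients at
    about 0.5 requests/s each, one GET-flood source at 10 requests/s, and
    one Slowloris source with 40 half-open requests."""
    events = []
    for i in range(150):
        events.append(HttpEvent(i * 0.4, f"203.0.113.{10 + i % 5}", "GET",
                                "/index.html", True, 0.05))
    for i in range(600):
        events.append(HttpEvent(i * 0.1, "198.51.100.7", "GET",
                                "/search?q=a", True, 0.02))
    for i in range(40):
        events.append(HttpEvent(0.0, "198.51.100.9", "GET", "/",
                                False, 45.0 + i))
    return events


def analyze(events):
    """Return the alerts a SOC analyst would be handed for this window."""
    return {"flood": detect_floods(events),
            "low_and_slow": detect_low_and_slow(events)}


if __name__ == "__main__":
    for kind, hits in analyze(build_sample()).items():
        for src, n in hits.items():
            print(f"{kind}: {src} ({n} requests/connections)")
```

On the constructed input the flood detector reports only 198.51.100.7 and the low-and-slow detector only 198.51.100.9; the five ordinary clients trip neither. In a real deployment the baseline would be learned from a longer quiet period rather than from the same window being judged.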
Detect DDoS attacks that target the network with high traffic volume
Flow-based monitoring is used to detect volumetric DDoS attacks at the network layer. Edge routers on your network export flow records (NetFlow, sFlow or IPFIX summaries of which addresses talked, over which protocol and port, and how many packets and bytes were exchanged) to the Security Operations Center (SOC), allowing staff to build a profile of your normal traffic. Drawing on that baseline, SOC staff can identify significant deviations from the profile as they occur, analyze the anomalies, and alert you when a DDoS attack is detected.
Because the routers already generate these records as part of normal operation, flow export is non-intrusive and has minimal impact on services.
Flow-based DDoS detection provides early detection and notification of volumetric network-layer DDoS attacks, such as SYN floods, UDP floods and ICMP floods.
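The flow-based approach described above, as an added Python example that is not code from the page or from any vendor's collector: it assumes flow records have already been decoded into the `Flow` tuple shown (with TCP flags as a bitmask), learns a per-protocol packets-per-second baseline from a known-quiet first minute, and then alerts when a window exceeds the baseline by several standard deviations, labelling TCP anomalies as SYN floods when the flows are overwhelmingly SYN-without-ACK. The sample flows are constructed and all thresholds are illustrative.

```python
"""Flow-based volumetric DDoS detection from router flow exports.

Added example; not the page's or any vendor's code. It assumes a collector
that has decoded NetFlow/IPFIX records into the Flow tuple below, with TCP
flags as a bitmask. Baseline period, thresholds and sample data are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

SYN, ACK = 0x02, 0x10          # TCP flag bits as exported in flow records


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds
    src: str
    dst: str
    proto: int     # 1 = ICMP, 6 = TCP, 17 = UDP
    dport: int
    flags: int     # union of TCP flags seen in the flow (0 for non-TCP)
    packets: int
    octets: int


def summarize(flows, window=10):
    """Per (window, proto): packets per second, distinct sources and, for
    TCP, the fraction of flows that carried SYN but never ACK."""
    agg = defaultdict(lambda: {"pkts": 0, "srcs": set(), "tcp": 0, "syn_only": 0})
    for f in flows:
        a = agg[(f.ts // window * window, f.proto)]
        a["pkts"] += f.packets
        a["srcs"].add(f.src)
        if f.proto == 6:
            a["tcp"] += 1
            if f.flags & SYN and not f.flags & ACK:
                a["syn_only"] += 1
    return {key: {"pps": a["pkts"] / window,
                  "sources": len(a["srcs"]),
                  "syn_ratio": a["syn_only"] / a["tcp"] if a["tcp"] else 0.0}
            for key, a in agg.items()}


def learn_baseline(summary):
    """Per-protocol mean and population stdev of pps over the quiet windows."""
    by_proto = defaultdict(list)
    for (_, proto), s in summary.items():
        by_proto[proto].append(s["pps"])
    return {p: (mean(v), pstdev(v)) for p, v in by_proto.items()}


NAMES = {1: "ICMP flood", 6: "SYN flood", 17: "UDP flood"}


def detect(summary, baseline, k=4.0, min_pps=1000, syn_ratio=0.8):
    """Alert when a window's pps for a protocol exceeds mean + k*stdev and an
    absolute floor. TCP anomalies count as SYN floods only when most flows
    are half-open; otherwise they are reported as a completed-handshake flood."""
    alerts = []
    for (w, proto), s in sorted(summary.items()):
        mu, sd = baseline.get(proto, (0.0, 0.0))
        if s["pps"] <= max(min_pps, mu + k * sd):
            continue
        kind = NAMES.get(proto, f"protocol {proto} flood")
        if proto == 6 and s["syn_ratio"] < syn_ratio:
            kind = "TCP flood (completed handshakes)"
        alerts.append({"window": w, "kind": kind, "pps": s["pps"],
                       "sources": s["sources"]})
    return alerts


def build_sample():
    """Constructed flows (not router data): six quiet 10-second windows of
    web, DNS and ping traffic, then a UDP flood from 200 reflectors at
    t=60 and a SYN flood from 500 spoofed sources at t=70."""
    flows = []
    for w in range(0, 60, 10):
        for i in range(20):
            flows.append(Flow(w, f"203.0.113.{i}", "192.0.2.10", 6, 443, SYN | ACK, 100, 80_000))
        for i in range(10):
            flows.append(Flow(w, f"203.0.113.{50 + i}", "192.0.2.53", 17, 53, 0, 50, 5_000))
        flows.append(Flow(w, "203.0.113.99", "192.0.2.10", 1, 0, 0, 50, 3_000))
    for i in range(200):
        flows.append(Flow(60, f"198.51.100.{i}", "192.0.2.10", 17, 80, 0, 2_500, 3_000_000))
    for i in range(500):
        flows.append(Flow(70, f"10.0.{i // 250}.{i % 250}", "192.0.2.10", 6, 443, SYN, 600, 36_000))
    return flows


def run(flows, quiet_until=60):
    """Learn the baseline from the assumed known-good first minute, then
    score every window."""
    baseline = learn_baseline(summarize([f for f in flows if f.ts < quiet_until]))
    return detect(summarize(flows), baseline)


if __name__ == "__main__":
    for a in run(build_sample()):
        print(f"t={a['window']}s {a['kind']}: {a['pps']:.0f} pps from {a['sources']} sources")
```

The distinct-source count is carried into each alert because it is what an analyst uses to tell a reflection attack (many real reflectors) from a spoofed SYN flood (effectively unlimited fake sources) and to decide whether per-source filtering is even worth attempting.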
IP reputation – valuable data for DDoS monitoring
Some IP addresses are more likely to produce malicious traffic than others: they have done it in the past, probably to someone else. IP reputation is a scoring system that rates an IP address's propensity to source attack traffic, whether DDoS attacks, web application attacks or vulnerability scanning. The score can be used to automatically alert on, or filter, traffic from an address, enhancing DDoS monitoring. A cloud security service that sees more of the Internet's web traffic will generally produce better IP reputation data, because it observes more attacks from more sources.
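A reputation score of the kind described above has to do two things the paragraph leaves implicit: weight different kinds of past behaviour differently, and let a score decay so that an address that stopped attacking is not blocked forever. The following Python is an added example, not the page's or any vendor's scoring scheme; the event weights, 30-day half-life, policy thresholds and observation feed are all assumptions.

```python
"""IP reputation scoring with time decay, for alerting or filtering.

Added example, not the page's or any vendor's scheme. It assumes a feed of
(ip, kind, day_observed) records from past attacks; weights, half-life,
thresholds and the sample feed are illustrative assumptions.
"""
from collections import defaultdict

# Assumed weights: one DDoS participation counts far more than one scan.
WEIGHTS = {"ddos": 40.0, "web_attack": 25.0, "vuln_scan": 10.0}
HALF_LIFE_DAYS = 30.0       # assumption: an event's contribution halves every 30 days

# Constructed feed (ip, kind, day observed). Not real observations.
SAMPLE_FEED = [
    ("198.51.100.7", "ddos", 99),          # repeat DDoS source, active now
    ("198.51.100.7", "ddos", 100),
    ("198.51.100.7", "web_attack", 100),
    ("198.51.100.8", "ddos", 10),          # one DDoS event, 90 days ago
    ("198.51.100.9", "vuln_scan", 95),     # scanner that is escalating
    ("198.51.100.9", "web_attack", 98),
    ("198.51.100.9", "vuln_scan", 100),
]


def reputation_score(observations, now_days, half_life=HALF_LIFE_DAYS):
    """Exponentially decayed sum of weighted events, capped at 100.

    observations: iterable of (kind, day_observed). Events dated in the
    future (clock skew between feeds) are treated as happening now."""
    score = 0.0
    for kind, day in observations:
        age = max(0.0, now_days - day)
        score += WEIGHTS[kind] * 0.5 ** (age / half_life)
    return min(100.0, score)


def policy(score, block_at=70.0, alert_at=30.0):
    """Map a score to the action a monitoring pipeline takes on new traffic
    from that address. Thresholds are assumptions."""
    if score >= block_at:
        return "block"
    if score >= alert_at:
        return "alert"
    return "allow"


def score_feed(feed, now_days):
    """Turn an observation feed into a lookup table {ip: (score, action)}
    that a flow or application monitor can consult per source address."""
    by_ip = defaultdict(list)
    for ip, kind, day in feed:
        by_ip[ip].append((kind, day))
    table = {}
    for ip, obs in by_ip.items():
        s = reputation_score(obs, now_days)
        table[ip] = (round(s, 1), policy(s))
    return table


if __name__ == "__main__":
    for ip, (score, action) in sorted(score_feed(SAMPLE_FEED, now_days=100).items()):
        print(f"{ip:15} score={score:5.1f} action={action}")
```

With the constructed feed and a current day of 100, the active repeat DDoS source saturates at 100 and is blocked, the address whose only DDoS event is 90 days old has decayed to 5 and is allowed, and the escalating scanner lands in the alert band. The half-life is the knob to argue about in practice: too short and persistent botnet members keep dropping off the list, too long and dynamically assigned addresses inherit their previous holder's reputation.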
What to look for in a DDoS detection service
- A large staff of DDoS detection experts;
- 24/7/365 coverage;
- Continual monitoring of netflow and/or applications, depending on your site’s requirements;
- Hardware that protects your encryption keys and confidential information while providing a secure way to monitor and stop HTTPS attacks;
- Fast response – in minutes or less;
- Use of IP reputation data;
- Quick notification or immediate DDoS mitigation when malicious denial-of-service traffic threatens your network;
- Clear communication and action plan.