Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have for years been a prevalent method of disrupting service delivery from websites and other Internet-based services. Akamai, a major provider of Content Delivery Network (CDN) services, recently reported a 116% increase in DDoS attacks from Q1 2014 to Q1 2015.
Traditionally, these attacks have used methods that target the network layer of web application infrastructure. Indeed, the Akamai research showed that network layer attacks were up 125% over the year. However, DDoS attacks that target the Application Layer also grew by 59% in the same period. Even with this growth, Application Layer DDoS attacks made up only about 10% of the total, with the remaining 90% comprising the more common network layer attacks.
The use of Application Layer DDoS attacks is likely to increase in future, as they provide another way for people with malicious intent to attack Internet-hosted applications. It’s very likely that Network and Application Layer methods of attack will be used in combination to disrupt services in future, so it is vital that protection is put in place to guard against both. KEMP LoadMaster can be a key component in a defensive strategy against DDoS attacks.
Protecting Against Traditional DDoS Attacks
Deploying KEMP LoadMaster to provide load balancer and application delivery functionality on your network means you also have access to functionality that can help mitigate DDoS attacks. At the Network Layer it can help prevent many of the common types of DDoS attack, including SYN Flood Attacks, TCP Reset Attacks, ICMP Attacks, UDP Storm Attacks, and Reflected Request (DNS/NTP) Attacks. The following LoadMaster features help protect against these kinds of attack:
- A network processing engine that validates connections and checks protocol requests for correct structure and methods.
- Proxying connections to application servers.
- Web Application Firewall (WAF) rules and rule subscriptions.
- Site whitelists and blacklists.
- High-capacity connection management under the heavy loads typical of a DDoS attack.
- Connection rate limiting.
- Content switching.
- SSL/TLS termination and validation processing.
Coupled with your traditional edge security provision at the Network Layer, these LoadMaster features will help prevent and mitigate network layer DDoS attacks.