Connection-Based DDoS Is Less Impactful with an Advanced IP Layer

Written by: Francesco Trama | Published on: January 26th, 2016

About The Author

Francesco Trama
As Chief Executive Officer and Founder, Francesco is responsible for the overall operating performance, leading the strategic direction of the company’s products and solutions internally while building technical and business credibility externally as a market-facing thought leader.

There are a number of different types of cyber-attack that can cripple your network if you're not careful. A Denial of Service (DoS) attack, for instance, floods a network with more traffic than it can handle in order to bring it down. A Distributed Denial of Service (DDoS) attack is more harmful still: the attacker first compromises a large number of machines (a botnet) and then directs all of them at a single target at once. Because the traffic arrives from thousands of separate source IPs, blocking the attacker address by address no longer works.

Volumetric Vs. Connection-Based DDoS

There are two different types of DDoS: volumetric and connection-based. Let's look at the difference. A volumetric attack simply sends enough traffic to saturate the target's link. If the target has a 1 Mbps pipe and the attacker controls 100 Mbps of capacity, they send 100 Mbps of traffic at once and crush the circuit.

Connection-based attacks are more common. In a connection-based DDoS, the attacker doesn't have the raw bandwidth to crush the target's link. What they do have is an army of 10,000 or so bots. The attacker tells each bot to open 100 connections to the target. The web server has to accept every one of these fake requests, allocate connection state and worker processes for them, and hold that state while it waits on clients that will never finish. Ten thousand bots times 100 requests is a million in-flight connections, far more than a typical server's connection table or worker pool can hold, so the server stops answering real customers. It is a simple attack that anyone who can rent or control a botnet can pull off, from anywhere.

The Advanced IP Layer

The problem with a firewall in these situations is that it is stateful: it has to evaluate and track each connection individually, so it can't recognize the threat until it is already overloaded by the very flood it is supposed to stop. The only response left at that point is to take the server offline, cutting off the rest of your customer base in the process.

From a single computer, an attacker can also spoof source IPs from all over the world. Your firewall can't deal with these requests one at a time without being overloaded. An Advanced IP layer instead filters requests en masse by source location, before they reach your firewall: if your customers are in North America, connections from countries you don't serve are dropped at the SYN stage, before the server allocates any state for them, and the attacker can no longer deliver their full payload to the web servers.

This may not eliminate the ten-thousand-bot army, but it greatly reduces it. The sources that remain are checked against a threat intelligence list that tracks known bots, botnets, open proxies and the like, which shrinks the army further. There may be a few hundred bots left after that, from the U.S. and Canada, but a few hundred sources are something a firewall and ordinary rate limits can handle. There is no longer enough volume to kill the server; the threat is watered down, and your customers can still reach your website.
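To make the two filtering stages above concrete, here is an added toy model of a pre-firewall IP layer applied to the post's scenario (10,000 bots, 100 requests each). This is illustration code written for this page, not the vendor's product or any real GeoIP library: the country table uses private 10.x.0.0/16 blocks as stand-ins for real allocations, the bot counts, the threat-intel list and the server's connection-table size are all constructed, and the function names are hypothetical.

```python
"""Toy model of a pre-firewall IP layer that drops connection-based DDoS
traffic first by source country, then by threat-intel reputation, before
it reaches the web server's connection table.  Added illustration, not
vendor code; every network, country mapping, count and capacity below is
constructed for the example."""
import ipaddress
from collections import Counter
from itertools import islice
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed geo table: private /16 blocks stand in for country allocations.
# A real deployment would load this from a GeoIP feed (assumption).
GEO_TABLE = [
    (ipaddress.ip_network("10.1.0.0/16"), "US"),
    (ipaddress.ip_network("10.2.0.0/16"), "CA"),
    (ipaddress.ip_network("10.3.0.0/16"), "BR"),
    (ipaddress.ip_network("10.4.0.0/16"), "RU"),
    (ipaddress.ip_network("10.5.0.0/16"), "CN"),
]
# Constructed capacity: in-flight connections the server can hold before it
# stops answering anyone.
SERVER_TABLE_SIZE = 65_536
# Constructed threat-intel list: the first 200 US and first 100 CA addresses
# are "known bots" (they overlap the botnet built below on purpose).
THREAT_INTEL: Set[str] = (
    {str(h) for h in islice(GEO_TABLE[0][0].hosts(), 200)}
    | {str(h) for h in islice(GEO_TABLE[1][0].hosts(), 100)}
)


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix match of a source address against the geo table."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, cc in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def build_botnet(bots_per_country: Dict[str, int], requests_per_bot: int) -> Counter:
    """Constructed attack traffic: each bot opens requests_per_bot connections.
    Traffic is kept per source address, the way a connection table sees it."""
    traffic: Counter = Counter()
    for cc, count in bots_per_country.items():
        net = next(n for n, c in GEO_TABLE if c == cc)
        for host in islice(net.hosts(), count):
            traffic[str(host)] += requests_per_bot
    return traffic


def geo_filter(traffic: Counter, allowed: Iterable[str]) -> Tuple[Counter, Counter]:
    """Drop every source outside the allowed countries at the SYN stage:
    one decision per source, not per request."""
    allowed = set(allowed)
    passed, dropped = Counter(), Counter()
    for src, n in traffic.items():
        (passed if country_of(src) in allowed else dropped)[src] = n
    return passed, dropped


def intel_filter(traffic: Counter, known_bad: Set[str]) -> Tuple[Counter, Counter]:
    """Drop sources that appear on the bot/botnet/proxy reputation list."""
    passed, dropped = Counter(), Counter()
    for src, n in traffic.items():
        (dropped if src in known_bad else passed)[src] = n
    return passed, dropped


def server_survives(traffic: Counter, table_size: int = SERVER_TABLE_SIZE) -> bool:
    """True when the requests reaching the server fit in its connection table."""
    return sum(traffic.values()) <= table_size


def mitigate(traffic: Counter, allowed_countries: Iterable[str],
             known_bad: Set[str] = THREAT_INTEL,
             table_size: int = SERVER_TABLE_SIZE) -> Dict[str, int]:
    """Run both stages and report how much of the flood each one removed."""
    after_geo, geo_dropped = geo_filter(traffic, allowed_countries)
    after_intel, intel_dropped = intel_filter(after_geo, known_bad)
    return {
        "offered_requests": sum(traffic.values()),
        "dropped_by_geo": sum(geo_dropped.values()),
        "dropped_by_intel": sum(intel_dropped.values()),
        "reaching_server": sum(after_intel.values()),
        "remaining_bots": len(after_intel),
        "survives_without_filter": server_survives(traffic, table_size),
        "survives_with_filter": server_survives(after_intel, table_size),
    }


if __name__ == "__main__":
    # The post's scenario: about 10,000 bots, 100 requests each, mostly abroad.
    army = build_botnet({"US": 300, "CA": 200, "BR": 2500, "RU": 3500, "CN": 3500}, 100)
    for key, value in mitigate(army, {"US", "CA"}).items():
        print(f"{key:>24}: {value}")
```

Running it shows the post's arithmetic: a million offered requests, 950,000 dropped by location, another 30,000 dropped by reputation, and 200 bots sending 20,000 requests left for the firewall, which fits comfortably in the server's table. Two caveats a practitioner should keep in mind: geo-filtering only helps when your legitimate customer base really is regional, since it also blocks genuine users in the dropped countries, and bots that sit inside the allowed countries pass the first stage untouched, which is why the reputation list and ordinary per-source rate limits still matter.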

A connection-based DDoS is a global army of attackers, and the only way to address a threat like that is with tools that work at a global scale. An Advanced IP layer is the simplest and most effective method of protecting yourself against an army much larger than yours and keeping it from overloading your server.