Hybrid DDoS protection: the most effective architecture against multivector attacks

February 18, 2026

Denial-of-Service attacks are the most common threat to service availability, and hybrid protection delivered from the operator’s network combined with a local solution is the most effective way to stay protected.

The new DDoS attack landscape

Distributed Denial-of-Service (DDoS) attacks aim to cause service disruption through sustained streams of packets sent from distributed locations to a company’s IP address space, with the objective of overwhelming services and creating downtime, resulting in financial impact and reputational damage for the targeted organization.

In a recent post, we described in detail what DDoS attacks are, the different types of attacks that exist, what a DDoS protection solution must deliver, and the need to acquire a managed service from a company that, from an optimal network position and with highly qualified personnel specialized in this type of threat, can properly protect network traffic against DDoS attacks.

However, new attack vectors and multivector attacks are now emerging.

DDoS attacks are no longer static or single vector: today they are dynamic, multivector and increasingly sophisticated.

Cybercriminals and botmasters continue to exploit vulnerabilities and search for new ways to hijack networks and gain access to corporate data. Every day, media headlines report highly sophisticated DDoS attacks that cause significant impact.

All traffic and data circulating across networks are under constant threat from hackers launching highly sophisticated multivector DDoS attacks. The number of DDoS attacks has increased at every level, from single vector attacks to those leveraging up to 25 vectors. In particular, there is a growing prevalence of attacks using more than 15 vectors. Attackers often combine between 15 and 25 vectors to launch complex, high volume attacks targeting different layers of enterprise and service provider infrastructures.

In addition, the use of botnets to launch complex and large scale attacks is now automated. Numerous attacks target critical infrastructures such as routers, firewalls, DNS and VPN concentrators, and many organizations do not have the appropriate infrastructure to mitigate or resolve them effectively.

According to Netscout data, the threshold of 10 million attacks in 2025 has already been surpassed, establishing a new normal that reaches one million DDoS attacks per month.

More dynamic and harder to detect attacks

Cybercriminals are finding new ways to make their attacks more efficient, making them increasingly dynamic and harder to detect. There is a clear trend towards direct to IP attacks instead of amplification and reflection techniques, while DDoS attacks targeting the application layer and those embedded within encrypted HTTPS traffic have grown significantly.

This new approach, combined with traditional volumetric attacks, creates an increasingly volatile DDoS landscape where attack frequency continues to rise. As DDoS protection systems have become highly effective, attackers have enhanced their capabilities and increased the frequency of attacks against the application layer and edge devices, combining these techniques with traditional volumetric attacks.

Network scans are being launched to identify the most direct attack points, and attacks are no longer static over time. They are now dynamic, with multiple attack vectors, and instead of targeting the same IP continuously, they shift to multiple specific IP addresses that change during the attack.

Examples of new attacks

Carpet Bombing

A Carpet Bombing attack consists of targeting all IP addresses within a network and continuously rotating between them. Traffic directed at each IP is low, but aggregated across all of them it generates a very high volume, with targeted IPs changing approximately every three minutes.
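
Why a per-destination threshold misses this pattern while a per-prefix aggregate catches it, as an added example that is not part of the original post. The flow samples are constructed, and the thresholds, the /24 grouping and the record layout are assumptions.

```python
import ipaddress
from collections import defaultdict

PER_HOST_BPS = 50_000_000        # assumed per-destination alert threshold
PER_PREFIX_BPS = 1_000_000_000   # assumed aggregate threshold per /24
MIN_TARGETS = 32                 # assumed minimum number of hosts sharing the load
MAX_TOP_SHARE = 0.10             # assumed: no single host dominates the prefix

def make_sample_flows():
    """Constructed samples: (three-minute window, destination IP, bits per second)."""
    flows = []
    for window in range(3):
        first = 1 + window * 64  # the targeted block of 64 hosts moves each window
        for host in range(first, first + 64):
            flows.append((window, f"203.0.113.{host}", 20_000_000))
        flows.append((window, "198.51.100.10", 40_000_000))  # ordinary busy server
    return flows

def detect(flows, prefix_len=24):
    """Return (per-host alerts, per-prefix alerts) for the given flow samples."""
    per_host = defaultdict(int)
    per_prefix = defaultdict(lambda: defaultdict(int))
    for window, dst, bps in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        per_host[(window, dst)] += bps
        per_prefix[(window, str(net))][dst] += bps
    host_alerts = sorted(k for k, v in per_host.items() if v > PER_HOST_BPS)
    prefix_alerts = []
    for (window, net), hosts in sorted(per_prefix.items()):
        total = sum(hosts.values())
        # Signature: high aggregate volume spread thinly over many destinations.
        spread = len(hosts) >= MIN_TARGETS and max(hosts.values()) / total < MAX_TOP_SHARE
        if total > PER_PREFIX_BPS and spread:
            prefix_alerts.append((window, net, total, len(hosts)))
    return host_alerts, prefix_alerts

if __name__ == "__main__":
    host_alerts, prefix_alerts = detect(make_sample_flows())
    print("per-host alerts:", host_alerts)
    for alert in prefix_alerts:
        print("prefix alert (window, prefix, bps, targets):", alert)
```

No individual address crosses the per-host limit in any window, yet the covering prefix alerts in all three.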

DNS Water Torture

Another very common example is DNS Water Torture, a DNS attack that generates queries for non existent domain names, overloading DNS processing as servers attempt to resolve these names by querying higher level DNS servers outside the company.
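
A detection sketch for this pattern, added here as an example and not taken from the original post: it flags zones where almost every query is a never-repeated name that ends in NXDOMAIN. The log records are constructed, and the thresholds and the two-label zone split are assumptions.

```python
from collections import defaultdict

MIN_QUERIES = 20     # assumed minimum sample size per zone
NX_RATIO = 0.9       # assumed share of NXDOMAIN answers
UNIQUE_RATIO = 0.9   # assumed share of query names seen only once

def parent_zone(qname, labels=2):
    """Assumption: the zone is the last two labels (production code would
    consult the Public Suffix List instead)."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def make_sample_log():
    """Constructed resolver log: (query name, response code)."""
    log = []
    for i in range(40):
        # Pseudo-random, non-repeating left-most label under one victim zone.
        label = format(i * 2654435761 % 2**32, "08x")
        log.append((f"{label}.shop.example", "NXDOMAIN"))
    log += [("www.portal.example", "NOERROR")] * 30   # normal traffic
    log.append(("typo.portal.example", "NXDOMAIN"))   # ordinary user typo
    return log

def detect(log):
    """Return {zone: (queries, nxdomain_ratio, unique_name_ratio)} for suspects."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set()})
    for qname, rcode in log:
        entry = stats[parent_zone(qname)]
        entry["total"] += 1
        entry["nx"] += rcode == "NXDOMAIN"
        entry["names"].add(qname.lower())
    suspects = {}
    for zone, entry in stats.items():
        if entry["total"] < MIN_QUERIES:
            continue
        nx = entry["nx"] / entry["total"]
        unique = len(entry["names"]) / entry["total"]
        if nx >= NX_RATIO and unique >= UNIQUE_RATIO:
            suspects[zone] = (entry["total"], round(nx, 2), round(unique, 2))
    return suspects

if __name__ == "__main__":
    print(detect(make_sample_log()))
```

The single typo under the healthy zone does not trigger an alert, because both the NXDOMAIN share and the unique-name share must be high at the same time.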

Slow Loris

An example of an application layer attack is the so-called Slow Loris, which consists of sending traffic, not necessarily malformed, very slowly, opening multiple connections to the application server that remain waiting for the completion of a request that never arrives, eventually exhausting the connection stack.

For all the reasons described above, traditional DDoS protection is no longer sufficient.

The need for local ‘always-on’ protection

The number of purely volumetric attacks is decreasing, while direct to IP attacks, attacks embedded within encrypted HTTPS traffic, Carpet Bombing attacks targeting multiple company IP addresses, DNS Water Torture attacks, and network scans to identify vulnerabilities are increasing. At the same time, due to the traffic they generate, these scans themselves constitute DDoS attacks.

To address this growth in sophisticated new attacks with lower volume and focused on overwhelming applications or edge devices, it is necessary to deploy a device that operates inline within the traffic flow, in always-on mode, analyzing all network traffic including encrypted traffic.

By deploying a local Anti-DDoS security protection module inline, implemented on-premise at the perimeter of the customer’s Data Center network, that is, between the internet router and the firewall, robust protection can be achieved against this increase in new attack types.

The on-premise device acts as both the first and last line of defense, protecting against inbound and outbound threats.

This network position, combined with a stateless packet processing engine powered by threat intelligence, enables the solution to automatically detect and stop both inbound threats and outbound communications from compromised internal hosts, effectively acting as the first and last line of defense for organizations.

This device does not implement firewall functionality. The main reason is that, if it did, it would need to operate as a stateful device and maintain a session table that could become overwhelmed. Stateful devices such as firewalls are sensitive to DDoS attacks and are, in themselves, targets.

The local on-premise protection device must be deployed after the internet router in order to protect the firewall as well as any other edge devices on the network, such as IDS, IPS or load balancers.

Benefits of the local Anti-DDoS protection module

  • First line of defense: blocks inbound DDoS attacks to protect network availability, services and stateful security devices.
  • Last line of defense: blocks outbound communications from compromised devices to command and control infrastructures.
  • Protection against all types of DDoS attacks, including volumetric attacks up to link capacity.
  • Continuous traffic inspection, adding protection against attacks within encrypted traffic.

Hybrid protection: operator network plus local solution

In coordination with a DDoS protection solution provided by the internet service provider, hybrid protection is achieved, ensuring that high capacity volumetric attacks continue to be mitigated upstream, while more sophisticated attacks are handled by the local on-premise equipment.

Hybrid protection is the most effective and automated way to defend against Denial-of-Service attacks.

On-premise devices can operate independently, detecting and mitigating volumetric and application layer DDoS attacks. When they detect that an attack may exceed link capacity, they send an alert to the ISP’s Anti-DDoS Service, enabling additional automatic mitigation from the network.

Traffic diversion to the ISP’s network based service is automated when a volumetric attack exceeding certain configurable intensity thresholds is detected.
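
The threshold-driven hand-off described above, as an added example that is not the operator's or any vendor's actual logic. The link capacity, both thresholds, the hold count and the traffic samples are assumptions chosen for illustration.

```python
LINK_CAPACITY_BPS = 10_000_000_000   # assumed 10 Gbit/s internet link
DIVERT_AT = 0.8      # assumed: request upstream mitigation at 80 % of the link
RELEASE_AT = 0.3     # assumed: return to local-only mitigation below 30 %
HOLD_SAMPLES = 3     # assumed: consecutive samples required before switching

# Constructed attack-rate samples in bit/s, one per measurement interval.
# Assumption: the rate is the pre-mitigation volume, so it stays visible
# to the decision logic after traffic has been diverted upstream.
SAMPLE_BPS = [
    1_000_000_000, 2_000_000_000, 8_500_000_000, 9_000_000_000,
    9_500_000_000, 9_800_000_000, 4_000_000_000, 2_000_000_000,
    2_000_000_000, 1_000_000_000, 1_000_000_000,
]

def plan_mitigation(samples_bps):
    """Return one state per sample: 'local' or 'upstream+local'.

    Two thresholds plus a hold count give hysteresis, so a rate hovering
    around a single limit does not flap between the two modes.
    """
    state, streak, plan = "local", 0, []
    for bps in samples_bps:
        load = bps / LINK_CAPACITY_BPS
        if state == "local":
            streak = streak + 1 if load >= DIVERT_AT else 0
            if streak >= HOLD_SAMPLES:
                state, streak = "upstream+local", 0
        else:
            streak = streak + 1 if load <= RELEASE_AT else 0
            if streak >= HOLD_SAMPLES:
                state, streak = "local", 0
        plan.append(state)
    return plan

if __name__ == "__main__":
    for bps, state in zip(SAMPLE_BPS, plan_mitigation(SAMPLE_BPS)):
        print(f"{bps / 1e9:4.1f} Gbit/s -> {state}")
```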

In this way, a hybrid protection model is achieved that combines a local device with Telefónica’s network based Anti-DDoS Service, enabling defense against sophisticated attacks mitigated on premise as well as large volumetric attacks, without adding latency to legitimate traffic.

Key features of hybrid protection

  • Greater effectiveness in detecting volumetric, state exhaustion and sophisticated application layer attacks.
  • Integration of protection layers and automatic synchronization of the mitigation list.
  • Unlimited scalability leveraging Telefónica’s mitigation capacity.
  • Optimization of local resources.
  • Detection and mitigation of outbound attacks originating from the Data Center itself.
  • Ability to incorporate SSL and Malware inspection services.
  • Dedicated DNS protection.
  • Cost reduction and improved resilience.

Conclusions

Implementing DDoS protection from the operator combined with a local solution integrated with the operator’s network is the best architectural approach to address Denial-of-Service attacks, mitigating volumetric, application layer and multivector attacks alike.

The on-premise server operates in always-on mode and detects and mitigates attacks within its scope immediately, both inbound and outbound, with the additional capability to inspect SSL traffic in order to detect and mitigate threats hidden within encrypted traffic.

Acquiring a managed service for the fully integrated solution is the most effective way to address DDoS attacks, given the high level of expertise of ISP personnel operating these technologies.
