Shielding Applications to Prevent DDoS Attacks

A software-defined perimeter can be an integral tool in protecting against DDoS attacks

One common security threat that corporate networks, applications and web-based services have been failing to effectively defend against is the distributed denial of service (DDoS) attack. In this form of attack, the perpetrator deliberately overloads an application with requests until it becomes unavailable. Because the traffic arrives from many sources at once, this type of distributed attack is challenging to block. DDoS attacks are attempts to prevent users from accessing and using a service, either by causing it to crash or by overwhelming it with traffic and requests.

In a recently publicized case, the UK’s Labour Party experienced two DDoS-related shutdowns during the 2019 general election campaign. Two separate DDoS attacks hit simultaneously and disabled campaigning tools, which impaired the party’s ability to carry out election activities efficiently. Since this was a DDoS attack, the traffic most likely came from hijacked, remotely controlled servers and computers, so the countries in which the attack traffic originated need have no connection with the actual perpetrator. Such hijacking, in which malware gains control of an unsuspecting computer or server and remotely runs DDoS attack programs, is exceedingly common and makes identifying the criminals extremely difficult.

In the U.S., Sergiy P. Usatyuk of Orland Park, Illinois, was recently arrested and jailed for conspiracy to cause damage to internet-connected computers and for the ownership, administration and support of illegal “booter” and “stresser” services designed to take down web-based applications and sites. Usatyuk admitted to developing, controlling and operating DDoS attack services starting in August 2015. He ran a DDoS-for-hire service, and his customers ordered more than 3.8 million DDoS attacks on sites globally.

There are several kinds of DDoS attacks, including the common volumetric attack, the application-layer attack and the protocol attack, but all of them have one thing in common when they hit a web-connected application: they need access to that application. Volumetric attacks overpower an application’s throughput by saturating it with thousands or tens of thousands of false requests; the application loses the ability to accept legitimate traffic quickly and efficiently, rendering it useless. Application-layer attacks use floods of GET/POST requests with the goal of crashing the web server. Finally, protocol attacks, such as a SYN flood, consume actual server resources or the resources of intermediate communication equipment. Regardless of type, all of these DDoS threats succeed by reaching the site or application they are targeting.

Many companies give employees or partners access to an application on the network simply by handing the user an internet address, then relying on the application’s own security defenses to ward off cyberthreats. This approach is not at all effective against today’s most egregious DDoS attacks. Instead, administrators should not expose an application to the internet at all, but should have employees, partners or customers reach these resources over a software-defined perimeter (SDP). If the SDP solution is based on a network as a service (NaaS), the platform effectively acts as a buffer between the application or other IT resources and the outside world.

By using a software-defined perimeter to orchestrate a defense against DDoS and other threats, the SDP shields the application from direct connectivity to internal or external traffic and protects it from unscreened network traffic. The SDP bars all unauthorized traffic, so that only pre-approved communications are delivered, and only to the specific, approved resource on the network. User devices accessing the network undergo a zero-trust vetting process before being allowed on. With this approach, internal applications are invisible to unauthorized perpetrators.

This is a big difference from the conventional “castle-and-moat” approach that organizations have long relied on for network security, which trusts any and all communications/digital traffic inside the network’s gates. Bestowing this level of blanket trust becomes increasingly risky as enterprises enter the world of data distribution via multiple apps and clouds. With traditional network infrastructure, all it takes for data to be compromised is for a perpetrator to get through your firewall since this approach grants users full access to the network once they’re in the system. To protect your data from the likes of DDoS attacks and other threats to cybersecurity in the current distributed environment, SDPs become imperative.

Focusing on perimeter security alone is no longer an effective strategy in a cloud-dominated world. But enterprises or any cloud-based organization can mitigate the DDoS cybersecurity threat and directly confront it by deploying an always-on SDP solution. SDPs defend and fortify the perimeter in a way that moves beyond traditional limitations and makes sense in a world of multi-cloud and hybrid configurations. By following this approach and securing gateways at the application level rather than the network level, SDP solutions create a reliable security framework that ensures no entity or traffic can access the organization’s computing infrastructure without first being cleared.
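The two ideas the last few paragraphs turn on are that the application is never addressable by unvetted traffic, and that every connection is cleared against identity and device posture before it is forwarded. The following is an added example written for this article, not Proofpoint’s or Meta Networks’ code, of the control flow in its simplest form: a controller vets the user and device against a policy (the policy, resource names, posture attributes and signing key are all constructed for the example) and issues a short-lived HMAC-signed grant for exactly one resource; a gateway in front of the application forwards a connection only when it carries a valid, unexpired grant for the resource it is trying to reach, and silently drops everything else, including token-less traffic, so the application stays invisible.

```python
import base64
import hashlib
import hmac
import json
import time

# Secret shared by the SDP controller (authenticates users and checks posture) and the
# gateway (fronts the application). Constructed for this example; not a real key.
CONTROLLER_KEY = b"example-controller-key-not-for-production"

# Hypothetical minimal access policy: which groups may reach which internal resource,
# and what device posture the zero-trust check demands. Resource names are placeholders.
POLICY = {
    "hr-portal": {"groups": {"hr", "it-admin"},
                  "posture": {"disk_encrypted": True, "os_patched": True}},
    "build-server": {"groups": {"engineering"},
                     "posture": {"disk_encrypted": True}},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def evaluate_policy(groups, posture, resource):
    """Controller-side vetting: the user must be in an allowed group and the device must
    meet every posture requirement. Unknown resources are denied by default."""
    rule = POLICY.get(resource)
    if rule is None:
        return False
    if not set(groups) & rule["groups"]:
        return False
    return all(posture.get(key) == want for key, want in rule["posture"].items())


def issue_grant(user, groups, posture, resource, ttl=300, now=None):
    """Controller: once identity and posture checks pass, issue a short-lived HMAC-signed
    grant naming exactly one resource. Returns None when policy denies."""
    if not evaluate_policy(groups, posture, resource):
        return None
    now = time.time() if now is None else now
    claims = {"sub": user, "res": resource, "exp": int(now + ttl)}
    payload = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(CONTROLLER_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64url_encode(sig)}"


def verify_grant(token, now=None):
    """Gateway: constant-time signature check plus expiry check; returns claims or None."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(CONTROLLER_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(sig), expected):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:          # malformed token, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def gateway_decide(token, requested_resource, now=None):
    """Gateway: default deny. A connection is forwarded only with a valid, unexpired grant
    for exactly the resource it targets; anything else is dropped before it reaches the app."""
    if not token:
        return "drop: no grant (application stays invisible)"
    claims = verify_grant(token, now)
    if claims is None:
        return "drop: invalid or expired grant"
    if claims.get("res") != requested_resource:
        return "drop: grant is for a different resource"
    return f"forward: {claims['sub']} -> {requested_resource}"


if __name__ == "__main__":
    t0 = 1_573_394_580                      # fixed clock so the run is reproducible
    ok_device = {"disk_encrypted": True, "os_patched": True}
    grant = issue_grant("alice", ["hr"], ok_device, "hr-portal", now=t0)
    print(gateway_decide(grant, "hr-portal", now=t0 + 10))       # forward
    print(gateway_decide(grant, "build-server", now=t0 + 10))    # drop: other resource
    print(gateway_decide(grant, "hr-portal", now=t0 + 600))      # drop: expired
    print(gateway_decide(None, "hr-portal", now=t0))             # drop: no grant
    print(issue_grant("bob", ["hr"], {"disk_encrypted": False}, "hr-portal", now=t0))  # None
```

The point of the design is that authorization happens before any packet reaches the application: a flood aimed at the gateway without a grant is discarded without ever consuming the application’s resources, and a grant that does reach the gateway is bound to one user, one resource and a few minutes of validity. A production SDP replaces the shared HMAC secret with the controller’s own signing keys and continuously re-evaluates posture rather than checking it once.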

Micha Rave

Micha Rave is the Senior Director of Zero-Trust Product Management for Proofpoint and former VP of Products of Meta Networks. Mr. Rave is an experienced strategic product manager and team leader with substantial experience managing innovative product lines such as Proofpoint’s Software Defined Perimeter (SDP) platform.