Dave Blakey recently stated in another blog post (CDNs vs ADCs: What are the differences?) that “No on-premise ADC can truly prevent a DDoS attack!” and he’s exactly right, but what is a DDoS attack and how does it differ from a DoS attack?
This post aims to break down Denial of Service as a whole, as well as the difference between DoS and DDoS and all the types of exploits in-between.
Firstly, DoS stands for Denial of Service and refers to any exploit that attempts to block legitimate users from accessing a service. A Distributed Denial of Service (DDoS) attack has the same end goal but makes use of multiple hosts to attack the same service at the same time.
There are three main types of DoS/DDoS attacks:
- Volumetric attacks - This type of attack floods the target with high volumes of traffic with the intention of saturating the site's available bandwidth.
- Protocol attacks - These target your servers/network infrastructure by exploiting various protocols to consume resources on the servers or network devices.
- Application layer attacks - These attacks target vulnerabilities within the operating system or the web server application itself.
The first two are typically launched as distributed attacks, usually making use of botnets, while attacks that fall into the last category can often be perpetrated by a single host with a minimal traffic footprint.
Application layer attacks are often referred to as low-and-slow because they generate a very small amount of traffic and usually look like legitimate requests, making them hard to detect with traditional monitoring tools.
Slowloris is a great example of a targeted application layer attack. With this attack a single host can bring down a vulnerable web server in a matter of seconds. It does this by establishing many HTTP connections to the target server but sending only a partial request on each. It then holds those connections open for as long as possible by periodically sending more HTTP headers but never actually completing the request. Once the “max connections” value is met, the web server is no longer able to accept any new connections, rendering the service unavailable.
The Snapt ADC prevents this, and similar attacks, in a number of ways. Firstly, it acts as a reverse proxy, which means that when a request comes in, Snapt terminates it on the ADC and establishes a new request to the web server to fetch resources on behalf of the connecting client, so nobody can ever establish direct connections to your web servers. On top of this, you have granular control over timeout values and connection/request limits per connecting client.
To protect against the other two types of attacks, especially volumetric attacks, you will need to incorporate the services of a CDN such as Cloudflare. Most CDNs nowadays include DDoS protection and are able to deflect massive volumetric attacks and most protocol-based attacks too.
Of course, there are numerous other attacks and exploits that the Snapt ADC is prepared for. IP and GeoIP blacklisting features are available through our Web Application Firewall (WAF) module, allowing you to configure simple source-IP-based access control for IP address ranges or entire countries. Included with this feature is the “Snapt Blacklist”, a managed database of known bad hosts, botnets, command and control servers, web spam servers and so on.
We also include a full layer-7 firewall which inspects HTTP/S traffic on the fly, looking for patterns within the HTTP connection like SQL queries (SQL injection), attempts to access protected system files, encoding based evasion techniques, cross site scripting (XSS), remote file inclusion (RFI) and more!
Lastly, the Snapt WAF comes with an Attack Mitigation mode feature, allowing you to immediately place any service into “Attack Mitigation mode” if and when you come under attack. This will automatically limit requests per second, per minute and total active connections per source IP address. It’s designed as an emergency countermeasure to manage the brunt of the attack while your incident response teams spring into action.
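As an added illustration of the per-source limits described above (this is not Snapt's own code; the limit values, IP addresses and event sequence are constructed), here is a small Python limiter that enforces requests per second, requests per minute and active connections per source IP, replayed over a scenario in which one source keeps opening connections it never completes, as in the Slowloris case earlier in the post:

```python
from collections import defaultdict, deque

class SourceLimiter:
    # Per-source-IP caps: requests/second, requests/minute, active connections.
    # Default values are constructed, not Snapt's defaults.
    def __init__(self, per_second=10, per_minute=300, max_active=20):
        self.per_second, self.per_minute, self.max_active = per_second, per_minute, max_active
        self.recent = defaultdict(deque)   # ip -> request timestamps within last 60 s
        self.active = defaultdict(int)     # ip -> connections currently open

    def request(self, ip, now):
        """Decide whether a new request from ip at time now (seconds) is accepted.
        Returns (allowed, reason); checks are ordered concurrency, minute, second."""
        q = self.recent[ip]
        while q and now - q[0] >= 60.0:    # drop timestamps older than one minute
            q.popleft()
        if self.active[ip] >= self.max_active:
            return False, "active-connections"
        if len(q) >= self.per_minute:
            return False, "per-minute"
        if sum(1 for t in q if now - t < 1.0) >= self.per_second:
            return False, "per-second"
        q.append(now)
        self.active[ip] += 1
        return True, "ok"

    def release(self, ip):
        # Called when a connection completes or the proxy times it out.
        self.active[ip] = max(0, self.active[ip] - 1)

def simulate(events, **limits):
    """Replay (time, ip, action) events, action 'open' or 'close';
    return the verdict string for every 'open' in time order."""
    lim, verdicts = SourceLimiter(**limits), []
    for t, ip, action in sorted(events):
        if action == "open":
            verdicts.append(lim.request(ip, t)[1])
        else:
            lim.release(ip)
    return verdicts

# Constructed scenario: 203.0.113.5 opens a connection every 0.5 s and never
# completes any (Slowloris-style); 198.51.100.7 opens and closes normally.
EVENTS = [(i * 0.5, "203.0.113.5", "open") for i in range(25)]
EVENTS += [(i * 0.5 + 0.25, "198.51.100.7", "open") for i in range(25)]
EVENTS += [(i * 0.5 + 0.30, "198.51.100.7", "close") for i in range(25)]

if __name__ == "__main__":
    print(simulate(EVENTS))   # 45 x "ok", 5 x "active-connections" for the slow source
```

The concurrency cap is what stops the half-open source here; the well-behaved client is never affected because each of its connections is released before the next one opens.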
Snapt offers an ADC that's radically different. We keep ADC functions out of the way of the modern engineer – everything should just work!
We add real value by focusing on what you need: performance metrics, pro-active monitoring, alerting, profiling and more.