Mitigation Mechanisms and DDoS Attacks
Azion’s Edge platform provides native and programmable mechanisms for automated threat detection and blocking, which can be integrated with third-party security services and threat intelligence databases for complete, low-latency protection. This allows complex attacks against your content, applications and DNS service to be stopped directly at the edge, even if your origin still runs on-premises or in the cloud, since mitigation is extended to the edge regardless of whether your network is IPv4, IPv6 or hybrid.
DDoS protection is integrated into each of our edge locations and is also connected to multiple mitigation centers around the world, so that mitigation happens as close as possible to the source of the attack. As a founding participant in the MANRS initiative led by the Internet Society, we strengthen routing security by applying stringent AS-path filters, performing due diligence to verify customer route advertisements as well as our own, and performing origin address validation for customer networks, end users and infrastructure to prevent IP address spoofing.
Combining these software-defined routing (SDN) practices with real-time packet analysis (Deep Packet Inspection, DPI) at the edge, anomaly- and signature-based traffic analysis for automatic attack mitigation, and higher-level algorithms for detecting and mitigating the most complex and varied attack types in real time, we neutralize BGP hijacking and denial-of-service (DoS and DDoS) attacks without impacting delivery latency.
DDoS protection covers all products and services, including Azion’s DNS service, thus providing security and availability for address resolution.
Before enumerating, in a non-exhaustive way, some of the attacks that can be mitigated, we begin by classifying DDoS attacks:
- Volume-based attacks: also known as flood attacks, these use some form of amplification, or malware and worm requests potentially coordinated by a botnet, to generate large amounts of traffic and overload a system.
- Protocol attacks: also known as state exhaustion attacks, these exploit weaknesses in network resources, overloading the processing capacity of critical services and infrastructure such as security devices and load balancers.
- Application layer attacks: also known as layer 7 attacks, these aim to make the application unavailable, affecting services such as DNS and HTTP.
The following is a non-exhaustive list of DDoS attacks that can be mitigated with Azion:
- Botnet attacks
- Brute force attacks
- Connection flood attacks
- DNS flood (including well-formed DNS Queries)
- HTTP floods (including HTTP well-formed POST / GET URL requests)
- HTTP Slow Reads
- ICMP Flood
- IGMP Flood
- IP Bogons
- IP Fragmentation
- Low and Slow attacks
- Malformed ICMP Flood (Ping of Death)
- Mixed Floods (TCP+UDP, ICMP+UDP, etc.)
- OWASP Top 10
- Reflected ICMP / UDP
- TCP ACK Flood
- TCP ACK-PSH Flood
- TCP SYN-ACK Flood
- TCP FIN Flood
- TCP Out of state Flood
- TCP RESET Flood
- TCP SYN Flood
- TCP Fragmentation
- TCP Invalid
- UDP Flood
- Zero-day attacks
As examples of the detection and mitigation techniques employed, without intending to cover the topic fully, we can mention:
- allowlists, blocklists and greylists;
- blocking, redirecting or dropping according to HTTP headers, geolocation and other request parameters;
- blocking, redirecting or dropping according to reputation, network lists, etc.;
- botnet, cloud provider, malware and proxy lists;
- bot mitigation and management techniques;
- challenge-response techniques;
- CAPTCHA and reCAPTCHA for identifying human users;
- cookie tampering detection;
- dynamic IP reputation, fingerprints, IP + User-Agent combinations, etc.;
- HTTP redirect;
- discarding of malformed packets;
- origin access restriction to Azion IP addresses only;
- pattern analysis and anomaly detection;
- score-based blocking;
- security tokens, JWT, etc.;
- session timeout;
- signature/fingerprint-based blocking;
- simple (local) and advanced (global, contextual) rate limiting;
- standby rules (to be activated in response to incidents as they happen);
- techniques to prevent brute force attacks.
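To make several of the listed techniques concrete, here is an added example (not Azion's code, and not a description of how the Edge platform is implemented) that runs score-based blocking over a few constructed access-log lines. It combines allowlists and blocklists, a reputation list, User-Agent signature matching, a local sliding-window rate limit and brute-force detection on failed logins into one score that decides between allowing, challenging or blocking a request. All IP addresses, lists, weights and thresholds are constructed for the example.

```python
"""Score-based request filtering over constructed access-log lines.

Added example, not Azion's own code: combines allow/blocklists, a reputation
list, User-Agent signatures, a local sliding-window rate limit and brute-force
detection on failed logins into one score with allow / challenge / block
thresholds. Every list entry, weight and threshold here is constructed.
"""
import re
from collections import defaultdict, deque

# Constructed lists (placeholders, not real intelligence data)
ALLOWLIST = {"203.0.113.10"}            # e.g. an uptime probe we never challenge
BLOCKLIST = {"198.51.100.99"}           # manually blocked client
REPUTATION_BLOCKLIST = {"192.0.2.77"}   # entry from a hypothetical botnet feed

# User-Agent signatures treated as suspicious (constructed)
UA_SIGNATURES = [re.compile(r"sqlmap", re.I), re.compile(r"^python-requests/", re.I)]

WINDOW_SECONDS = 10          # sliding window for the local rate limit
RATE_LIMIT = 5               # requests per IP per window before scoring kicks in
FAILED_LOGIN_LIMIT = 3       # 401s on /login per IP per window before scoring
CHALLENGE_THRESHOLD = 40     # score at which a challenge-response is issued
BLOCK_THRESHOLD = 70         # score at which the request is dropped

# Log format of the constructed sample: ts ip method path status "user-agent"
LOG_LINE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


class RequestScorer:
    """Keeps per-IP state so rate and brute-force counts persist across lines."""

    def __init__(self):
        self._requests = defaultdict(deque)       # ip -> request timestamps
        self._failed_logins = defaultdict(deque)  # ip -> timestamps of 401 on /login

    @staticmethod
    def _count_in_window(window, ts):
        # Record this event, drop events older than the window, return the count.
        window.append(ts)
        while ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        return len(window)

    def score(self, line):
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, ip, method, path, status, ua = m.groups()
        ts = int(ts)

        # Static lists short-circuit the scoring entirely.
        if ip in ALLOWLIST:
            return {"ip": ip, "score": 0, "reasons": ["allowlist"], "decision": "allow"}
        if ip in BLOCKLIST:
            return {"ip": ip, "score": 100, "reasons": ["blocklist"], "decision": "block"}

        score, reasons = 0, []
        if ip in REPUTATION_BLOCKLIST:                       # reputation / network lists
            score += 50
            reasons.append("reputation")
        if any(sig.search(ua) for sig in UA_SIGNATURES):     # signature-based blocking
            score += 30
            reasons.append("ua-signature")
        if self._count_in_window(self._requests[ip], ts) > RATE_LIMIT:   # local rate limit
            score += 40
            reasons.append("rate-limit")
        if method == "POST" and path == "/login" and status == "401":    # brute force
            if self._count_in_window(self._failed_logins[ip], ts) >= FAILED_LOGIN_LIMIT:
                score += 40
                reasons.append("brute-force")

        if score >= BLOCK_THRESHOLD:
            decision = "block"
        elif score >= CHALLENGE_THRESHOLD:
            decision = "challenge"
        else:
            decision = "allow"
        return {"ip": ip, "score": score, "reasons": reasons, "decision": decision}


def evaluate(lines):
    """Score every line in order and return one verdict per line."""
    scorer = RequestScorer()
    return [scorer.score(line) for line in lines]


# Constructed sample traffic (documentation IP ranges, fictitious timestamps).
SAMPLE_LOG = [
    '1700000000 203.0.113.10 GET /health 200 "uptime-monitor/1.0"',
    '1700000001 198.51.100.99 GET / 200 "Mozilla/5.0"',
    '1700000002 192.0.2.77 GET /index.html 200 "Mozilla/5.0"',
    '1700000003 192.0.2.77 GET /admin 404 "sqlmap/1.7"',
] + [
    f'{1700000010 + i} 192.0.2.15 POST /login 401 "Mozilla/5.0"' for i in range(6)
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, evaluate(SAMPLE_LOG)):
        print(f'{verdict["decision"]:9} score={verdict["score"]:3}  {line}')
```

The point of the score, rather than a single hard rule, is graduated response: a reputation hit alone only earns a challenge (so a real user behind a listed address can still pass), while reputation plus a tooling signature, or repeated failed logins that also exceed the rate limit, cross the block threshold. In the sample, the sixth failed login from the same address is the first one that gets dropped; the earlier ones are challenged.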
Attack records and monitoring are available through Azion’s Real-Time Metrics or through a large number of SIEMs (Security Information and Event Management systems), as well as widely used Big Data services that integrate easily with Azion.
Azion applies a security-centric strategy to our products and services, providing customers with programmable and extensible zero-trust security that is always protected and visible, with end-to-end encryption.
We prioritize the development of algorithms for automatic detection and blocking of attacks. Once a threat is identified, our Security Response Team tracks it end-to-end and may apply customized rules to mitigate sophisticated network, transport and application layer attacks. These rules are enforced instantly by the real-time architecture of Azion’s Edge platform, allowing you to protect your content or application quickly and efficiently. In this way we build and support, together with our customers, efficient and effective attack mitigation mechanisms.