DDoS Mitigation

Azion Edge Firewall provides native and programmable mechanisms for automated threat detection and blocking, which can be integrated with third-party security services and threat-intelligence databases for complete, low-latency protection. Complex attacks on your content, applications, and Domain Name System (DNS) service are stopped directly at the edge, even if your origin infrastructure is still on-premises or in the cloud, and regardless of whether your network is IPv4, IPv6, or hybrid: mitigation happens at the edge before traffic reaches the origin.

Distributed Denial of Service (DDoS) protection is integrated into each of our edge locations and connected to multiple mitigation centers around the world, so that attacks are mitigated as close as possible to their source. As a founding participant in the MANRS (Mutually Agreed Norms for Routing Security) initiative led by the Internet Society, we strengthen routing security with stringent AS-path filters, exercising due diligence to verify customer route advertisements as well as our own, and we perform source address validation for customer networks, end users, and infrastructure to prevent IP address spoofing.

These software-defined networking (SDN) routing practices, combined with real-time packet analysis at the edge, anomaly- and signature-based algorithms for automatic attack mitigation, and higher-level algorithms that detect and mitigate the most complex and varied attack types in real time, allow us to neutralize BGP hijacking and denial of service attacks (DoS and DDoS) without adding delivery latency.

DDoS Protection covers all products and services, including Azion Edge DNS, thus providing security and availability for address resolution.

To give an idea of what can be mitigated, we first classify DDoS attacks by type:

  • Volume-based attacks: also known as flood attacks, these generate very large amounts of traffic, typically through amplification and reflection or through requests from malware- or worm-infected hosts coordinated by a botnet, in order to saturate bandwidth and overwhelm a system.
  • Protocol attacks: also known as state-exhaustion attacks, these exploit weaknesses in network protocols and stateful resources, exhausting the processing capacity of critical services and infrastructure such as firewalls and load balancers.

The following non-exhaustive list shows DDoS attacks that can be mitigated with Azion:

  • Bogons
  • Botnet attacks
  • Brute force attacks
  • Connection flood attacks
  • DNS flood (including well-formed DNS Queries)
  • HTTP floods (including HTTP well-formed POST / GET URL requests)
  • HTTP Slow Reads
  • ICMP Flood
  • IGMP Flood
  • IP Bogons
  • IP Fragmentation
  • Low and Slow attacks
  • Malformed ICMP Flood (Ping of Death)
  • Mixed Floods (TCP+UDP, ICMP+UDP, etc.)
  • Nuke
  • OWASP Top 10
  • Reflected ICMP / UDP
  • Slowloris
  • Smurf
  • Spoofing
  • TCP ACK Flood
  • TCP ACK-PSH Flood
  • TCP SYN-ACK Flood
  • TCP FIN Flood
  • TCP Out of state Flood
  • TCP RESET Flood
  • TCP SYN Flood
  • TCP Fragmentation
  • TCP Invalid
  • Teardrop
  • UDP Flood
  • Zero-day attacks

Examples of the detection and mitigation techniques employed include:

  • Allowlists, blocklists and greylists.
  • Blocking, redirecting or dropping according to HTTP headers, geolocation, and other request parameters.
  • Blocking, redirecting or dropping according to reputation, network lists, etc.
  • Reputation lists of botnets, cloud providers, malware sources, proxies, etc.
  • Bot mitigation and management techniques.
  • Challenge-response techniques.
  • CAPTCHA and reCAPTCHA for identifying human users.
  • Cookie tampering detection.
  • Dynamic IP reputation, fingerprints, IP + User-Agent combinations, etc.
  • Fingerprinting.
  • HTTP redirect.
  • Discarding of malformed packets.
  • Restricting origin access to Azion IP addresses only.
  • Pattern analysis and anomaly detection.
  • Score-based blocking.
  • Security tokens, JWT, etc.
  • Session timeout.
  • Signature/fingerprint-based blocking.
  • Simple (local) and advanced (global, contextual) rate limiting.
  • Standby rules (to be enabled in response to incidents as they happen).
  • Techniques to prevent brute-force attacks.
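As an added illustration of how several of the techniques listed above combine in practice (allow/block lists, a User-Agent signature, an IP + User-Agent fingerprint, a sliding-window local rate limit, a brute-force counter and score-based blocking with a challenge tier), here is a small Python filter run over a constructed access log. This is example code written for this page, not Azion's implementation: the addresses (RFC 5737 documentation ranges), thresholds, policy lists and log lines are all invented for the example.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Optional

# Policy knobs (hypothetical values chosen for this example).
ALLOWLIST = {"192.0.2.10"}           # e.g. a monitoring host: never challenged or blocked
BLOCKLIST = {"203.0.113.200"}        # a known-bad source: always blocked
SUSPICIOUS_UA = ("python-requests", "curl/")  # tool signatures; a missing UA is also suspicious
WINDOW_SECONDS = 10                  # sliding window for rate and brute-force counters
RATE_LIMIT = 3                       # requests per fingerprint per window before scoring
BRUTE_FORCE_401 = 3                  # failed logins per IP per window before scoring
CHALLENGE_AT, BLOCK_AT = 30, 60      # score thresholds for the verdict tiers

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log: documentation addresses and an invented timeline.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /health HTTP/1.1" 200 2 "-" "uptime-probe/1.0"
203.0.113.200 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:57 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def fingerprint(ip: str, user_agent: str) -> str:
    """Client key built from IP + User-Agent, so a UA rotation shows up as a new client."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    rec["status"] = int(rec["status"])
    return rec


class RequestScorer:
    """Keeps per-client sliding windows and turns each request into a score and a verdict."""

    def __init__(self) -> None:
        self.hits = defaultdict(deque)    # fingerprint -> request timestamps inside the window
        self.failed = defaultdict(deque)  # ip -> timestamps of 401s on /login inside the window

    @staticmethod
    def _slide(window: deque, now: float) -> None:
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()              # drop events that fell out of the window

    def score(self, rec: dict) -> tuple:
        ip, ua, now = rec["ip"], rec["ua"], rec["ts"]
        if ip in ALLOWLIST:               # static lists short-circuit everything else
            return 0, "allow"
        if ip in BLOCKLIST:
            return 100, "block"
        score = 0
        if ua in ("", "-") or any(sig in ua for sig in SUSPICIOUS_UA):
            score += 30                   # signature: tooling or missing User-Agent
        hits = self.hits[fingerprint(ip, ua)]
        self._slide(hits, now)
        hits.append(now)
        if len(hits) > RATE_LIMIT:
            score += 40                   # local rate limit exceeded for this client key
        if rec["path"] == "/login" and rec["status"] == 401:
            failed = self.failed[ip]
            self._slide(failed, now)
            failed.append(now)
            if len(failed) >= BRUTE_FORCE_401:
                score += 50               # repeated failed logins: brute-force pattern
        verdict = "block" if score >= BLOCK_AT else "challenge" if score >= CHALLENGE_AT else "allow"
        return score, verdict


def evaluate(log_text: str) -> list:
    """Run the scorer over a log and return (ip, score, verdict) per parsable line."""
    scorer = RequestScorer()
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip rather than crash the filter
        results.append((rec["ip"],) + scorer.score(rec))
    return results


if __name__ == "__main__":
    for ip, score, verdict in evaluate(SAMPLE_LOG):
        print(f"{ip:15} score={score:3} -> {verdict}")
```

Running it over the sample shows the tiers at work: the allowlisted probe is never scored, the blocklisted address is rejected outright, the scripted login attempts are challenged twice and then blocked once the third failure lands inside the window, the burst from the browser-like client is allowed up to the rate limit and then challenged, and the same client's request eleven seconds later is allowed again because its earlier hits have slid out of the window. The challenge tier is what lets a rate limit be aggressive without locking out real users: a human passes the challenge, a flood bot does not.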

Attack records and monitoring are available through Azion Real-Time Metrics or through any of a large number of Security Information and Event Management (SIEM) systems. They can also be fed into well-known Big Data services that integrate easily with Azion.

Azion applies a security-centric strategy across our products and services, providing customers with programmable and extensible zero-trust security, protected by end-to-end encryption and fully visible at all times.

We prioritize the development of algorithms for automatic detection and blocking of attacks. Once a threat is identified, our Security Response Team tracks it end to end and may apply custom rules to mitigate sophisticated network- and transport-layer attacks. These rules are enforced instantly by the real-time architecture of Edge Firewall, allowing you to protect your content or application quickly and efficiently. In this way, together with our customers, we build and support efficient and effective attack mitigation mechanisms.
