Introducing Fully Managed Behavioural Application DDOS Protection Solution
Blog Series 1 out of 2.
Application DDOS are sophisticated attacks and very hard to mitigate. Unlike network layer attacks, where most attacks are manipulation of protocol which could be identified based on method employed, in case of application DDOS the most prominent type of attack is volumetric attacks which have no real patterns to identify. These are legitimate requests sent at high volume to the application, clogging up resources which otherwise would have been used by other users and making the application inaccessible to regular users.
The most common technique employed to detect Application DDOS is rate limiting where limits are set on number of requests a user can make. The two basic and only fundamentals of protecting against such kind of volumetric DDOS attacks are:
- Ability to observe the volume of requests, as initial defence against volumetric app DDOS is to scale and observe requests sent to the application without running out of resources
- Identify unwanted requests and drop them quickly. These detections are done by identifying unusual spikes and blocking them
To accomplish both, the best possible solution is a cloud WAF like AppTrana which has DDOS protection capacity. A well designed cloud WAF will be able to auto scale very quickly to ensure it is able to absorb unusual spikes in request. AppTrana leverages highly scalable infrastructure known to block large attacks up to 2.3 Tbps and 700K requests per second to provide protection against the largest attack possible.
The next challenge is to detect unwanted requests and drop them. If WAF does an effective job of this, the backend will be protected from request spikes and its resources will be free to serve legitimate requests.
Unfortunately static rate limits do not work and most attacks go under the radar. To understand the problem with static rate limiting rules, one needs to understand how these rate limits work.
- Rate limits can be configured only on certain identity. i.e. It can be configured to not allow more than x requests in a time period from 1 IP/user etc. but it cannot be configured to only forward y requests to an application in that time period since that would lead to legitimate users being blocked
The problem with such static rate limiting rules is that it does not take into account natural variance of a site. For example one of our sites has spikes during end of a month when a lot of data is uploaded & read by users; generally the increase in number of requests from single user during month end is in the range of 3–4 times more than normal traffic. Now if static rate limits need to be configured for this case, month end spikes have to be taken into account, which then means that during normal days, even a spike of 4 times would go undetected and requests would be passed on to origin, leading to heavy load on origin. It is to address these problems that AppTrana has introduced its Behavioural Application DDOS Protection Solution.
AppTrana’s Behavioural Application DDOS Protection solution takes advantage of its ability to process a huge volume of requests in seconds and provides policies that are configured based on behaviour of the application requests instead of hard limits.
- Behavioural DDOS can be configured to be triggered if behaviour of requests to application changes, which means any normal variance in request is accounted for and alerts are triggered only when there is an abnormality
- By default, three policies that monitors traffic on host, IP and session level are configured
- When an application is onboarded, these policies are configured with generic values that works for most applications
- Within a few days of onboarding the application, based on behaviour observed, appropriate values are derived which provides optimal protection
- Customers can configure additional policies based on their need. Policies can be configured to take various actions when triggered including blocking the requests outright.
Originally published at https://www.indusface.com on August 6, 2021.