By Richard Yew, Product Management – Security
Distributed denial-of-service (DDoS) attacks are getting bigger. The record for the "largest DDoS attack in history" has already been broken twice in 2018, the second time by an attack almost one and a half times larger than the Mirai botnet DDoS attack, which reached 1.2 terabits per second in 2016. As content delivery networks (CDNs) fend off attacks as massive as 1.7 terabits per second, it's clear that companies need to evolve new responses to this increasingly dangerous threat.
It's also true that the stakes have never been higher. In an environment where mobile websites must start rendering in under 200 milliseconds to meet Google's standards, any slowdown—much less outage—is unacceptable. And yet, security solutions that mitigate DDoS attacks have traditionally affected performance as well. What's the answer to this dilemma? Read on to find out how cloud-based security solutions can support content delivery that's both fast and secure.
The dilemma: Cybersecurity vs. speed
How does a company defend its applications against attacks? Not too long ago, the standard solution relied on security appliances installed on-premise within a customer's data center. The idea was to put as many layers of security as possible in front of the critical applications, so malicious traffic would have to pass through multiple filters before reaching it.
However, while these layers of security kept attackers out, they also increased the response time for user requests, which had to go through layer after layer of security rules before reaching its destination. Ironically, in its attempt to protect itself from getting slowed down or taken down by an attack, a company could potentially DoS itself by slowing its performance considerably or even causing service interruptions. This dilemma has been a problem for web developers for a long time.
Cyber attacks: Interception at the edge
Security solutions/appliances that live close to core infrastructures have another major downside: They can potentially be a single point of failure or bottleneck. If an appliance gets overwhelmed with attack loads, it could slow down or timeout, effectively causing an outage to the website or application behind it, frustrating users and losing revenue for companies. Most appliances only have a capacity of up to about one-tenth of a terabit per second, yet it’s not uncommon for DDoS attacks to be ten times that size. These days, security measures that are limited to a company's data center can be easily overwhelmed.
A more modern answer to mitigating cyber attacks at scale and performance issues is a cloud-based security solution, such as a CDN. Instead of filtering millions of website requests through a few appliances in a centralized location, a globally distributed cloud security solution on a CDN distributes its workload over tens of thousands of servers so it can easily absorb sudden spikes in traffic. With hundreds of points of presence (PoPs) around the globe, a CDN can also intercept attacks near their origination point – which is usually close to where end users and their malware-infected devices are – before the attack gets close to a company's core infrastructure. The result is a more resilient system that performs under pressure when it is under attack so that most users won't even notice a difference.
Cloud-based security: When bigger really is better
But what makes one cloud-based security solution better than another?
Most major cloud security platforms have a capacity of around 5 terabits per second. That sounds impressive until you consider that if just one of its customers is hit with a 1.7 Tbps DDoS attack, such a platform will see its overall capacity diminished by one third. There's just no way it can absorb an attack of that size without taking a performance hit, not just for the customer under attack but for every other customer on its platform. Verizon Digital Media Services, with our 125+ international points of presence and 59 Tbps capacity, is uniquely positioned to absorb significant traffic surges without users even noticing the strain.
Cyber defense: You make the rules
While there are some agreed-upon best practices for defending against an attack, the reality is that every website and application is different —and nobody knows their website better than its developers. That's why Verizon Digital Media Services isn't only concerned about being the most responsive CDN with the largest capacity. What sets us apart is that we allow our customers to manage all of their security rulesets quickly and efficiently using our API.
Let's say a customer wants to whitelist certain request parameters for multiple security rules. Typically, developers would have to work within a CDN's user interface to individually edit each rule, which is tedious, time-consuming and error-prone manual labor. But with our API, customers can make bulk changes to all of the rules at the same time. For no extra cost, customers can also use our real-time analytic API to pull historical data to generate reports or to integrate with their security information and event management (SIEM) tool. We give customers the freedom to manage their security in ways that make the most sense to them.
We haven't seen the last record-breaking DDoS attack yet, but fighting back against these massive threats doesn't have to come at a sacrifice to performance. By choosing a cloud-based solution that is equally large, customizable and everywhere at once, companies have a way to ensure their websites and apps maintain high performance and resiliency to handle any threats now and into the future.
Improve your website performance and protect against cybersecurity threats with our Managed Cloud Security service.
For additional information about the Edgecast CDN and all its security and performance features, please contact us.