By Richard Yew, Product Management – Security
Distributed denial-of-service (DDoS) attacks are getting bigger. The record for "largest DDoS attack in history" has already been broken twice in 2018, the second time by an attack almost one and a half times larger than the Mirai botnet DDoS attack, which reached 1.2 terabits per second in 2016. As content delivery networks (CDNs) fend off attacks as massive as 1.7 terabits per second, it's clear that companies need to evolve new responses to this increasingly dangerous threat.
It's also true that the stakes have never been higher. In an environment where mobile websites must start rendering in under 200 milliseconds to meet Google's standards, any slowdown—much less outage—is unacceptable. And yet, security solutions that mitigate DDoS attacks have traditionally affected performance as well. What's the answer to this dilemma? Read on to find out how cloud-based security solutions can support content delivery that's both fast and secure.
The dilemma: Cyber security vs. speed
How does a company defend its applications against attacks? Not too long ago, the standard solution relied on security appliances installed on-premise within customer's data center. The idea was to put as many layers of security as possible in front of the critical applications, so malicious traffic would have to pass through multiple filters before reaching it.
However, while these layers of security kept attackers out, they also increased the response time for user requests, which had to go through layer after layer of security rules before reaching its destination. Ironically, in its attempt to protect itself from getting slowed down or taken down by an attack, a company could potentially DoS itself by slowing its performance considerably or even causing service interruptions. This dilemma has been a problem for web developers for a long time.
Cyber attacks: Interception at the edge
Security solutions/appliances that live close to core infrastructures have another major downside: They can potentially be a single point of failure or bottleneck. If it gets overwhelmed with attack loads, it could slow down or timeout, effectively causing an outage to the website or application behind it, frustrating users and losing revenue for companies. Most appliances only have a capacity of up to about one tenth of a terabit per second —today, DDoS attacks ten times that size are common. These days, security measures that are limited to a company's data center can be easily overwhelmed.
A more modern answer to mitigating cyber attacks at scale and performance issues is a cloud-based security solution like a CDN. Instead of filtering millions of site requests through a few appliances in a centralized location, a globally distributed cloud security solution on a CDN distributes its workload over tens of thousands of servers so it can absorb sudden spikes in traffic easily. With hundreds of points of presence (PoPs) around the globe, a CDN can also intercept attacks near its origination point which is usually near where end users are, through malware infected devices, before it even gets close to a company's core infrastructure. The result is a more resilient system that performs under pressure—when it is under attack, most users won't even notice a difference.
Cloud-based security: When bigger really is better
But what makes one cloud-based security solution better than another? For once, the answer really is simple: the larger its capacity, the better.
Most major cloud security platforms have a capacity of around 5 terabits per second. That sounds impressive until you consider that if just one of its customers is hit with a 1.7 Tbps DDoS attack, such a platform will see its overall capacity diminished by one third. There's simply no way it can absorb an attack of that size without taking any performance hit, not just for the customer under attack but for every other customer on its platform. Verizon Digital Media Services, with our 125+ international points of presence and 47 Tbps capacity, is uniquely positioned to absorb major traffic surges without users even noticing the strain.
Cyber defense: You make the rules
While there are some agreed-upon best practices for defending against an attack, the reality is that every website and application is different; —and nobody knows their website better than its own developers. That's why VDMS isn't only concerned about being the largest or most responsive CDN with the largest capacity. What sets us apart is that we allow our customers to manage all of their security rulesets quickly and efficiently using our API.
Let's say a customer wants to whitelist certain request parameters for multiple security rules. Normally, developers would have to work within a CDN's own user interface to individually edit each rule – tedious, time-consuming and error-prone manual labor. But with VDMS' API, customers can make bulk changes to all of the rules at the same time. For no extra cost, customers can also use our real-time analytic API to pull historical data to generate reports or to integrate with their own Security Information & Event Management (SIEM) tool. We give customers the freedom to manage their security in ways that make the most sense to them.
We haven't seen the last record-breaking DDoS attack yet, but fighting back against these massive threats doesn't have to come at a sacrifice to performance. By choosing a cloud-based solution that is equally large, customizable and everywhere at once, companies have a way to ensure their websites and apps maintain high performance and resiliency to handle any threats now and into the future.