Cloud-based services, by definition, only provide visibility into ingress – or inbound – traffic into the organization. They inspect traffic as it flows through to the origin and scrub out the malicious traffic they identify. While this is perfectly fine for most types of DDoS attacks, there are certain types of DDoS attacks that require visibility into both traffic channels in order to be detected and mitigated.
Examples of attacks that require visibility into egress traffic in order to be detected include:
- Out-of-State Protocol Attacks: These attacks exploit weaknesses in the protocol communication process (such as TCP’s three-way handshake) to create “out-of-state” connection requests which exhaust server resources. Although some attacks of this type – such as SYN floods – can be mitigated with visibility into ingress traffic only, other types of out-of-state DDoS attacks – such as an ACK flood – require visibility into the outbound channel as well. Visibility into the egress channel is required to detect that these inbound ACKs are not associated with a legitimate SYN/ACK response sent by the server, so that they can be blocked.
- “Patching,” is similar to Tip #5. Patching may help keep your devices from becoming part of a DDoS botnet, for example, but this won’t help you defend against a DDoS attack that targets your network, services and applications. “Network segmentation and access distribution,” can help offload and protect some targets, such as your website – if it’s using a CDN – but that’s because many CDNs already include DDoS protection. This won’t defend against direct attacks on your own network or any resources that still need to operate on it.
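The ACK-flood point above is easiest to see in code. The following is an added example, not code from the original article or from any vendor's product: a small stateful tracker that correlates inbound ACKs with the SYN/ACKs the origin actually sent. The packet records, addresses and port numbers are constructed for illustration, and the `Packet` record and function names are this example's own. Run over the same records with the outbound packets removed (the ingress-only view a cloud scrubber has), the tracker can no longer tell a legitimate handshake-completing ACK from a flood ACK, which is the page's argument.

```python
"""Correlate inbound TCP ACKs with outbound SYN/ACKs to spot ACK-flood packets.

Constructed example: Packet records stand in for flow/packet captures taken on
both the ingress ("in", towards the origin) and egress ("out", from the origin)
sides of the protected network.
"""
from collections import Counter, namedtuple

# Hypothetical minimal packet record; 'flags' uses tcpdump-style letters.
Packet = namedtuple("Packet", "direction src sport dst dport flags")


def find_orphan_acks(packets):
    """Return inbound ACK packets that no earlier outbound SYN/ACK explains.

    Connections are keyed by the client-side 4-tuple (src, sport, dst, dport).
    The first inbound ACK after an outbound SYN/ACK completes the handshake;
    later ACKs on an established connection are accepted as normal traffic.
    """
    awaiting_ack = set()   # client tuples for which the origin sent SYN/ACK
    established = set()    # client tuples whose handshake completed
    orphans = []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.direction == "out" and p.flags == "SA":
            # Origin -> client SYN/ACK: expect the handshake ACK on the reverse tuple.
            awaiting_ack.add((p.dst, p.dport, p.src, p.sport))
        elif p.direction == "in" and p.flags == "A":
            if key in established:
                continue                      # data/keepalive ACK on a live connection
            if key in awaiting_ack:
                awaiting_ack.discard(key)     # handshake completed legitimately
                established.add(key)
            else:
                orphans.append(p)             # ACK with no matching SYN/ACK: out of state
    return orphans


def flood_sources(orphans, threshold):
    """Sources sending at least `threshold` orphan ACKs, as {src: count}."""
    counts = Counter(p.src for p in orphans)
    return {src: n for src, n in counts.items() if n >= threshold}


def ingress_only_view(packets):
    """What a cloud scrubber sees: the inbound channel only."""
    return [p for p in packets if p.direction == "in"]


ORIGIN = "203.0.113.10"   # constructed origin address (documentation range)

# Constructed traffic: one legitimate handshake plus a small ACK flood.
SAMPLE = [
    Packet("in",  "198.51.100.7", 40000, ORIGIN, 443, "S"),    # client SYN
    Packet("out", ORIGIN, 443, "198.51.100.7", 40000, "SA"),   # server SYN/ACK
    Packet("in",  "198.51.100.7", 40000, ORIGIN, 443, "A"),    # handshake ACK
    Packet("in",  "198.51.100.7", 40000, ORIGIN, 443, "A"),    # ACK on established flow
] + [
    Packet("in", "192.0.2.99", 50000 + i, ORIGIN, 443, "A")     # flood: ACKs, no handshake
    for i in range(5)
]

if __name__ == "__main__":
    both = find_orphan_acks(SAMPLE)
    print("with egress visibility, orphan ACKs:", len(both), flood_sources(both, 3))
    ingress = find_orphan_acks(ingress_only_view(SAMPLE))
    print("ingress-only view, orphan ACKs:", len(ingress),
          "(legitimate client is now flagged too)")
```

With both channels visible, only the five flood ACKs are orphans and `flood_sources` names the single offending source. With the egress channel stripped away, the tracker never sees the origin's SYN/ACK, so the legitimate client's two ACKs are flagged alongside the flood: ingress-only inspection cannot safely block ACKs without also blocking real connections.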
