Application security

Top 10 solutions to protect against DDoS attacks and increase security

David Balaban
May 11, 2018 by
David Balaban

According to statistics, 33% of businesses fall victim to DDoS attacks. It is almost impossible to predict such attacks. Some of them can be powerful and reach 1.35 TBps. According to Incapsula, DDoS attacks cost businesses around $40,000 per hour. Based on the Akamai security report, most DDoS attacks come from China.

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

The following resources will help you calculate the losses caused by DDoS:

Cybercriminals resort to different methods of conducting DDoS attacks that may include:

  • UDP Fragmentation
  • CharGEN attacks
  • NTP, DNS, UDP, SYN, ACK, SSPD flood
  • TCP anomalies

So, you need to take care not only of layer 7 attacks but ensure that all web applications are protected at all layers.

To protect against DDoS attacks, businesses and individual website owners can use specialized services. Some of the best solutions are listed below.

1. Cloudflare

Cloudflare is one of the most popular defense services. When using FREE and PRO tariffs, you can rely on basic DDoS protection. To get protection against 3, 4 and 7 level attacks, it is necessary to have a business or corporate account.

Clients pay a fixed amount of money on a monthly basis no matter how many attacks they face and how strong those attacks are. Nasdaq, Cisco, Salesforce are among the customers of this reputable service.

The Cloudflare network is spread across 102 datacenters. It is capable of handling more than 10 TBps and copes with all known types of attacks.

Cloudflare provides a 24-hour emergency service, which can be used during the attack.

2. Incapsula

This service offers comprehensive protection against attacks of various types. Customers may select between on-demand and always-on types of service, which is very convenient.

For now, the Incapsula network consists of 32 datacenters and offers 3 TBps overall capacity.

A trial version of Incapsula Business and Enterprise plans is available. It includes DDoS protection as well as CDN, SSL, and WAF.

Once under attack victims may contact the emergency support staff over the phone. Service boasts it can mitigate any attacks in less than 10 seconds.

3. Akamai

Akamai is one of the leaders in the field of cybersecurity and CDN. According to the administration of Akamai, the service can cope with up to 1.3 TBps attack. The biggest attack their customers faced was 620 Gbps. It was successfully and quickly mitigated.

DDoS protection service called Kona DDoS Defender is built on the Akamai intelligent platform and provides 24x7 support. Service boasts of stopping attacks on the periphery of the network before it can reach web applications.

Akamai DDoS protection consists of about 1300 network nodes located in more than 100 countries all over the world.

4. AWS Shield

The Shield service is designed to protect applications running on the AWS platform. It is free; however, for advanced protection, it is worth switching to the Shield Advanced plan.

Shield Advanced has several advantages over the standard version:

  • Application traffic monitoring
  • Additional DDoS mitigation capacity for large attacks
  • Layer 7 mitigations
  • Extended reporting
  • Custom mitigations during attacks

5. BeeThink Anti-DDoS Guardian

This tool protects Windows servers from most DDoS attacks. It may stop SYN flood, TCP flood, ICMP flood, UDP flood, HTTP Get&Post attacks, 7 level attacks and others. It can also protect Windows Remote Desktop Connection from password brute force attacks.

In addition to protection from DDoS attacks, Anti-DDoS Guardian:

  • Monitors network operations in real-time
  • Helps control UDP bandwidth as well as connection and packet rates
  • Supports black and white lists
  • Detects and blocks IP-addresses
  • Provides information about IP owners

BeeThink Anti-DDoS Guardian is compatible with Windows 10, Windows 8, Windows 7, Windows Server 2016, Windows Server 2012, Windows Server 2008, Windows Server 2003, Windows Server 2000, Windows XP, and Vista.

The full version costs $99.95. The 5-day free trial is available.

6. Sucuri

Sucuri is a specialized cloud solution for protecting a wide variety of sites including WordPress, Drupal, Joomla, Magento, and others. DDoS protection is included in antivirus and firewall packages.

This service is specialized in blocking layer 7 attacks, but also successfully covers layer 3 and 4 attacks.

The service detects and removes malicious programs, improves site performance, protects against brute force attacks and bots. Sucuri will also help optimize and increase website speed. Sucuri

is for customers who are looking for complete website security solutions. The minimum monthly plan is $19.88.

7. Cloudbric

This tool works with all CMS platforms. It is very easy to use, has an intuitive interface. It takes just two minutes to configure its settings - you just need to change the DNS.

Cloudbric is a full website security solution. Its control panel displays information about the level of protection and allows to identify and eliminate a lot of threats quickly. Cloudbric developers guarantee protection from all cyber-attacks.

The service cost depends on the amount of traffic. Customers pay only for what they use. You must pay $29 for 10 Gb of web traffic. 100 Gb will cost you $149. If the traffic volume does not exceed 4 Gb, the service can be used for free.

Such large companies like eBay, Samsung, and ING are among the customers of the service.

8. Alibaba

Anti-DDoS Pro from the Chinese giant Alibaba will protect you from powerful attacks of up to 2 TBps.

Anti-DDoS Pro can be used not only with Alibaba Cloud but also with AWS, Google Cloud, MS Azure, etc.

For small websites like blogs, Anti-DDoS Basic is free. For larger sites (and it is understandable) Anti-DDoS Pro will be cheaper if you are from Chine and connected to China Telecom or China Unicom.

As with other top service providers Anti-DDoS Pro works around the clock and in case of problems, you can contact their support staff or security experts.

9. F5

F5 DDoS protection services will mitigate application, network, and volumetric attacks.

The F5 hybrid DDoS protection solution includes two parts: cloud and local. In the cloud part, F5 Silverline DDoS Protection is used. The on-premises solution uses BIG-IP and DHD devices. Deployment options include flexible inline and out-of-band modes.

Silverline monitors incoming traffic substantially weakens DDoS attacks and reduces the number of false positives in 24/7 mode. If BIG-IP and DHD devices are installed on the customer's site, then when an attack is detected, information about it is transmitted to the cloud and suppression of the attack begins at the cloud level.

10. Radware DefensePro

Radware DefensePro is a line of network devices designed to protect against DDoS attacks of any type. In addition, Radware may offer DDoS protection based on SaaS.

Radware DefensePro advantages are:

  • Dedicated hardware platform to prevent high volume DDoS attacks, without impacting legitimate traffic
  • SSL attack mitigation solutions that protect from all types of encrypted attacks.
  • Behavioral analysis of attacks and automatic routing to ensure the best mitigation.
  • The ability to protect against most attacks with default settings without the need for complex configuration.

Conclusion

Today's market offers a wide range of protection solutions. If the company's infrastructure is not limited to the website and is constantly exposed to external attacks, it is worth considering a hardware solution for autonomous protection against DDoS attacks and signing a contract with a telecom operator.

A universal option is to use cloud protection services. It is suitable for small companies that run just websites and do not have sufficient funds or qualified personnel for self-protection.

When choosing a DDoS protection service, businesses should first evaluate their online audience and possible monetary impact from DDoS attacks.

Pricing structure in this niche differs greatly. Some services are based on a total number of monthly mitigations; others are based on hours of mitigation, some are priced according to the bandwidth, etc. Each pricing model favors different needs.

Selecting a DDoS protection solution, the choice should be based on the size of the infrastructure and budget. The best quality of protection is promised by Akamai Technologies, but their services are rather expensive. CloudFlare is the leader in the low-price segment, while Imperva is in middle position.

When choosing hardware solutions, it is worth paying attention to their cost, technical characteristics, and efficiency. Radware is among recognized market leaders, but its solutions are not cheap.

David Balaban
David Balaban