Professional Documents
Culture Documents
+
volumetric DDoS attacks. Thats because the Can Protect Against Volumetric or
Flood Attacks
saturation occurs upstream and can only be remediated
in the providers cloud. However, relying exclusively on a Because these attacks occur upstream, they
cloud-based DDoS managed service leaves your network are best remediated in the providers cloud.
vulnerable to todays growing number of low-bandwidth
application-layer attacks that can easily escape detection Cannot Detect and Mitigate
Application-Layer Attacks
by cloud-based managed security services.
This type of attack can be very effective with
as few as one attacking machine generating a
Why Firewalls and IPS Devices Fail to Stop low traffic rate. This makes them very difficult
DDoS Attacks to proactively detect and mitigate without a
Firewalls and IPS devices are essential elements of a purpose-built, on-premise device.
layered-defense strategy, but they are designed to solve
security problems that are fundamentally different from Cannot Protect Existing Infrastructure
dedicated DDoS detection and mitigation products. A Stateful security infrastructure such as
firewall, for example, acts as policy enforcer to prevent firewalls/IPS are frequent targets of DDoS as
unauthorized access to data. Meanwhile, IPS devices attackers attempt to consume the connection
block break-in attempts that cause data theft. state tables that are present in these devices.
Even high-capacity devices capable of main-
DDoS is a different problem. DDoS attacks consist of taining state on millions of connections can be
legitimate traffic from multiple sources crafted to exhaust taken down by these attacks.
critical resources, such as link capacity, session capacity,
application service capacity (e.g., HTTP and DNS) or Cannot Deal with Multi-Vector Attacks
back-end databases. Because such traffic is authorized Attackers are increasingly turning to multi-
and does not contain the signature content of known vector attacks that employ combinations of
malware, it is not stopped by firewalls and IPS. As a volumetric, state-exhaustion and application-
result, these devices fail to address the fundamental layer attack vectors targeting an organization
concern regarding DDoS attacksnetwork availability. at the same time.
Whats more, as inline, stateful inspection tools, firewalls
and IPS devices are vulnerable to DDoS attacks, often
becoming the targets themselves.
4
Arbor White Paper: The Importance of On-Premise DDoS Protection