Top 6 DDoS protection solutions that should be on your radar

9 min. read
Placeholder for Cloud architect developerCloud architect developer


With the rise and potentially devastating consequences of Distributed Denial of Service (DDoS) attacks, cybercriminals continue to seek out new methods of perpetrating them - e.g. through amplification variants. DDoS attacks are also used more and more not only for financial gain but also as a means of discrediting and disabling competitors or simply creating headlines.

Building defences against DDoS attacks is no longer just a matter of using the best mitigation solution. In the past twelve months, especially with the COVID-19 based social limitations, we’ve seen the rise of ransomware-driven attacks and other Advanced Persistent Threats (APT) related to DDoS. This is why many DDoS vendors have developed new and updated anti-DDoS and networking security solutions to protect enterprises against these bigger, smarter and more diverse DDoS attacks and the distribution of botnets. Our cybersecurity experts selected the five best anti-DDoS solutions.

1. Anti-DDoS / Networking security assessments

Of course, simply deploying a 'magic' black-box or anti-DDoS node and expecting that all issues are resolved is not the way or enough to solve all challenges surrounding DDoS and APT's. That’s why a crucial, yet regularly overlooked, element of DDoS protection is having an experienced engineer assessing your setup first. A DDoS specialist can highlight any current issues or vulnerabilities and gives extensive advice on the best solution for your specific situation.

Whether it’s hardware or software related, most of the time numerous factors play an important role in hardening your network and optimising the environment in which the attacked host and/or application resides. That’s why ramping up your defences against DDoS and reducing vulnerabilities can sometimes mean that small and relatively simple design changes are required.

Changes to existing environments or configurations, for example, could already be the right DDoS solution for you. An Anti-DDoS Security Assessment often means establishing quick wins requiring little or no investment. This is why regularly assessing your hardware, setup and environment, even though it is not a vendor solution, is at the top of this list.

2. Combination: Arbor Networks Sightline (former SP) and Threat Mitigation System (TMS), Sightline Insight

Arbor Networks is on its way to completing the second decade of its Anti-DDoS lifespan. The classical combination of Arbor Networks Sightline and Arbor's TMS continues to prove its effectiveness across many industries.

Arbor Sightline is an anomaly detection system. It is based on sampled netflow, capable of performing enhanced reporting, alarming, automated mitigation in multiple phases and can even be triggered by their Availability Protection System (APS). An extra powerful feature is that any third-party script or application for mitigations can be triggered by external and existing logic. Known for its peering and routing analysis capabilities, Arbor Networks Sightline adds faster network insights, improving your business security posture.

In addition, the Arbor Insight option is available now. Storing 100% of all netflow data in a performant, big-data setup, while seamlessly integrated with Sightline, allows for a new level of reporting, alerting and visibility for both peering-analysis, threat visibility and mitigation. RTBH and Flowspec are mitigation methods that are both included with Sightline. Optionally it can be enhanced with Threat Mitigation System (TMS) appliances such as an external scrubbing centre, offering APT awareness and filtering.

This is without a doubt a vital component of the Arbor Networks DDoS solution. Customers have a choice of deploying both Arbor Networks Sightline and TMS virtualised, on the hypervisor and bare metal, therefore lowering Total Cost of Ownership (TCO) from day one.

Benefits of Arbor and the ATLAS Intelligence Feed

Important to note is that TMS’s detection service also makes use of (and helped set up) the ATLAS Intelligence Feed (AIF), providing insight and expert analysis for DDoS protection. With the Arbor Security Engineering & Response Team (ASERT), dedicated to discovering and analysing emerging threats and developing targeted defences, Arbor has both visibility and remediation capabilities at nearly every tier one operator and a majority of service provider networks globally. ASERT shares this operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) and with thousands of network operators via inband security content feeds. Being part of ATLAS, actively monitoring Internet threats around the clock and around the globe via ATLAS, ASERT gives you another good reason to consider Arbor’s anti-DDoS solutions.

3. Flowspec

Few technologies exist that have so many misunderstandings, bad marketing and politics have led to slow development and acceptance, despite it being a great solution for 1 or more problems. In the case of A-DDoS, one can definitely name Flowspec there. With a first implementation already in 2007 on Junos and its RFC5575 created by Cisco, Juniper, Arbor and NTT in 2009, it has been out for more than a decade now. And still many haven't even heard from it, despite it being the best thing since sliced bread according to many.

Without going into too much detail here, Flowspec can be seen as sort of an ACL, source and/or destination-based, using both layer-3 and -4 features which can be originated centrally and distributed via BGP between routers. The BGP part includes BGP attributes, -filtering/policies and -validation. This can then get installed as a sort-of dynamic ACL on the receiving router, placed below any existing filtering, on all or subset of interfaces on a router. It can be used on-net, within the existing network, but can also be used with EBGP as an off-net solution. In fact, the original scope of Flowspec was to protect (paid) transit customers from attacks on their IP-subnets, incoming via their transit-ISP.

This would ensure that despite the uplink being saturated, the customer could still signal mitigation to the ISP which, after automatic filtering/validation by the ISP, could install required ACL entries on the upstream ISP's routers. This would then mitigate the attack within seconds after signalling, freeing up the upstream link(s) and often without impact even to the monthly 95-percentile bandwidth calculations. This exact use-case thought of more than a decade ago, is still alive and in demand more than ever in 2021.

And the best thing… from a router feature perspective, Flowspec is a feature usually supported without added licensing cost! Due to its method of operation, Flowspec can be a great countermeasure for the volumetric and session/state-level attack types. With a growing amount of ISP's adopting Flowspec as either standard or premium service for their customers, this can be a great option or addition for parties otherwise requiring cloud-based or other flavours of A-DDoS solutions, while at low or minimal cost!

But also on-net applications can be worthwhile. Again at a 0 or minimal cost, great added value can be provided to the deployed mitigation setup and several solutions, like e.g. Sightline, have Flowspec mitigation and origination built-in. Strongly recommended for more novice users is consultancy or an aforementioned assessment to ensure proper operation.

4. Juniper Networks & Corero

Specifically for users of larger-scale MX routers and specific large scale attacks, this solution is an option. In the last years, Corero has developed an Anti-DDoS solution with an extra trick up its sleeve. Next to using RTBH and Flowspec as mitigation options, they also support Juniper’s ‘Firewall Filter Flexible Match Conditions’. This is an extension to existing Layer-2/3/4 filtering. Here additional offset criteria can be specified thereby enabling pattern matches at custom, user-defined locations within a packet. So a sort-of dynamic ACL entry with offset based matching can be installed. Required are MPC based line cards (or integrated) and with specific MIC’s.

This can be seen as an alternative with specific attacks to in-line or scrubbing-centre devices, where effectively the router would take over this role. Licensing is volume-based. For environments with existing data-plane filtering or with large amounts of filters expected, due to e.g. high attack quantities, are advised to consult a Juniper expert with existing HW-specs for scalability. We are an Elite Partner of Juniper Networks and we are happy to help you further.

5. Arbor APS/AED

Known as the all-in-one in-line Anti-DDoS appliance, Arbor APS/AED provides a mitigation capacity of up to 200Gbps in a 2U Chassis. It also comes as a virtual offering, also supporting cloud environments such as Amazon Web Services. The Arbor APS and Arbor DDoS Protection service deliver detection and mitigation technology, providing a holistic view of network activities and enabling rapid, automated blocking of attacks before they impact your critical applications and services. Arbor APS now also comes with a new licensing scheme. Traditionally, traffic that was being dropped was also calculated in the license costs. With the new license, only 'good' or 'forwarded' traffic is required to be licensed. This allows for a strong reduction in licensing fees for many environments, significantly lowering TCO. Only a few competing products have aligned with this method.

If combined with Arbor Sightline and its 'cloud signalling', when specific parts of the environment require the highest level of protection, it represents a win-win situation. In this way, the advantages of both an in-line as well as an on-/off ramped solution are effectively combined. When then combined with other best practices, such as Flowspec, it is probably the most effective Anti-DDoS solution currently available on the market, and particularly appeals to financial services organisations, for example. A great new addition now for 2021 is support for STIX/TAXII, e.g. IOC-support and custom, dynamic IP-reputation communication.

6. F5 Silverline Web Application Firewall (WAF)

With Silverline Web Application Firewall, F5 Networks introduced one of the most sophisticated (and cloud-based) WAFs on the market. Its capabilities and feature set, combined with global redundancy and excellent 24x7x365 support, have raised the bar to very high levels when it comes to Web Application security. When you can't afford to have any flaws, need the highest availability and need custom functionality, Silverline definitely should be on your list of Cloud Web Application Firewalls to consider.

F5 Networks regularly updates the Silver WAF with new extensive features that truly enrich the F5 platform. Besides that, it has multiple NOCs delivering 24/7 support and proactively adjusts your setup when desired during detected issues. The Silverline Web Application Firewall service protects web applications no matter where the app is hosted—in the private or public cloud, or in a physical data centre.

DDoS protection solutions - the expert's advice

Preventing the growing number of attacks and threats from hitting you starts with educating employees, using scalable next-generation solutions and gaining insight into the threats targeting your business or industry.

This can be greatly accompanied and enhanced with end-point protection solutions like e.g. Crowdstrike. These priorities are a big challenge for cybersecurity managers. Over the past couple of years, we’ve seen some of the most frequent and severe cybersecurity attacks ever recorded (view live DDoS-attack world map).

As security professionals prepare for another potentially record-breaking year of network breaches and data security risks, it is imperative that you make yourself aware of the latest developments. Good examples are IOC-handling and STIX/TAXII support for e.g. integration within SIEM solutions. The latest generation of anti-DDoS solutions and technologies can help you to stay ahead of the perpetrators and successfully protect your most critical assets and applications.

Nomios DDoS protection

For enterprises confronted with DDoS attacks, finding solutions that offer DDoS protection is critical to protecting revenue, productivity, reputation, and user loyalty. Nomios has developed a set of solutions and services to help enterprises, service providers and cloud service providers to design, deploy, operate and fully or partially manage their anti-DDoS solutions.

Do you want to know what Nomios can do for your DDoS protection? Get in touch with us today!

Sign up for our newsletter

Get the latest security news, insights and market trends delivered to your inbox.

More updates