Congyu Li, product manager for NSFOCUS, answered this question in a speech at the RSA Asia Pacific conference 2013. A new solution for stopping DDoS attacks and Web attacks was introduced: a collaboration between two well-known protection systems.
“It has been the consensus in the Data Center industry that the best spot to stop a DDoS attack is in the backbone of the network because the size of the attack traffic can be quite large. Data centers usually provide mitigation of DDoS attacks as a part of their infrastructure service. On the other hand, Web attacks are large in volume, but their payload goes up to the application level,” said Congyu Li. “In the current market, professional Anti-DDoS Systems (ADS) can mitigate volumetric DDoS attacks. Professional Web Application Firewalls (WAF) can mitigate Web attacks and small volumes of DDoS attacks. However, having ADS and WAF operating separately to defend against both DDoS attacks and Web attacks is not an ideal solution for data centers, as Web hosting customers cannot be transferred from DDoS attack mitigation service to Web attack mitigation service smoothly and efficiently when the attack methodology and tactics change.”
The new solution starts from the Anti-DDoS module in a Web Application Firewall. The WAF can fend off small-scale DDoS attacks. If the DDoS attack is larger than the WAF can handle, the WAF sends a notice to the ADS in the backbone of the network to take over the attack traffic. The ADS then uses the IP information from the WAF to take a series of actions that mitigate the large-scale attack with its higher performance and capacity.
The collaboration of the two systems is automatic and functions well. For data centers, it not only provides proactive mitigation, but also reduces cost in both technical resources and administration.
NSFOCUS is a proven global leader in active perimeter network security for service providers, data centers, and corporations. It focuses on providing network security solutions including: carrier-grade Anti-DDoS System, Web Application Firewall, and Network Intrusion Prevention System – all designed to help customers secure their networks and corporate-critical information. More detailed information is available at http://www.nsfocus.com.