Many Internet projects are continuously subjected to DDoS attacks launched by competitors or hackers to achieve their own goals. The resulting service interruptions cost the organization a lot of money. Deploying DDoS cloud protection has become crucial. Let's see how CDN5 can provide cloud protection to keep your business stable under attack.
How CDN5 Provides Cloud DDoS Protection
In response to DDoS attacks, CDN5 introduces developers to cloud protection services that can be used to protect targets either natively or in an integrated manner. As the outermost layer of the defense-in-depth network protection model, DDoS cloud protection services help improve the availability and resilience of the entire cloud network infrastructure.
What is DDoS Cloud Protection?
DDoS cloud protection differs from traditional protection, which relies on physical hardware and local resources. It is a security solution that leverages cloud infrastructure and uses distributed cloud resources to detect, mitigate and absorb DDoS attack traffic.
How cloud-based DDoS protection works: the cloud protection center routes traffic to a cloud-based cleaning center, which analyzes the traffic, detects and absorbs the attack, intercepts malicious traffic, and returns legitimate traffic to the source. The response time of cloud protection is relatively slower than that of traditional DDoS protection because the traffic must first pass through the cloud. However, the advantages of cloud-based DDoS protection are also clear:
Flexible scalability: DDoS cloud protection is built on the CSP's extensive infrastructure, so it can scale dynamically to protect against mega-attacks.
Intelligent detection: Using machine learning algorithms and behavioral analysis developed in the cloud, it can accurately address application layer DDoS attacks that local protection may miss.
Lower cost: By drawing on the extensive resources of CSPs, cloud protection can effectively reduce the cost of protection.
Flexible deployment: Compared with standardized ISP products, DDoS cloud protection providers can customize solutions to user needs.
Factors to consider when choosing DDoS cloud protection
1. Cost: The market currently offers pay-per-volume pricing and fixed monthly fees. If there is no attack, paying by volume is naturally cost-effective; if there is an attack, paying by volume may lead to sky-high bills. In addition, DDoS protection should be judged on cost-effectiveness rather than on price alone.
2. Provider professionalism: For example, CDN5 has been fighting DDoS attacks for many years and has never been defeated, while other service providers may be start-ups or have less experience in DDoS protection, so run a stress test or trial before choosing.
3. Responsiveness: Chinese users should, as far as possible, choose a company with professional Chinese technical support, such as CDN5, that can provide 24/7 response support and timely problem solving to ensure stable operation of the service.
Core points to prevent DDoS attacks
1. Implement multi-layer protection
About 5-10 years ago, DDoS attacks were generally layer 3-4 attacks (targeting the network and transport layers). Today's DDoS attacks are spread across different layers (network layer, transport layer, session layer, application layer) or combine several layers, and attackers also forge traffic and vary their methods to plan extremely complex attacks. Preventing DDoS therefore requires a multi-layer protection program, and if you choose a CDN service provider, that provider must have flexible scalability.
2. Intelligent identification of attack types
In general, the three common types of DDoS attacks are layer 7, application layer and HTTP flooding. A response based on manual analysis is very slow, whereas intelligent identification can quickly detect the type of attack and enable the right defense mechanism for its characteristics, for example filtering specific URLs, traffic and IP addresses. This effectively mitigates the impact on the service from the moment the attack begins.
3. Reduce the exposure of the attack surface
In order to minimize the risk of DDoS attacks, it is critical to reduce the exposure to attackers. Here are some effective strategies:
Hide the source IP: Put the service behind a CDN so that the source IP is not exposed.
Network separation: For example, put web services on the public network and database services in a private subnet, so that the database is not reachable from hosts you do not own.
Geo-restriction: Restrict visitors from areas where some services are not provided.
Program security: Remove unnecessary features, keep the application or website lean, and close all unnecessary ports.
4. Implementation of black hole routing
Black hole routing is a technique used to drop malicious traffic before it reaches the target network or server. It involves configuring a router or switch to send the traffic to a null interface, known as a “black hole,” where it is discarded. Black hole routing is typically used to block traffic from a specific IP address or subnet identified as the source of an attack.
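The identification step in point 2 and the black hole routing in point 4 can be combined as shown here. This is an added example, not CDN5's code: the log tuples are constructed from documentation address ranges, and the thresholds, window size and function names are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: (epoch_second, source_ip, request_path), documentation ranges only.
SAMPLE_LOG = (
    [(1000 + i % 10, "198.51.100.7", "/login") for i in range(300)]
    + [(1000 + i % 10, f"203.0.113.{20 + i % 4}", "/search") for i in range(800)]
    + [(1000 + i, "192.0.2.10", "/index.html") for i in range(10)]
)

def flood_sources(log, window=10, max_requests=100):
    """Return {ip: peak request count in any fixed window-second bucket} above the limit."""
    buckets = Counter((ip, ts // window) for ts, ip, _ in log)
    peaks = defaultdict(int)
    for (ip, _), n in buckets.items():
        peaks[ip] = max(peaks[ip], n)
    return {ip: n for ip, n in peaks.items() if n > max_requests}

def hot_paths(log, sources, top=3):
    """URLs most requested by flagged sources: candidates for URL-level filtering."""
    return Counter(p for _, ip, p in log if ip in sources).most_common(top)

def blackhole_prefixes(sources, subnet_len=24, min_hosts=3):
    """Collapse flagged IPv4 hosts into a subnet when enough share it, else keep /32s."""
    by_net = defaultdict(list)
    for ip in sources:
        net = ipaddress.ip_network(f"{ip}/{subnet_len}", strict=False)
        by_net[net].append(ipaddress.ip_network(f"{ip}/32"))
    prefixes = []
    for net, hosts in by_net.items():
        prefixes.extend([net] if len(hosts) >= min_hosts else hosts)
    return sorted(prefixes)

def route_commands(prefixes):
    """Render iproute2 null-route commands for operator review; nothing is executed."""
    return [f"ip route add blackhole {p}" for p in prefixes]

if __name__ == "__main__":
    flagged = flood_sources(SAMPLE_LOG)
    print(hot_paths(SAMPLE_LOG, flagged))
    for cmd in route_commands(blackhole_prefixes(flagged)):
        print(cmd)
```

A null route matches on destination, so on its own it drops the replies sent to a flagged prefix; dropping the inbound packets by source additionally needs reverse-path filtering (uRPF) or a firewall rule. Collapsing to a /24 also blocks any legitimate clients in that subnet, so review the prefixes before applying them.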
This article was written by CDN5 Technical Department Engineer/Angus