DDoS Mitigation
At Azion, DDoS Mitigation is performed by DDoS Protection, an Edge Firewall add-on. DDoS Protection is designed to mitigate the largest and most complex network, transport, presentation, and application-layer DDoS attacks without bandwidth limitations.
DDoS Protection is integrated into over 100 edge locations across Azion Edge Network, with connections to distributed scrubbing centers for effective attack mitigation as close as possible to the origin of the attack. As a founding participant in the MANRS initiative led by the Internet Society, Azion enhances network routing security by using strict AS-path filters and verifying both customer and internal network advertisements to prevent IP spoofing.
Additionally, Azion’s Software-defined Networking (SDN) practices leverage real-time packet analysis and advanced algorithms for traffic anomaly detection, enabling automatic mitigation of attacks like BGP hijacking and DDoS without affecting latency.
This way, complex attacks on your content, applications, and Domain Name System (DNS) service can be prevented directly at the edge, even if you're still using an on-premises or cloud origin infrastructure. Mitigation is extended to the edge regardless of whether your network is IPv4, IPv6, or hybrid.
Main DDoS attacks
DDoS attacks can be classified as:
- Volume-based attacks: also known as flood attacks. This type of attack uses a form of amplification or malware and worm requests, potentially coordinated by a botnet, to create large amounts of traffic and overload a system.
- Protocol attacks: also known as state exhaustion attacks. Protocol attacks focus on exploiting vulnerabilities in network resources, overloading the processing of critical services and infrastructure such as security and load balancing.
This is a non-exhaustive list of some DDoS attacks that can be mitigated by Azion’s platform:
- Bogons
- Botnet attacks
- Brute force attacks
- Connection flood attacks
- DNS flood (including well-formed DNS Queries)
- HTTP floods (including HTTP well-formed POST / GET URL requests)
- HTTP Slow Reads
- ICMP Flood
- IGMP Flood
- IP Bogons
- IP Fragmentation
- Low and Slow attacks
- MALFORMED ICMP Flood (Ping of death)
- MIXED Floods (TCP+UDP, ICMP+UDP, etc.)
- Nuke
- OWASP top 10
- Reflected ICMP / UDP
- Slowloris
- Smurf
- Spoofing
- TCP ACK Flood
- TCP ACK-PSH Flood
- TCP SYN-ACK Flood
- TCP FIN Flood
- TCP Out of state Flood
- TCP RESET Flood
- TCP SYN Flood
- TCP Fragmentation
- TCP Invalid
- Teardrop
- UDP Flood
- Zero-day attacks
Some examples of detection and mitigation techniques employed include:
- Allowlists, blocklists, and greylists.
- Blocking, redirecting, or dropping according to HTTP headers and geolocation, among other parameters.
- Blocking, redirecting, or dropping according to reputation, network lists, etc.
- Botnet lists, cloud providers, malware, proxies, etc.
- Bot mitigation and management techniques.
- Challenge-response techniques.
- CAPTCHA and reCAPTCHA for identifying human users.
- Cookie tampering.
- Dynamic IP reputation, fingerprints, IP + user agents, etc.
- Fingerprinting.
- HTTP redirect.
- Malformed packet discarding.
- Origin access restriction for Azion IP addresses only.
- Pattern analysis and anomaly detection.
- Score-based blocking.
- Security token, JWT, etc.
- Session timeout.
- Signature/fingerprint-based blocking.
- Simple (local) and advanced (global, contextual) rate limit.
- Standby rules (to be used in response to incidents as they happen).
- Techniques to prevent brute force attacks.
DDoS management
Azion applies a security-centric strategy to its products and services, providing customers with programmable and extensible zero-trust security that is always protected and visible with end-to-end encryption.
Attacks can be recorded and monitored through Azion Real-Time Events and Real-Time Metrics, or by using Data Stream connectors to integrate with Security Information and Event Management (SIEM) platforms and big data services.
Azion prioritizes algorithm development for automatic detection and blocking of attacks. Once a threat is identified, the Azion Security Response Team (SRT) tracks it end-to-end and may apply customized rules to mitigate sophisticated network, transport, presentation, and application-layer DDoS attacks. These rules are enforced instantly by the real-time architecture of Edge Firewall, allowing you to quickly and efficiently protect your content or application.