DDoS Attack Mitigation Technologies Demystified

Distributed Denial of Service (DDoS) attacks are among the oldest Internet threats. Despite that, due to their simplicity and effectiveness, they continue to be a top risk for public services around the world. As protections have evolved, the technology used by hackers has adapted and become much more sophisticated. New attack types now target applications and services. Bulk Layer 3 and 4 DDoS events are also becoming more sophisticated, and they are often masked in apparently legitimate traffic or combined in unique new "zero day" attacks, making them very difficult to detect.

This whitepaper discusses some of the technologies traditionally used to detect and mitigate DDoS attacks, how they evolved, and why state-of-the-art technology must rely on Application Specific Integrated Circuits (ASICs), inline symmetric or asymmetric deployments, and a wide spectrum of analysis methods covering Layer 2 (Data-Link layer) through Layer 7 (Application layer) of the OSI model, and why this must be done with high-performance, hardware-based architectures.

As part of the discussion, we will explain some features and benefits of the Fortinet FortiDDoS approach, the differences compared to conventional devices based solely on stateful or stateless inspection, and the advantages of behavior-based methods of attack detection built on customized hardware vs. signature-based methods built on standard CPU/RAM architectures.