DDoS Mitigation Overview

We integrate best-of-breed Anti-DDoS protection techniques designed to provide superior online computing security, ensure 100% availability of your website and provide a security perimeter to prevent data theft and cyber-attacks against your data center.

Due to the nature of TOFFS Secured Multi-CDN, we are able to federate across multiple CDNs to absorb volumetric attacks. TOFFS Secured Multi-CDN aggregates more than 5 Tbps of traffic and is burstable to 10 Tbps in the event of large-scale attacks. With the automated capability to switch real end-users to another CDN network within 30 seconds, TOFFS provides 100% availability of the Secured Multi-CDN network at all times.

In the event of a bot attack on the primary CDN network, business rules can be configured to automatically switch valid users to another network when the response of the primary network has slowed down. TOFFS 24 x 7 SOC personnel will monitor the attack and ensure that real users' performance is not degraded, by switching the real users to another CDN that is not attacked or affected.

With web application firewalls in the CDNs and TOFFS infrastructure, organisations are protected from Layer 7 application attacks like SQL injection, cross-site scripting, CC attacks, LOIC attacks, etc.

TOFFS provides customers with an SLA guarantee of 99.999% availability even during a DDoS attack.

Cedexis & TOFFS Secured Multi-CDN Use Case Scenarios

Under DDoS or Application Level Attack

  1. Company A's traffic is load balanced between 2 CDNs serving valid traffic and having 2 separate networks to mitigate volumetric attack traffic.
  2. Cedexis’ Radar tracks the real-time performance of every end-user and baselines the users' response time against the desired threshold (e.g., 3 sec), as well as the health check of Company A’s origin.

 

  1. Cedexis’ OpenMix load balances the volumetric attack traffic between 2 CDNs while at the same time serving legitimate traffic, by choosing the more responsive and effective CDN to serve the legitimate end-users’ requests.
  2. Automated Business Rules – Using Cedexis enables Company A and the TOFFS SOC team to switch networks within 30 seconds to ensure the website is always available and there is no single point of failure at DNS or CDN level.
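The switching decision in the scenario above, sketched as an added example; this is not TOFFS or Cedexis code and does not use the Radar or OpenMix APIs. It assumes per-CDN real-user response-time samples and an origin health flag are available, uses the 3-second threshold mentioned above, and all names and sample values are hypothetical.

```python
from statistics import median

THRESHOLD_S = 3.0  # desired response-time threshold from the scenario (e.g. 3 sec)
MIN_SAMPLES = 5    # assumption: too few measurements are not enough to judge a CDN

# Constructed sample: cdn_a is slow (as if under attack), cdn_b is responsive.
SAMPLE = {
    "cdn_a": [4.2, 5.1, 3.8, 6.0, 4.9, 5.5],
    "cdn_b": [0.8, 1.1, 0.9, 1.3, 1.0, 0.7],
}


def cdn_score(samples):
    """Median real-user response time in seconds, or None if too few samples.

    The median is used so a handful of outliers cannot trigger a switch.
    """
    if len(samples) < MIN_SAMPLES:
        return None
    return median(samples)


def choose_cdn(measurements, origin_healthy, current):
    """Return (cdn, reason) for the next routing decision."""
    if not origin_healthy:
        # Switching CDNs cannot help when the origin itself is failing.
        return current, "origin unhealthy: keep routing, alert SOC"

    scores = {name: cdn_score(s) for name, s in measurements.items()}
    usable = {n: v for n, v in scores.items() if v is not None}
    if not usable:
        return current, "no usable measurements: keep current"

    cur = usable.get(current)
    if cur is not None and cur <= THRESHOLD_S:
        return current, "current CDN within threshold"

    best = min(usable, key=usable.get)
    if best == current:
        return current, "all CDNs degraded: current is still fastest"
    return best, f"switch: {current} degraded, {best} median {usable[best]:.2f}s"


if __name__ == "__main__":
    print(choose_cdn(SAMPLE, origin_healthy=True, current="cdn_a"))
```

Staying on the current CDN while it is within the threshold avoids flapping between networks on small differences in response time.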

TOFFS Secured Multi-CDN & WAF Overview

TOFFS Secured Multi-CDN offers Web Application Firewall with full web security protection including OWASP Top-10 coverage, advanced attack protection and 0-day attack protection that automatically adapts your protections to evolving threats and protected assets.

  • Activated through a simple DNS change, with no additional hardware or software installed, WAF Service is easily activated to provide web security coverage in the shortest time-to-deploy.
  • Provides both negative and positive security models that automatically detect application domains, analyze potential vulnerabilities, and assign optimal protection policies. This allows rapid detection and mitigation of zero-day attacks and the continuous fine-tuning of security policies due to changing application usage patterns.
  • Fully Managed 24 x 7 Security Service – Fully managed, 24 x 7 service provided by TOFFS Security Operations Team – a dedicated group of security professionals monitoring the security health of our customers' websites and mobile applications.

Scrubbing Center for other ports / protocols (non http / https)

With an increasing number of native mobile applications using custom ports in addition to ports 80 and 443 (e.g. WhatsApp uses 5223, 5228, 4244, 5242, 443, 80) and enterprises have other, there is a need for Internet protection services for other ports that CDNs typically cannot support.

TOFFS Secured Multi-CDN provides an option of using Radware’s global network of mitigation devices, totalling over 2 Tbps of scrubbing mitigation capacity, for non-HTTP ports. This capability is spread strategically across scrubbing centers around the world for instances when volumetric attacks threaten to saturate customers’ link capacity. Radware scrubbing centers are designed to serve major markets with minimal latency and are constantly being expanded and upgraded based on the growth of the customer base and changes in DDoS attack trends.

In addition to its scrubbing centers, Radware also supports multiple cloud POPs for always-on WAF and DDoS protection service. Radware is the only service provider that has dedicated scrubbing centers that segregate clean traffic from attack traffic – further securing the organization’s legitimate traffic.


Web Application Firewall Specifications

Web Application Attack Mitigation

  • SQL injection attack protection
  • Cross-site scripting attack protection
  • Cross-site request forgery (CSRF) attack protection
  • Open redirect attack protection
  • Bot defenses by detecting known bot agents and frequency of requests
  • Buffer overflow mitigation
  • Protection against attack evasion techniques by normalizing traffic and enforcing protocol compliance

Authentication

  • Basic
  • Digest
  • NT LAN Manager (NTLM)
  • Client SSL certificate
  • Security Assertion Markup Language (SAML)
  • Token-based authentication

Supported Protocols

  • HTML, DHTML, XML, SOAP, JSON, AJAX
  • HTTP/1.0 and HTTP/1.1

Application Defenses

  • HTTP protocol conformance
  • White list security with automated learning
  • Black list security
  • Request normalization
  • Cookie encryption, URI and form rewriting for session protection
  • Client-side caching and SSL security enhancements
  • Blocking by geolocation
  • aFleX policies for customized rules and complete programmatic control

Data Loss Prevention

  • Credit card and social security number masking
  • Perl Compatible Regular Expressions (PCRE) pattern matching
  • Response cloaking

DDoS Protection

  • Volumetric DDoS attacks – SYN flood, ICMP flood, UDP flood, Ping of Death, Smurf attack, LAND attack, fragmented packets
  • Application-layer DDoS attacks – HTTP flood, Slowloris, Slow POST, DNS flood, targeted attacks to exhaust backend database resources