Over the last few weeks, we have received numerous support requests from our enterprise customers and had interactions with teams regarding early notification alerts sent from our side about their application servers' susceptibility to the HTTP 2 Rapid Reset DDoS attack. It was interesting to listen to the Blue team's stance and views on the shared responsibility aspect of DDoS mitigation. There is a widespread misbelief that any single-layer protection, whether at the ISP level or gateway, offers adequate defense against all types of DDoS attacks. Most large enterprises have multi-disciplinary, defense-in-depth practices in place to prevent such attacks. Nonetheless, it was notable that we were able to demonstrate the actual impact to customers with meaningful proof of concepts (POCs) despite the presence of many such security solutions. While the most favored and recommended method of remediation is the actual patching of the application server, there may be issues related to application compatibility or other factors that could delay this action. Therefore, it is crucial to verify the presence and effectiveness of security controls at various levels to establish a virtual patching defense for the affected application servers. A multi-layered DDoS defense strategy integrates measures from ISPs, WAFs/WAAPs, CDNs, ALBs, SLBs, and Application Servers to provide comprehensive protection:

• ISPs can preemptively handle DDoS attacks at the network level by filtering known attack patterns.
• WAFs/WAAPs guard the network edge, screening incoming web traffic to thwart application-level threats.
• CDNs use their global server networks to dilute DDoS impact, caching content to serve users from the closest location.
• ALBs and SLBs distribute traffic across servers, detecting and mitigating unusual traffic increases indicative of DDoS attempts.
• Application servers utilize inherent or added software defenses to monitor and respond to traffic anomalies.

This combined approach offers a robust security posture, ensuring that even if one defense is breached, others continue to protect against DDoS attacks. Our team has crafted an infographic designed to help the community effortlessly grasp the protection each defense layer offers against DDoS attacks and the importance of regularly assessing the effectiveness of these solutions.

Note: The "Order/Placement" refers to the strategic location within the network where security solutions are deployed; "Layer" indicates the specific level of the network stack that the security operates on; and “Type” describes the setup and management options available for these security solutions.