Behavior analysis techniques in DDoS mitigation

There are two major schools of thought in the practice of DDoS mitigation: signature-based and heuristic-based filtering. Signature-based filtering is the most common method: it detects attacks by each attack's predetermined “fingerprint” and blocks the attack based on this data. While highly efficient, this approach prevents real-time mitigation of “zero day” (brand new) attacks.

1. Network Behavior Analysis (NBA)

Network Behavior Analysis, one primary method used by DDosHostingProtection, builds an image of known valid traffic patterns and analyzes traffic that does not match the expected behavior. When traffic is abnormal, the NBA system must determine whether the abnormality was organic in nature or the result of a DDoS attack. When it determines that the spike could not have occurred as the result of organic changes in traffic patterns, the traffic is temporarily blocked.
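The NBA decision flow described above, sketched as an added example that is not DDosHostingProtection's code. The z-score test, the growth and new-source thresholds, the rule separating organic spikes from attacks, and all names and sample data are assumptions made for illustration.

```python
from statistics import mean, stdev

class TrafficBaseline:
    """Image of valid traffic: recent per-minute rates and seen sources."""
    def __init__(self, rates, sources):
        self.rates, self.sources = list(rates), set(sources)

    def zscore(self, rate):
        # Needs at least two baseline samples; guard against zero spread.
        return (rate - mean(self.rates)) / (stdev(self.rates) or 1.0)

    def learn(self, rate, sources, keep=60):
        # Only traffic judged valid is folded back into the baseline.
        self.rates = (self.rates + [rate])[-keep:]
        self.sources |= set(sources)

def assess(baseline, prev_rate, rate, sources,
           z_limit=4.0, max_growth=3.0, max_new_share=0.5):
    """Classify one minute of traffic as 'normal', 'organic' or 'block'."""
    seen = set(sources)
    if baseline.zscore(rate) <= z_limit:
        baseline.learn(rate, seen)
        return "normal"
    growth = rate / max(prev_rate, 1)
    new_share = len(seen - baseline.sources) / max(len(seen), 1)
    # Assumed rule: an abrupt jump carried mostly by never-seen sources
    # could not be organic; any other abnormal minute is treated as organic.
    if growth > max_growth and new_share > max_new_share:
        return "block"  # temporary block; the baseline is left untouched
    baseline.learn(rate, seen)
    return "organic"

# Constructed sample data (documentation address ranges), not real traffic.
KNOWN = {f"198.51.100.{i}" for i in range(1, 101)}
RATES = [980, 1010, 1040, 995, 1020, 1005, 990, 1030, 1015, 1000]

def demo():
    base = TrafficBaseline(RATES, KNOWN)
    regular = sorted(KNOWN)[:80]
    flood = [f"203.0.113.{i}" for i in range(1, 201)]
    return [
        assess(base, 1000, 1025, regular),               # matches baseline
        assess(base, 1025, 1900, regular),               # spike, known sources
        assess(base, 1900, 9000, regular[:20] + flood),  # abrupt, new sources
    ]

if __name__ == "__main__":
    print(demo())
```

Leaving the baseline unchanged on a block keeps attack traffic from being learned as valid.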

2. Human Behavior Analysis (HBA)

Human Behavior Analysis, a patent-pending method by DDosHostingProtection, applies similar concepts to Layer 7 traffic. When a Layer 7 request is received by a DDosHostingProtection proxy system, deployed either as a remote proxy or as a local web application firewall (WAF), it is inspected to determine whether the request originated from an actual human. The Black Lotus systems maintain intelligence on the expected request patterns and are able to block requests that do not match the expected behavior. Using this logic, even a single malicious request can be identified as originating from a member of a botnet. This information is then used to augment NBA methods and form a more effective DDoS mitigation system.
