Cloud Security Alliance Releases Anti-DDoS: Software-Defined Perimeter 
As a DDoS Prevention Mechanism

Document examines the operationalization of Software-Defined Perimeter as prevention mechanism against three well-known types of Distributed Denial of Service attacks

ORLANDO – (ISC)² Security Congress – Oct. 28, 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released new research on Anti-DDoS: Software-Defined Perimeter as a DDos Prevention Mechanism. Produced by CSA’s Software-Defined Working (SDP) Group, this paper sheds light on the use of a SDP as a tool to prevent Distributed Denial-of-Service (DDoS) attacks. It demonstrates the efficiency and effectiveness of a SDP against several well-known attacks including HTTP Flood, TCP SYN, and UDP Reflection.

The document focuses on protecting private services, such as private business applications, employee or customer portals, and email servers, which are well-suited to being protected from DDoS attacks by a Software-Defined Perimeter. Utilizing the Seven Layer OSI Model, various scenarios are laid out based on where the aforementioned attacks may be targeted (i.e. applications, transportation, and networks), which security professionals can use as guides for securing their own enterprise systems.

“Denial of Service attacks are — and continue to be — a problem. With the adoption of cloud services, the threat of network attacks against application infrastructure increases, since traditional perimeter-defense techniques cannot adequately protect servers,” said Juanita Koilpillai, co-chair, CSA Software-Defined Perimeter Working Group, and CEO and President of Waverley Labs. “This document, the latest from the SDP Working Group, was created to aid those responsible for the evaluation, design, deployment, or operation of DDoS prevention solutions within their enterprise.”

Typically performed against public-facing services running on the internet, such as web servers and DNS servers, DDoS attacks attempt to overwhelm a target and prevent it from delivering its services to legitimate users. SDPs are resilient against these types of attacks, however, because they utilize a computationally lightweight mechanism (SPA) to distinguish between authorized and unauthorized users, even from remote systems. Because the vast majority of DDoS traffic is initiated by unauthorized users, SDP gateways can reject it without incurring a heavy computational load on the server.

The Software-Defined Perimeter Working Group was created with the goal of developing a solution to stop network attacks against application infrastructure. Those interested in learning more about the group or participating in future research should visit the Software-Defined Perimeter Working Group page.

Download Anti-DDoS: Software-Defined Perimeter as a DDos Prevention Mechanism.