Software-Defined Perimeter as a DDoS Prevention Mechanism
Release Date: 10/27/2019
Working Group: SDP and Zero Trust
Distributed Denial-of-Service (DDoS) attacks are one of the most prevalent types of cyber attack, and their numbers are only climbing. DDoS attacks are large-scale incursions in which the perpetrator uses more than one unique source IP address (often thousands of them) to launch simultaneous attacks against a target. Organizations should be aware of this threat and on the lookout for the best DDoS mitigation methods.
In this paper by the Zero Trust Working Group, we advocate for Software Defined Perimeter (SDP) as a tool to protect private services from DDoS attacks. SDP is an architecture that provides integrated security, which is otherwise hard to achieve with existing security point products. SDP is efficient and effective against several well-known attacks, including HTTP Flood, TCP SYN, and UDP Reflection.
- An explanation of DDoS attack vectors and their layers and logical protocols according to the OSI and TCP/IP models
- An overview of non-SDP mitigation methods
- The steps for setting up an SDP configured as a DDoS defense mechanism
- An explanation of three well-known attacks and how to use SDP to defend against them: HTTP Flood, TCP SYN Flood, UDP Reflection
- A list of DDoS and other attack monitoring maps
Who It’s For:
- People in security, enterprise architecture, and compliance roles within enterprises
- Solution providers, service providers, and technology vendors