How SDP Can Be Used to Thwart DDoS Attacks
By Shamun Mahmud, Senior Research Analyst and Standards Officer for the Cloud Security Alliance
Software Defined Perimeter (SDP) provides an integrated security architecture that is otherwise hard to achieve with existing security point products. We’ve seen tremendous growth in interest, enterprise adoption, and visibility of this innovative approach to network security. An open source reference implementation is available, and multiple IEEE papers have been published showing SDP’s performance in various implementations (e.g. Software Defined Networks, Edge Computing, IaaS, Network Function Virtualization, etc.). Large enterprises, including Google, Coca-Cola, Verizon, Mazda, and GE, have embraced the SDP architecture and publicly championed their successes. Coca-Cola is applying SDP research in its vending machines, and Mazda is using SDP with connected vehicles. Building Intelligence Inc. uses SDP at its access points for visitors, loading docks, and freight entrances to protect against terrorist attacks and theft.
Four SDP hackathons have been held, and there have been zero successful attacks on the SDP test infrastructure. Below we’ve listed several ways your organization can use SDP to thwart DDoS attacks. These examples are excerpts from CSA’s full report on this topic, Software-Defined Perimeter as a DDoS Prevention Mechanism.
How to thwart DDoS attacks with SDP
HTTP Flood Attack
The key to this attack is that legitimate-looking devices send legitimate-looking POST requests, so the most efficient way to thwart it is to prevent any connection at all. SDP prevents the attack by making the target’s servers invisible to unauthorized devices.
TCP SYN Flood Attack
Large SYN packets or high packet volumes can also flood the target, causing a denial of service. SDP Gateways provide a shield that drops all packets from rogue clients and allows only packets from legitimate clients into the perimeter that protects the target.
UDP Reflection Attack
This type of attack exploits the inherent insecurity of UDP as an unauthenticated, connectionless protocol. By placing these services behind an SDP Gateway, organizations can enforce access controls so that only authorized users (or devices, or servers) can send UDP packets to the service. This eliminates attackers’ ability to use these UDP services for a reflection attack.
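The three sections above describe the same defensive property from three angles: the gateway drops everything from a source that has not been authorized, so an HTTP flood never reaches the web server, a SYN flood never consumes the target's connection backlog, and a UDP probe never gets a reply that could be reflected. The following simulation, added here as an illustration and not taken from CSA's report or from the open source SDP reference implementation, models that default-drop gateway. It assumes a simplified authorization step in which a client proves possession of a shared secret with an HMAC-tagged authorization packet (a stand-in for SDP's real device authorization), and all client names, addresses and the secret are constructed values.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed credentials: the gateway knows one authorized client and its
# shared secret. A real SDP controller would provision these per device.
AUTHORIZED = {"client-A": b"constructed-secret-for-client-A"}


@dataclass
class Packet:
    src: str                                       # source address label
    kind: str                                      # "AUTH", "TCP-SYN", "HTTP-POST", "UDP"
    auth: Optional[Tuple[str, int, bytes]] = None  # (client_id, counter, tag) on AUTH packets


def auth_tag(client_id: str, secret: bytes, counter: int) -> bytes:
    """HMAC over the client id and a monotonic counter; the counter defeats replays."""
    return hmac.new(secret, f"{client_id}:{counter}".encode(), hashlib.sha256).digest()


class SDPGateway:
    """Default-drop gateway in front of the protected service.

    A source is only let through after it presents a valid AUTH packet. Every
    other packet is dropped silently, so the service stays invisible to
    unauthorized senders and the gateway emits nothing that could be reflected."""

    def __init__(self, authorized):
        self.authorized = authorized
        self.admitted = set()      # source addresses with an open session
        self.last_counter = {}     # client_id -> highest counter accepted so far
        self.forwarded = []        # packets that actually reached the service
        self.dropped = 0

    def _valid_auth(self, auth) -> bool:
        client_id, counter, tag = auth
        secret = self.authorized.get(client_id)
        if secret is None:
            return False
        if not hmac.compare_digest(auth_tag(client_id, secret, counter), tag):
            return False
        if counter <= self.last_counter.get(client_id, -1):
            return False           # replayed or stale authorization packet
        self.last_counter[client_id] = counter
        return True

    def handle(self, pkt: Packet) -> Optional[str]:
        """Returns the reply the gateway emits, or None for a silent drop."""
        if pkt.kind == "AUTH":
            if pkt.auth is not None and self._valid_auth(pkt.auth):
                self.admitted.add(pkt.src)
                return "session-open"   # the only reply an unknown source can ever earn
            self.dropped += 1
            return None
        if pkt.src in self.admitted:
            self.forwarded.append(pkt)
            return "forwarded"
        self.dropped += 1
        return None


def simulate(n_rogue: int) -> dict:
    """One legitimate client plus n_rogue attack sources. Each rogue source sends
    a SYN, an HTTP POST, a UDP probe, and a replay of the captured legitimate
    AUTH packet. Returns what reached the service, what was dropped, how many
    replies the gateway emitted, and what an unprotected service would have seen."""
    gw = SDPGateway(AUTHORIZED)
    replies = 0

    secret = AUTHORIZED["client-A"]
    legit_auth = Packet("10.0.0.5", "AUTH", ("client-A", 1, auth_tag("client-A", secret, 1)))
    for pkt in (legit_auth, Packet("10.0.0.5", "HTTP-POST")):
        if gw.handle(pkt) is not None:
            replies += 1

    for i in range(n_rogue):
        src = f"rogue-{i}"                       # constructed attacker source label
        for kind in ("TCP-SYN", "HTTP-POST", "UDP"):
            if gw.handle(Packet(src, kind)) is not None:
                replies += 1
        if gw.handle(Packet(src, "AUTH", legit_auth.auth)) is not None:
            replies += 1                         # replayed AUTH is rejected by the counter

    return {
        "reached_service": len(gw.forwarded),
        "dropped": gw.dropped,
        "replies_emitted": replies,
        "unprotected_would_see": 1 + 3 * n_rogue,
    }


if __name__ == "__main__":
    print(simulate(1000))
```

With 1000 rogue sources the service receives exactly one packet, the legitimate POST, while 4000 packets are dropped and the gateway emits only the two replies owed to the authenticated client; an unprotected service would have had to absorb 3001 packets. The replay check matters because a single-packet authorization that could be replayed would turn the gateway itself into the thing being flooded.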
You can learn more by downloading CSA’s full guidance on DDoS prevention. For more on zero trust and SDP, visit the Zero Trust Working Group and access the latest research from CSA on this topic.