Ask anyone who has spent time protecting networks from distributed denial of service (DDoS) attacks: There is no silver bullet. While blocking DDoS can be trivial (“just blackhole the destination IP address!”), it is often much more complex to block the attack traffic without affecting legitimate traffic. To do that, you need to use the right set of countermeasures for the specific type of attack vector—in other words, use the right tools for the job.

For many years, we have been arguing (and demonstrating in our customers’ networks) that network edge mitigation is what network operators should use for most DDoS attacks. That is, if their border routers can support large-scale filtering through NETCONF or FlowSpec. These routers can offer very effective mitigation capacity because they were built to efficiently forward, rate-limit and drop packets when requested. They are the most cost-efficient stateless mitigation devices you will find because they are already in your network.

We understand that not everyone has the option of using routers for network-based protection. For example, some networks use older border routers with limited filter scale. These can be fine for some basic DDoS countermeasures (think DNS amplification), but they are not sufficient for botnet-based mitigation, which might require a few thousand filter entries per attack.

For these customers, we introduced our Defender Mitigation System (7750 DMS) in 2023. This stateless, purpose-designed DDoS mitigation device provides terabit-level mitigation and can be positioned practically anywhere in an existing network.

You can think of 7750 DMS and edge-based mitigation as deflector shields for your network. Both can absorb large amounts of attack traffic and are extremely efficient for the vast majority of attack types.

Of course, there are some specific attack types that would be better addressed with other methods. Enter the Advanced Countermeasures Engine (ACE): our tractor beam for more complex DDoS attack traffic.

Starting now, ACE runs as part of the 7750 DMS and expands its capabilities on several fronts:

1. Extended stateless blocking: ACE can drop traffic using access control lists of virtually unlimited size. This means you can now filter on all known bots instead of filtering on the specific bots sending you DDoS traffic. You can also block specific countries, even if these include a very large number of prefixes.

2. Protocol validation: From layer 4 to layer 7, ACE will parse the full packets and discard those that do not conform to protocol definitions.

3. Stateful/active countermeasures: As additional means to prevent spoofed and malicious sources of traffic, ACE will provide the ability to authenticate sources for several protocols widely used in DDoS attack and track TCP sessions to address specific types of low-and-slow attacks.

4. DNS server protection: ACE will protect your DNS infrastructure against application-layer attacks, including an increasingly common attack type where attackers send DNS requests for non-existent/randomized subdomains, leading to NXDOMAIN responses and DNS service unavailability.

ACE offers new capabilities to expand your mitigation toolset. You can keep relying on the stateless protection provided by your network edge or DMS deployment, which can address the vast majority of DDoS attacks today, from volumetric to application-layer attacks. See my earlier post for more on this topic.

To sum up: Keep using your deflector shields. And know that if you need more advanced, stateful countermeasures, we’ve also got you covered with our tractor beam-worthy ACE.