This article was sponsored by Incapsula. Thank you for supporting the partners who make SitePoint possible.

Unless you’ve taken the necessary steps to protect your websites, they’re highly vulnerable to DDoS attacks. Now you might think of a DDoS attack as the one that knocked out French news sites after the country’s election in May. Or you may think of the attack in October 2016, when subscribers couldn’t access the New York Times or Wired because hackers used DDoS to attack their DNS provider. In those cases, the systems were hit with so many requests from bots around the globe that they couldn’t handle legitimate requests. And that, in a nutshell, is a DDoS attack: flooding a service with so many requests that the system grinds to a halt.

But today DDoS attacks come in many flavors. They have evolved from simply flooding the firewall or DNS servers with noise to targeting an enterprise’s infrastructure and web applications. It’s actually attacking you from inside your enterprise.

A Surge in Application DDoS Attacks

Unlike network layer DDoS attacks like the one on the New York Times, application layer DDoS attacks typically need far less traffic volume to do their damage. Application layer campaigns repeatedly make calls to applications, such as websites, web apps, servers and plugins, slowing or stopping the applications altogether by taxing the resources of the server they reside on.

Internet facing web applications are vulnerable to a myriad of attacks such as cross-site scripting (XSS) and SQL injection. An application attack also differs from a perimeter (Layer 3) attack because the attacker uses targeted requests to take an application down and tie up the server’s resources.

On the whole, DDoS attacks are on the rise, and the kind that hit the French newspapers is not where the surge is coming from. The largest increase in DDoS attacks is hitting servers that host web applications.

For example, for four quarters in a row, Incapsula recorded a decrease in the number of network layer assaults, which it says fell to 269 per week compared to 568 in the second quarter of 2015. In contrast, it saw yet another spike in the number of application layer assaults, which reached an all-time high of 1,099 per week.

Security experts predict that Internet facing enterprises will experience DDoS attacks more than once a year. “It’s not a question of if, but rather when you will be attacked,” Tim Matthews, Imperva’s vice president of marketing told Dark Reading.

The reason for the surge in DDoS attacks on applications is twofold.

First, the number of applications is on the rise. In 2016, half of the organizations surveyed indicated that they are looking to release and maintain custom applications.

The other reason for the rise in DDoS attacks is mainly the abundance of resources available to hackers — and wannabe hackers. Not long ago it was quite difficult to build a force of bots to attack a given resource. Now, for little to no money, anyone can acquire the attack software on the dark web, or for as little as $5 they can hire someone to do it for them. In 2015, a high school student paid for a DDoS attack on his school.

The Cost

Any DDoS attack costs a business its reputation and eventually its customers, because the customer really doesn’t care what kind of DDoS was involved, whether it was a network layer or application layer attack; they only know they cannot complete a transaction. For example, a DDoS attack on an application brought down an undisclosed U.S. college in February. The attack created a network outage for more than two days, preventing students, parents and staff from logging in. The school was effectively shut down in that time.

In the case of a school, the monetary loss is difficult to quantify, but for a business that sells widgets, it gets expensive very fast. In terms of dollars, a single hour of downtime can cost a business as much as $20,000. And that doesn’t factor in the soft costs attributed to the loss of reputation and future sales. After all, users might wonder how well the business is protecting client data when it can’t even protect itself.

DevOps Needs a Secure Environment for Their Apps

Couple the spike in DDoS attacks on applications with the low cost and ease of creating an attack, and with the results of a business impact analysis, and it’s clear that developers need to prepare for an attack.

But like most of IT, DevOps teams have viewed security as an obstacle to delivery targets. According to Gartner, implementing information security policies and teams creates a perception that it prevents developers from delivering value. What’s worse, most developers didn’t learn secure coding in school, and if they’re not coding with security in mind, it leaves applications open to attacks.

Gartner also reports that developers need to change their practice. It says, “Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers, and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering ‘DevSecOps.’”

So while developers are improving their skills and are reminded nearly every day that they need to build security into their code, there are a lot of apps in the wild right now that are ripe for attack. The fastest way to mitigate this exposure is to buy a service that provides a web application firewall (WAF). A WAF is an appliance, a cloud-based service, or a combination of both that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules, many types of web attacks can be identified and blocked. It’s a matter of routing traffic through the WAF before it hits your application servers.

How to Choose a DDoS Protection Service for Your Website

It’s time to go shopping for a web application firewall, but there are far too many options. Not all WAFs and support staff are the same. Some make big claims but struggle with more complex attacks. Most are cloud based, and the better ones can be set up in just a few minutes.

Here is a set of questions that you should ask your WAF sales rep:

Does the DDoS Solution Use Crowdsourcing?

Crowdsourcing techniques extend protection immediately to the entire customer base: an attack pattern seen against one customer becomes a rule for all of them. Pooling the collective knowledge about the current threat landscape builds a database of threat information that can be aggregated across the community using big data analytics.

What is Their Market Share?

Biggest isn’t always best, but size matters when we’re evaluating crowdsourcing. A small customer base won’t be much help in reducing the risk of attacks.

Is the Web Application Firewall Certified by the PCI SSC?

The Payment Card Industry (PCI) Security Standards Council is a vendor-agnostic body that certifies vendors that demonstrate compliance with the twelve requirements of its PCI Data Security Standard.

Is the DDoS Solution On-Prem Only?

While dedicated DDoS security appliances prevent application DDoS attacks, they cannot handle massive volumetric attacks – attacks that top 200 Gbps of throughput and surpass customers’ Internet bandwidth limits. To eliminate downtime, organizations must block volumetric attacks before they reach the network. While it may be useful in some cases to have an on-prem box, see if the provider has a cloud solution to complement it.

Does Your WAF Perform Behavioral Anomaly Detection?

Anomaly detection is the science of using intelligence to detect items and events that do not conform to an expected pattern or to the other items in a dataset. In this case, anomaly detection checks for behavioral patterns that don’t appear to be human: request rates, timing, and page-fetch sequences that a real browser and user would not produce.
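
As an added illustration of what such a behavioral check looks like (example code written for this article, not part of the original or of any vendor’s product): a minimal detector over constructed access-log lines that flags clients with a burst of requests to expensive endpoints, no static-asset loads, and metronome-regular timing. The log format, the endpoint lists and the thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Added example, not the article's code: flag clients whose request pattern
# does not look human. Endpoint lists and thresholds are assumptions.
LOG_RE = re.compile(r'^(\S+) \[(\d+)\] "GET (\S+) HTTP/1\.[01]" (\d{3})$')
EXPENSIVE = ("/search", "/login", "/api/report")      # assumed costly endpoints
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".ico")  # a browser loads these

def profile_clients(lines):
    """Per-client features: volume, share of expensive hits, asset loads, timing."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # skip malformed lines rather than crash on them
            hits[m.group(1)].append((int(m.group(2)), m.group(3)))
    profiles = {}
    for ip, reqs in hits.items():
        reqs.sort()
        paths = [p for _, p in reqs]
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        profiles[ip] = {
            "count": len(reqs),
            "expensive_ratio": sum(p.startswith(EXPENSIVE) for p in paths) / len(paths),
            "fetched_static": any(p.endswith(STATIC_EXT) for p in paths),
            # stdev of inter-arrival gaps; ~0 means metronome-like scripted timing
            "gap_stdev": statistics.pstdev(gaps) if len(gaps) > 1 else None,
        }
    return profiles

def flag_anomalies(profiles, min_count=10, max_gap_stdev=0.5):
    """Bursts of expensive requests with no asset loads or machine-regular timing."""
    flagged = []
    for ip, f in profiles.items():
        if f["count"] < min_count or f["expensive_ratio"] < 0.8:
            continue
        regular = f["gap_stdev"] is not None and f["gap_stdev"] <= max_gap_stdev
        if not f["fetched_static"] or regular:
            flagged.append(ip)
    return sorted(flagged)

# Constructed sample: one human browsing session, one script hitting /search
# once per second and never loading a page asset.
SAMPLE_LOG = [
    '203.0.113.5 [1000] "GET / HTTP/1.1" 200',
    '203.0.113.5 [1001] "GET /css/site.css HTTP/1.1" 200',
    '203.0.113.5 [1017] "GET /search?q=shoes HTTP/1.1" 200',
    '203.0.113.5 [1042] "GET /login HTTP/1.1" 200',
] + [f'198.51.100.7 [{1000 + i}] "GET /search?q={i} HTTP/1.1" 200' for i in range(12)]
```

Running `flag_anomalies(profile_clients(SAMPLE_LOG))` returns only the scripted client; a real service would feed these features into rate limiting or a challenge rather than block outright, since the thresholds are where false positives live.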

Is Your WAF Set and Forget?

That’s a trick question. Given enough time and persistence, any attacker will find a way into a network. It takes people to recognize a shift in the attacker’s strategy and adjust accordingly. Artificial intelligence is good, but it’s better when backed by human intelligence.

Look for a provider that has all of the above. Incapsula, for example, has what the company calls a Five Ring Approach to application layer DDoS protection. In fact, Incapsula was the solution provider that helped the U.S. college mentioned above quickly mitigate the attack. Its engineers noticed that the attackers modified their attack once they noticed the mitigation, and adjusted to quickly bring the attack under control while allowing legitimate traffic through.

The business of DDoS attacks is booming. DDoS is used for extortion, ransom, revenge, vigilantism, or just for kicks. Those site developers that choose not to protect themselves are sitting ducks for criminals with the tools and the desire. Like Tim Matthews of Incapsula said, “It’s not a question of if, but rather when you will be attacked.”
