Cloudflare DDoS attack protection solution
1. What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack is an attack method that aims to block normal traffic to a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a large amount of Internet traffic.
To make DDoS attacks highly effective, attackers use multiple compromised computer systems as sources of attack traffic. Exploited machines can include user computers and other networked resources such as IoT devices.
Currently there are three basic types of DDoS attacks:
- Volumetric attacks: use large volumes of traffic from amplification sources or botnets to flood the target system's network bandwidth.
- Protocol attacks: cause service disruption by consuming excessive resources on servers or on network devices such as firewalls and load balancers. Protocol attacks exploit weaknesses in Layer 3 and Layer 4 of the OSI model to block access to target systems.
- Application layer attacks: primarily target web applications and are very difficult to prevent because it is hard to distinguish malicious traffic from legitimate traffic.
2. Current state of DDoS attacks in Vietnam
According to statistics for Q2 and Q3 2022:
- DDoS attacks account for 44% of all Layer 7 attacks in Vietnam.
- Vietnam is among the top 18 source countries for HTTP DDoS attacks and the top 15 countries most targeted by HTTP DDoS attacks.
- Attacks originate from the largest ISPs in Vietnam, such as VNPT, Viettel, FPT and Mobifone, which makes them difficult to block.

3. Introduction to Cloudflare
Cloudflare provides content delivery network, Internet security and distributed domain name server services, sitting between visitors and the hosting providers of Cloudflare's users. It operates as a reverse proxy for websites and is headquartered in San Francisco, California.
Cloudflare was established in 2009. Its network currently has a total capacity of up to 209 Tbps, double the combined capacity of the top 5 DDoS protection service providers. 15% of global Internet traffic passes through Cloudflare's network. Drawing on this abundant data together with machine learning and behavioral analysis, Cloudflare continuously updates attack patterns and helps customers block 76 billion cyber attacks daily.
Cloudflare is present in over 300 cities and over 100 countries. In Vietnam, Cloudflare has deployed 4 POPs in Hanoi and Ho Chi Minh City since 2019.
4. Introduction to Cloudflare DDoS Protection solution
Cloudflare provides unlimited distributed denial-of-service (DDoS) protection for all customers across all packages and services. Automatic detection and mitigation of DDoS attacks is enabled on Cloudflare's edge system. Cloudflare's edge system includes multiple dynamic Managed Rulesets providing comprehensive protection against various DDoS attacks on L3/4 and L7 of the OSI model.

Cloudflare's distributed edge system sits in front of customers' applications, whether deployed in the cloud, on-premises or as SaaS, and receives all traffic from users, bots and attackers. All connections to customers using Cloudflare services must pass through Cloudflare data centers (DCs), which are reached via BGP anycast.
Using Anycast allows all DCs to advertise a common IP address range, ensuring optimal speed for users. Regardless of location, users always connect to the nearest DC. Anycast also distributes DDoS attack traffic. During an ongoing attack, each DC receives a small portion of the total traffic, making it easier to share the load and filter out unwanted traffic.
The anycast deployment keeps the network setup, design, and services consistent across all edge data centers. Customers do not need to worry about which DC they are connecting to, because the service and the registered configuration are guaranteed at every one.

Every server in every Cloudflare data center, spanning 300 cities across 100 countries with 209 Tbps of network capacity, runs the full suite of DDoS mitigation services, ensuring protection against the largest attacks.
Cloudflare's centralized and decentralized mitigation systems work together to identify and mitigate most DDoS attacks in under 3 seconds. Pre-configured static rules are deployed in under 1 second.
Cloudflare integrates built-in reports providing customers with detailed information about access traffic patterns, observed (and blocked) threats and more, directly from the dashboard or through the Cloudflare GraphQL API. Cloudflare reports can also be integrated with third-party SIEM solutions.
4.1. Types of Cloudflare DDoS protection services

Cloudflare provides 3 DDoS attack protection solutions:
- Website DDoS Protection - Web Services (L7): Layer 7 DDoS protection solution for websites and web applications
- Application DDoS Protection - Spectrum (L4): Reverse proxy solution protecting applications running on TCP/UDP
- Network DDoS Protection - Magic Transit (L3): Protect entire networks within IP subnets from DDoS attacks while accelerating traffic
Overview model:

4.2. Cloudflare HTTP DDoS Attack Protection
With a simple change to DNS settings, customers can onboard their website to Cloudflare within minutes. Cloudflare's globally distributed anycast network routes visitor requests to the nearest Cloudflare DC.
These requests are then scanned on edge DCs to determine whether the visitor is a threat, using criteria such as HTTP headers, agents, query strings, paths, servers, HTTP methods, HTTP versions, TLS cipher versions, and request rates.
The solution provides predefined rulesets that match attack patterns, known attack tools, suspicious patterns, excessive traffic sent to origin/cache, and additional application layer attack vectors at the edge. Cloudflare continuously updates these rulesets to improve attack prevention coverage, cover new and emerging threats, and keep costs to a minimum.
Attack vectors covered include:
- HTTP flood attack
- WordPress pingback attack
- HULK attack
- LOIC attack
- Slowloris attack
- Mirai and Mirai-variant HTTP attacks
Additionally, customers can customize DDoS protection settings to reduce false positives and to meet their specific requirements.
4.3. Cloudflare Spectrum
The Spectrum solution operates as a Layer 4 reverse proxy that protects and accelerates all TCP or UDP-based applications. Customers can route MQTT, email, file transfer, version control, gaming and other traffic over TCP or UDP through Cloudflare to hide the origin and protect it from DDoS attacks.

Key features of Spectrum:
- Forward TCP/UDP traffic through Cloudflare
- Allow or deny IP addresses
- Integrated performance benefits
- Flexible and Full TLS modes
- Real-time application-specific analysis
- Allow traffic to pass through TLS
- Easy setup via dashboard interface or API
- Layer 4 load balancing traffic across multiple servers
- Support for sharing logs to public cloud storage regions
Cloudflare Spectrum integrates with Argo Smart Routing to deliver TCP traffic faster than standard 'best-effort' Internet routing. Cloudflare's network learns from the traffic of approximately 25,000,000 domains and Internet addresses, enabling real-time smart routing based on machine learning (ML) when there is network congestion. Based on measurement tests, TCP round-trip time (RTT) on Cloudflare's network is nearly 17% lower than when traffic is sent directly over the Internet.
Spectrum has a software-configurable IP firewall that can be configured directly on the dashboard or via API. Customers can allow or deny individual IP addresses or IP address ranges for granular control of traffic to their application servers. Customers can also configure rules to block visitors from a specific country or even an Autonomous System Number (ASN).
In case of downtime, all active TCP connections and UDP traffic will be automatically switched to an alternate standby server in a configured load balancing group to avoid disruption. By dynamically distributing to the most available and responsive server groups, Cloudflare Spectrum and Load Balancer help increase customer service uptime.
Additionally, Spectrum supports real-time analytics that give insight into inbound traffic, outbound traffic and threats mitigated by Spectrum:
- View real-time data transmission (input and output) as well as the number of concurrent connections to your service
- Request detailed log data of each connection event via RESTful API
- Automatically send log data to your chosen cloud storage service provider
4.4. Cloudflare Magic Transit

Cloudflare Magic Transit protects customers' entire IP network ranges from DDoS attacks while accelerating network traffic. The solution uses Cloudflare's global network to mitigate attacks, utilizing standard network protocols such as BGP, GRE, and IPsec for routing and encapsulation. All customer network assets, whether on-premise or in cloud environments, are protected.
Cloudflare Magic Transit integrates Cloudflare's best-in-class network firewall, allowing customers to configure allow/deny rules for granular IP ranges and propagate changes within seconds. Magic Transit integrates with all Cloudflare L4 and L7 products.
When integrated with Argo Smart Routing, Cloudflare Magic Transit delivers clean traffic to customers over the fastest, most reliable links in real-time.
Key features:
- Over 209 Tbps network capacity
- Integration through BGP routing and GRE encapsulation
- Support for all IP services (TCP, UDP, IPsec, VoIP, custom protocols)
- Mitigate most attacks in less than 3 seconds
- Integration with L7 services (CDN, WAF, Bot Management…)
- In-depth analytics
- Real-time threat detection
- Always-on and on-demand options
5. Evaluation by organizations
- According to the GigaOm Radar Report for DDoS Protection 2022: Cloudflare was ranked as a Leader. The report evaluated 9 different vendors and Cloudflare received the highest overall ranking.

- According to The Forrester Wave™: DDoS Mitigation Solutions, Q1 2021: Cloudflare was recognized as a 'Leader' among 11 providers, based on 28 criteria for capabilities, strategy and market presence.

- According to Gartner's 2020 report 'Solution Comparison for DDoS Cloud Scrubbing Centers', Cloudflare received the most 'High' ratings among 6 service providers across 23 evaluation criteria.

