A hybrid approach is also possible, and in some cases it is very convenient: a separate certificate and key are created specifically for DDoS protection. This option lets the customer keep its production private key undisclosed while still being able to switch on key-disclosure protection the moment an attack begins, because the only key the provider ever holds is the dedicated one. To set it up, the provider's customers simply select the corresponding option in their customer portal, after which a certificate and key pair is issued for them automatically. Since clients will be presented with this certificate once traffic is redirected to the provider, it still has to be a valid, publicly trusted certificate for the protected hostname.
Let's look at a case that happened quite recently. A bank used the following DDoS protection scheme: its "business card" website was protected by disclosing its private SSL keys to the provider, and the bank's WAN network was protected through a BGP connection.
The attack on the bank began, as always, unexpectedly and, as often happens, on a "fine" spring morning. It targeted the applications that provide the bank's mobile services and was carried out over HTTP using a botnet. BGP-based protection, effective against DDoS threats at L3 and L4, naturally could not cope with this fairly powerful L7 attack: at the network level the bot requests look like ordinary HTTP traffic, so there is nothing for L3/L4 filtering to key on. As a result, the mobile banking applications became unavailable.
The bank's specialists urgently set up forwarding of the system logs from their load balancers to the DDoS provider's L7 analyzer, which made it possible to enable protection without disclosing the private SSL keys: the analyzer works on the already-decrypted request records in the logs rather than on the TLS traffic itself. Literally a couple of minutes after this setup was completed, the attack traffic was being filtered out and the intruders' bots blocked. Note that this log-based mode can only act on requests the balancers have already received and logged, so the balancers themselves must stay up under the attack load for it to work.
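As an added example (not code from the original article, the bank, or the DDoS provider it describes), the following script models the kind of analysis an L7 analyzer can run over load-balancer access logs: it counts requests per source IP in short time buckets, flags sources whose request rate no real mobile-banking client would produce, and extracts the User-Agent shared by the flagged sources so the filter can match the botnet by signature rather than by IP alone. The log format (Combined Log Format), the sample log lines, the IP addresses, the User-Agent strings and the thresholds are all constructed assumptions for illustration.

```python
"""
Added example of log-based L7 bot detection over load-balancer access logs.
All log lines below are constructed; thresholds are illustrative assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined Log Format (Apache/nginx default). This is an assumption about what
# the balancers emit; adjust the pattern for other log formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def build_sample_log():
    """Constructed sample: three legitimate app clients plus three bot sources."""
    legit_ua = "BankApp/4.2 (Android 13)"  # constructed client User-Agent
    lines = [
        f'198.51.100.{i} - - [12/Apr/2023:09:00:{s:02d} +0300] '
        f'"GET /api/v1/balance HTTP/1.1" 200 512 "-" "{legit_ua}"'
        for i, s in ((5, 1), (6, 7), (7, 12), (5, 31), (6, 44), (7, 58))
    ]
    # Botnets frequently present one fixed, often outdated, User-Agent.
    bot_ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # constructed
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        for n in range(30):  # 30 requests within 3 seconds from each bot
            lines.append(
                f'{ip} - - [12/Apr/2023:09:00:{n // 10:02d} +0300] '
                f'"POST /api/v1/login HTTP/1.1" 401 0 "-" "{bot_ua}"'
            )
    return lines


def analyze(lines, window_seconds=10, max_requests_per_window=20):
    """Flag source IPs exceeding max_requests_per_window in any time bucket.

    Returns (blocked_ips, shared_ua, parse_errors). shared_ua is the dominant
    User-Agent common to every flagged IP, or None if they do not share one.
    """
    per_ip_bucket = Counter()          # (ip, bucket) -> request count
    ua_by_ip = defaultdict(Counter)    # ip -> User-Agent -> count
    parse_errors = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            parse_errors += 1
            continue
        bucket = int(rec["ts"].timestamp()) // window_seconds
        per_ip_bucket[(rec["ip"], bucket)] += 1
        ua_by_ip[rec["ip"]][rec["ua"]] += 1

    blocked = sorted({ip for (ip, _), n in per_ip_bucket.items()
                      if n > max_requests_per_window})
    shared_ua = None
    if blocked:
        dominant = {ua_by_ip[ip].most_common(1)[0][0] for ip in blocked}
        if len(dominant) == 1:
            shared_ua = dominant.pop()
    return blocked, shared_ua, parse_errors


if __name__ == "__main__":
    blocked, ua, errors = analyze(build_sample_log())
    print("block these sources:", blocked)
    print("shared User-Agent signature:", ua)
    print("unparsed lines:", errors)
```

Blocking by IP alone is the weakest response, since a botnet can rotate sources; the shared User-Agent (or, in a fuller analyzer, the path, request cadence and header fingerprint) is what lets the provider keep filtering bots that have not been seen yet. The thresholds here are deliberately crude; a real deployment would derive them from a baseline of the application's normal per-client request rate.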