Edgio adds advanced DDoS protection with other WAAP enhancements

Content delivery network (CDN) service provider Edgio has added a new Distributed Denial of Service (DDoS) scrubbing ability along with improved Web Application and API Protection (WAAP) to its network security offering.

Designed to reduce severe damages from sophisticated DDoS attacks, Edgio’s scrubbing solution impersonates the customer’s network by routing the customer’s IP traffic through its scrubbing point-of-presence (PoP) and only sending the “clean” traffic back to the customer’s infrastructure, according to Richard Yew, senior director, product management for Security at Edgio.

A PoP is the point at which two or more different networks or communication devices build a connection with each other.

“Companies like Edgio are always working to push the bar forward with mitigating DDoS attacks, while the bad guys continue to advance their bot armies — both in complexity and in sheer numbers,” said Chris Steffen, research director at analyst and consulting firm Enterprise Management Associates. “When coupled with threat detection and API protection, Edgio’s solution will provide some interesting choices for customers dealing with continued DDoS attacks and API vulnerabilities.”

Edgio’s scrubbing extends to origin servers

A typical DDoS attack has an attacker holding a business’ system, website or network hostage by overwhelming it with a large volume of requests, making it unavailable to legitimate users. The attack uses multiple compromised devices, referred to as bots or zombies to effect simultaneous requests.

There are, however, other types of DDoS attacks that target the origin servers or IP addresses of a website or application, instead of targeting the front-end infrastructure or CDN. These are called direct-to-origin attacks.

Edgio’s new scrubbing capability promises protection at the source level against attacks from the non-web applications via a dedicated scrubbing capability that uses standard protocols such as Border Gateway Protocol (BGP) and generic routing encapsulation (GRE) tunnel for masking the original IP packets.

“Coupling DDoS scrubbing with edge/CDN-based DDoS protection ensures we provide 100% protection against all forms of DDoS attacks today,” Yew said.

Outbound rule customizer and proxy detection

Edgio has also added a set of improvements to its WAAP, which include advanced rule customizer, outbound data leak prevention, proxy detection, enhanced configurability and regional code support for geopolitical compliance.

Conventionally, security rules are designed to inspect inbound requests to mitigate application attacks from the inside-in, lacking the outbound visibility. Therefore, Edgio has added the ability for security rules to scan outbound traffic as well, preventing data and code leakage.

“Controlling outbound traffic is critical — one of the most significant control gaps there is, and continues to be the cause for abuse of APIs and the sensitive traffic that uses them,” Steffen said. “Controlling that traffic (or — in the very least — having visibility to that traffic) is an important step on gaining control of data in motion, regardless of the source.”

Outbound rules typically have higher computational costs and tend to add too much latency if done via a point solution that’s not edge based, according to Yew.

Edgio has also added the ability to detect and block requests originating from anonymous proxies, providing additional control on the access to customers’ applications. The enhanced configuration management will enable developers to directly import and export configuration JSON via both API and UI to protect new applications.

Edgio’s clients can also control access to their applications via new advanced access control rules like regional control down to specific regions and provinces.