Gabriel_Gomane

Enhance protection against DDoS attacks with HPE Aruba Networking SASE

Today’s organizations face increasingly sophisticated cyberattacks that can disrupt network performance and compromise security. One of the most disruptive forms of attack is Distributed Denial of Service (DDoS), which can cause significant downtime, financial loss, and reputational damage.  

HPE Aruba Networking SASE offers a multi-layered security approach to combat these threats. EdgeConnect SD-WAN’s built-in Next Generation Firewall now includes Adaptive DDoS protection that uses cutting-edge machine learning to dynamically adjust defense mechanisms in real time. ZTNA (Zero Trust Network Access) adds an extra layer of defense by reducing the attack surface, masking private resources and segmenting application access, to ensure that only authenticated and authorized users access specific services. 

What is a DDoS attack? 

A DDoS attack is a malicious attempt to overwhelm a target server, service, or network with massive amounts of traffic, causing it to slow down or become completely unavailable. Unlike a Denial of Service (DoS) attack, which typically originates from a single source, a DDoS attack involves many devices, often coordinated through a network of compromised devices called a botnet, which makes it harder to mitigate by simply blocking individual sources. DDoS attacks generally fall into three categories: volumetric attacks, such as UDP floods, which saturate a network's bandwidth with excessive traffic; protocol attacks, such as SYN floods, which exploit weaknesses in network protocols to exhaust server or firewall state (for example, the connection table); and application layer attacks, such as HTTP floods, which target a specific application, such as a website, with seemingly legitimate requests to exhaust its resources. Each type of attack targets a different layer of the OSI model, impacting both network stability and security. 

[Figure: Example of a protocol attack using SYN flood]
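The protocol attack in the figure is recognizable in the firewall's state table: the attacker's SYNs create handshakes that are never completed, so half-open entries pile up for one destination. The following is an added example, not code from HPE Aruba Networking or from the original post; it replays a constructed packet trace, tracks half-open handshakes per 4-tuple the way a stateful firewall would, and flags a destination whose half-open count within a sliding window crosses a threshold. The addresses, ports, timings, window and threshold are all constructed for the demonstration.

```python
"""SYN-flood detection from a constructed packet trace (added example).

A handshake is half-open from the client's SYN until the client's final ACK
(or a RST from either side) on the same 4-tuple. A flood from spoofed
sources never sends that ACK, so half-open entries accumulate on the victim.
"""
from collections import defaultdict

SYN_FLOOD_THRESHOLD = 10   # half-open handshakes per destination (constructed)
WINDOW_S = 5.0             # only SYNs newer than this count (constructed)


def build_trace():
    """Constructed packet trace: (time_s, src, sport, dst, dport, flags).

    Flags use tcpdump-style letters: "S" SYN, "SA" SYN-ACK, "A" ACK, "R" RST.
    """
    trace = []
    # Three legitimate, completed handshakes from one client.
    for i, sport in enumerate((51000, 51001, 51002)):
        t = 1.0 + i * 0.1
        trace += [
            (t,        "10.0.0.5",     sport, "203.0.113.10", 443,   "S"),
            (t + 0.01, "203.0.113.10", 443,   "10.0.0.5",     sport, "SA"),
            (t + 0.02, "10.0.0.5",     sport, "203.0.113.10", 443,   "A"),
        ]
    # One stale half-open SYN that will have aged out of the window.
    trace.append((0.0, "192.0.2.7", 40000, "203.0.113.10", 443, "S"))
    # Two slow but legitimate half-open SYNs to a second server.
    trace.append((4.0, "10.0.0.9", 42000, "203.0.113.20", 443, "S"))
    trace.append((4.1, "10.0.0.9", 42001, "203.0.113.20", 443, "S"))
    # Spoofed-source SYN flood: 20 SYNs in 0.2 s, never acknowledged.
    for i in range(20):
        trace.append((5.0 + i * 0.01, f"198.51.100.{i + 1}", 40000 + i,
                      "203.0.113.10", 443, "S"))
    trace.sort(key=lambda pkt: pkt[0])
    return trace


def half_open_by_dst(trace, now, window_s=WINDOW_S):
    """Replay the trace; return {dst: half-open handshakes started within window}."""
    pending = {}   # (src, sport, dst, dport) -> time of the client's SYN
    for t, src, sport, dst, dport, flags in trace:
        key = (src, sport, dst, dport)
        if "R" in flags:
            # A reset from either side tears the handshake down.
            pending.pop(key, None)
            pending.pop((dst, dport, src, sport), None)
        elif flags == "S":
            pending[key] = t
        elif "A" in flags and "S" not in flags:
            # Client's ACK (possibly carrying data, e.g. "PA") completes it.
            pending.pop(key, None)
        # "SA" from the server is ignored: only the client's ACK completes.
    counts = defaultdict(int)
    for (_, _, dst, _), t in pending.items():
        if now - t <= window_s:
            counts[dst] += 1
    return dict(counts)


def detect_syn_flood(trace, now, threshold=SYN_FLOOD_THRESHOLD):
    """Return {dst: count} for destinations at or above the half-open threshold."""
    return {dst: n for dst, n in half_open_by_dst(trace, now).items()
            if n >= threshold}


if __name__ == "__main__":
    trace = build_trace()
    now = trace[-1][0]
    print("half-open per destination:", half_open_by_dst(trace, now))
    print("flooded destinations:", detect_syn_flood(trace, now))
```

The same counter, keyed by source instead of destination, is what a "top talkers" or "denied hosts" view reports; with spoofed sources it is the per-destination view that exposes the flood, which is why the device-side state table, not the client address, is the right place to look.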

What is Adaptive DDoS defense? 

Adaptive DDoS in EdgeConnect SD-WAN is an advanced defense mechanism designed to counter increasingly sophisticated DDoS attacks by using machine learning to automatically adjust defense thresholds in real time. Unlike traditional DDoS protection that relies on static, manually set thresholds, Adaptive DDoS protection continuously learns from the network’s behavior, ensuring that defenses are always tuned to current conditions without the need for constant manual updates. This dynamic approach not only simplifies the management of DDoS defenses but also increases their effectiveness. 

To help manage the network during a DDoS attack, administrators can set minimum and maximum thresholds. Crossing the minimum threshold raises an early warning, while traffic is only dropped once the maximum threshold is exceeded, so that legitimate traffic is not dropped prematurely. This gives administrators better control, ensuring that traffic is dropped only when necessary. 

Two core features make Adaptive DDoS highly efficient. The Auto Rate Limiting feature sets the minimum threshold, while Smart Burst sets the maximum threshold. 

  • Auto Rate Limiting: This feature leverages machine learning to regularly calculate a new traffic baseline based on network statistics and usage patterns. Over time, it learns the normal flow of traffic across the network, which allows it to dynamically set a minimum threshold for traffic flows. Traditionally, administrators would have to estimate and configure these thresholds manually, often resulting in overly conservative or risky configurations. Auto Rate Limiting automates this process, ensuring that the network stays protected while preventing unnecessary disruptions. It can detect early signs of an attack before they escalate, providing an early warning system that helps prevent traffic drops before they become critical.  
  • Smart Burst: During regular network operations, there are times when legitimate traffic spikes occur, such as during morning logins or nightly backups. These are "good traffic bursts" that should not be blocked. However, distinguishing between good and malicious bursts can be challenging. Smart Burst addresses this by allocating unused flow capacity across configured firewall zones to handle legitimate traffic surges without compromising security. It applies specific algorithms to manage traffic at the maximum threshold, preventing bad traffic from overwhelming the network. Administrators can choose from four customizable modes to suit their specific defense goals: 
      • Baseline Plus adds an extra buffer to the learned baseline, providing additional protection without risking the premature drop of legitimate traffic. 
      • Committed Burst proportionally allocates extra flow capacity to different firewall zones, ensuring that all zones have sufficient bandwidth during high-traffic periods. 
      • Excess Burst collects and redistributes any unused flow capacity from other zones, offering a second layer of support to zones experiencing higher-than-usual traffic. 
      • Custom Mode gives administrators the flexibility to define their own rules for managing flow capacity based on unique network needs. 
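The two-threshold scheme and the four Smart Burst modes described above can be made concrete with a small model. The following is an added example, not HPE Aruba Networking code and not the product's algorithm: it learns a per-zone baseline of new-flow rate (a stand-in for Auto Rate Limiting), derives a minimum threshold from it, and computes the maximum threshold per zone under each mode (a stand-in for Smart Burst). The learning rule (an exponentially weighted moving average), the zone names, the device flow capacity, the margins and the exact burst formulas are constructed assumptions chosen to match the text's descriptions, not vendor specifications.

```python
"""Toy model of adaptive DDoS thresholds per firewall zone (added example).

Minimum threshold: learned baseline plus a margin; crossing it is an alert.
Maximum threshold: baseline plus a burst allowance chosen by the Smart Burst
mode; crossing it drops excess new flows. All constants are constructed.
"""
from dataclasses import dataclass

TOTAL_FLOW_CAPACITY = 10_000.0   # new flows/sec the device can track (constructed)
MIN_MARGIN = 0.5                 # minimum threshold = baseline * (1 + MIN_MARGIN)
BASELINE_PLUS_BUFFER = 0.5       # maximum threshold buffer in Baseline Plus mode


@dataclass
class Zone:
    name: str
    baseline: float = 0.0   # learned normal new-flow rate, flows/sec
    samples: int = 0

    def learn(self, observed_rate, alpha=0.2):
        """Auto Rate Limiting stand-in: EWMA of the observed new-flow rate."""
        if self.samples == 0:
            self.baseline = float(observed_rate)
        else:
            self.baseline = (1 - alpha) * self.baseline + alpha * observed_rate
        self.samples += 1
        return self.baseline

    def min_threshold(self):
        """Early-warning threshold derived from the learned baseline."""
        return self.baseline * (1 + MIN_MARGIN)


def max_thresholds(zones, rates, mode, capacity=TOTAL_FLOW_CAPACITY, custom=None):
    """Smart Burst stand-in: the per-zone maximum (drop) threshold for a mode.

    rates: {zone: current new-flow rate}; Excess Burst uses it to find
    capacity other zones were allotted but are not using right now.
    """
    base = {z.name: z.baseline for z in zones}
    total_base = sum(base.values()) or 1.0
    spare = max(capacity - sum(base.values()), 0.0)
    # Committed Burst: hand out spare capacity in proportion to each baseline.
    committed = {n: b + spare * (b / total_base) for n, b in base.items()}
    if mode == "baseline_plus":
        return {n: b * (1 + BASELINE_PLUS_BUFFER) for n, b in base.items()}
    if mode == "committed_burst":
        return committed
    if mode == "excess_burst":
        unused = {n: max(committed[n] - rates.get(n, 0.0), 0.0) for n in base}
        return {n: min(committed[n] + sum(u for m, u in unused.items() if m != n),
                       capacity) for n in base}
    if mode == "custom":
        if custom is None:
            raise ValueError("custom mode needs a custom(name, baseline, spare, rate) rule")
        return {n: custom(n, b, spare, rates.get(n, 0.0)) for n, b in base.items()}
    raise ValueError(f"unknown Smart Burst mode: {mode}")


def decide(zones, rates, mode, **kw):
    """Return {zone: (action, max_threshold)} for the current rates.

    allow: below the minimum; alert: between the thresholds, early warning
    without dropping; drop: at or above the maximum, excess flows dropped.
    """
    maxes = max_thresholds(zones, rates, mode, **kw)
    out = {}
    for z in zones:
        rate = rates.get(z.name, 0.0)
        if rate >= maxes[z.name]:
            action = "drop"
        elif rate >= z.min_threshold():
            action = "alert"
        else:
            action = "allow"
        out[z.name] = (action, maxes[z.name])
    return out


def build_zones():
    """Constructed zones, each trained on a few steady samples."""
    zones = [Zone("lan"), Zone("guest"), Zone("dmz")]
    for z, steady in zip(zones, (2000.0, 500.0, 1500.0)):
        for _ in range(5):
            z.learn(steady)
    return zones


if __name__ == "__main__":
    zones = build_zones()
    # Morning-login surge in lan while guest and dmz are quiet (constructed).
    surge = {"lan": 4800.0, "guest": 100.0, "dmz": 1400.0}
    for mode in ("baseline_plus", "committed_burst", "excess_burst"):
        print(mode, decide(zones, surge, mode))
```

Running it shows the point of the modes: with a lan baseline of 2000 flows/sec, a 4800 flows/sec login surge is dropped under Baseline Plus (maximum 3000) but only alerted under Committed Burst (maximum 5000) and Excess Burst (maximum 8500, borrowing the idle guest and dmz allotments). A 4000 flows/sec flood on the guest zone, whose baseline is 500, is dropped under every mode, because even the borrowed capacity caps it at 3800.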

Auto Rate Limiting and Smart Burst allow the system to stay adaptive and responsive to both everyday traffic fluctuations and unexpected attack patterns, offering a smarter, more efficient defense against DDoS threats. As a result, network performance remains smooth, and critical applications continue to run without disruption, even during an attack. 

The solution also includes a comprehensive set of DDoS analytics and reporting tools. These include insights into threshold violations, flow drops, denied hosts, top talkers, and alarms for exceeded thresholds. This visibility allows administrators to stay informed about network performance and security events, helping them make proactive decisions to maintain business continuity. 


Reduce the attack surface with ZTNA 

ZTNA, part of HPE Aruba Networking SASE, is a vital component in defending against DDoS attacks by minimizing the network attack surface and ensuring that services are not exposed to unauthorized users. In a traditional network, services and applications are often openly accessible, increasing the potential entry points for attackers to exploit.  

With ZTNA, however, access to resources is strictly controlled based on the principle of "least privilege," where users are granted only the access needed to perform their tasks. Because private applications are reached only through the ZTNA service after the user has been authenticated and authorized, they present no public endpoint that an attacker can flood directly. By segmenting user access to applications and enforcing strict access policies, ZTNA makes it much more difficult for malicious traffic to reach critical services, reducing the chances of a successful DDoS attack. In the event of an attack, ZTNA helps contain the damage by limiting access to affected segments, preventing the attacker from moving laterally across the network.   

Scale protection with HPE Aruba Networking SASE 

HPE Aruba Networking SASE integrates robust secure SD-WAN features through EdgeConnect SD-WAN, offering advanced protection against modern cyber threats. The platform combines essential security functions like IDS/IPS, role-based segmentation, and Secure Web Gateway (SWG) integration to create a comprehensive defense architecture. IDS/IPS monitors network traffic and detects known attack patterns, providing real-time, signature-based protection through application-level policies tied to firewall zones. These systems operate in both inline and out-of-band modes, giving network administrators flexibility in balancing security and performance.  

Role-based segmentation adds an extra layer of control by allowing administrators to define security policies based on user roles, devices, and network segments. This granular segmentation limits the network attack surface and reduces the risk of lateral movement during an attack, safeguarding sensitive data even if one part of the network is compromised. 

To further enhance security, HPE Aruba Networking SASE allows organizations to augment their SD-WAN with other Security Service Edge (SSE) features like SWG and Cloud Access Security Broker (CASB). SWG provides web-based threat protection, offering malware protection and web content filtering. CASB, on the other hand, enhances security by monitoring and controlling access to SaaS applications, protecting against data loss, unauthorized access, and policy violations. 

Conclusion 

By leveraging machine learning to dynamically adjust defense thresholds through Adaptive DDoS, EdgeConnect SD-WAN, part of HPE Aruba Networking SASE, simplifies DDoS protection while maintaining high network performance. Additionally, with ZTNA, administrators can reduce the attack surface by enforcing strict access controls and masking private resources, ensuring that services remain hidden from unauthorized users and minimizing the risk of successful DDoS attacks. 

Beyond DDoS protection, the integration of SWG and CASB further strengthens an organization’s security posture. Together, these features make HPE Aruba Networking SASE an ideal solution for organizations looking to enhance their network security, ensuring that critical resources remain safe from evolving cyber threats while optimizing performance and scalability. 

To learn more, read our solution overview on this topic. 

 Other resources: 

HPE Aruba Networking SD-WAN webpage 

HPE Aruba Networking SSE webpage 

HPE Aruba Networking SASE webpage 

SASE explained 

About the Author

Gabriel_Gomane

Gabriel Gomane has more than 15 years of experience in product marketing and product management, focusing primarily on networking, security and digital transformation. He has broad international experience, having held marketing positions based in Europe and in the US. Before joining HPE Aruba Networking, Gabriel worked for various high tech companies including Meru Networks and MEGA International. Gabriel holds a BS in engineering from Grenoble INP and an MBA from HEC Paris.