SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are the standard protocols for establishing an encrypted link between a browser and a server; "SSL" is still used colloquially for both, even though the SSL versions themselves are deprecated. With SSL/TLS in place, all data exchanged between server and browser is encrypted and protected against tampering in transit. An SSL or TLS certificate is a data file that binds a public key to a specific identity (a domain name and, for some certificate types, an organization), signed by a certificate authority. When the certificate and its corresponding private key are installed on a web server, the server can prove its identity to connecting browsers and negotiate an encrypted session with them.
SSL-based DDoS attacks fall into two classes: (i) protocol misuse attacks, which abuse the SSL/TLS protocol itself, typically the handshake, and cause denial of service by preventing secure connections from ever completing (the handshake is asymmetric: the client spends little to start one, while the server performs the expensive private-key operations, so a stream of half-finished handshakes exhausts the server's CPU); and (ii) SSL traffic floods, in which ordinary-looking requests are sent in volume over an already established encrypted channel.
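The two classes above leave different traces in a connection log: a protocol-misuse source starts many handshakes that never reach an established session, while a flood source completes its handshakes normally and then sends far more requests than a real client would. The following is an added example, not code from the original page or from any vendor mentioned in it; the log format (`<unix_time> <src_ip> <event>` with events `hs_start`, `hs_done`, `req`), the sample lines and the thresholds are all assumptions made for the example.

```python
"""Heuristic detection of the two SSL/TLS DDoS classes in a connection log.

The log format, the sample lines and the thresholds below are constructed
assumptions for this example, not those of any real product.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

BASE_TS = 1700000000  # arbitrary start time for the constructed log


@dataclass
class SourceStats:
    """Per-source counters over the whole log."""
    hs_start: int = 0          # ClientHellos seen
    hs_done: int = 0           # handshakes that finished (session established)
    requests: int = 0          # HTTP requests served over established sessions
    first_ts: Optional[int] = None
    last_ts: Optional[int] = None

    @property
    def window(self) -> int:
        """Seconds spanned by this source's activity (at least one)."""
        if self.first_ts is None or self.last_ts is None:
            return 1
        return max(1, self.last_ts - self.first_ts + 1)


def build_sample_log() -> List[str]:
    """Constructed log lines: '<unix_time> <src_ip> <event>' (hypothetical format)."""
    lines: List[str] = []
    # Legitimate client: two completed sessions and a dozen requests over ten seconds.
    for i in range(2):
        lines.append(f"{BASE_TS + i * 5} 203.0.113.5 hs_start")
        lines.append(f"{BASE_TS + i * 5} 203.0.113.5 hs_done")
    for i in range(12):
        lines.append(f"{BASE_TS + i} 203.0.113.5 req")
    # Protocol-misuse source: 50 ClientHellos in ten seconds, only one completes.
    for i in range(50):
        lines.append(f"{BASE_TS + i // 5} 198.51.100.7 hs_start")
    lines.append(f"{BASE_TS} 198.51.100.7 hs_done")
    # Flood source: three real sessions, then 300 requests in ten seconds.
    for _ in range(3):
        lines.append(f"{BASE_TS} 198.51.100.9 hs_start")
        lines.append(f"{BASE_TS} 198.51.100.9 hs_done")
    for i in range(300):
        lines.append(f"{BASE_TS + i // 30} 198.51.100.9 req")
    return lines


def aggregate(lines: List[str]) -> Dict[str, SourceStats]:
    """Fold log lines into per-source counters; malformed lines are skipped."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        ts, ip, event = int(parts[0]), parts[1], parts[2]
        s = stats[ip]
        if event == "hs_start":
            s.hs_start += 1
        elif event == "hs_done":
            s.hs_done += 1
        elif event == "req":
            s.requests += 1
        else:
            continue  # unknown event: ignore, do not count towards the window
        s.first_ts = ts if s.first_ts is None else min(s.first_ts, ts)
        s.last_ts = ts if s.last_ts is None else max(s.last_ts, ts)
    return dict(stats)


def classify(stats: Dict[str, SourceStats], min_handshakes: int = 20,
             min_completion: float = 0.5, max_req_rate: float = 10.0) -> Dict[str, str]:
    """Label each source.

    handshake_abuse: many ClientHellos, most never reaching an established
        session (the server paid for the costly part of every handshake).
    https_flood: handshakes complete normally but the request rate over the
        established sessions is far above a normal client's.
    The thresholds are illustrative assumptions; tune them to the site's baseline.
    """
    verdicts: Dict[str, str] = {}
    for ip, s in stats.items():
        completion = s.hs_done / s.hs_start if s.hs_start else 1.0
        req_rate = s.requests / s.window
        if s.hs_start >= min_handshakes and completion < min_completion:
            verdicts[ip] = "handshake_abuse"
        elif req_rate > max_req_rate:
            verdicts[ip] = "https_flood"
        else:
            verdicts[ip] = "ok"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify(aggregate(build_sample_log())).items()):
        print(f"{ip:15} {verdict}")
```

Two caveats apply when using something like this for real. First, the counters only exist where the handshake state is visible, that is, at the endpoint or appliance that terminates SSL/TLS; a device that only sees ciphertext cannot tell a completed handshake from a stalled one, which is the point the rest of the page makes about inspection. Second, per-IP counting is blind to a distributed attack in which each source stays under the thresholds, and it penalises many users behind one NAT address, so it is a starting heuristic rather than a complete mitigation.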
SSL-based DDoS attacks are growing in number as encrypted traffic comes to account for 25-35% of all inbound and outbound Internet traffic, according to Radware. Organizations are turning to encryption partly because of industry trends such as migration to the cloud, and partly because mainstream browsers only support the newer HTTP/2 protocol over TLS; the HTTP/2 specification itself also allows cleartext, but in practice browser-to-server HTTP/2 requires encryption.
As encrypted connections rise, SSL inspection and SSL protection solutions become increasingly relevant. One in every four web-based DDoS attacks is encrypted, and decrypting traffic at attack volumes requires a high-capacity mitigation solution.
A DDoS protection service cannot analyse and filter a company's encrypted traffic unless it can see the plaintext. There are two ways to arrange that: (i) the protection service is given the private key so that it can decrypt the traffic itself, which is common among large companies that already have their infrastructure managed by third parties; or (ii) the protection service places one of its appliances on the client's network, whose sole purpose is to terminate the SSL connections and forward all traffic in plaintext to the DDoS protection service, which filters it and passes only the legitimate traffic through to the company's internal web servers.
Either approach works, although the first more often raises security concerns. Handing your private key to a third party replaces at least some technical control with contractual control, and brings with it greater oversight and audit responsibilities over that third party; the risk of the third party misusing the key is mitigated through those contractual and audit arrangements rather than technically. Some companies, such as Prolexic, have recently developed solutions in which they receive only temporary, short-lived keys, which limits the window in which a leaked or misused key remains useful.
Ultimately, it comes down to the reputation of, and the trust you can place in, a DDoS protection service to manage its access to your encrypted content. Check its compliance and regulatory policies in detail before entering into a relationship.