Stopping encrypted attacks with NETSCOUT Arbor Edge Defense

In today’s digital landscape, encrypted traffic is the norm—not the exception. While encryption such as Transport Layer Security (TLS) 1.3 protects user privacy and data integrity, it also presents a growing challenge for security teams: How do you defend against threats hidden inside encrypted traffic without overwhelming your systems?

The Challenge of Encrypted DDoS Attacks

Threat actors are always looking for ways to circumvent modern defenses, and one of the most popular distributed denial-of-service (DDoS) attack methods is to hide the attacks in what looks like ordinary traffic. Enormous amounts of internet traffic now rely on Hypertext Transfer Protocol Secure (HTTPS). Since decrypting TLS 1.3 traffic typically requires proxy-based solutions—which are resource-intensive—many security products struggle to inspect encrypted sessions effectively. This blind spot makes encrypted DDoS attacks harder to detect and mitigate.

Block First, Ask Questions Later

One way to minimize the impact of encrypted attack traffic is to simply drop it before decrypting. There are several methods we employ to filter out the garbage quickly and efficiently:

• Known source blocking: Many attackers are now using open internet proxies to hide the source of their HTTPS attacks. We constantly track these sources, and our ATLAS Intelligence Feed (AIF)-powered countermeasure can block them automatically.
• TLS attack prevention: This countermeasure looks at the TLS handshake (pre-encryption) and can block TLS sessions that don’t follow standard user behaviors​.
• TCP connection limiting: This countermeasure looks at TCP connection behavior from each source. Sources opening too many connections or engaging in abusive behaviors over TCP can be blocked.
• Rate-based protections: Usually attackers will be sending more traffic than legitimate users, and these protections can distinguish and block those sources automatically​.
• Selective decryption: This is used to decrypt and deal with more-advanced attacks, when encrypted traffic behavior mimics legitimate users.

Why Full Decryption Isn’t Always the Answer

Decrypting all traffic isn’t practical. It’s computationally expensive and can quickly exhaust system resources. What’s needed is a smarter approach—one that focuses decryption efforts only where it’s truly necessary.

NETSCOUT’s Solution: Selective Decryption

NETSCOUT’s Arbor Edge Defense (AED) offers a powerful solution via selective decryption. Positioned at the network edge, AED intelligently decides which traffic to decrypt based on threat indicators and client validation.

Here’s how it works:

• Intelligent decryption: As the traffic enters, AED identifies valid client traffic and passes it on without requiring decryption
• Suspicious traffic decryption: Only nonvalidated encrypted traffic is decrypted and analyzed for DDoS threats
• Customizable decryption: Users can enable decryption for specific protection groups or levels, allowing targeted inspection without wasting resources

Benefits of Selective Decryption

Efficient resource use: Focuses decryption on suspicious traffic, preserving system performance
Scalable protection: Enables high-scale defense against encrypted threats without compromising throughput
Flexible configuration: Tailors decryption policies to match the needs of different services and threat levels

Conclusion