{"id":15536,"date":"2026-01-23T18:01:59","date_gmt":"2026-01-23T18:01:59","guid":{"rendered":"https:\/\/newestek.com\/?p=15536"},"modified":"2026-01-23T18:01:59","modified_gmt":"2026-01-23T18:01:59","slug":"smarter-ddos-security-at-scale","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15536","title":{"rendered":"Smarter DDoS security at scale"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>In today\u2019s digital landscape, encrypted traffic is the norm\u2014not the exception. While encryption such as Transport Layer Security (TLS) 1.3 protects user privacy and data integrity, it also presents a growing challenge for security teams: How do you defend against threats hidden inside encrypted traffic without overwhelming your systems?<\/p>\n<h2 class=\"wp-block-heading\"><strong>The challenge of encrypted DDoS attacks<\/strong><\/h2>\n<p>Threat actors are always looking for ways to circumvent modern defenses, and one of the most popular\u00a0<a href=\"https:\/\/www.netscout.com\/what-is-ddos?utm_source=idg&amp;utm_medium=display&amp;utm_campaign=brand-campaign-cybersecurity&amp;utm_keyword=brandpost&amp;utm_content=article_coverage\" target=\"_blank\" rel=\"noreferrer noopener\">distributed denial-of-service (DDoS)<\/a>\u00a0attack methods is to hide the attacks in what looks like ordinary traffic. Enormous amounts of internet traffic now rely on Hypertext Transfer Protocol Secure (HTTPS). Since decrypting TLS 1.3 traffic typically requires proxy-based solutions\u2014which are resource-intensive\u2014many security products struggle to inspect encrypted sessions effectively. 
This blind spot makes encrypted\u00a0<a href=\"https:\/\/www.netscout.com\/what-is-ddos?utm_source=idg&amp;utm_medium=display&amp;utm_campaign=brand-campaign-cybersecurity&amp;utm_keyword=brandpost&amp;utm_content=article_coverage\" target=\"_blank\" rel=\"noreferrer noopener\">DDoS attacks<\/a>\u00a0harder to detect and mitigate.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Block first, ask questions later<\/strong><\/h2>\n<p>One way to minimize the impact of encrypted attack traffic is to simply drop it before decrypting. There are several methods we employ to filter out the garbage quickly and efficiently:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Known source blocking:<\/strong>\u00a0Many attackers are now using open internet proxies to hide the source of their HTTPS attacks. We constantly track these sources, and our\u00a0<a href=\"https:\/\/www.netscout.com\/product\/atlas-intelligence-feed?utm_source=idg&amp;utm_medium=display&amp;utm_campaign=brand-campaign-cybersecurity&amp;utm_keyword=brandpost&amp;utm_content=article_coverage\" target=\"_blank\" rel=\"noreferrer noopener\">ATLAS Intelligence Feed (AIF)<\/a>-powered countermeasure can block them automatically.<\/li>\n<li><strong>TLS attack prevention:<\/strong>\u00a0This countermeasure looks at the TLS handshake (pre-encryption) and can block TLS sessions that don\u2019t follow standard user behaviors.<\/li>\n<li><strong>TCP connection limiting:<\/strong>\u00a0This countermeasure looks at TCP connection behavior from each source. 
Sources opening too many connections or engaging in abusive behaviors over TCP can be blocked.<\/li>\n<li><strong>Rate-based protections:<\/strong>\u00a0Usually, attackers will be sending more traffic than legitimate users, and these protections can distinguish and block those sources automatically.<\/li>\n<li><strong>Selective decryption:<\/strong>\u00a0This is used to decrypt and deal with more-advanced attacks, when encrypted traffic behavior mimics legitimate users.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>Why full decryption isn\u2019t always the answer<\/strong><\/h2>\n<p>Decrypting all traffic isn\u2019t practical. It\u2019s computationally expensive and can quickly exhaust system resources. What\u2019s needed is a smarter approach\u2014one that focuses decryption efforts only where it\u2019s truly necessary.<\/p>\n<h2 class=\"wp-block-heading\"><strong>NETSCOUT\u2019s solution: Selective decryption<\/strong><\/h2>\n<p>NETSCOUT\u2019s\u00a0<a href=\"https:\/\/www.netscout.com\/product\/arbor-edge-defense?utm_source=idg&amp;utm_medium=display&amp;utm_campaign=brand-campaign-cybersecurity&amp;utm_keyword=brandpost&amp;utm_content=article_coverage\" target=\"_blank\" rel=\"noreferrer noopener\">Arbor Edge Defense (AED)<\/a>\u00a0offers a powerful solution via selective decryption. 
Positioned at the network edge, AED intelligently decides which traffic to decrypt based on threat indicators and client validation.<\/p>\n<p>Here\u2019s how it works:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Intelligent decryption:<\/strong>\u00a0As the traffic enters, AED identifies valid client traffic and passes it on without requiring decryption.<\/li>\n<li><strong>Suspicious traffic decryption:<\/strong>\u00a0Only non-validated encrypted traffic is decrypted and analyzed for DDoS threats.<\/li>\n<li><strong>Customizable decryption:<\/strong>\u00a0Users can enable decryption for specific protection groups or levels, allowing targeted inspection without wasting resources.<\/li>\n<\/ul>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<figure class=\"wp-block-image size-large\"><\/figure>\n<p class=\"imageCredit\">NETSCOUT<\/p>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>Benefits of selective decryption<\/strong><\/h2>\n<ul class=\"wp-block-list\">\n<li><strong>Efficient resource use:<\/strong>\u00a0Focuses decryption on suspicious traffic, preserving system performance<\/li>\n<li><strong>Scalable protection:<\/strong>\u00a0Enables high-scale defense against encrypted threats without compromising throughput<\/li>\n<li><strong>Flexible configuration:<\/strong>\u00a0Tailors decryption policies to match the needs of different services and threat levels<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n<p>As encrypted traffic continues to grow, so does the need for smarter security solutions. 
NETSCOUT AED\u2019s selective decryption approach empowers organizations to defend against encrypted DDoS attacks efficiently and effectively\u2014without sacrificing performance.<\/p>\n<p>\u00a0\u00a0<br \/><strong>Learn more about\u00a0<\/strong><a href=\"https:\/\/www.netscout.com\/product\/arbor-edge-defense?utm_source=idg&amp;utm_medium=display&amp;utm_campaign=brand-campaign-cybersecurity&amp;utm_keyword=brandpost&amp;utm_content=article_coverage\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Arbor Edge Defense<\/strong><\/a><strong>.<\/strong><\/p>\n<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In today\u2019s digital landscape, encrypted traffic is the norm\u2014not the exception. While encryption such as Transport Layer Security (TLS) 1.3 protects user privacy and data integrity, it also presents a growing challenge for security teams: How do you defend against threats hidden inside encrypted traffic without overwhelming your systems? 
The challenge of encrypted DDoS attacks Threat actors are always looking for ways to circumvent modern&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15536\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15536","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15536","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15536"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15536\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15536"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}