The evolution of DDoS attacks
For decades, hackers have been using bots to flood target networks with an overwhelming amount of traffic—so much, in fact, that the target servers often shut down.
However, because of their unique ability to cripple system resources, DDoS attacks today are rarely launched just to shut down a network. Instead, they are used to divert attention from secondary attacks, creating the ideal cover for cyber criminals to penetrate a network undetected and engage in malicious activities such as data exfiltration, injection of ransomware, or even physical attacks.
To counter these threats, organizations typically install on-premises mitigation equipment, turn to their internet service providers (ISPs) for protection, or rely on cloud-based solutions to fend off the growing spectrum of attacks. But in today’s technologically fast-paced environment, these methods aren’t enough.
Why plug ‘n’ play is not okay
DDoS attacks are getting more sophisticated, and traditional defense approaches are faltering. As both private and public organizations fall prey to short-duration multi-vector attacks, low-and-slow attacks (where attack traffic stays below detection thresholds), and high-speed volumetric attacks, the impact has become potentially catastrophic. Large organizations that are knocked offline can suffer millions of dollars in lost revenue, lost productivity, and brand damage. They are also at risk of credit and insurance rating downgrades, compromised customer and supplier relationships, and budget overruns as they scramble to upgrade their IT infrastructure.
Plug ‘n’ play technologies simply cannot mitigate this level of risk; a more proactive approach to DDoS prevention is needed, and that is precisely what DDoS protection services should be built on. Unlike off-the-shelf solutions, protection services should be fully customized to the client’s operating environment. A current-state analysis of the environment comes first; after it, the client should define a DDoS protection strategy specifically architected to shield the organization’s assets from targeted attacks. In addition, round-the-clock monitoring helps detect and contain attacks before they can cause damage.
Too often, organizations that suffer a DDoS attack are completely unaware of the extent of the damage created. The stakes associated with DDoS attacks are rising. Make sure you are prepared to fight back.
Why hackers attack
If DDoS attacks were ever considered mere “nuisances,” those days are done. Today, DDoS is a weapon that criminals use to:
- Divert attention from a secondary attack: By forcing resources to focus on resolving the primary attack, DDoS attacks can be smokescreens that allow hackers to gain unauthorized access to other parts of a target’s system in order to exfiltrate data, inject malware, or even launch physical attacks.
- Extort payment: DDoS attacks are used as a form of ransom-based extortion, with hackers demanding payment in exchange for stopping an attack in progress or not attacking again.
- Steal critical assets: Cyber criminals can use DDoS attacks to move into a network in an attempt to steal intellectual property or other information that can be quickly monetized—exposing companies to legal, reputational, and financial risks associated with the loss of private data.
- Demonstrate their skill: With DDoS-for-hire services on the rise, hackers will sometimes launch an attack to provide potential buyers with a demonstration of their botnet’s power.
- Push an agenda: Hacktivists often use DDoS attacks to protest government policy or “punish” corporations for perceived negative practices.
The next generation of DDoS protection
While automated algorithms that detect network traffic anomalies remain critical in the fight against DDoS attacks, these types of reactive approaches are no longer enough. As DDoS attacks become increasingly sophisticated, they must be handled more dynamically and proactively.
Today a managed service is necessary, one that aligns DDoS protection with the client’s business needs. Following a current-state analysis, the provider can devise in-depth recommendations for the implementation of a DDoS protection strategy tailored specifically to the client’s operational environment. That means it protects the client’s most critical data and assets, no matter where they are located.
Round-the-clock monitoring makes it possible to distinguish legitimate from unwanted traffic and to shut down attempted attacks before they cause damage, 24x7, 365 days a year. A dedicated team member in the security stream should work closely with the client to uncover the attackers’ underlying motives and correlate the DDoS attack with suspicious activity taking place at other points across the client’s network. The result? Clients gain the ability to track the type, source, and intent of attacks, and the flexibility to mitigate the collateral damage typically associated with DDoS.
DDoS attacks can cost large enterprises over $1.6 million and small companies over $106,000. However, if the attack is detected within the first 24 hours the impact can be reduced drastically.
Enhanced detection, containment, recovery, and response
A DDoS protection plan built on the approach described above should deliver the following protection attributes:
- Enables immediate response to DDoS attacks across all layers (Layer 3, Layer 4 and Layer 7) through integrated detection and blocking mechanisms.
- Provides stronger verification capabilities than static router filters or signature-based security solutions currently offer.
- Delivers behavior-based anomaly recognition to identify valid packets sent with malicious intent to flood a service.
- Identifies and blocks individual spoofed packets to protect valid business transactions (even during spoofed attacks, when cyber criminal identities and profiles change constantly).
- Offers mechanisms designed to handle the huge volume of DDoS attack traffic in real time.
- Enables on-demand deployment of the DDoS solution (as the business decides) to protect the network during attacks without introducing any single point of failure or imposing the scaling costs of an inline solution.
- Provides smart, built-in processes that cleanse contaminated traffic streams, helping ensure maximum reliability and minimum scaling costs.
- Avoids reliance on network device configuration changes once fine-tuned (should be self
- Uses standard protocols for all communications, ensuring maximum interoperability and reliability.
In addition, an enterprise should follow these leading practices to have comprehensive DDoS protection:
- Be prepared – Every enterprise should have an incident response plan that includes DDoS attack scenarios appropriate to the organization’s threat landscape. The plan should define mitigation strategies, and DDoS protection across all layers should be evaluated against it.
- Design for failure – Design the network and application architecture for scalability and flexibility. It should be designed for failure, i.e. ready to withstand any type of attack while minimizing business impact. Bottlenecks within the environment should be identified, and compensating controls should exist across the network.
- Security monitoring – Continuous monitoring of the network should be in place, and abnormal network patterns should be investigated. NetFlow analysis can be a good way to detect attacks.
- Traffic filtering – Perimeter devices and services such as firewalls, IPS, and blackhole routing can drop some of the unwanted traffic. For protection against Layer 7 application-based attacks, a web application firewall (WAF) can be a good line of defense; it can be tuned to the application’s behavior for best results. Unnecessary ports and unused services should be disabled.
- Server configuration – Regular patch management and hardening of devices should be conducted. Exposed critical servers such as DNS, NTP, and web servers in particular should be checked for secure configurations, especially options for aggressive connection aging and TCP window size enforcement. Configure the solutions according to leading practice guidelines.
- Don’t be at the mercy of the Content Delivery Network (CDN) provider – Pure CDNs are generally not designed to protect assets from DDoS attacks even though they provide higher bandwidth. Cyber criminals may simply bypass the cache and send requests directly to the backend servers. To avoid such challenges, it is better to partner with an anti-DDoS solution provider before an attack happens, in addition to onsite mitigation techniques.
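The security monitoring practice above recommends NetFlow analysis without showing what a flood looks like in flow data. The following is an added example (not from this document or any vendor) that aggregates constructed NetFlow-style records per destination service and raises the two alerts a monitoring team would want: a volumetric rise over a learned baseline, and the high source-cardinality, few-packets-per-flow profile of spoofed flood traffic. All addresses, thresholds and flow records are constructed for illustration.

```python
from collections import defaultdict

# Constructed NetFlow/IPFIX-style records, not real traffic:
# (src_ip, dst_ip, dst_port, proto, packets, bytes).
NORMAL_FLOWS = [
    (f"198.51.100.{i}", "203.0.113.10", 443, "tcp", 10 + i, 6000 + 300 * i)
    for i in range(1, 21)
]
# A SYN-flood-like burst: hundreds of distinct (probably spoofed) sources,
# each sending one or two packets to port 80 without completing a handshake.
FLOOD_FLOWS = [
    (f"192.0.2.{i % 254 + 1}", "203.0.113.10", 80, "tcp", 1 + i % 2, 60 * (1 + i % 2))
    for i in range(600)
]

def summarize(flows):
    """Aggregate flows per (dst_ip, dst_port): packets, bytes, flows, distinct sources."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0, "srcs": set()})
    for src, dst, dport, _proto, pkts, nbytes in flows:
        s = stats[(dst, dport)]
        s["packets"] += pkts
        s["bytes"] += nbytes
        s["flows"] += 1
        s["srcs"].add(src)
    return stats

def detect(window, baseline, ratio=5.0, floor_pkts=200, src_threshold=200, max_avg_pkts=3.0):
    """Compare a flow window against a baseline window and return alerts.

    "volumetric": packets to a service exceed `ratio` times its baseline
    (or `floor_pkts` when the service has no baseline at all).
    "spoofed_flood": many distinct sources contributing only a packet or two
    each, the profile of a spoofed SYN/UDP flood rather than of real clients.
    """
    base = summarize(baseline)
    alerts = []
    for key, s in summarize(window).items():
        base_pkts = base[key]["packets"] if key in base else 0
        if s["packets"] > max(ratio * base_pkts, floor_pkts):
            alerts.append(("volumetric", key[0], key[1], s["packets"]))
        avg_pkts = s["packets"] / s["flows"]
        if len(s["srcs"]) >= src_threshold and avg_pkts <= max_avg_pkts:
            alerts.append(("spoofed_flood", key[0], key[1], len(s["srcs"])))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(NORMAL_FLOWS + FLOOD_FLOWS, baseline=NORMAL_FLOWS):
        print(alert)
```

In production the baseline would be learned from previous windows of the same service (and time of day) rather than fixed, and alerts would be correlated with other telemetry before traffic is dropped or diverted to scrubbing.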