Today, any business can become a victim of a DDoS attack. In the past, such attacks were mostly associated with social unrest, electronic warfare, and large organisations. Today, with the growth of the dark web, DDoS attacks have become an illegal service offered by criminal organisations to clients of all sizes. A DDoS attack could be ordered by your disgruntled customer, by your immoral competitor, or even accompany a ransomware attack.
DDoS attacks have become more commonplace with a record number of more than 10 million such attacks in 2020 alone. The majority of 2020 attacks were short (under four hours) but attackers often repeat such attacks several times in a row. There was a slight drop in the intensity in Q4 2020 but trend analysts expect this to be temporary and estimate that 2021 will bring even more attacks than last year.
Luckily, DDoS defence technologies keep up with the pace. However, due to the nature and complexity of DDoS attacks, this is not something that you can simply resolve by installing software on your servers or configuring your firewalls. DDoS defence requires several layers of protection, a high level of expertise, and a collaborative approach.
The Curse of Complexity
One of the biggest problems with DDoS attacks is that the term actually encompasses several types of attacks, which utilize completely different methods and mechanisms. Here are the three most common ones:
- Volumetric ISO/OSI Model Layer 3 attacks rely on creating a volume of traffic that greatly exceeds your available network bandwidth. Even though all such attacks work in a similar fashion, the types of packets and sources can be different. These attacks include flooding your assets with ICMP pings, UDP packets or bounced TCP responses with a fake source IP. Each of these types requires a different defence approach.
- Protocol ISO/OSI Model Layer 3 attacks, such as the ping of death, rely on exhausting the resources of networking equipment or networking software. They still need quite a large volume of data to be sent, however, the volume is not meant to clog transmission lines but choke the recipients instead. Such attacks often use vulnerabilities or weaknesses of particular protocols.
- Application ISO/OSI Model Layer 7 attacks, such as slowloris, rely on exhausting your server resources, for example, available web server instances. Just a few small malicious packets can make it impossible for your vulnerable and unprotected servers to serve legitimate customers. These attacks aim at different applications and utilize different techniques and vulnerability exploits. Therefore, each type also requires a different defence approach.
Due to the complexity of the DDoS attack landscape, defence technologies must be equally complex. For example, protection against volumetric attacks requires the defence mechanism to be placed as far from your asset as possible. On the other hand, protection against application attacks requires the defence mechanism to be placed as close to your asset as possible.
What makes such attacks even more difficult to mitigate is the fact that attackers often use multiple vectors at the same time (multiple DDoS vectors or even DDoS with other types of attacks, such as attempts at exploiting web vulnerabilities). Trends show that multi-vector attacks in recent years are becoming more and more common.
Effective Defence Methods
There are many different methods of defending your assets against DDoS attacks. Some of them involve only specialized software but many also require human intervention and access to a community that shares attack details with one another.
The most important aspect of successful defence is early discovery. If your resources are already exhausted, it means that the defence was not successful. Detecting real DDoS attacks, on the other hand, is not easy. This is especially true in the case of volumetric attacks, which are hard to distinguish from a legitimate increase in traffic, for example, due to sudden customer interest.
It’s not enough to install some kind of software that detects a rise in traffic or certain kinds of packets. A dedicated team of specialists is still needed to be able to evaluate whether a raised alarm is a true DDoS attack or a false positive. Therefore, the first step is having the right team on the job.
Start Before the Beginning
Many DDoS attacks can be mitigated even before they start simply by eliminating potential attack sources. Criminals reuse their attack resources between attacks. For example, if a criminal organisation performs one DDoS attack using a certain network of bots (for example, vulnerable IoT devices spread around the world), the IP addresses of most of those bots will remain the same in all other attacks from this criminal organisation.
Organisations worldwide exchange data such as IP addresses and types of traffic received (e.g. whether a given IP address only sends malicious traffic or interweaves malicious and legitimate traffic, depending on circumstances). Such specialized information exchange networks help all DDoS defence services provide very effective protection. Most often, the first attempt of a connection from an attack bot is already prevented, never raising an alarm.
DDoS protection services also include properly configured, specialized web application firewalls placed right next to your web assets to prevent application attacks. Such firewalls can eliminate malicious packets that would otherwise consume your resources. Unlike in the case of volumetric attacks, these need to protect your server directly to avoid the attacker finding ways around them.
Step in When It Happens
The second major step of defending against the DDoS attack (after detection) is actual activities performed once the attack has started. This is especially important in the case of volumetric and protocol attacks. There are three major techniques of eliminating the flood of DDoS packets:
- Bandwidth adjustment is possible only in the case of major organisations that have the necessary resources. In such a case, the organisation can temporarily, for example, start an excessive number of servers and take on the entire volume of the DDoS attack without any mitigation. However, with the volume of attacks observed in 2020, this solution is only possible for such online giants as Google, Facebook, Microsoft, or Amazon.
- Blackholing is a very common defence method where, once an attack is detected, all the traffic is simply dumped into a “black hole” (nothingness) instead of being delivered to your server. Unfortunately, this means that all the legitimate connections during the attack are eliminated as well. The aim of this defence method is not to salvage legitimate connections but to make sure that your asset can be immediately back online once the attack is over.
- Scrubbing is the most common defence technique where specialized software analyzes incoming traffic based on its type, source, and content, and decides which packets are most likely to be legitimate and which should be dumped into the black hole. This method is the most effective for all types of DDoS attacks because it does not completely cripple your assets (they are still available for legitimate customers who may, however, experience delays or interruptions). However, it requires a lot of resources on the defence side.
Defence organisations usually offer two modes of protection or a mix of those modes:
- In the case of on-demand services, they work in two modes: a monitoring mode when the defence organisation watches for a potential DDoS attack and a defence mode when the organisation actually steps in and mitigates the attack.
- They can also work in a 24/7 protection mode when some defence mechanisms are permanently activated (for example, scrubbing) thus not requiring actual attack detection.
You Can’t Do It Alone
To protect yourself against potential DDoS attacks, you need to employ all the methods mentioned above. This is clearly beyond the scope of most businesses and therefore DDoS protection is handled by specialists such as BMIT Technologies. However, we can’t do it alone, either! That’s why, for your top-level protection, we work together with global leaders.
Our partners, Lumen and Netscout, provide us with some of the tools needed for your DDoS protection. For example, they help us reach the global information exchange community and eliminate DDoS attack sources even before such attacks happen. Due to serving a large number of organisations worldwide, they also provide scrubbing and blackholing services that are able to protect even against the biggest DDoS attacks.
The key to effectively protect yourself against DDoS is having the right partners to protect you 24/7 and to step in when an attack happens. Partners, who not only have the necessary tools, but also experience in handling such situations in the past. That’s why BMIT is your best bet to make sure that a DDoS attack will not cause major losses to your business.