How to Defend Against DDoS Attacks: Six Steps

In the first half of this article, Understanding DDoS Attacks, we talked about the nuts and bolts of DDoS attacks. Here, we’ll discuss how you can take practical steps to protect your organization from the devastation of DDoS.

More than 80 percent of companies experienced at least one DDoS attack in 2017. It's no longer a question of if, but when, your organization will be hit by a DDoS attack.

How can companies implement effective strategies to defend themselves against DDoS attacks? Let’s take a look.

Best Practices for Mitigating DDoS Attacks

In 2016, we saw the first weaponized IoT botnet strikes, which used the Mirai malware to bring down mainstream sites like Netflix, Twitter, Reddit and many more (by knocking out their DNS provider, Dyn). Since then, the tools and methods available to hackers have only multiplied. Making matters worse, the price of launching a DDoS attack has gone down: a botnet rental advertising a 290-300 gigabit-per-second attack can cost as little as $20.

It's important for every business to have some sort of protection against large DDoS attacks. Many classic forms of DDoS protection cannot take a nuanced approach to an onslaught of traffic. Rather than separating legitimate traffic from malicious traffic, they drop all traffic to the target indiscriminately, which finishes the attacker's job for them.

Not every type of DDoS protection is effective against every type of attack, though. Flow-based monitoring (sampled NetFlow or sFlow records exported by routers) is effective against volumetric attacks, because those show up as a spike in bytes or packets toward a destination, but it is less effective against network protocol and application attacks, which hide in low volumes of traffic that flow summaries cannot inspect. Packet analysis, which sees the headers and payload of every packet, is effective against all three.
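To make the difference concrete, here is an added example (not code from the original article or from any vendor) that runs a flow-based detector and a packet-based detector over constructed sample data. The flow records, connection states, addresses and the 100 Mbit/s threshold are all assumptions made up for the illustration: the flow detector catches the UDP flood by volume alone, while the Slowloris-style application attack is invisible to it and only shows up when per-connection payload is inspected.

```python
"""Flow-based vs packet-based DDoS detection on constructed sample data.

Flow records summarise each 5-tuple conversation (NetFlow/sFlow style);
packet inspection sees the payload of every packet.  Both detectors are
illustrative, not any product's implementation.
"""
from collections import defaultdict

# Constructed flow records for a one-second window:
# (src, dst, proto, dst_port, packets, bytes)
FLOWS = [
    # Two sources hammering a DNS server: a volumetric UDP flood.
    ("198.51.100.10", "203.0.113.5", "udp", 53, 120_000, 150_000_000),
    ("198.51.100.11", "203.0.113.5", "udp", 53, 110_000, 140_000_000),
    # A Slowloris-style application attack on a web server: tiny flows.
    ("192.0.2.20", "203.0.113.7", "tcp", 80, 40, 4_000),
    ("192.0.2.21", "203.0.113.7", "tcp", 80, 38, 3_800),
    # An ordinary client of the same web server.
    ("192.0.2.99", "203.0.113.7", "tcp", 80, 12, 9_000),
]

# Constructed packet-level view of the web server's open connections:
# (src, connection_id, seconds_open, request bytes received so far)
CONNECTIONS = [
    ("192.0.2.20", 1, 45, b"GET / HTTP/1.1\r\nHost: www.example\r\nX-a: 1\r\n"),
    ("192.0.2.20", 2, 44, b"GET / HTTP/1.1\r\nHost: www.example\r\nX-a: 2\r\n"),
    ("192.0.2.20", 3, 40, b"GET / HTTP/1.1\r\nHost: www.example\r\n"),
    ("192.0.2.21", 4, 41, b"GET / HTTP/1.1\r\nHost: www.example\r\n"),
    ("192.0.2.99", 5, 1, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
]

VOLUMETRIC_BPS = 100_000_000  # assumed 100 Mbit/s per-destination threshold


def flow_detect(flows, threshold_bps=VOLUMETRIC_BPS):
    """Return destinations whose aggregate bit rate exceeds the threshold.

    Flow data only carries counters, so this catches the UDP flood but cannot
    tell the slow, never-completed HTTP requests apart from real clients.
    """
    bits_per_dst = defaultdict(int)
    for _, dst, _, _, _, nbytes in flows:
        bits_per_dst[dst] += nbytes * 8
    return {dst for dst, bits in bits_per_dst.items() if bits > threshold_bps}


def packet_detect(connections, min_age=30, min_incomplete=2):
    """Return sources holding several old connections with unfinished headers.

    A complete HTTP request header ends in CRLF CRLF; a Slowloris client never
    sends it.  This needs the per-packet payload visibility flow data lacks.
    """
    incomplete = defaultdict(int)
    for src, _, age, payload in connections:
        if age >= min_age and b"\r\n\r\n" not in payload:
            incomplete[src] += 1
    return {src for src, n in incomplete.items() if n >= min_incomplete}


if __name__ == "__main__":
    print("flow-based detector flags:", flow_detect(FLOWS))      # {'203.0.113.5'}
    print("packet-based detector flags:", packet_detect(CONNECTIONS))  # {'192.0.2.20'}
```

Note that the web server 203.0.113.7 never appears in the flow detector's output: a few hundred bytes per second is well under any volumetric threshold, which is exactly why flow-only monitoring misses application-layer attacks.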

The DDoS protection offered by your ISP or cloud provider is unlikely to provide the comprehensive defense you need. Their priority is protecting their own infrastructure; yours is protecting your applications and networks. So you shouldn't rely exclusively on them for full-coverage DDoS protection.

Four Requirements for DDoS Protection

A modern DDoS defense should include four critical requirements:

  1. Precision: It's crucial for companies to implement a precise DDoS defense system. Blunter defenses such as Remotely Triggered Black Hole Filtering (RTBH) have upstream routers drop all traffic to the victim's address, which protects the rest of the network but takes the target offline, completing the attacker's work. A precise protection solution can pinpoint threats and mitigate them accordingly. This helps to avoid costly mistakes such as false positives, which block legitimate users, and false negatives, which let an attack through.
  2. Scalability: The largest DDoS attack reported at the time reached 1.35 terabits per second in March 2018. Given the sheer size of today's DDoS attacks, it's more important than ever for DDoS protection systems to scale along every dimension of an attack: the packet rate, the number of attacking bots and the bit rate. A system that scales on only one of these can prove inadequate.
  3. Wartime Response Efficiency: An automated DDoS defense system can eliminate the need for costly and time-consuming manual intervention. It should automatically detect, mitigate, report and learn from DDoS attacks. This is especially true in the event of a multi-vector attack (using multiple techniques and methodologies simultaneously).
  4. Affordability: Companies can keep costs low without sacrificing performance with a smaller, more efficient and more affordable DDoS protection system. This reduces the number of appliances needed, decreases cost and cuts down on rack space, saving both time and money.

Unfortunately, legacy systems fall short on these requirements for the following reasons:

  • Lack precision: Flow-based detection can't see sophisticated network protocol and application-layer attacks.
  • Lack scale: Racks of equipment are required in order to create profitable clean pipe services.
  • Lack automation: Trained experts are required to initiate time-consuming manual interventions.
  • Not affordable: Legacy systems are too expensive to scale.

Modern Approach to DDoS Protection

The frequency of multi-vector DDoS attacks is growing rapidly. DDoS Strategies research by IDG revealed that UDP flood attacks account for 20 percent of all attacks. Categorized by layer:

  • 29 percent of attacks take place at the network layer
  • 25 percent at the application layer
  • 25 percent at the network layer
  • 21 percent at infrastructure services

Hackers are using multiple types of attacks against single targets. It's more crucial than ever for modern DDoS protection solutions to meet each of the four critical requirements: precision, scalability, wartime response efficiency, and affordability. A DDoS protection strategy falls short if it isn't comprehensive. Companies should prioritize multi-layered hybrid solutions that provide constant protection from any type of DDoS attack.

A modern, top-to-bottom approach to DDoS protection uses multiple tools and accomplishes multiple goals:

  • Layered, in-depth detection: Combines a cost-effective reactive mode with layered packet-level detection.
  • Intelligent automation with machine learning: Eliminates the need for manual intervention.
  • Scales to hundreds of thousands of monitored entities, each with its own policy: Provides profitable clean-pipe services.
  • Overcomes organizational silo issues: Allows organizations to leverage common resources and talents.

Companies typically implement one of three deployment modes.

  • Proactive: A proactive deployment is always on, watching all incoming traffic and detecting and mitigating attacks in real time. It is usually implemented by placing packet-based detection and mitigation appliances inline at the edge of the network.
  • Reactive: A reactive deployment uses flow-based data (such as NetFlow or sFlow exported by routers) for visibility into the network's traffic. When an attack is detected, traffic for the affected destination is routed to a mitigator, scrubbed clean, and then re-injected into the network. This is the mode most commonly offered by ISPs and cloud providers.
  • Hybrid: A hybrid deployment uses on-demand cloud mitigation to absorb volumetric attacks, together with inline, on-premises packet-based solutions designed to detect and mitigate all three major types of DDoS attack: volumetric, network protocol and application.

To reap the benefits of a modern approach to DDoS protection and adequately defend against multi-vector attacks, it’s typically recommended that organizations adopt a hybrid deployment mode.

DDoS Cloud Scrubbing

Companies also need to seek out solutions that offer DDoS cloud scrubbing: a cloud service to which traffic is diverted away from the organization's data centers during an attack. The cloud scrubbing service removes the malicious traffic and then sends the legitimate traffic back to its normal path via the ISP.

DDoS Threat Intelligence

Threat intelligence is another important aspect of a DDoS defense strategy. Without it, companies are forced to use guesswork and blind mitigation to combat attacks. With threat intelligence, organizations can identify known threats, such as active botnets and reflection sources, before they hit the network.

Companies struggle to extract useful insights from incomplete and outdated threat intelligence data. It's essential to look toward a real-time feed of actionable threat intelligence that actively tracks objects such as botnets, the IP addresses of reflection attack agents, and more.

The Right DDoS Defense Tools

Companies shouldn't underestimate the importance of finding the right DDoS defense tools. Organizations must first understand which types of attacks are the most common and which are rising in popularity. Amplification attacks (where spoofed requests to open DNS, NTP or memcached servers trigger responses many times larger than the request) are currently the most common, followed closely by stateful floods, which are often sourced from botnets, including IoT botnets such as those used in the Mirai attacks.

Altogether, a comprehensive DDoS solution which blends both technology and process will succeed thanks to the presence of:

  • Dedicated, on-premises gear that can remain vigilant 24/7.
  • An expert incident team who can respond and react to any type of attack.
  • The cloud, which can serve as a destination for diverted traffic.

Six Steps for DDoS Defense

During a DDoS attack, an effective defense will include:

  1. On-premises gear automatically detects the attack and activates mitigation procedures.
  2. The incident response team is automatically alerted when the attack escalates to a certain level without being successfully mitigated.
  3. The incident response team engages by verifying that a real attack is taking place (rather than a false positive), analyzing the attack, providing mitigation guidance and recommending cloud swing when needed.
  4. A diversion signal is sent to the cloud, along with details about the attack.
  5. The cloud team diverts traffic for scrubbing, usually by announcing the victim's prefix over the Border Gateway Protocol (BGP) from the scrubbing center or by repointing the hostname through the Domain Name System (DNS).
  6. When the attack is over, traffic is restored to its normal path through the ISP.
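Steps 4 through 6 hinge on how BGP chooses a path: the scrubbing center announces a more-specific prefix covering the victim, the Internet's longest-prefix-match routing sends that traffic to the scrubber, and withdrawing the announcement restores the original path. The following added example (not code from the article or from any scrubbing provider) models that diversion with a tiny routing table. The 10.1.0.0/16 customer aggregate, the victim address, the next-hop labels and the GRE return tunnel are constructed for the illustration; the /24 limit reflects the common transit-provider practice of filtering longer IPv4 announcements.

```python
"""Model of BGP-based scrubbing diversion and restoration (steps 4-6).

Added example with constructed prefixes and next-hop labels; it is not any
vendor's or provider's implementation.
"""
import ipaddress

# Most transit providers filter IPv4 announcements longer than /24, so BGP
# diversion can only swing a whole /24 (or larger), never a single host.
MAX_DFZ_PREFIXLEN = 24


class Rib:
    """Minimal routing table: longest-prefix match picks the next hop."""

    def __init__(self):
        self.routes = {}  # ip_network -> next-hop label

    def announce(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        if net.prefixlen > MAX_DFZ_PREFIXLEN:
            raise ValueError(
                f"{prefix} is longer than /{MAX_DFZ_PREFIXLEN}; upstreams would "
                "filter it, so divert the covering /24 or use DNS diversion"
            )
        self.routes[net] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        best = None
        for net, next_hop in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None


def covering_prefix(victim_ip):
    """The smallest globally routable prefix that contains the victim."""
    return ipaddress.ip_network(f"{victim_ip}/{MAX_DFZ_PREFIXLEN}", strict=False)


def divert(rib, victim_ip):
    """Steps 4-5: the scrubbing center announces the victim's covering /24.
    Being more specific than the customer's aggregate, it wins the lookup for
    the victim while the rest of the aggregate keeps its normal path."""
    rib.announce(str(covering_prefix(victim_ip)), "scrubbing-center")
    return rib.lookup(victim_ip)


def restore(rib, victim_ip):
    """Step 6: withdraw the more-specific; traffic falls back to the aggregate."""
    rib.withdraw(str(covering_prefix(victim_ip)))
    return rib.lookup(victim_ip)


def path_for(rib, ip):
    """Hops a packet takes to reach ip.  Clean traffic leaves the scrubbing
    center over a GRE tunnel back to the customer (assumed return path)."""
    hop = rib.lookup(ip)
    if hop == "scrubbing-center":
        return [hop, "gre-tunnel-to-customer", "origin"]
    return [hop, "origin"]


if __name__ == "__main__":
    rib = Rib()
    rib.announce("10.1.0.0/16", "customer-isp")  # constructed customer aggregate
    victim = "10.1.7.42"
    print("normal path:", path_for(rib, victim))
    print("during attack:", divert(rib, victim), path_for(rib, victim))
    print("neighbour host unaffected:", rib.lookup("10.1.9.1"))
    print("after attack:", restore(rib, victim), path_for(rib, victim))
```

Two caveats a practitioner should carry away from this model. First, if the customer already announces only a /24, the scrubber's announcement of the same /24 is not more specific and does not automatically win; the customer must withdraw its own announcement (or the provider must otherwise prefer the scrubber's path) for the swing to happen. Second, DNS-based diversion, which repoints a hostname at the scrubbing provider's edge, needs a low TTL to take effect quickly and only helps if the origin address is not reachable directly; otherwise the attacker simply targets the origin IP and bypasses the scrubber.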

Webinar

Learn how you can protect your organization from DDoS attacks with best practices. View the webinar with experts Jeff Wilson of IHS Markit and Ahmad Nassiri of A10 Networks.