This blog was originally posted on F5.com.
Applications are the face of your company. Customer goodwill is won or lost in a heartbeat these days, so downtime of any description is not an option. Every second you are out of commission is a potential prelude to financial and/or reputational loss.
While there are a multitude of fancy new cyber-attacks that can disrupt and harm, it is a distinctly “old school” threat that remains among the most prominent (and disruptive).
Distributed Denial of Service (DDoS) attacks aren’t new. In fact, the first known incident resembling a denial of service attack reportedly occurred in 1974 when a 13-year-old at the University of Illinois took down a room full of terminals connected to a learning management system.
Times have changed since, but DDoS attacks have continued to evolve, grow teeth, and wreak havoc. This is particularly true in the wake of COVID-19, with a number of industry reports from the past two quarters highlighting significant spikes across the world.
Yet, even before the pandemic, the DDoS threat was on an upward trajectory. For example, an analysis of F5 Security Incident Response Team data recently noted that 77% of all attacks against service providers in 2019 were DDoS-related. In 2017, it was around 30%.
What are the risks?
DDoS attacks typically come in three forms. High bandwidth attacks, also known as volumetric floods, are the most common. A massive amount of traffic is sent to the targeted victim’s network with the goal of consuming so much bandwidth that users are denied access.
Then there are protocol attacks (sometimes called “computational” or “network” attacks), which deny service by exploiting either weaknesses in, or the normal behavior of, protocols. These are typically OSI layer 3 and layer 4 protocols such as ICMP (Internet Control Message Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and others. The goal is to exhaust the computational capabilities of the network or intermediate resources (such as firewalls) and achieve denial of service.
Finally, and arguably the toughest of the bunch, are application layer attacks (also known as OSI layer 7 attacks), which target web servers, web application platforms, and specific web-based applications rather than the network itself. This is when attackers attempt to crash the server and make a website or application inaccessible. These attacks can target known application vulnerabilities, the application’s underlying business logic, or abuse higher-layer protocols like HTTP/HTTPS (Hypertext Transfer Protocol/Secure) and SNMP (Simple Network Management Protocol). Attacks of this nature often use less bandwidth and don’t always show up as a sudden increase in traffic, which makes them much harder to detect and mitigate without false positives. Application layer attacks are measured in requests per second.
One of the biggest challenges facing security teams is the ease with which a DDoS attack can be launched; a vast array of online resources means almost anyone can become a cybercriminal at the click of a button. There are also services that you can pay to attack the target of your choice. Everyone is at it too, whether it is hacktivists, disgruntled ex-employees, “script-kiddies” leveraging ready-made code, or nation-state actors.
Unfortunately, there’s no way to completely avoid being a target, but there are several steps you can take to better protect your organization.
First of all, it is crucial to have a DDoS response plan in place. This should be a playbook that outlines every step for incident response (people, processes, roles, procedures, etc.).
To effectively mitigate app-based DDoS attacks, all organizations need to:
- Learn typical traffic behaviour and use the insights to stamp out anomalies.
- Be precise. Being able to separate legitimate surges in activity from attacks means you can maintain the desired user experience without adding risk. Visibility into the performance of the system being compromised is very important.
- Locate the bad actor. Application layer attacks involve a connection being established. This means there is an opportunity to find the source of the attack.
- Generate an attack signature. Blocking the source of the attack might cut off access for legitimate users if large proxy servers are involved. With a unique signature for an attack, you can block on a granular level. You can find the weak points in the attack and use them against the threat actors.
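The four steps above, worked through as an added example that is not code from the F5 post: a small Python script learns a requests-per-second baseline from clean access logs, flags the seconds that exceed it, ranks the source IPs in that window, and then derives a (method, path, user-agent) signature so that the flood can be dropped without also dropping a legitimate user who happens to share the flooding host’s IP. Every log line, IP address (documentation ranges), timestamp, path and user-agent string is constructed for the example, and the mean + 3·stdev threshold is an assumed rule, not an F5 setting.

```python
"""Added example (not from the F5 post): baseline, anomaly, attribution and
signature steps for an application-layer flood, run over constructed log lines.
Every IP, timestamp, path and user-agent here is made up for illustration."""
import re
from collections import Counter
from statistics import mean, pstdev

# Combined-format access-log line: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["second"] = rec["ts"].split()[0]          # timestamp truncated to the second
    rec["path"] = rec["path"].split("?", 1)[0]    # drop the query string: floods vary it
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def learn_threshold(records, k=3.0):
    """Step 1: learn typical requests/second from clean traffic; flag > mean + k*stdev (assumed rule)."""
    counts = list(Counter(r["second"] for r in records).values())
    return mean(counts) + k * pstdev(counts)

def anomalous_seconds(records, threshold):
    """Step 2: the seconds whose request rate exceeds the learned threshold."""
    per_sec = Counter(r["second"] for r in records)
    return sorted(s for s, c in per_sec.items() if c > threshold)

def top_sources(records, seconds, n=3):
    """Step 3: an L7 flood needs a completed TCP connection, so client IPs are real; rank them."""
    return Counter(r["ip"] for r in records if r["second"] in seconds).most_common(n)

def request_key(r):
    return (r["method"], r["path"], r["ua"])

def derive_signature(live, seconds, baseline):
    """Step 4: the (method, path, UA) tuple most over-represented in the attack window
    relative to the baseline; blocking on it is finer-grained than blocking an IP."""
    attack = Counter(request_key(r) for r in live if r["second"] in seconds)
    normal = Counter(request_key(r) for r in baseline)
    return max(attack, key=lambda key: attack[key] / (normal[key] + 1), default=None)

def run_detection(baseline_text, live_text):
    baseline, live = parse_log(baseline_text), parse_log(live_text)
    threshold = learn_threshold(baseline)
    seconds = set(anomalous_seconds(live, threshold))
    sig = derive_signature(live, seconds, baseline)
    bad_ips = {ip for ip, _ in top_sources(live, seconds, n=2)}
    by_sig = [r for r in live if request_key(r) == sig]
    by_ip = [r for r in live if r["ip"] in bad_ips]
    return {
        "threshold": round(threshold, 2),
        "anomalous_seconds": sorted(seconds),
        "top_sources": top_sources(live, seconds, n=2),
        "signature": sig,
        "blocked_by_signature": len(by_sig),
        "blocked_by_ip": len(by_ip),
        # legitimate requests behind the same IP that a plain IP block would also cut off
        "legit_dropped_by_ip": sum(1 for r in by_ip if request_key(r) != sig),
    }

# --- constructed sample logs (documentation IP ranges, invented paths and UAs) ---
def make_line(ip, second, method, path, ua):
    return f'{ip} - - [{second} +0000] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'

BROWSER, FLOOD_UA = "Mozilla/5.0", "python-requests/2.0"   # both constructed labels
NORMAL_PATHS = [["/", "/about"], ["/", "/login", "/about"], ["/", "/about"],
                ["/", "/login", "/search"], ["/", "/about"]]

def legit_lines(minute):
    # Two or three browser requests per second from 198.51.100.0/24.
    return [make_line(f"198.51.100.{i + 1}", f"10/Oct/2020:13:{minute}:{s:02d}", "GET", p, BROWSER)
            for s, paths in enumerate(NORMAL_PATHS) for i, p in enumerate(paths)]

BASELINE_LOG = "\n".join(legit_lines("55"))
# Flood: two hosts in 203.0.113.0/24 each send POST /search with a varying query, 6 per second.
FLOOD = [make_line(f"203.0.113.{5 + i % 2}", f"10/Oct/2020:13:56:{s:02d}", "POST",
                   f"/search?q={s}{i}", FLOOD_UA) for s in (2, 3) for i in range(6)]
# One real browser user sharing the flooding host's IP (e.g. behind the same proxy).
SHARED_PROXY_USER = [make_line("203.0.113.5", "10/Oct/2020:13:56:02", "GET", "/", BROWSER)]
LIVE_LOG = "\n".join(legit_lines("56") + FLOOD + SHARED_PROXY_USER)

if __name__ == "__main__":
    for name, value in run_detection(BASELINE_LOG, LIVE_LOG).items():
        print(f"{name}: {value}")
```

On the constructed data the script learns a threshold of about 3.87 requests per second, flags the two flooded seconds, ranks the two 203.0.113.x hosts first, and derives the signature `("POST", "/search", "python-requests/2.0")`. Blocking on that signature drops the 12 flood requests; blocking the two top IPs instead drops 13, the extra one being the legitimate browser request that shares the flooding host’s address, which is exactly the proxy collateral the text warns about.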
When it comes to implementing specific DDoS protection solutions, you should always base it on the frequency your organization is attacked (or the likelihood thereof), your in-house skillsets to defend against an attack, available budgets, and your network’s capacity and limitations. Deployment options include:
- On-premises. An on-premises DDoS solution can work if your network capacity can handle moderate attacks (in the range of 10 to 50 Gbps), is routinely targeted, and you have skilled in-house DDoS mitigation personnel.
- An outsourced solution. If your network circuits can’t handle an attack greater than 10 Gbps, the risk of attack is low, and you don’t have the in-house expertise to manage an on-premises solution, a DDoS scrubbing center (outsourced service) is recommended.
- Hybrid DDoS. If you are prone to frequent or large-scale DDoS attacks that exceed your network capacity, and in-house mitigation expertise is limited, you can opt for a hybrid model and use a managed service in combination with an on-premises DDoS solution.
In addition to these recommendations, you should also ensure your network infrastructure is protected with firewalls and intrusion detection systems that monitor and analyze network traffic. Furthermore, it is advisable to use anti-virus solutions to curb malware infections, as well as load balancing and redundancy to help maintain availability.
At the same time, it is important to not overlook technical and administrative controls such as limiting remote administration to a management network (instead of the entire internet), and frequently scanning Internet-facing network ports and services.
Everyone should take DDoS seriously, expect to be attacked at some point, and have plans and mitigation measures in place that are intimately aligned with business objectives.