What you need to know about DDoS attacks
A Cyber Security White Paper
First, it is important to state that Distributed Denial of Service attacks (“DDoS”) primarily target public facing Web sites of major institutions. The typical small to medium sized business is unlikely to directly experience an attack. However your business could be indirectly impacted if a key client, vendor or Internet service, such as DNS, is attacked.
DDoS attacks, which have recently been in the news, have actually been around almost as long as the Internet. Early on, these attacks were simply used to gain notoriety for an individual or small group of hackers. The DDoS attacks of 2012 and on however have been more complex and sophisticated, and in some cases the DDoS attack has been used as a distraction from the true activity of stealing money.
Types of DDoS Attacks
There are two basic types of attacks. The first is a network attack that focuses on bandwidth and network device throughput exhaustion. The second is an application-layer attack that focuses on consuming all the resources of the hosted application. Recently there has been an emerging third type of DDoS attack which can affect users in the cloud – cloud services subscription exhaustion. All of these attacks have the same result – denying the user access to an online resource like e-mail or a Web site, and significantly increasing the cost to the targeted organization of providing that service.
Motivations for DDoS Attacks
Cyber Crime: Some of the more recent attacks have been used by cyber criminals to hide the exfiltration or movement of money. While some groups are known for using DDoS attacks as a means of extortion, others will attack a Web site and then tell the victim to pay to stop the attack.
Hacktivism: Promoting political beliefs is another significant motivator. Most are familiar with the groups Anonymous and The Syrian Electronic Army, which have been reported in the media as the source of numerous DDoS attacks. In some cases the attackers may be employed by nation states or even business competitors.
Self-Inflicted: This can happen when an organization’s Web site becomes so popular that normal users overwhelm it and in effect create a DDoS event due to the sheer volume of legitimate traffic on the
There are a number of defenses against DDoS, but we need to emphasize there is no single device or service that will prevent a Web site from being attacked. The strategy instead is to mitigate the effects of an attack with a layered technology approach. Before you choose your level of protection from a DDoS attack you need to decide how likely you are to be attacked and determine how much downtime you and your customers can tolerate. Based on recent events, a bank with online services would be more concerned with DDoS than a professional services company with limited or no online customer services. Quantifying tolerance for downtime is important: the shorter the tolerance for downtime, the more complex and expensive the remediation will become.
- Onsite Appliances: There are a number of vendors that sell appliances installed where your public Web sites are hosted. These systems have the advantage of being managed by your IT department, or IT service provider, which allows your response to be more flexible based on the DDoS attack metrics. These appliances can host reputation services to block traffic from known bot systems. Unlike standard Unified Threat Management (UTM) or firewall/IPS appliances, these advanced onsite appliances can host an Intrusion Protection System (IPS). Some downsides to this approach are that the attack is still local to your Internet connections, and can overwhelm your perimeter systems and servers.
- Content Delivery Network (CDN): This is a hosted service that will cache static content from your Web site(s) throughout the Internet. During a DDoS attack, the CDN provider can redirect queries to multiple cached Web sites, essentially spreading the attack out to reduce its effects on your Internet connection and Web site. CDN providers act as proxies to your Web site and they can take advantage of their much greater bandwidth capacity to keep your Web site accessible. The downside of the CDN service is that it’s only obscuring the IP addresses of your Web site and if the attacker can discover those, the effectiveness of the DDoS protection provided by the CDN can be significantly reduced. Another downside is the cost of using the CDN’s bandwidth during a DDoS attack, but this can be managed with favorable contract terms.
- DDoS Protection Service Providers: A service provider in this space will provide you access to their bandwidth where they will use their perimeter DDoS protection to clean the traffic they direct back to your Web site. This is usually a standby service that is activated during an attack and disabled when the attack stops. One downside to this type of protection is that there is a disruption to your online services while traffic is being redirected to the service and when the service is disabled after the attack. Another downside is the latency that is introduced by the traffic redirection during an attack, but these disruptions are preferable to having your whole site go offline.
- Web Application Firewall (WAF) Service: In this case, the WAF is hosted either separately or as part of the CDN or DDoS Protection services. Some of the same downsides exist for this service as for DDoS Protection Services, including disruption while traffic is being redirected to the service and when the service is disabled after the attack, and the latency that is introduced by the traffic redirection during an attack. Another possible issue could be that the service provider rule set may not be as granular as you need while minimizing false positives.
What Protections to Choose?
Like most security protection, there is not a single action or product that will effectively protect against DDoS by itself. Security solutions are more effective when layered. All products and services have their strengths and weaknesses, and layering multiple protections can buttress one product or service’s weakness with the strength of another. Likewise, there are pros and cons with onsite and hosted protections. You may want to go the hosted route exclusively and pick a CDN that provides caching as well as anti-DDoS protection and a WAF.
Planning an Attack Response
The best time to plan for a DDoS attack is before it happens. Determine your best responses to specific situations with a tabletop drill before you’re attacked. If you have an incident response procedure, treat this as such. One of the first things you should consider is how to determine that your Web site is under a DDoS attack. There are some indicators: if the attack is the old-fashioned bandwidth exhaustion type, it will be pretty easy to determine what’s going on. If the attack is an application-layer attack against your Web site server, it may be more difficult.
- Before an attack, you need to continuously monitor bandwidth availability to your Web site and your Web server health. This establishes a baseline from which you can determine what is normal vs. abnormal, and lets your monitoring alert you when abnormal activity occurs.
- For effective remediation during a DDoS attack, you will need to rapidly assess the situation and determine if you are actually under an attack and what type of attack is occurring. It is then important to quickly implement the response, which might include enabling the CDN/hosted DDoS protection or effectively tuning your onsite anti-DDoS protection.
- Once you’ve implemented your protection and the attack symptoms have been reduced or eliminated, you should concentrate on getting back to standard operations. You should also work to determine exactly what occurred and use that information to fine-tune your incident response, as well as the effectiveness of your anti-DDoS service or your onsite protection.
Detecting a DDoS attack can be difficult. You may see the results of an application DDoS attack when the application services start to repeatedly fail for your public or online Web site. Also, remember, an application-layer DDoS attack may not involve enough traffic to significantly affect your Web site bandwidth but it can still have disastrous results.
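As an added example, not code from the white paper, the following Python sketch applies the baselining advice above: it learns per-metric thresholds from a known-quiet window, then labels each minute as volumetric, application-layer, mixed, or merely elevated load, so that an application-layer attack that never saturates the link is still caught through server-health metrics rather than bandwidth alone. All sample values and field names are constructed for illustration.

```python
# Added example, not code from the white paper; sample values and field
# names are constructed for illustration.
from statistics import mean, pstdev

# Constructed per-minute samples:
# (inbound Mbit/s, requests/s, HTTP 5xx error rate, p95 response time in ms)
BASELINE_WINDOW = [
    (42, 310, 0.004, 180), (45, 330, 0.003, 175), (40, 300, 0.005, 190),
    (48, 350, 0.004, 185), (44, 320, 0.003, 170), (46, 340, 0.004, 180),
]

def build_baseline(samples, k=3.0):
    """Per-metric threshold = mean + k * stddev over a known-quiet window."""
    thresholds = []
    for column in zip(*samples):
        m, sd = mean(column), pstdev(column)
        # Floor the stddev at 5% of the mean so a flat metric does not fire on jitter.
        thresholds.append(m + k * max(sd, 0.05 * m))
    return thresholds

def classify(sample, thresholds):
    """Label a sample: normal, elevated-load, volumetric, application-layer, mixed."""
    mbps, rps, err, p95 = sample
    t_mbps, t_rps, t_err, t_p95 = thresholds
    link_saturating = mbps > t_mbps
    # Failing or slow server with a calm link is the application-layer case.
    app_degraded = err > t_err or p95 > t_p95
    if link_saturating and app_degraded:
        return "mixed"
    if link_saturating:
        return "volumetric"
    if app_degraded:
        return "application-layer"
    if rps > t_rps:
        # Server coping with more requests: legitimate popularity or an early flood.
        return "elevated-load"
    return "normal"

def sustained_alert(samples, thresholds, consecutive=3):
    """(label, start_index) once a non-normal label holds `consecutive` minutes."""
    run_label, run_start, run_len = None, 0, 0
    for i, sample in enumerate(samples):
        label = classify(sample, thresholds)
        if label == run_label:
            run_len += 1
        else:
            run_label, run_start, run_len = label, i, 1
        if label != "normal" and run_len >= consecutive:
            return label, run_start
    return None
```

The `sustained_alert` check is the piece that keeps a single noisy sample from triggering the incident response procedure; tune `consecutive` to how quickly your plan needs to activate hosted protection.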
About Systems Engineering
Systems Engineering is a leading provider of IT strategy and comprehensive business technology products and services to organizations nationwide. SE security services take proactive measures to protect against costly security breaches and potential downtime. SE Secure delivers a layered, policy-based framework using best-in-class technologies. SE EventWatch℠ provides real-time log management, 24/7 monitoring, intrusion detection and prevention, compliance reporting, and vulnerability scanning designed to protect your network and minimize downtime.
To learn more about protecting your network against DDoS attacks, contact Systems Engineering for a complimentary network security assessment.