DDoS attacks have evolved rapidly over the past decade, and their complexity and sophistication have been ever increasing. The number of attacks is estimated to double in the next two years, reaching over 15 million. Targets vary from financial organizations, the healthcare sector and government entities to low-key public networks. Without a pre-planned strategy in place, organizations cannot provide uninterrupted service to their customers. It is essential for every business to prepare itself with a strong cyber security posture.
Step 1: Choose the DDoS Solutions Stack
On-Premise or Cloud
Ever-evolving cyber-attacks leave organizations weighing an on-premise mitigation plan against a cloud-based one. On-premise DDoS prevention is a purpose-built defence solution deployed at the edge of the network, mainly between the internet and the network core. It gives organizations real-time defence and complete visibility of their network. A cloud-based mitigation service, on the other hand, is used as an on-demand option for large-scale attacks. A recent report on DDoS mitigation solutions states that on-premise equipment and ISP mitigation architectures are 4 times more prevalent than service-only solutions.
DDoS Mitigation Tools
Organizations should pay close attention to the volume of attack traffic a DDoS mitigation tool can handle. Today, malicious traffic arrives at tens to hundreds of gigabytes per second; a famous worldwide news broadcaster received a whopping 602Gbps of traffic. Organizations should therefore favour tools that can absorb such volumes.
Impact on Basic Operations
A large-scale attack can prevent the users of a system from carrying out transactional activities, which may be critical to business operations. The defence solution should allow users to complete their transactions while the ongoing attack is being mitigated.
Organizations should be aware of the total bandwidth they need to protect in order to stay resilient. Many DDoS mitigation services are priced by the bandwidth protected. When an attack scales up to 300 Gbps and the organization's protection is capped at 100 Gbps, they need to rethink their cost model.
A false positive occurs when a legitimate user requests access to the system and the mitigation service flags that user as an attacker. It is one of the most significant issues in DDoS mitigation and deserves close attention. To avoid inconveniencing real users, the solution should be iteratively tested using behaviour analysis of legitimate traffic.
Step 2: Know the Types of Attacks
SYN flooding is an attack that sends a large volume of SYN packets to the server from spoofed IP addresses. The server allocates a half-open (embryonic) connection for each one; because the spoofed sources never complete the handshake, these connections consume all of the server's resources and shut down its transactional services.
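One defender-side check for the half-open connection build-up just described, and for the false-positive concern raised under Step 1, is to audit the server's own connection table. The following is an added example, not code from the original article: it parses a constructed, simplified `ss -tan`-style listing (state, local endpoint, peer) and flags a local port only when many embryonic connections are spread over many distinct peers; the thresholds are assumptions, not vendor defaults.

```python
from collections import defaultdict

# Constructed, simplified `ss -tan`-style snapshot (state, local, peer);
# not a capture from a real host. The web server on 10.0.0.5:443 holds
# embryonic connections from many distinct peers, typical of a spoofed SYN
# flood, while one busy but legitimate client on port 22 retries a handshake.
SAMPLE_SS = """\
State    Local Address:Port   Peer Address:Port
SYN-RECV 10.0.0.5:443         198.51.100.17:51234
SYN-RECV 10.0.0.5:443         198.51.100.18:40001
SYN-RECV 10.0.0.5:443         198.51.100.19:40002
SYN-RECV 10.0.0.5:443         198.51.100.20:40003
SYN-RECV 10.0.0.5:443         198.51.100.21:40004
SYN-RECV 10.0.0.5:443         198.51.100.22:40005
ESTAB    10.0.0.5:443         192.0.2.10:55001
ESTAB    10.0.0.5:443         192.0.2.11:55002
SYN-RECV 10.0.0.5:22          192.0.2.12:60000
ESTAB    10.0.0.5:22          192.0.2.12:60001
ESTAB    10.0.0.5:22          192.0.2.12:60002
"""

HALF_OPEN_LIMIT = 5   # assumed threshold, not a vendor default
SPOOF_RATIO = 0.8     # assumed: distinct peers / half-open hints at spoofing


def parse_ss(text):
    """Yield (state, local endpoint, peer IP), skipping the header line."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2].rsplit(":", 1)[0]


def audit_half_open(text):
    """Per local endpoint: SYN-RECV count, distinct peers and a flood verdict."""
    half_open, peers = defaultdict(int), defaultdict(set)
    for state, local, peer_ip in parse_ss(text):
        if state == "SYN-RECV":
            half_open[local] += 1
            peers[local].add(peer_ip)
    report = {}
    for local, n in half_open.items():
        distinct = len(peers[local])
        # A flood is many embryonic connections spread across many sources;
        # one slow client retrying its handshake is not, so it stays unflagged.
        flagged = n >= HALF_OPEN_LIMIT and distinct / n >= SPOOF_RATIO
        report[local] = {"half_open": n, "distinct_peers": distinct,
                         "flagged": flagged}
    return report
```

Feeding the audit from a periodic `ss -tan` snapshot and alerting only on flagged endpoints keeps a single retrying client from being treated as an attacker.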
With DNS reflection, the attackers contact a large number of open DNS servers and request a DNS zone file while spoofing the source IP address to that of the attack target. In response, the DNS servers send their large zone answers to the target server. The target is effectively taken offline, as it is unable to respond to new DNS requests from real visitors.
The third type is the Smurf or ping attack. The attackers flood ICMP ping requests to a network's broadcast address, which relays them to every device behind the router. Each device responds with a ping reply, overwhelming the router with ping traffic and leaving it unable to respond to real requests.
Because application-based attacks look just like ordinary user traffic, they are among the toughest attacks to detect. The attacker visits the target system like a real user and identifies operations that incur high latency on the server.
An example of such a high-latency operation is a search that returns millions of rows. The attacker scripts the same operation and hits the server with a huge volume of these slow requests, creating a bottleneck that brings the system down. Apache Killer and Slowloris are well-known instances of this attack. Since the attack works at layer 7, it is hard to distinguish attackers from normal users. The network operator can take the entire server down to stop the attack, but that hugely impacts the server's real users.
In this type of attack, the DDoS is used only to deflect attention from a pre-planned attack. While the web properties are under attack, internal and external resources focus on shutting the DDoS down, which gives additional attackers ample opportunity to sneak in through SQL injection. With the injection, attackers can infiltrate the network unnoticed and steal valuable data.
Today's DDoS attacks combine some or all of the methods described above, and these multifaceted campaigns require multifaceted defences. Attacks have evolved over the years from a single attacker launching a one-dimensional attack from a single command-and-control point to highly distributed, phased attacks spanning multiple domains and using encrypted communications. They are frequently launched by multiple groups acting in tandem from different locations, and they have come to resemble military campaigns with extensive up-front planning.
Step 3: Simulations
An organization's security team can use a few lab machines, or a few instances on Elastic Compute Cloud, to generate a large volume of traffic aimed at their own server and simulate a small-scale DDoS attack. This must be done with extreme discretion and aimed at a staging system. With these basic simulations, the organization learns how a DDoS works and how the risks can be mitigated. While the simulated attack is hitting the servers, the security team can use load-testing tools to check how many legitimate users can still access the server under the given load.
Step 4: DDoS Mitigation Test Scenarios