
DDoS

Attack types and mitigation strategies

What is DDoS?

In short, a Distributed Denial of Service (DDoS) attack is one in which an attacker uses a botnet (an army of compromised machines) to exhaust the resources of, or the bandwidth to, your servers and applications until they can no longer serve your clients. This exhaustion is typically achieved by sending excessive traffic or requests to your server.

More recently, however, DDoS attack vectors have shifted from the network and transport layers to the application layer. One reason for this is the rise of reflection and amplification style attacks. In this type of attack, an attacker sends a small packet to a vulnerable machine using the spoofed IP address of the victim. The machine generates a large response (amplification), which is then sent to the spoofed IP address (reflection), i.e. to the victim of the DDoS attack. Using this technique, attackers can generate large-scale attacks with far fewer machines. The largest DDoS attack recorded to date generated 1.3 Tbps of memcached DDoS traffic.

DDoS attack types

Volumetric attacks: the most common type! Designed to overwhelm a machine’s network bandwidth by flooding it with data requests.

Protocol attacks: the most common example is the SYN flood. These attacks focus on exhausting the connection (state) tables of devices that track and verify connections. They may not target the victim’s machine directly, but rather a device on the path to it.

Application-layer attacks: focused primarily on direct web traffic. Layer-seven protocols that can be targeted include HTTP, HTTPS, DNS and SMTP.

Amplified reflection attacks: the most damaging style! As covered above, attackers send large numbers of small requests to vulnerable servers, spoofing the victim’s IP address; the servers then reply with large, amplified responses to the unsuspecting victim. The much-hyped memcached reflection vector has an extraordinary amplification factor: a 210-byte request can trigger a 100 MB response directed at the target.

DDoS, IoT and 5G

A newer attack strategy is based on the UDP implementation of the Constrained Application Protocol (CoAP). CoAP is specified over both TCP and UDP, and a CoAP endpoint does not require authentication before replying to a small request with a much larger response. This makes CoAP the next vector for an amplified reflection style attack.

As new 5G networks become operational, we should expect both the size of attacks and the traffic they generate to increase exponentially. Ericsson recently predicted that by 2024 the number of IoT devices with cellular connections will reach 4.1 billion. These devices will grow not only in number but also in speed, and if left unsecured they are ideal amplifying reflectors for the next record-breaking DDoS attack.
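The arithmetic behind the amplification claims above, as an added example that is not code from the original post. The memcached figures (a 210-byte request, a 100 MB response, a 1.3 Tbps peak) are the ones quoted in the post; the CoAP request and response sizes, the number of devices and the per-device uplink speed are constructed assumptions used only to show how the model is applied. The `exposure` function is the defender's view: it estimates how much reflected traffic a population of unsecured devices you operate could be made to emit, and shows why faster device uplinks raise that ceiling.

```python
"""Reflection/amplification arithmetic (added example; figures other than the
memcached ones are constructed assumptions)."""

from dataclasses import dataclass

MB = 1_000_000  # decimal megabyte, in bytes


@dataclass(frozen=True)
class Reflector:
    name: str
    request_bytes: int   # bytes in the spoofed-source request the service receives
    response_bytes: int  # bytes the service sends back to the spoofed (victim) address


# Reflector profiles. The memcached numbers are the post's; the CoAP sizes are
# constructed for illustration and are not measured values.
PROFILES = {
    "memcached": Reflector("memcached", 210, 100 * MB),
    "coap": Reflector("coap", 21, 500),
}


def amplification_factor(r: Reflector) -> float:
    """Bandwidth amplification factor: bytes delivered to the victim per byte sent."""
    return r.response_bytes / r.request_bytes


def spoofed_input_needed(r: Reflector, attack_bps: float) -> float:
    """Bits/s of spoofed requests that would yield attack_bps of reflected traffic
    if the reflectors had unlimited uplink. This is the post's 'far fewer
    machines' point: the input needed shrinks by the amplification factor."""
    return attack_bps / amplification_factor(r)


def exposure(r: Reflector, devices: int, uplink_bps: float, input_bps: float) -> float:
    """Reflected traffic a population of exposed devices can emit toward a victim:
    the amplified request stream, capped by the devices' aggregate uplink.
    Faster devices (the post's 5G/IoT point) raise the cap."""
    return min(input_bps * amplification_factor(r), devices * uplink_bps)


if __name__ == "__main__":
    for r in PROFILES.values():
        print(f"{r.name}: amplification factor {amplification_factor(r):,.0f}x")
    mc = PROFILES["memcached"]
    print(f"input for 1.3 Tbps via memcached: {spoofed_input_needed(mc, 1.3e12) / 1e6:.2f} Mbps")
    # Constructed: 1,000 exposed devices, each with a 10 Mbps uplink.
    print(f"1,000 devices at 10 Mbps can emit at most {exposure(mc, 1000, 10e6, 2.73e6) / 1e9:.0f} Gbps")
```

The `exposure` result is what matters for an operator of IoT fleets: once the request stream is amplified beyond the devices' combined uplink, the uplink, not the amplification factor, decides the damage, so limiting response sizes or filtering spoofed traffic at the edge caps it regardless of protocol.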

DDoS fun facts

  • In 2018, DDoS as a Service (yes, it is a thing!) saw significant growth, while the total number of DDoS attacks (148,000 of them) was actually down – by nearly 30% – from 2017. The reason for this decline? Organisations are better prepared.
  • Just over 10 percent of attacks used multiple vectors, while nearly 90 percent were single-vector attacks.
  • The memcached-based DDoS attack on GitHub sent 177 Mpps (or 1.3 Tbps) to GitHub. How big is your internet pipe?

First step in DDoS Defence

Just like anything else technology related, you need to cover the basics:

  • People
  • Process
  • Technology

You can do this by developing a DDoS response plan. Consider the following when developing such a plan:

People and Process

  • You should identify (as part of your risk analysis) the assets you need to protect and the business impact of their loss. You can use the Annualised Loss Expectancy (ALE) formula (single loss expectancy multiplied by the annualised rate of occurrence) for this purpose
  • Develop or augment an existing incident response plan to include DDoS response
  • Outline incident response processes, identify roles and responsibilities, and create a communications plan
  • Identify acceptable time to mitigation and the escalation procedures
  • Verify your business partners’, cloud providers’ and internet service providers’ capability to provide DDoS mitigation
  • Tabletop your DDoS response plan to ensure operational readiness

Technology

  • Secure your infrastructure. Consider utilising advanced intrusion prevention and threat management systems
  • Maintain a strong technology architecture (e.g. no single points of failure, decoupled resources, resilient design)
  • Introduce strong monitoring capabilities (monitor network bandwidth, server resources, etc.) and understand your normal operating metrics, so that deviations from them can be recognised
  • Deploy an on-premise, cloud or a hybrid protection model depending on your needs, assets and risks
  • Integrate your DDoS protection services with SIEM
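The monitoring step above is only useful if "normal" has been measured, so that the attack types described earlier can be told apart from a busy day. The following is an added example, not code from the original post: it learns a bytes-per-second baseline from known-good flow records, then labels a second of traffic as volumetric (far above baseline), a SYN flood (many SYN-only TCP flows against very few completed handshakes) or reflection from the memcached and CoAP ports the post discusses. The flow record format, every sample record, the `AMPLIFIER_PORTS` table and the thresholds are constructed assumptions.

```python
"""Baseline-and-classify DDoS detection over constructed flow records (added example)."""

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Set, Tuple

# UDP source ports of the reflector services discussed in the post (memcached, CoAP).
AMPLIFIER_PORTS = {11211: "memcached", 5683: "coap"}


@dataclass(frozen=True)
class Flow:
    second: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str    # TCP flags seen: "S" = SYN only, "SA" = handshake completed; "" for UDP
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV record: second,src,sport,dst,dport,proto,flags,packets,bytes."""
    f = line.split(",")
    return Flow(int(f[0]), f[1], int(f[2]), f[3], int(f[4]), f[5], f[6], int(f[7]), int(f[8]))


def bytes_per_second(flows: Iterable[Flow]) -> Dict[int, int]:
    totals: Dict[int, int] = defaultdict(int)
    for fl in flows:
        totals[fl.second] += fl.nbytes
    return totals


def learn_baseline(flows: List[Flow], good_seconds: Iterable[int]) -> Tuple[float, float]:
    """Mean and population std-dev of bytes/second over seconds known to be normal:
    the 'understand normal operation metrics' step of the response plan."""
    totals = bytes_per_second(flows)
    samples = [totals.get(s, 0) for s in good_seconds]
    return mean(samples), pstdev(samples)


def classify_second(flows: List[Flow], second: int, baseline: Tuple[float, float],
                    sigma: float = 3.0, syn_min: int = 50, syn_ratio: float = 0.8) -> Set[str]:
    """Labels for one second of traffic: 'volumetric', 'syn_flood', 'reflection:<service>'."""
    mu, sd = baseline
    window = [fl for fl in flows if fl.second == second]
    labels: Set[str] = set()
    if sum(fl.nbytes for fl in window) > mu + sigma * sd:
        labels.add("volumetric")
    tcp = [fl for fl in window if fl.proto == "tcp"]
    syn_only = [fl for fl in tcp if fl.flags == "S"]
    # syn_only is a subset of tcp, so the ratio is only computed when tcp is non-empty.
    if len(syn_only) >= syn_min and len(syn_only) / len(tcp) >= syn_ratio:
        labels.add("syn_flood")
    for fl in window:
        if fl.proto == "udp" and fl.sport in AMPLIFIER_PORTS:
            labels.add("reflection:" + AMPLIFIER_PORTS[fl.sport])
    return labels


# Constructed flow export. Seconds 0-9: ordinary HTTPS traffic with completed handshakes.
SAMPLE_FLOWS: List[str] = [
    f"{s},10.0.0.{i},4100{i},203.0.113.10,443,tcp,SA,{40 + i},{30000 + 1000 * ((s + i) % 3)}"
    for s in range(10) for i in range(5)
]
# Second 10: SYN-only flows from many sources (state exhaustion) ...
SAMPLE_FLOWS += [f"10,198.51.100.{i},5{i:04d},203.0.113.10,443,tcp,S,3,180" for i in range(60)]
# ... large UDP replies from port 11211 (memcached reflection) ...
SAMPLE_FLOWS += [f"10,192.0.2.{i},11211,203.0.113.10,{40000 + i},udp,,700,1000000" for i in range(40)]
# ... and a few CoAP replies from port 5683.
SAMPLE_FLOWS += [f"10,192.0.2.{100 + i},5683,203.0.113.10,{41000 + i},udp,,50,60000" for i in range(3)]


def detect(lines: List[str] = SAMPLE_FLOWS, good_seconds: Iterable[int] = range(10)) -> Dict[int, Set[str]]:
    """Learn a baseline from the good seconds, then classify every second present."""
    flows = [parse_flow(line) for line in lines]
    base = learn_baseline(flows, good_seconds)
    return {s: classify_second(flows, s, base) for s in sorted({fl.second for fl in flows})}


if __name__ == "__main__":
    for second, labels in detect().items():
        print(second, sorted(labels) or "normal")
```

The reflection rule keys on the reflector's source port rather than on volume because a reflection attack looks like replies to requests your hosts never sent; feeding these labels to the SIEM mentioned in the list above gives the response plan something concrete to trigger on.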

DDoS defence categories

DDoS defence solutions can be divided into the following three categories: internal, edge, and external.

  • Internal: consists of defences inside your network and close to the resources you wish to protect (typically the application itself, ADCs, WAFs and IPSs)
  • Edge: consists of devices at the enterprise/data centre edge (typically firewalls, and routers)
  • External: consists of anti-DDoS services that are entirely outside of your enterprise and provided by CSP/ISPs

Industry best practice is a multi-layer (AKA hybrid) approach that combines all these layers and considers the different types of DDoS attacks. On-premise solutions are used to mitigate application-layer and state-exhaustion attacks (internal and edge layers), while volumetric attacks that target internet connectivity (external layer) are mitigated in the cloud. It should be noted that cloud-based solutions are typically divided into two groups: CDN-based DDoS protection services, which are always-on and instantaneous (pricey), and DDoS scrubbing services, which are usually on-demand (cheaper).

On-premises solutions: companies with extensive on-premises infrastructure should choose DDoS protection solutions deployed as appliances. These products, however, leave your enterprise vulnerable to volumetric attacks that overwhelm your bandwidth.

Cloud-based solutions: firms with distributed infrastructure or cloud-hosted assets should choose cloud-based DDoS mitigation solutions. Most ISPs, CDNs and DNS providers have high-capacity DDoS scrubbing centres that stop DDoS attacks before they reach your assets. You can choose on-demand or always-on mitigation.

Hybrid solutions offer the best of both. The approach provides fast detection and low-latency, application-aware defence. In a hybrid solution, on-premise devices can signal the cloud solution provider to begin mitigation in the cloud. Such solutions also let your organisation retain control of mitigation timing and techniques while providing protection from volumetric attacks. A hybrid approach does, however, limit the number of vendors you can partner with, as some cloud DDoS protection providers do not have on-premise solutions.
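The division of labour in the hybrid model, and the "acceptable time to mitigation" and escalation items from the response plan, can be written down as a small decision loop. The following is an added example, not code from the original post and not any vendor's product: an on-premise appliance applies local countermeasures to application-layer and state-exhaustion attacks as soon as they are labelled, signals the cloud scrubbing service once inbound traffic threatens the internet link, records when cloud mitigation takes effect, and escalates any attack class still unmitigated past the agreed time. The link size, the diversion threshold, the cloud activation delay, the countermeasure names and the demo timeline are all constructed assumptions.

```python
"""Hybrid on-premise/cloud DDoS mitigation decision loop (added example; all
thresholds, delays and countermeasure names are constructed assumptions)."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Attack classes the on-premise appliance can mitigate by itself (application-layer
# and state-exhaustion), mapped to a constructed name for the local countermeasure.
LOCAL_COUNTERMEASURE = {"syn_flood": "syn_cookies", "http_flood": "l7_rate_limit"}


@dataclass
class HybridPolicy:
    link_capacity_bps: float       # size of the internet pipe
    divert_ratio: float = 0.7      # signal the cloud once inbound exceeds this share of the link
    cloud_activation_s: int = 180  # constructed: seconds for on-demand diversion to take effect
    acceptable_ttm_s: int = 300    # acceptable time to mitigation agreed in the response plan


@dataclass
class MitigationState:
    started_at: Dict[str, int] = field(default_factory=dict)    # first second each class was seen
    mitigated_at: Dict[str, int] = field(default_factory=dict)  # second a mitigation took effect
    cloud_signalled_at: Optional[int] = None
    cloud_active_at: Optional[int] = None
    escalations: List[Tuple[str, int]] = field(default_factory=list)


def step(policy: HybridPolicy, state: MitigationState, t: int,
         inbound_bps: float, labels: Set[str]) -> List[str]:
    """Apply one second of observations; returns the actions decided this second."""
    actions: List[str] = []
    for label in labels:
        state.started_at.setdefault(label, t)
        # Application-layer / state-exhaustion attacks are handled on premise at once.
        if label in LOCAL_COUNTERMEASURE and label not in state.mitigated_at:
            state.mitigated_at[label] = t
            actions.append(f"local:{LOCAL_COUNTERMEASURE[label]}")
    # Volumetric attacks cannot be fixed behind a saturated pipe: signal the cloud
    # scrubbing service as soon as inbound traffic threatens link capacity.
    if inbound_bps >= policy.divert_ratio * policy.link_capacity_bps and state.cloud_signalled_at is None:
        state.cloud_signalled_at = t
        actions.append("cloud:signal")
    if (state.cloud_signalled_at is not None and state.cloud_active_at is None
            and t - state.cloud_signalled_at >= policy.cloud_activation_s):
        state.cloud_active_at = t
        actions.append("cloud:active")
    if state.cloud_active_at is not None and "volumetric" in state.started_at:
        state.mitigated_at.setdefault("volumetric", t)
    # Escalate, per the plan, any class still unmitigated past the acceptable time.
    for label, t0 in state.started_at.items():
        already = any(l == label for l, _ in state.escalations)
        if label not in state.mitigated_at and t - t0 > policy.acceptable_ttm_s and not already:
            state.escalations.append((label, t))
            actions.append(f"escalate:{label}")
    return actions


def simulate(policy: HybridPolicy, timeline: List[Tuple[int, float, Set[str]]]) -> MitigationState:
    """Run the loop over (second, inbound bits/s, labels seen) tuples."""
    state = MitigationState()
    for t, bps, labels in timeline:
        step(policy, state, t, bps, labels)
    return state


def time_to_mitigation(state: MitigationState) -> Dict[str, Optional[int]]:
    """Seconds from first sighting to mitigation for each attack class (None if unmitigated)."""
    return {label: (state.mitigated_at[label] - t0 if label in state.mitigated_at else None)
            for label, t0 in state.started_at.items()}


def demo_timeline() -> List[Tuple[int, float, Set[str]]]:
    """Constructed scenario: a SYN flood from t=0 at 200 Mbps, then a volumetric
    ramp of 60 Mbps per second starting at t=60, capped at 5 Gbps."""
    tl: List[Tuple[int, float, Set[str]]] = [(t, 200e6, {"syn_flood"}) for t in range(60)]
    tl += [(t, min(5e9, 200e6 + (t - 60) * 60e6), {"syn_flood", "volumetric"}) for t in range(60, 400)]
    return tl


if __name__ == "__main__":
    policy = HybridPolicy(link_capacity_bps=1e9, acceptable_ttm_s=120)  # constructed: 1 Gbps link
    final = simulate(policy, demo_timeline())
    print("cloud signalled at", final.cloud_signalled_at, "active at", final.cloud_active_at)
    print("escalations", final.escalations)
    print("time to mitigation", time_to_mitigation(final))
```

Running the scenario shows why the author's timing caveat matters: the SYN flood is mitigated locally in the same second, but the volumetric attack is only mitigated once the on-demand diversion has taken effect, and with a 120-second acceptable time that triggers an escalation before the cloud is active. The activation delay is the figure to verify with the provider during tabletop exercises.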

Which mitigation strategy is right for you?

To choose the best DDoS mitigation service for your company, Gartner’s Market Guide for DDoS Mitigation Services suggests that you match your level of attack risk to the capabilities of the DDoS mitigation provider offering:

  • Medium-to-High Risk – Organisations in this category should consider scrubbing centre solutions. As these scrubbing vendors protect both externally facing websites and non-web resources, this service provides the best protection against multi-layered threats.
  • Low-to-Medium Risk – Mid-tier risk companies should consider getting DDoS mitigation from their CSP or hosting provider. These providers tend to offer lower monthly premiums, but the number of mitigation events they can handle is sometimes limited (and they can only protect external-facing websites).

Source: Gartner’s Market Guide for DDoS Mitigation Services, 2016

My personal recommendation however is slightly different. I suggest a hybrid model where you have both on-premise and on-demand in-cloud based solutions combined. This does however mean (usually) that you will need to choose a single vendor that provides both solutions. This in itself may be considered a risk!

Let’s have a look at three vendors offering DDoS protection solutions.

Disclaimer: I have used vendors' own websites for the below comments.
I am also neither paid by any of these vendors nor influenced by any of them in any way.

Netscout/Arbor – Hybrid solution provider

On-premise protection: Arbor SP, targeted at large enterprises, collects and analyses NetFlow, BGP and SNMP data to provide pervasive network visibility and DDoS attack detection. Upon detection, Arbor SP can automatically re-route attack traffic to the Arbor TMS, which can be deployed in a shared scrubbing centre. Arbor APS is positioned for smaller networks: an always-on, in-line DDoS attack detection and mitigation solution that can stop both inbound and outbound DDoS attacks. In the event of a large DDoS attack, Cloud Signalling links to an upstream, in-cloud DDoS attack protection service (i.e. Arbor Cloud) for mitigation.

In-cloud protection: a fully managed DDoS protection service delivered via nine scrubbing centres located throughout North and South America, Europe and Asia. Arbor Cloud provides 9.3 Tbps of global mitigation capacity. These are monitored by ATLAS, Arbor’s global visibility and threat intelligence capability.

Akamai – cloud solution provider

Prolexic Routed: uses BGP to route all of an organisation’s network traffic through Akamai’s globally distributed scrubbing centres. Prolexic Routed is offered either as an always-on service, which gives the fastest detection and mitigation, or as an on-demand service, giving organisations flexibility in how they customise and apply DDoS mitigation. It is built on a global network of 18 scrubbing centres with 7.8 Tbps of dedicated capacity and a team of 150 security professionals.

Since you are here, check out Akamai’s eight step DDoS protection plan.

Imperva – cloud solution provider

Imperva’s DDoS protection for networks is available as an always-on or on-demand service, with flow-based monitoring and support for automatic or manual switchover. Imperva has 6 Tbps of scrubbing capacity and the ability to process 65 billion packets per second. Once activated, the DDoS protection service blocks any attack in less than 10 seconds, with a typical time to mitigation of 1 second. The protection service for networks supports any type of service, including TCP, UDP, SMTP, FTP, SSH, VoIP and proprietary or custom protocols. Imperva’s up-to-the-second dashboards show attack traffic details. Their DDoS protection for websites can also complement the Imperva cloud WAF.