Why You Should Focus on DDoS Mitigation (and How to Do It)
By: Ernest Sampera on December 16, 2020
Distributed denial of service (DDoS) attacks have long been a thorn in the sides of companies of all sizes and industries—though they are particularly dangerous for organizations that rely heavily on digital services (either to conduct business or to deliver their own services to customers).
What are DDoS attacks? How can they impact a business? What are some DDoS mitigation strategies you can use to blunt or stop different DDoS attack types?
A DDoS attack is a type of cyberattack wherein the attacker tries to deny access to a specific service or network (hence the “denial of service” part of the name) by overwhelming the target system or the infrastructure it runs on—typically with basic access requests.
In many cases, these attacks leverage numerous malware-compromised systems as part of the attack (hence the “distributed” part of the name). However, not all DDoS attacks rely on simple brute force numbers to overload a target. There are several different types of DDoS attacks, which can make DDoS mitigation and remediation difficult.
Some DDoS attack type examples include:
Volumetric Attacks. These attacks rank among the most brute force-like DDoS attack types. Volumetric attacks seek to consume all of the bandwidth available to a service or network so that no legitimate traffic requests can be processed and often use some type of “amplification strategy” to reach the volume needed to strangle high-capacity networks. DNS amplification attacks are a prime example of a volumetric DDoS attack type.
Protocol Attacks. Protocol attacks often target the network or transport layers of a network (wherein data packets are routed or transmitted with specific protocols) to disrupt a service. By overloading network equipment like routers, firewalls, or load balancers, protocol attacks can keep people from being able to access critical resources. An example of a protocol attack would be a SYN flood, which uses spoofed IP addresses to exploit a target’s TCP handshake protocols with bogus requests that never “complete” the handshake process—exhausting the target’s resources.
Application Layer Attacks. Also called “Layer 7” attacks, since the application layer is named “Layer 7” in the OSI framework for network connectivity, application layer attacks often involve flooding a target with HTTP requests—forcing the target to respond. The request has a small bandwidth cost, while the response, which needs to load images and other web page elements, has a relatively high bandwidth cost. This asymmetry is why the HTTP flood is a common type of application layer attack.
Multi-Vector DDoS Attacks. To make DDoS remediation more difficult, some attackers opt to use multiple types of attacks all at once. By targeting multiple network layers at once, attackers make their DDoS strategy more disruptive and harder to counter for their targets.
There are a number of reasons why a person or group might choose to launch a DDoS attack. Two primary motivations, as noted by Penta Security, include “hacktivism” and “politics.” DDoS attacks, particularly against larger corporations or businesses with popular services, tend to garner a lot of attention very quickly—which can make a DDoS attack ideal for raising awareness about a specific issue.
Another motive noted in the Penta Security article was the use of DDoS attacks “as a distraction for a larger attack… where the attack may be used indirectly for a larger security breach.” Basically, while a victim is busy with trying to stop a DDoS attack, the attacker is leveraging the confusion caused to breach security for other systems and get away before the breach is noticed.
Fallout from a DDoS Attack
So, what’s the potential fallout from a DDoS attack? Why should businesses work to stop a DDoS attack before it begins?
Failing to stop a DDoS attack means losing access to critical IT resources for the company and its customers. The forced downtime from such an attack can be incredibly costly for a business. A popularly cited statistic from an old Gartner article states that network downtime costs “$5,600 p/minute, which extrapolates to well over $300k p/hour.”
While the actual cost of network downtime may vary for different organizations based on their size, industry, and business model, there is little doubt that the impacts of extended network downtime can be severe for companies of any size.
The fallout from a DDoS isn’t limited to the direct costs a company incurs from lost sales opportunities and the labor spent getting their network back online. There are other costs to consider, such as:
The productivity lost because employees can’t use important business applications;
A drop in market share as customers move to more “reliable” services; and
Expenditures on potential legal actions or customer appeasement measures for failing to meet SLAs.
These indirect costs of a DDoS attack can have far-reaching implications that make it harder for a business to remain profitable and competitive.
How to Stop a DDoS Attack
One of the difficulties in stopping a DDoS attack is that there are several different types to deal with that target different potential weaknesses in the network. Additionally, it’s necessary to avoid throwing out the good traffic from legitimate users with the bad.
So, there are a number of different DDoS mitigation strategies that companies need to employ simultaneously to prevent their network from being overwhelmed—especially if attackers are using a multi-vector strategy.
Web Application Firewall (WAF). A WAF is often useful for mitigating layer 7 (application layer) DDoS attacks. The WAF can act as a reverse proxy gateway to protect the server from malicious traffic—filtering out DDoS by performing deep layer inspections of incoming data packets. Some web application firewalls even allow for custom rules implementation to respond to new attack types.
Network Diffusion. To help limit the impact of a large DDoS attack, some organizations may use network routing tools to spread out the traffic and requests amongst multiple data centers and systems. This diffuses the impact of the attack. However, it is highly dependent on the size and processing capability of the network as a whole (and the routing solution), so it isn’t always practical for especially large DDoS strikes.
“Black Hole” Rerouting. Instead of shunting traffic to an actual in-use resource, some organizations may try to thwart attacks by shunting all of their traffic into a “black hole” route (such as a non-functional server or an invalid IP address). While it prevents stress to the network, it can also, if not handled extremely carefully, end up making the network inaccessible to legitimate users too since their requests will also get rerouted to the black hole.
IP Address Whitelisting. For enterprise applications meant only to be used by employees within the network, the use of IP whitelisting (the practice of only allowing certain preapproved IP addresses to connect to the application or server) can be incredibly useful for DDoS mitigation. However, this is not an ideal solution for customer-facing applications and databases, as customers may have a wide variety of IP addresses. Also, IP address spoofing may allow attackers to fool the filter.
Rate Limiting. Rate limiting is the practice of restricting the number of requests a server will accept over a given time period. While this can help to mitigate certain “brute force” style DDoS attacks that just ping login or HTTP requests over and over again, it may not be so effective at stopping more sophisticated, multi-vector attacks.
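As an added example (not code from the original post or from vXchnge), the following Python sketch combines the two ideas above, IP whitelisting and rate limiting: a per-source sliding-window limiter that exempts a pre-approved internal range, run over constructed web-server log lines containing one flooding source. The limit, window, allowlisted range and log format are assumptions made for the example.

```python
# Added example, not from the original post: per-source sliding-window rate limiter
# with an IP allowlist. LIMIT, WINDOW_SECONDS, ALLOWLIST and the log format are hypothetical.
import ipaddress
from collections import defaultdict, deque

LIMIT = 20            # max requests a single source may make inside the window
WINDOW_SECONDS = 10   # sliding-window length
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]  # pre-approved internal range

class SlidingWindowLimiter:
    """Count requests per source over the last `window` seconds and reject a
    source once it exceeds `limit`; allowlisted sources are never rejected."""
    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS, allowlist=ALLOWLIST):
        self.limit, self.window, self.allowlist = limit, window, allowlist
        self.history = defaultdict(deque)  # src -> timestamps of accepted requests

    def is_allowlisted(self, src):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False  # an unparsable source never bypasses the limit
        return any(addr in net for net in self.allowlist)

    def check(self, src, ts):
        """Return True to accept the request, False to drop it."""
        if self.is_allowlisted(src):
            return True
        q = self.history[src]
        while q and ts - q[0] >= self.window:  # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: drop and do not record
        q.append(ts)
        return True

def filter_log(lines, limiter=None):
    """Feed 'timestamp src_ip method path' lines through the limiter; return per-source counts."""
    limiter = limiter or SlidingWindowLimiter()
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for line in lines:
        ts, src, _method, _path = line.split()
        stats[src]["accepted" if limiter.check(src, float(ts)) else "dropped"] += 1
    return dict(stats)

# Constructed sample: one flooding source, one ordinary user, one internal host.
SAMPLE_LOG = (
    [f"{i * 0.1:.1f} 203.0.113.5 GET /login" for i in range(50)]         # 50 hits in 5 s
    + [f"{i * 2.0:.1f} 198.51.100.7 GET /index.html" for i in range(5)]  # 5 hits in 10 s
    + [f"{i * 0.1:.1f} 10.1.2.3 GET /api/status" for i in range(40)]     # allowlisted
)
```

Running `filter_log(SAMPLE_LOG)` accepts only the first 20 requests from the flooding source and drops the remaining 30, while the ordinary user and the allowlisted internal host are untouched; a real deployment would typically apply this at the WAF or reverse proxy rather than in the application.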
While the above tools can all be helpful in DDoS mitigation, they aren’t enough on their own. To get the best results, it’s important to have an incident response plan and IT experts in place to carry it out. This plan should include measures to help employees identify the signs of a DDoS attack (network slowness, inability to access resources, etc.), alert the incident response team, and assign roles and responsibilities for each step of the process so everyone knows what to do.
Having an incident response plan (and the people to run it) in place can have a major impact on an organization’s DDoS mitigation, and thus any network downtime they face. Creating such plans is just a good network security practice in the first place!
DDoS Protection with vX\defend
With volumetric attacks becoming bigger than ever—the current record for largest attack at the time of this writing is a massive 2.3 Tbps (Terabits per second)—it’s never been more important to have a strong DDoS protection strategy.
One such tool is vX\defend from vXchnge. vX\defend is one of the risk mitigation tools that comes with vXchnge’s colocation data center services. The basic strategy is that vXchnge uses multiple internet service providers (ISPs) to provide networks with increased resiliency and to reduce lag. If one ISP’s services are compromised (such as being used for a DDoS attack), vX\defend will utilize multiple routing paths to redirect your network traffic before the attack reaches your data center—keeping your services online and available to both your employees and customers.
In addition to rerouting bad traffic, vXchnge also offers “burstable bandwidth” of up to 1 Gbps (Gigabit per second) of additional bandwidth to help cover unexpected traffic spikes so your network performance doesn’t suffer.
Are you ready to transform your IT capabilities and mitigate future DDoS attacks with ease? Reach out to vXchnge today to get started!
About Ernest Sampera
Ernie Sampera is the Chief Marketing Officer at vXchnge. Ernie is responsible for product marketing, external & corporate communications and business development.