NETWORKING

  • 11/03/2015
    8:00 AM
  • Rating: 
    0 votes
    +
    Vote up!
    -
    Vote down!

DDoS Mitigation: Pay Attention To The Network

DDoS attacks are a growing threat. Monitoring firewall and load balancing activity can help IT teams detect and mitigate DDoS attacks.

Distributed Denial of Service (DDos) attacks are increasing at an alarming rate. They can be created cheaply and easily, and can take a service offline or shut a business down completely. When service is degraded or stopped altogether, a company’s reputation is impacted.

According to Akamai’s Q2 2015 State of the Internet Security report, attackers today are favoring less powerful, but longer duration DDoS attacks. From April to June 2014, the average attack lasted for 17 hours; from April to June 2015, the average attack lasted for nearly 21 hours.  

And between June 2014 and June 2015, there was a 122% increase in application layer (Layer 7) DDoS attacks and a 134% increase in infrastructure layer attacks (Layers 3 and 4).  “Very few organizations have the capacity to withstand such attacks on their own,” the report said.

To add insult to injury, hackers are now sending ransom emails to enterprises asking them to pay up or else be subjected to an unrelenting DDoS attack. Dark Reading reports that, since April 2015, the so-called DD4BC group has sent dozens of threatening emails to businesses demanding 25 to 50 Bitcoins to avoid an attack.

The unrelenting threat is why researchers with the Defense Advanced Research Projects Agency (DARPA) are creating a new program to help military, public, and private enterprises fend off DDoS attacks. It’s also why the Department of Homeland Security recently awarded the University of Delaware a $1.9 million contract to identify and prevent DDoS attacks on data centers. The funding, Delaware Public Media reports, will allow the university to build technology and focus on a new brand of DDoS attacks.

DDoS detection & mitigation

There are more than a dozen well-known types of DDoS attacks impacting today’s organizations. Some are orchestrated by seasoned hackers, but most are conducted by just a few computers aiming to take down a service or website by sending too many requests.

The most common DDoS attacks are the SYN Flood attack, the UDP Flood attack, and the ICMP Flood attack. These types of DDoS attacks have occurred at retail giants and big banks, alike in recent years. In July 2015, a DDoS attack caused a 50-minute outage to the Royal Bank of Scotland’s online banking system, affecting customers from RBS, Ulster Bank and NatWest Online Systems. Also in July Planned Parenthood's website and New York Magazine's websites were hit with DDOs attacks.

In cases like these, when an attacker initiates a connection-based protocol, he or she might send 50,000 packets a second over the network, leaving connections open and vulnerable. If a company is monitoring its network, it likely will see a massive spike in connections from the load balancer, along with an increase in throughput on the firewall and the bandwidth utilization on Internet links.

Consequently, paying attention to network activity through monitoring can provide a first line of defense against DDoS attacks. The ability to monitor firewall and load balancer activity can arm network operations and security teams with the advanced warning they need to mitigate a DDoS attack.

Network monitoring provides the information needed to act at the first sign of an attack, by providing the IT department with a granular, but full picture of their digital infrastructure.

IT teams can be alerted when random ports are flooded with packets, or when spoofed requests from a variety of sources attack a target server. This agility helps them identify debilitating attacks before resources are exhausted and the server is forced to go offline.

Reviewing historical data can allow IT pros to set up accurate thresholds for questionable network traffic. For example, a rule can be set such that when a specific number of packets come through in two seconds or less, this traffic is automatically blocked. In this way, users are able to mitigate the impact of DDoS attacks on the digital infrastructure.

Paying attention to the details of network traffic, like metrics, flows and logs, can help organizations have as much data as possible to detect, visualize, and mitigate a DDoS attack.


Comments

Why is this change Happening?

Vess,

In your Blogpost you have clearly mentioned the following change in DDOS trends-

attackers today are favoring less powerful, but longer duration DDoS attacks. From April to June 2014, the average attack lasted for 17 hours; from April to June 2015, the average attack lasted for nearly 21 hours.  

What do you feel is the primary factor driving this change?

Is this because DDOS attackers are now focussing more and more on Financial Gain Rather than just publicity and for this issue alone,Stealth is of Greater benefit than Sheer Power?

It seems that they want to remain incognito for as long as they can and do as much damage as is possible as quietly as possible.

Am I right with how I am assessing this situation here?