Distributed denial-of-service (DDoS) attacks have been a threat since the advent of the commercial internet. They represent an asymmetrical war, where $30 attacks can cost companies millions. Today, attackers are increasing their target diversity and complexity, with attack traffic simultaneously spanning data, applications, and infrastructure to increase the chances of success.
Most people probably think of DDoS attacks as a security-only issue. The reality is the network operations team sees the traffic anomaly long before the security team sees the attack itself. Companies understand that network traffic data is the key to preventing DDoS attacks.
How do companies traditionally stop DDoS attacks?
A typical DDoS defense model leverages out-of-band appliances, appliances that a network operator installs in its network operations center (NOC) or data center (DC). These appliances detect anomalies in network flow data, network metadata from edge routers, and Border Gateway Protocol (BGP) data. The appliance then signals the network to either drop traffic at the network edge or redirect traffic to an on-premises DDoS scrubbing appliance, like those that Radware, A10, or Corero provide.
Sometimes, the traffic also gets passed through a third-party cloud mitigation service, like those that Cloudflare, Neustar, or Akamai offer. Over time, mitigation devices will only need to mitigate a fraction of total traffic. Selectively pushing traffic to mitigation devices only when there is an attack maximizes the cost-efficiency of this solution. The approach makes sense on paper, but the drawback inherent in all such appliance-based DDoS defense solutions is that they suffer from poor detection accuracy.
As a result, organizations' best engineers are bogged down dealing with inaccurate alerts using blind manual interventions. That means they're spending time making configuration changes to network devices or rerouting traffic instead of focusing on mission-critical tasks. What's more, these interventions typically do not produce positive outcomes. For a more accurate approach to mitigation, companies need a solution capable of monitoring massive volumes of network traffic in real time.
How can companies build better mitigation processes?
There are several ways companies can begin to approach DDoS attacks as a network concern. They include:
- In-Line Appliance Mitigation: This approach sends all traffic through one or more DDoS protection appliances that support deep packet inspection. If the appliance determines particular traffic flows or packets to be attacks, it discards them and allows legitimate traffic to pass through. This approach is useful for more complex attack types and for very quick detection and mitigation. However, it's an expensive approach and does not scale for large networks.
- Cloud-Based DDoS Defense Services: Cloud-based DDoS defense services detect and mitigate attacks without requiring the network under attack to deploy on-premises resources. Most cloud DDoS defense services do not offer a detection service; instead, it's left up to the customer to reroute traffic when attacks occur. Or, companies may use an "always on" service that scrubs and returns traffic to the company in question. Cloud-based services are slightly cheaper than inline approaches, but not by much.
- Routing Techniques: Remote Triggered Black Hole (RTBH): Blackholing of traffic is a form of DDoS mitigation achieved by dropping traffic at the network edge by changing routing parameters. The most common form of blackholing is destination-based Remote Triggered Black Hole (RTBH). This approach reroutes attack traffic to a destination that doesn't exist (a black hole), with the drawback that legitimate traffic to that destination is also lost. BGP Flowspec improved upon this approach by trying to block only the attack traffic and allow the legitimate traffic to pass through. However, Flowspec can be a complex protocol to deploy.
- Hybrid DDoS Defense: Hybrid DDoS defense is performed by a combination of on-premises mitigation devices and cloud-based mitigation services. This approach enables the fastest response from the on-premises appliance but can scale up to very large attacks with the use of a cloud-based mitigation service.
Monitor, Detect, Mitigate
Many enterprise workforces are employing a work-from-home model for the foreseeable future. This arrangement creates a distributed network with less secure endpoints and a myriad of third-party platform integrations to monitor. As a result, DDoS attacks are becoming a more and more critical challenge to address. To mitigate DDoS attacks, companies must think of them not as security concerns but as network reliability concerns. My recommendation for companies is that they:
- Monitor the network-wide traffic level of individual IP addresses connected to their networks
- Monitor against multiple data dimensions. While in many cases it is sufficient to look for violations of simple traffic thresholds, for most attacks it’s becoming necessary to go beyond a single dimension and recognize the relationships between multiple indicators.
- Implement technology that automatically identifies and tracks “interesting” IP addresses by auto-learning and continuously updating a list of top-N traffic receivers, then performs baselining and measurements to detect anomalies on any current member of that list.
- Design in advance a mitigation solution that meets the needs for your organization. As detailed, there are tradeoffs for each approach, so the right balance of protection, cost, and scalability must be determined.
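As an added example (not code from the original article), the following Python sketch shows the monitoring model behind the last three recommendations: learn the top-N traffic receivers from flow records, baseline each one along several dimensions (bytes, packets, distinct sources per interval), and alert only when the indicators move together rather than when a single byte threshold is crossed. All IP addresses and traffic volumes are constructed; the threshold factor k=3 and the "volume spike plus source-spread spike" rule are assumptions chosen for illustration, not any vendor's algorithm.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed flow records (not captured traffic): one record per
# (interval, source, destination); 'interval' is a one-minute bucket index.
@dataclass(frozen=True)
class Flow:
    interval: int
    src: str
    dst: str
    bytes: int
    packets: int

DIMS = ("bytes", "packets", "unique_srcs")

def top_n_receivers(flows, n):
    """Auto-learn the 'interesting' IPs: the top-N destinations by bytes received."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.dst] += f.bytes
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, _ in ranked[:n]]

def per_interval_metrics(flows, dst):
    """Measure one receiver per interval along the three dimensions."""
    acc = defaultdict(lambda: {"bytes": 0, "packets": 0, "srcs": set()})
    for f in flows:
        if f.dst == dst:
            acc[f.interval]["bytes"] += f.bytes
            acc[f.interval]["packets"] += f.packets
            acc[f.interval]["srcs"].add(f.src)
    return {i: {"bytes": a["bytes"], "packets": a["packets"], "unique_srcs": len(a["srcs"])}
            for i, a in acc.items()}

def baseline(metrics, training):
    """Mean and population std-dev per dimension over the training intervals
    (a production system would recompute this continuously on a rolling window)."""
    rows = [metrics[i] for i in training]
    out = {}
    for d in DIMS:
        vals = [r[d] for r in rows]
        out[d] = (mean(vals), pstdev(vals))
    return out

def deviating_dimensions(base, current, k=3.0, min_std=1.0):
    """Dimensions where the current interval exceeds mean + k*std. The std floor
    keeps a perfectly flat baseline from turning every +1 into an anomaly."""
    return [d for d, (mu, sd) in base.items() if current[d] > mu + k * max(sd, min_std)]

def single_threshold_alert(base, current, k=3.0):
    """The naive one-dimensional rule: alert on bytes alone."""
    return "bytes" in deviating_dimensions(base, current, k)

def multi_dimension_alert(base, current, k=3.0):
    """Relate the indicators (assumed rule): a volume spike in bytes or packets only
    counts as flood-like when the number of distinct sources spikes with it."""
    dev = set(deviating_dimensions(base, current, k))
    volume = bool(dev & {"bytes", "packets"})
    spread = "unique_srcs" in dev
    return volume and spread, sorted(dev)

def build_sample_flows():
    """Constructed data: 10 training intervals of normal traffic to 203.0.113.10,
    then interval 10 (a flood from many new sources) and interval 11 (one large
    legitimate download from a regular client)."""
    flows = []
    for i in range(12):
        for j in range(20):   # 20 regular clients with mild time-of-day variation
            flows.append(Flow(i, f"198.51.100.{j + 1}", "203.0.113.10",
                              60_000 + 500 * (i % 4), 60 + (i % 3)))
        for j in range(5):    # a quieter second receiver, so top-N has a choice to make
            flows.append(Flow(i, f"198.51.100.{j + 1}", "203.0.113.20", 10_000, 10))
    for j in range(250):      # interval 10: 250 new sources sending 50-byte packets
        flows.append(Flow(10, f"192.0.2.{j}", "203.0.113.10", 20_000, 400))
    # interval 11: one regular client pulls a large file in 1500-byte packets
    flows.append(Flow(11, "198.51.100.1", "203.0.113.10", 600_000, 400))
    return flows

def run_demo():
    """Baseline every watched receiver on intervals 0-9, then judge intervals 10 and 11."""
    flows = build_sample_flows()
    results = {}
    for dst in top_n_receivers(flows, 2):
        metrics = per_interval_metrics(flows, dst)
        base = baseline(metrics, range(10))
        for i in (10, 11):
            flagged, dev = multi_dimension_alert(base, metrics[i])
            results[(dst, i)] = {"single": single_threshold_alert(base, metrics[i]),
                                 "multi": flagged, "dims": dev}
    return results

if __name__ == "__main__":
    for (dst, i), r in run_demo().items():
        print(f"{dst} interval {i}: single-threshold={r['single']} "
              f"multi-dimension={r['multi']} deviating={r['dims']}")
```

With this data the byte-only rule fires on both interval 10 and interval 11, which is the kind of inaccurate alert the article describes: the large download in interval 11 deviates in bytes and packets but not in distinct sources, so the multi-dimension rule stays quiet there and fires only on the flood, where all three indicators move together.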