What Is DDoS?
A Distributed Denial of Service (DDoS) attack is an attempt to pile so much traffic onto a given computer, network, application, or service that it goes offline. DDoS attacks are a popular method of cyber attack because they're very effective at disrupting the target, and they're pretty simple to execute. Attackers can easily spread malware and build a network of infected computers (botnets) that can then be used against a target without their owners' knowledge, making the barrier to entry relatively low.
Because a successful DDoS attack literally silences its target, this method is particularly common among trolls, blackmailers, and hacktivists looking to make a statement. DDoS mitigation depends on network visibility, a good understanding of the different types of DDoS, and a fast reaction time, so read on to learn how to stop DDoS attacks against your network!
Types of DDoS Attacks
There are three main categories of DDoS attacks:
- Attacks that use high traffic to flood network bandwidth
- Attacks that consume server resources
- Attacks that target the application layer and pile on requests until the web server crashes
There's a huge amount of variation in attack type and specific methodology, but here's a list of some of the most commonly used DDoS attack types:
- UDP floods target the User Datagram Protocol by sending UDP packets to a given port on a target computer or network. When the host checks for an application listening on that port, there's nobody there. Note: UDP reflection attacks like Memcrashed amplify DDoS attacks by orders of magnitude. Here's one way to stop them.
- SYN floods go after Transmission Control Protocol (TCP) weaknesses by spoofing SYN (synchronize) packets to start three-way handshakes with the target network that are never completed.
- Ping of Death (POD) attacks send malicious pings to a target system; these aren't very effective today because many of the weaknesses that allowed for successful exploits have been patched. (Remember—always, always patch your systems!)
- Smurf attacks exploit Internet Protocol (IP) and Internet Control Message Protocol (ICMP) with malware called smurf that spoofs an IP address in order to ping a given network.
- Slowloris attacks use HTTP flooding to take down web servers with minimal cost to the attacker, which is one reason these types of attacks often feature in hacktivist DDoS events.
- Zero-day DDoS attacks exploit vulnerabilities that have yet to be patched.
DDoS Protection: How to Stop Attacks
Back in March 2018, the largest DDoS attack ever recorded (1.35 Tbps) targeted GitHub using memcached as a UDP reflection attack vector. (Read more about that, and how to detect similar attacks). That's an insane amount of malicious traffic, and one that is nigh unstoppable—which makes it more crucial than ever that you have a playbook in place for DDoS attacks against your organization so you can at least mitigate the damage.
In the next section we'll talk about what you can do if you find yourself a victim of a DDoS attack, but first let's go over a few preventative measures that every organization should take immediately. These won't necessarily stop a DDoS attack, but they can help slow them down and give you time to react.
#1: Know your network.
The more you know about what normal inbound traffic looks like, the quicker you'll spot anomalies that could be the start of a DDoS attack. Real-time visibility with network traffic analysis is by far the most efficient and accurate way to maintain a profile of what your network should look like, and machine learning solutions can help you detect suspicious surges immediately.
#2: If you run your own web server...
- Rate limit your router to prevent your server from being overwhelmed
- Use aggressive timeouts for half-open connections
- Automatically drop spoofed or malformed packets
#3: Overprovision, overprovision, overprovision.
Whether you host your own server or not, overprovisioning bandwidth will help you accommodate sudden spikes in network traffic (or at least buy you a little more time to get help).
DDoS Mitigation Strategies
Say it happens. You're hit. (At least you're in good company; some of the big names who've featured in high-profile DDoS attacks in the last few years include the aforementioned GitHub, the Boston Globe, and the Danish rail company DSB.) What should you do to stop an attack or limit the damage to your business?
#1: Anticipate the critical assets (applications and network services) attackers are most likely to target, and make sure your monitoring, detection, and emergency response plans specifically align to those assets. Include an approved public statement in your response plan so you don't need to scramble for PR while under attack!
#2: Put procedures in place to re-route traffic for scrubbing in the cloud.
#3: This can't be overstated—enterprises need real-time visibility into their own network behavior with machine learning in place to detect anomalous traffic spikes. Perimeter defenses are unable to stop even the less sophisticated forms of DDoS attack, and will have a harder time detecting surges quickly enough to make a difference.
#4: Pay attention to your application layer! This means ensuring you have the ability to perform deep-packet inspection at the application layer (L7 in the OSI model), and if you can, adding redundancy by deploying critical applications on multiple public cloud providers so you can scale out to the next deployment if attacked.
The number one thing you can do to protect yourself from serious damage by DDoS attack is to invest in real-time visibility into east-west (internal) network traffic. There's a reason Gartner is talking about network traffic analysis and more and more enterprises are looking at network analytics as a source of security data.
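As an added example (not from the original post or any vendor product), here is the "know your network" idea from preventative measure #1 and mitigation strategy #3 in code: build a bytes-per-second baseline from known-normal flow records, flag seconds that blow past it, and separately count inbound UDP packets arriving from the memcached service port (11211), which is the signature of the Memcrashed-style reflection traffic mentioned above. The flow records are constructed inline and their five-field shape is an assumption, not any real collector's format.

```python
"""Baseline-and-surge detection over flow records (constructed sample data)."""
from collections import Counter
from statistics import mean, pstdev

# Each record: (timestamp_sec, proto, src_port, dst_port, bytes). Constructed, not captured.
# 60 seconds of ordinary HTTPS traffic with mild per-second variation.
NORMAL = [(t, "tcp", 443, 50000 + i, 1200 + 40 * ((t + i) % 10))
          for t in range(60) for i in range(15)]
# A 10-second memcached-style UDP reflection burst: many large packets from UDP/11211.
FLOOD = [(t, "udp", 11211, 80, 1400) for t in range(60, 70) for _ in range(400)]


def bytes_per_second(flows):
    """Total bytes seen in each one-second bucket."""
    per_sec = Counter()
    for ts, _proto, _sp, _dp, nbytes in flows:
        per_sec[ts] += nbytes
    return per_sec


def build_baseline(flows):
    """Mean and standard deviation of bytes/second during known-normal traffic."""
    rates = list(bytes_per_second(flows).values())
    return mean(rates), pstdev(rates)


def detect_surges(flows, baseline, sigmas=5.0, min_ratio=3.0):
    """Seconds whose volume is abnormal both statistically and proportionally.

    The ratio floor stops a very flat baseline (tiny stdev) from alerting on noise."""
    avg, sd = baseline
    threshold = max(avg + sigmas * sd, avg * min_ratio)
    return sorted(ts for ts, b in bytes_per_second(flows).items() if b > threshold)


def reflection_sources(flows, amplifier_ports=frozenset({11211}), min_bytes=1000):
    """Count large UDP packets whose *source* port is an amplifier service port.

    Legitimate clients never receive unsolicited bulk replies from such ports."""
    hits = Counter()
    for _ts, proto, sp, _dp, nbytes in flows:
        if proto == "udp" and sp in amplifier_ports and nbytes >= min_bytes:
            hits[sp] += 1
    return hits


if __name__ == "__main__":
    base = build_baseline(NORMAL)
    print("surge seconds:", detect_surges(NORMAL + FLOOD, base))
    print("reflection packets by amplifier port:", dict(reflection_sources(NORMAL + FLOOD)))
```

In production the baseline would be rebuilt on a rolling window and keyed per destination and protocol, so a legitimate growth in HTTPS traffic does not mask a UDP surge.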
Check out this blog post to learn more about network traffic analysis for security, including benefits, predictions, and vendors in the space!