Despite their prevalence, DDoS (Distributed Denial of Service) attacks have been erroneously considered minor attacks by some parts of the security community due their “limited” duration. Victims of DDoS attacks are typically forced to interrupt their services for a few hours without any other observable damage.
Recent events, however, have demonstrated that the impact of DDoS attacks is much more than meets the eye. Not only can these attacks inflict huge economic losses, they can also have a serious impact on the reputation and image of the victimized company or organization.
Another worrying trend observed in recent DDoS attacks is that in addition to targeting web infrastructures, attackers are also trying to exploit flaws and improper configurations within the Domain Name System (DNS) infrastructures. Arbor Networks’ 2012 Worldwide Infrastructure Security Report indicated that 41% of respondents experienced DDoS attacks against their DNS infrastructure.
Moreover, the targets of a DDoS attack do not fit into a specific category. Providers of online banking, payment services, email services and just about every other type of web service provider are prime candidates.
Similarly, there is no typical profile of an attacker – cyber criminals, hacktivists and state-sponsored hackers all use similar tactics to hit a large list of targets.
Principal Categories of DDoS Attacks
The security community classifies DDoS attacks as follows:
DDoS Mitigation Solutions – Traditional vs. Cloud-Based
The increase in the magnitude and complexity of DDoS attacks highlights the need for organizations to adopt proper countermeasures and mitigation techniques. Naturally, time is of the essence when it comes to DDoS protection. Prompt DDoS detection is a critical phase of the mitigation process – the faster security systems can detect a potential threat, the better the chance of minimizing damage and even neutralizing the threat.
Firms that provide solutions for DDoS mitigation follow various approaches to protect their customers. The first step in protecting a company’s web infrastructure against a DDoS attack is to identify normal conditions for network traffic. This definition of normal “traffic patterns” is necessary baseline for threat detection and alerting. The majority of commercial solutions provides threshold-based alerting mechanisms that trigger alerts based on the collection of meaningful information from the logs.
Another common detection approach is known as “Layered Filtering,”, dedicated appliances and software detect and mitigates different types of attacks in both the network and application layers. Defense mechanisms which analyze traffic in layers try to detect harmful traffic and apply filters to block the threats at the specific level. Many companies also adopt open source software to limit the incoming number of connections and traffic dimensions.
Traditional DDoS mitigation solutions oversize the network bandwidth and adopt complex hardware such as firewalls and load balancers. Many experts consider this approach to be unnecessarily costly and in many cases ineffective. For this reason, many companies have chosen to adopt a cloud-based approach to DDoS protection with direct management of DNS services, enabling them to optimize their response to malicious events. Another advantage of a cloud-based approach is the reduction of investment in equipment and infrastructure (capex) as well as the reduced cost of managing and maintaining typical hardware solutions (opex).
Key Criteria for Evaluating DDoS Mitigation Solutions
Choosing a DDoS mitigation solution is far from a simple task, given the numerous alternatives and choices, such as hardware versus software, appliance versus cloud-based solutions, etc. To simplify your decision process, the following checklist includes the most important features/criteria to evaluate before acquiring a new product:
How does the cloud based DDoS mitigation approach work?
As noted earlier, one of most popular mitigation approaches is cloud-based DDoS mitigation. Such solutions are offered by Incapsula, Prolexic and Verisign, among others. Successful mitigation depends on the ability to monitor and analyze traffic patterns in real time. When a DDoS attack is detected by monitoring systems, the malicious traffic is redirected from the targeted website to a mitigation architecture through the cloud. Inbound malicious traffic is sent to the nearest scrubbing center, where the mitigation solution applies DDoS filtering and routing techniques to reduce DDoS traffic interference. The clean traffic is then routed back to the customer’s network. Accordingly, the capacity of the scrubbing centers and the filtering methods used are crucial for the provisioning of an efficient DDoS mitigation service.
To get an industry expert’s take on these topics, I contacted Incapsula, one of the leading providers of DDoS mitigation services. Incapsula offers Web Security, DDoS Protection, Failover & Load Balancing on a Global CDN. The company was spun out of and is financially backed by Imperva [IMPV], a leading provider of data security solutions. Here are excerpts from my interview with Incapsula’s CEO, Gur Shatz.
What are the key criteria for a successful DDoS mitigation service?
“Well, there are various factors that contribute to a successful DDoS mitigation solution, such as:
Based on the observation of DDoS attacks against your clients during the last few months, what are the changes/trends that you are seeing with respect to attack methods?
“The principal trends that we are observing are:
This information might be biased, because as a cloud provider, we are well suited for handling large network attacks. Since our users typically use our “always on” automatic detection service, it is reasonable to assume that users with hit and run problems tend to reach us more than users of other solutions.”
What are the strong points of your Cloud-based solution?
“I believe that our true strengths lie in a number of aspects of our service:
Whatever solution you choose, you must always consider the trade-off between costs and benefits. To meet business goals, every company is increasing its exposure on the Internet and, in parallel, enlarging the potential surface of attack. At the same time, downtime is no longer acceptable from a business standpoint for the majority of these companies.
(Security Affairs – DDoS Mitigation)