Fighting Back Against DDoS Attacks

Businesses are increasingly finding themselves on the receiving end of Distributed Denial of Service (DDoS) attacks.

In an earlier article, we explored some of the worrying trends reported in Arbor Networks' annual Worldwide Infrastructure Security Report.

In this article, we examine why DDoS attacks are technically challenging to handle and suggest some steps you can take to protect your systems.

The most likely DDoS attacks

65% of last year's DDoS attacks were ‘volumetric.’ These attacks attempted to knock systems offline by consuming almost all the bandwidth connecting those systems to the wider world.

The median size of these attacks was 760Mbps - large enough to completely saturate most organisations' Internet connections and to cause many servers to become unreachable.

Although investing in a multi-gigabit connection could help combat most volumetric attacks, this is an expensive option. A better, more affordable solution is to use DDoS mitigation services. These filter out malicious requests closer to their source, preventing the malicious requests from reaching your servers or from saturating the Internet connection to your office.

Volumetric attacks aren't the only type of DDoS attack that companies need to worry about, however.

The Worldwide Infrastructure Security Report found 18 per cent of DDoS attacks were ‘state exhaustion’ attacks that aimed to completely fill up the connection state tables that are present in many infrastructure components, such as load balancers, firewalls and routers.

A further 18 per cent of DDoS attacks targeted the application layer. These attacks often attempt to overwhelm the target by triggering resource-intensive tasks using relatively few requests.

A massive internet connection won’t protect your systems from state exhaustion attacks or application layer attacks. In fact, a bandwidth increase could actually play into the attacker’s hands by allowing even more malicious traffic to reach the devices under attack.

In these situations, the best defence is to have a filtering system in place that blocks suspicious traffic before it can reach your systems. This protection also needs to be able to assess what is likely to be a genuine request and what isn’t, so that genuine requests continue to pass unimpeded.

Where DDoS attacks are targeted and where they originate

Attackers most commonly target port 80 (used for HTTP traffic), with 45.7% of attacks going after this port. Port 53 (DNS) is the second most popular target, accounting for 12% of attacks. Port 443 (HTTPS) is the third most popular target, constituting 7% of attacks.

Many businesses overlook DNS when planning their network security, often because their DNS services are provided by a third party, outside of their network. Unfortunately, attacks on a DNS server can bring down websites and delay email delivery, even if the underlying web and email servers are working perfectly.

One solution is to use DNS servers from multiple providers, not just your domain registrar or web hosting company. When you register domains, you have the option to list several DNS servers, precisely because the primary DNS server you list might not always be responsive.

Although there are frequent media reports about cyber-attacks originating from China and Russia, it’s no good simply blocking traffic solely based on the country of origin, given the prevalence of botnets controlled from afar. The Arbor Networks survey found:

• 12.8 per cent of DDoS attacks came from the US.
• 5.6 per cent came from Canada.
• 4.4 per cent came from Great Britain.

How are businesses protecting themselves?

Respondents to the annual survey are using a variety of techniques to combat DDoS attacks:

• 73 per cent are using an Intelligence DDoS Mitigation Systems (IDMS).
• 70 per cent are using Access Control Lists (ACLs).
• 48 per cent are using Destination-based Remote Triggered Blackhole (D/RTBH).
• 43 per cent are using firewalls.
• 34 per cent are using Source-based Remote Triggered Blackhole (S/RTBH).
• 27 per cent are using load-balancers.
• 22 per cent are using an Intrusion Prevention System (IPS).
• 19 per cent are using BGP Flowspec.
• 17 per cent are using a Managed Security Service Provider.
• 13 per cent are relying on a Content Delivery Network (CDN) to help ease the burden on their web servers.
• 4 per cent are using other techniques.
• 2 per cent have no mitigation at all.

Not everyone can afford to fight DDoS alone

Large investment banks and multinationals have the budgets needed to implement sophisticated Intelligent DDoS Mitigation Systems, load-balancers and Intrusion Prevention Systems. But for the vast majority of businesses, such solutions are too costly and too complex.

As an alternative, many smaller firms are turning to service providers for help, with 74 per cent of service providers seeing an increase in demand for DDoS Detection/Mitigation services last year, according to Arbor Networks' survey.

How DDoS mitigation services work

Requests sent to particular IP address ranges are rerouted, so they pass through the network of a very large Internet transit provider. These providers have high-capacity peering links to lots of different ISPs in lots of different locations. This setup turns the distributed nature of a DDoS attack against the attacker, by making it harder to saturate the inbound peering connections linking the target to the outside world.

The inbound traffic is 'scrubbed', with most suspicious traffic filtered out before it can reach the target's servers and firewalls. This helps protect against volumetric attacks that would otherwise consume almost all of the target's available bandwidth.

Besides reducing the aggregate volume of malicious traffic, DDoS mitigation services block most malicious connection attempts, reducing the risk that systems under attack will become unreachable due to state exhaustion or a lack of memory.

Sophisticated application layer filtering is then applied to the remaining traffic to help guard against a wide variety of difficult-to-detect application layer attacks.

Underpinning most DDoS mitigation services are near real-time traffic monitoring systems. These let the service operator drill down into their traffic flows, so they can tell what's really going on and adjust filtering rules rapidly. Some of these rule changes are made automatically by software, others are made by staff skilled at fighting DDoS attacks.

DDoS isn't just a problem for large firms

It's easy to assume that DDoS attacks are only a problem for large, high profile organisations. Unfortunately, many DDoS attacks are on soft targets – smaller organisations ill equipped to fend off the attacks.

As a business ISP, hSo provides connectivity to hundreds of organisations. We see which of our customers are attacked and which are not.

Frankly, you'd be surprised by who gets targeted. It's seldom the organisations whose names you would recognise. It's often smaller firms – minding their own business, hurting no-one - that get attacked for no obvious reason.

The business case for DDoS protection

Given the uncertainty over whether you'll be attacked, it can be hard to build a business-case for investing in in-house DDoS mitigation capabilities.

One benefit of DDoS mitigation services is that payments are better aligned with the amount of mitigation you really need. You don't spend a fortune buying costly hardware you might never need. Instead, you pay a retainer, coupled with an event fee that's contingent on the scale and duration of the attack mitigation required.

If you're unlucky enough to be attacked, DDoS mitigation services aren't cheap. But nor is the alternative – doing nothing, and suffering substantial business disruption.

Every business needs to decide for itself whether to pay for DDoS protection, or to hope for the best and wait out any attacks.

To a large extent, it's an economic decision. You calculate how much a sustained period of downtime will cost – in lost employee productivity and profits foregone. Then weigh that cost against the cost of doing nothing.

You should also bear in mind the reputational damage that can be caused by a sustained DDoS attack. If your web site disappears for five minutes, few people are likely to notice. If your site is down for five weeks, that’s likely to adversely affect your business.

Similarly, if your staff can't send emails for an hour, it's a nuisance. If they can't send emails for a week, it's a crisis – one that's visible to customers, disruptive to business processes, and likely to cause huge backlogs.

Once you know how much downtime costs your organisation, and how long a period of downtime is deemed unacceptable to the powers that be, you're in a position to pick a DDoS mitigation strategy that's proportionate and affordable.

For larger organisations, this may involve buying sophisticated DDoS prevention hardware. For smaller organisations, DDoS mitigation services are likely to be a more sensible option.

DDoS attacks are becoming larger and ever more frequent. This dark cloud does have a silver lining, though.

The options for fighting back against DDoS attacks are likely to improve, as ever more vendors and service providers pile into the DDoS mitigation market – offering new services and increasing competition.

The DDoS threat is getting worse, but at least you'll have better, cheaper tools with which to fight it.