Defending against DDoS Attacks: What you need to know

Image

Patience is one of those time-dependent, and often situational circumstances we experience. Few things define relativity better than patience.  Think of the impatience of people who have to wait ten minutes in a line at a gas station, yet the thought of waiting ten minutes for a perfectly brewed cup of coffee seems entirely reasonable. It can’t be about the cost, since even the smallest cup of coffee is equal to, if not more expensive than a gallon of gasoline. It’s all about the time you are willing to wait.

Impatience with technology is legendary. We have all grown frustrated if a piece of technology doesn’t immediately respond. As far back as 2010, it was understood that anything longer than 10 seconds was too long to wait for a web page to load, causing the visitor to get distracted, or move on to something else. As recently as 2022, this time has been reduced, with visitors abandoning a site in as little as 6 seconds. These are the types of statistics that make Distributed Denial of Service (DDoS) attacks so attractive to some attackers.

Ransomware is the big attack technique these days, mostly because they can be profitable for the attackers. However, DDoS attacks are not motivated by money; they are motivated by message. That is, the attacker wants to let a business know very clearly that they have run afoul of a specific business practice or ideology, and the punishment is to render the business unavailable. This is often the work of “hacktivists”, attackers who want to disrupt a business without necessarily seeking any monetary gain.

DDoS attacks can often be intense, involving hundreds of thousands of computers all over the world sending overwhelming amounts of traffic to a site to halt it, possibly crashing the host server. The attack can last for hours or days depending upon the intent of the attacker.

For a business such as a financial institution, this can impact everything from customer activity, to interbank transactions. Recently, the most popular DDoS targets have been health care companies. This, of course, could have graver impacts, as it could affect the availability of everything, from medical services, to medication maintenance.

What is a DDoS Attack?

In general, a DDoS attack is a type of cyberattack that uses large numbers of computers and huge volumes of traffic to overwhelm a server or network, slowing it or rendering it completely unresponsive. DDoS attacks generally require that the attacker control a large group of computers. These computers are usually owned by normal, unsuspecting consumers all over the world and have been compromised, rendered under the control of the attacker. The collection of these computers form a robot network, also known as a botnet.

The botnet is then used to focus traffic, such as a simple request to view a web page or something more malicious, towards a single target, or group of targets. In one attack in 2022, the target sustained traffic that exceeded 850 Gigabits per second. Though there are multiple variants of DDoS attacks, the four “main” variants are as follows:

• Flooding or Volumetric Attack – A flooding attack sends a large amount of traffic to a victim network to congest the network with traffic. With enough traffic, the target server or network becomes too busy, and legitimate clients cannot access the system.
• Amplification Attack – This attack manipulates publicly-accessible domain name systems, making them flood a target with large quantities of a specific type of data packet. Often, the attacking packets are spoofed (or faked) in order to hide the origin of the attack, or to defeat potential firewall defenses.
• Resource Depletion Attack – Similar to an amplification attack, a resource depletion attack floods the victim server with bogus information packets to seize up the server, so it cannot respond to legitimate requests for information.
• Diversion or Ransom Attack – In this attack, a DDoS act is initiated against the target server to distract the security team and incident responders while the attacker uses different methods to penetrate the network. One popular variant of this attack is to flood the victim’s servers constantly until a ransom is paid to discontinue the attack. A second variant of this attack is to divert the incident response team with a DDoS attack while implanting malware on the network designed to steal data, or exploit a known vulnerability.

Defending Against DDoS Attacks

Defending against a concentrated and sustained DDoS attack can be like defending against a charging stampede of elephants – there are too many attackers and not enough of you. Your defenses are completely overwhelmed. Though it’s not always possible to defend against a large, organized DDoS attack without some impact to the targeted network, there are strategies that can help mitigate the effects of even the most vicious DDoS attacks:

1. Recognize the signs of a DDoS attack: the first and best defense against a DDoS attack is the ability to recognize it early. Unfortunately, not all DDoS attacks are easy to distinguish from normal spikes in network or web traffic, or a sudden slowdown in network performance. Invest in the right technology, expertise and training to help you tell the difference, or use an anti-DDoS service, as discussed below.
2. Incident response planning: Be ready with a great incident response program and include in it a DDoS mitigation plan.
3. Contact your ISP provider: If your company is feeling the effects of a DDoS attack, it is likely affecting your ISP provider as well. Call your ISP provider to see if they can detect DDoS attacks and re-route your traffic in the event of an attack, rather than have you call for support. When choosing an ISP, inquire whether any DDoS protective services are available, and consider whether you might want to engage a backup ISP in the event of an attack to keep your business running.
4. Have your threat intel handy: Half the battle in today’s environment is knowing what to look for. What are the potential indicators of compromise that an attack is underway? What threat vectors are most popular? If any of your peers have also been targeted, how have they responded to those attacks? Join your local information sharing network, and use the threat intelligence service provider or network with your peers to understand the source of threats and attacks.
5. Other Mitigation Defenses and Tools: There are two tools that companies should consider in addition to standard signature-based firewalls and routers (to reject known bad traffic) when thinking about mitigation strategies: (1) Load balancers to balance traffic across multiple servers within a defined network with the goal of creating additional network availability, and (2) a cloud-based anti-DDoS solution to filter or divert malicious DDoS traffic.

Today, with the large-scale commoditization and distribution of sophisticated cyber-attack tools, more and more people have access to sophisticated malware that facilitates DDoS attacks. As artificial intelligence starts to permeate all areas of technology, it is reasonable to assume that future attacks will be AI-driven, possibly creating a reemergence of this nuisance. Don’t let your environment end up being a source of impatience for your clients.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.