"It's very hard to know what to do. The tools to do this (DDoS attack) can be purchased online incredibly cheaply, while the damage they can do and the cost of mitigating it is exponentially higher."
Alexander Klimburg, Cyber Security Expert
DDoS (Distributed Denial of Service) is an attack on a computer system aimed at bringing the system to failure, i.e., creating conditions under which legitimate users cannot access the victimized resource.
Beyond its direct purpose, the unavailability and failure of the targeted system, it can be used as a step towards taking over the system (under failure conditions the system may disclose critical information, for example the version of the code) or to mask other subsequent attacks.
DDoS attacks can be divided into two basic types:
- Attack on the channel: the channel is simply hammered with an overwhelming mass of specially crafted requests
- Attack on the process: exploiting software and network protocol vulnerabilities to exhaust hardware capacity, thus blocking customers' access to information system resources
The network DDoS attack type is usually carried out by means of a botnet (zombie network). The botnet consists of a large number of computers infected with special malware; usually these computers are used without the consent or knowledge of their owners.
The botnet is commanded from the control center (by the attacker) to start sending many specially forged requests to the target computer. When the requests consume the available resources, access for legitimate users is blocked.
TYPES OF DDoS MITIGATION SOLUTIONS
Cloud Protection - a service providing DDoS attack protection based on the provider's infrastructure. All traffic is redirected to the provider's proxy, where it is filtered and sent back cleansed of DDoS traffic.
Pros:
- No need to invest in special equipment, uplinks, training, etc.
- Freedom and availability in the choice of a supplier
- Diversification of the hosting and protection against DDoS attacks
Cons:
- Lack of complete control over what is happening
- Unreliable information on the attack situation from the vendor
- Traffic is redirected for filtering outside the customer's infrastructure
On-Site Protection - protection at the perimeter of the customer's own infrastructure using specialized equipment: devices acting as a filter on all ingress traffic entering the client's network.
Pros:
- Exercise total control over the mitigation process
- Comprehensive view of the attack
- No traffic is redirected for filtering outside the customer's infrastructure
Cons:
- Considerable investment in special equipment, uplinks, training, etc.
- Protection is limited to uplink capacity
- Need to maintain a crew of trained professionals 24/7
Why can't you stop DDoS attacks yourself?
Why is professional mitigation necessary?
- USING YOUR OWN EXISTING EQUIPMENT? Routers and switches will fold under the load, due to insufficient capacity to deal with DDoS. Stateful in-line firewalls and ISPs are not designed to mitigate such attacks; if they can withstand the flood at all, the packets simply pass through them.
- SOFTWARE SOLUTIONS THAT DON'T WORK. The likes of mod_evasive, iptables, Apache / LiteSpeed tuning and kernel tuning are not capable of handling the attack size or complexity, so they are useful only in a very limited number of cases.
- ISPs WON'T HELP. Your service provider has one way to "help", and that is to null-route your traffic for a period at their own discretion. You may even get banned for suffering a DDoS attack and bringing others on the shared resource down.
- WHO DO YOU BLOCK? Massive numbers of IPs are attacking you; it seems the whole world is after your resource. You need to block all attacking IPs and allow only the good ones. Can you do that? And how?
- HUMAN-LIKE ATTACK BEHAVIOR. It's not just the sheer flood you're dealing with. L7 attacks mimic the behavior of real users, thus eating CPU and RAM.
- BANDWIDTH NOT ENOUGH TO MITIGATE. Feasibility is important when provisioning bandwidth. How much do you need, and how much can you afford? Is it worth it?
- IS YOUR TEAM UP TO SPEED? With changing attack methods, your team needs to be able to roll with the punches, tweaking defenses and finding solutions. Can they do that? Quickly?
- CAN YOU ISOLATE THE VICTIM? DDoS attacks inflict collateral damage. When you can't isolate the victim of an attack, the others on the network suffer too.
- INSUFFICIENT INSIGHT INTO ATTACK DETAILS. You only see the symptoms; without attack details you know neither the cause nor the solution.
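As an added illustration of the "who do you block?" and "insufficient insight" points above (example code written for this page, not the brochure's own material): a per-source rate threshold stops a single loud source, but it cannot separate 500 distributed bots sending two requests each from 20 real users doing the same, so the aggregate flood is visible while per-IP attribution is not. All traffic below is constructed.

```python
from collections import Counter

# Constructed traffic sample: (second_in_window, source_ip). Addresses come
# from documentation/private ranges; none of this is real traffic.
def constructed_traffic():
    events, legit = [], set()
    for i in range(20):                       # 20 legitimate users, 2 requests each
        ip = f"203.0.113.{i}"
        legit.add(ip)
        events += [(i * 3, ip), (i * 3 + 30, ip)]
    events += [(s % 60, "198.51.100.1") for s in range(300)]  # one loud source
    for i in range(500):                      # 500 bots, 2 requests each: same
        ip = f"10.{20 + i // 250}.{i % 250 + 1}"  # per-IP rate as a real user
        events += [(i % 60, ip), ((i + 17) % 60, ip)]
    return events, legit

def per_source_counts(events):
    """Requests per source over the one-minute window."""
    return Counter(ip for _, ip in events)

def flag_by_rate(counts, threshold):
    """Naive mitigation: block any source sending more than `threshold` req/min."""
    return {ip for ip, n in counts.items() if n > threshold}

def evaluate(events, legit, threshold):
    """Report what a per-IP threshold achieves against the mixed flood."""
    counts = per_source_counts(events)
    blocked = flag_by_rate(counts, threshold)
    residual = sum(n for ip, n in counts.items() if ip not in blocked)
    return {
        "total_rpm": sum(counts.values()),      # the symptom you do see
        "blocked_sources": len(blocked),
        "legit_blocked": len(blocked & legit),  # collateral damage
        "residual_rpm": residual,               # still reaching the origin
        "residual_vs_legit": residual / sum(counts[ip] for ip in legit),
    }

if __name__ == "__main__":
    ev, legit = constructed_traffic()
    for thr in (10, 1):
        print(f"threshold > {thr} req/min:", evaluate(ev, legit, thr))
```

With a threshold of 10 the loud source is blocked and 26 times the legitimate load still reaches the origin; tightening it to 1 removes the flood only by blocking every real user as well.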
THINGS TO LOOK FOR
WHEN PROCURING MITIGATION SOLUTIONS
When you have chosen a good cloud DDoS Mitigation service you will benefit from:
MITIGATION INVISIBILITY - Depending on the DDoS attack type, the vendor must use different bot verification methods, with at least the large majority of them being almost completely invisible to your visitors, so they don't "feel" the mitigation as a hindrance.
SEARCH ENGINE FRIENDLY - It is important to understand that your website needs to remain visible to search engines, so the vendor must provide full support for the most popular search engines. Being open to requests for additional search engine support is also a plus.
MULTI-GIGABIT PROTECTION - Sizable network channels distributed over multiple Points of Presence around the world, empowering the mitigation solution to provide the performance and scalability needed to keep the protected resource going.
MULTIPLE POINTS OF PRESENCE - To ensure the lowest latency and lag times globally, the vendor will have placed Points of Presence (PoPs) in strategic locations announced with BGP Anycast, thus ensuring your visitors' traffic goes to the geographically closest cleansing center.
And the rules of thumb for On-Site DDoS Mitigation...
While so-called proxy shield vendors are abundant, the contemporary market supply of on-premise solutions is represented by a handful of manufacturers and software developers, each claiming to have the best product for meaningful, cost-effective DDoS mitigation.
On-premise DDoS mitigation solutions provided by today's vendors consist of server boxes of one to several rack units, which one is expected to place in the data center, switch on and watch do the job. Unfortunately, that is not always effective against all floods: 98% of today's DDoS attacks can be mitigated automatically with hardware, but the remaining 2% require qualified human intervention. Why is that? DDoS methods are constantly changing to find new vulnerabilities in OS, browser and protocol implementations. As a result, predefined counter-measure strategies don't always work, and attack floods do get past the mitigation device.
CONSTANT CARE - The best vendor will offer not just the hardware, but you will also benefit from round-the-clock care so you’re never alone when a new type of flood arrives. The vendor will be able to intervene in times of need, and place a global monitoring system at your disposal to make sure your content is available to the world.
CUSTOM INTEGRATION - The vendor engineers must assess your needs and current or planned network structure. They must ensure best fit in your specific scenario, so you get the most out of the "Box". Look for vendors that have the knowledge and expertise to do that and gladly place it at your disposal.
FLEXIBLE MANNING - A good vendor will man your protection stack with dedicated remote intervention engineers. Alternatively, you must be able to train your own people to monitor and effectively fend off DDoS attacks - the vendor must offer initial and interim training courses for your staff.
TCO SPREAD OVER TIME - Instead of spending USD 1/2M on heartless hardware in one go, you should be able to spread the cost over easy, affordable monthly payments. You want to be protected without it costing you an arm and a leg, with pricing based on affordable monthly installments that cover hardware, support, upgrade/update and manning requirements.
TAILORED SUPPORT - Flexibility in choosing the comfort level at which you receive and pay for support is an important aspect of choosing a product or service. Most vendors will give you preset levels of support, while a good vendor will estimate your support requirements and offer you only what you need, when you need it.
UPGRADES & UPDATES - Total Cost of Ownership (TCO) can be tricky: usually you'd have to pay for the initial hardware/software configuration and then factor in upgrade, maintenance and update expenditures. A good vendor makes it easy and transparent to assess your TCO.
FAILOVER & REDUNDANCY - With DDoS attacks, it is not uncommon to see criminals increase the flood magnitude when faced with successful mitigation at first, so you may have to deal with a situation where the "Box" is not the weak point in your setup, but your own uplink capacity is. For those times, when you can't wait to upgrade your uplink, a versatile vendor will offer to switch you over to their global proxy protection service (if they have one).
LINEAR SCALABILITY - A good "Box" comes preconfigured to protect your entire inbound channel from all types of DDoS attacks. Optionally, larger modules should be available so you can increase capacity by adding mitigation modules that scale protection power linearly. Instead of having to replace the entire solution with a more powerful one to meet your needs, a good vendor gives you a Lego-like approach to building your defenses as high as you require, by simply adding fully integrated modules on top of your existing protection configuration.