DDoS Attack - What Options Are You Left With?
A distributed denial of service (DDoS) attack occurs when an attacker makes it impossible for a service to be delivered. This is done by blocking access to servers, devices, services, networks, applications, or specific transactions within applications. It differs from a DoS attack, in which a single system sends the malicious data or requests: in a DDoS attack, many systems send them at once. As a result, your systems drown, and your internet bandwidth, CPU, and RAM capacity become overwhelmed.
When your company experiences a DDoS attack it could be a minor annoyance or it could actually take your entire business offline. This depends on what class of attack your company experiences. These include:
Attacks using massive amounts of bogus traffic (e.g. ICMP, UDP, and spoofed-packet flood attacks) that take down your website and server
Attacks using packets to target your network's infrastructure and its management tools (e.g. SYN floods, Smurf DDoS)
Attacks targeting your organization's application layer, conducted by flooding applications with maliciously crafted requests to make your online resources sluggish or completely unresponsive
Regardless of the type of attack you're experiencing, you can't underestimate the importance of threat intelligence in a DDoS attack.
Early Warning Signs of a DDoS Attack
Cyber security intelligence will let you know that you're under attack. This starts with the early warning signs, which matter because at the outset an attack can look like something that isn't malicious at all: availability problems such as downed servers or systems, or what appears to be an unusually large number of legitimate requests from legitimate users.
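One concrete form that early warning takes is watching the request rate in your own access logs. The check below is an added example, not code from the original article: it parses Common Log Format lines (constructed sample data, with assumed thresholds), compares each second's request count against a quiet-period baseline, and reports whether a spike comes from one source or is spread across many sources that each stay under a per-IP limit, which is exactly the case that looks like "too many legitimate users" and that per-IP rate limiting alone would not catch.

```python
# Added example (not from the original article): an early-warning check over
# web-server access logs. It counts requests per second, compares against a
# baseline, and reports whether the excess comes from one source (DoS-like)
# or from many sources each below the per-IP limit (DDoS-like).
import re
from collections import Counter, defaultdict

# Common Log Format; timestamps are bucketed at one-second granularity.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')

# Constructed sample: 3 quiet seconds of 3 req/s, then a 4th second where 12
# distinct hosts each send 2 requests (24 req/s). Thresholds are assumptions.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.{i} - - [10/Oct/2023:13:55:3{s} +0000] "GET / HTTP/1.1" 200 512'
     for s in range(3) for i in range(1, 4)] +
    [f'198.51.100.{i} - - [10/Oct/2023:13:55:33 +0000] "GET /search?q=x HTTP/1.1" 200 4096'
     for i in range(1, 13) for _ in range(2)])

def requests_per_second(log_text):
    """Return {timestamp: Counter(ip -> count)} for every parseable line."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            buckets[m.group(2)][m.group(1)] += 1
    return buckets

def mean_rps(buckets, seconds):
    """Mean requests/second over the given (known quiet) seconds."""
    return sum(sum(buckets[s].values()) for s in seconds) / len(seconds)

def flag_spikes(buckets, baseline_rps, spike_factor=3.0, per_ip_limit=5):
    """Flag seconds whose total exceeds spike_factor * baseline_rps.
    'single-source' means one IP alone exceeds per_ip_limit; 'distributed'
    means no single IP does, so per-IP rate limiting alone would not stop it."""
    flags = []
    for ts in sorted(buckets):
        per_ip = buckets[ts]
        total = sum(per_ip.values())
        if total <= spike_factor * baseline_rps:
            continue
        top_ip, top_count = per_ip.most_common(1)[0]
        kind = "single-source" if top_count > per_ip_limit else "distributed"
        flags.append({"ts": ts, "total": total, "sources": len(per_ip),
                      "top_ip": top_ip, "top_count": top_count, "kind": kind})
    return flags

if __name__ == "__main__":
    b = requests_per_second(SAMPLE_LOG)
    for f in flag_spikes(b, mean_rps(b, sorted(b)[:3])):
        print(f)  # one 'distributed' flag for the 13:55:33 second
```

In production the baseline would come from a rolling window of recent quiet traffic rather than the first three seconds of the same log, and the flag would feed an alert rather than a print.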
The most well-known DDoS attack occurred in early 2000. Launched by Canadian high school student Michael Calce, a.k.a. MafiaBoy, it took out Yahoo! and went on to successfully disrupt other sites including Amazon, CNN, and eBay. Although this wasn't the first DDoS attack, it is the most publicized and successful, and it transformed these attacks from a minor nuisance into a powerful business disruption. Since then, DDoS attacks have become a common way of exacting revenge, conducting extortion, and carrying out online activism and cyberwar.
Today's DDoS attacks are much more than a software development method. They've grown bigger, from 150 requests per second in the mid-1990s to over 1,000 Gbps today. Two other notable attacks since 2000 show this growth:
Dyn DNS was struck by a DDoS attack in October 2016. Originating from the Mirai botnet, the traffic came from tens of millions of IP addresses and 400,000. Mirai had infected more than 100,000 IoT devices, including IP cameras and printers, and the attack took down access to services including Amazon, Netflix, Reddit, Spotify, Tumblr, and Twitter.
On February 28, 2018, a DDoS attack hit the hosting service GitHub with 1.35 TB per second of traffic. Fortunately, GitHub was only knocked offline intermittently and managed to beat the attack back entirely in under 20 minutes, even though the assault peaked at 1.2 TB a second.
How DDoS Attacks Evolve
DDoS attacks are increasingly conducted through rented botnets today, and CSO Online says we should expect this trend to continue. It isn't the only trend to expect, though. Another is the use of multiple attack vectors within a single attack, known as Advanced Persistent Denial-of-Service (APDoS).
Typically, APDoS targets the application layer (e.g. databases, applications), but it may also target the server. According to Chuck Mackey, managing director of Binary Defense, "This goes beyond simply 'flooding.'" Additionally, attackers don't just target their victims directly but also the organizations those victims depend on (e.g. ISPs, cloud providers). As such, you can view these attacks as high-impact, broad-reaching attacks.
This changes the impact of DDoS attacks on organizations by expanding their risk. Businesses are no longer concerned only with DDoS attacks on themselves; they must also consider how these attacks affect their business partners, vendors, and suppliers. The old adage was that a business is only as secure as its weakest link. Today that weakest link can be, and often is, one of its third parties, as recent breaches have shown.
As criminals continue perfecting their DDoS attacks, the technology and tactics behind them also continue to evolve, driven by the addition of new IoT devices and the rise of machine learning and AI. All of these are changing the nature of these attacks, and many experts believe attackers will eventually integrate these technologies into their attacks too. When that happens, it will be harder for cybersecurity to catch up with DDoS attacks, especially those that can't be stopped by simple ACLs or signatures. This is yet another direction in which DDoS defense technology needs to evolve.
What Are Your DDoS Protection Options?
With all these changes, you're probably wondering what your DDoS protection options are, especially given the high-profile nature of these attacks and their potentially devastating consequences. Many security vendors now find themselves asking the same question about what kind of DDoS protection solutions they can offer.
According to Arbor Networks there are a couple of solutions you must consider. In doing so it's important to look at both their strengths and their weaknesses.
The first is existing infrastructure solutions. These include firewalls, intrusion detection/prevention systems, application delivery controllers, and load balancers. While essential to your defense strategy, they aren't designed to solve the security problems associated with DDoS detection and mitigation.
The second is Content Delivery Networks (CDNs). These address a DDoS attack's symptoms by absorbing large volumes of traffic. Because a CDN lets all traffic in, there are three issues:
You need enough bandwidth (over 300 Gbps) to absorb a large amount of traffic when under a DDoS attack, which can be quite costly
There are ways around the CDN and its threat intelligence
CDNs can't protect you from an application-based attack
Most DDoS attackers rely on botnets: collections of malware-infected systems that are centrally controlled over a network. Usually the infected endpoints are computers and servers, but they increasingly include IoT and mobile devices too. Attackers build these botnets by identifying vulnerable systems they can infect through phishing, malvertising, and other mass infection techniques, and many attackers today rent botnets from those who built them. These are just some of the trends we need to watch so we can protect our businesses now and in the future.