Author: Tzury Bar Yochay, CTO and co-founder of Reblaze
Your organization’s website is down. Your servers are non-responsive. Incoming traffic has stopped. And you don’t know why, or how, any of this has happened. All you know is that you got a ransom demand from an unknown hacker, promising that the DDoS will continue indefinitely until you send him several dozen Bitcoins.
This is the nightmare scenario for many executives today. DDoS (Distributed Denial of Service) attacks can now reach sizes that were unthinkable even a few years ago. (Last year’s memcached-reflection attack on GitHub peaked at a staggering 1.35 Tbps.)
Worse, they have become extremely common. Around the world, on any given day, there are usually one or more attacks going on. If your organization hasn’t been targeted recently, it probably will be soon.
Obviously, you cannot prevent an attacker from choosing your organization as his next victim. However, you can prevent his attacks from succeeding, as we’ll discuss in this article.
This assumes though that your security posture is set up correctly. For many organizations today, this is not the case. Before describing the correct way to mitigate DDoS attacks, let’s start by discussing the mistakes that many organizations are still making in this area.
How Not to Mitigate DDoS
There are many different kinds of DDoS attacks, but they all have the same goal: to make the targeted system unavailable to its intended users. The largest and most dramatic attacks are volumetric—their goal is to overwhelm their targets by sending an overwhelming volume of traffic.
For many years, the standard approach to DDoS mitigation was an appliance in front of the protected network. There are different kinds of appliances (physical versus virtual, multipurpose WAF versus dedicated DDoS device, etc.), but the main point here is that an appliance was located between the protected network and the upstream ISP.
There are several problems with this approach. The first is that appliances are difficult to administer and keep up to date. As new attacks arise, they don’t necessarily offer effective protection immediately.
The more important problem is that every appliance sits downstream of the ISP, behind the organization’s own Internet link. An appliance can only scrub traffic that has already arrived on that link, so it is inherently unable to mitigate attacks beyond the link’s capacity: a large-enough flood saturates the pipe before the appliance ever sees a packet. The ISP’s usual response is to protect its own network by blackholing all traffic to the targeted prefix. The end result is that the victim’s web applications become unavailable to customers and users. (Notice that this is exactly the outcome the attackers were trying to achieve; the blackhole merely finishes the job for them.)
Another problem is that many security solutions have not kept pace with the evolution of DDoS. For example, modern attackers routinely spread their requests across large, rotating pools of source IP addresses, so that no single address ever crosses a per-IP rate limit or earns a place on an IP blacklist.
Also, many security solutions are not effective against all forms of DDoS. Volumetric attacks on Layers 3 and 4 (Network and Transport Layer attacks such as UDP floods, ICMP floods and SYN floods) are relatively easy to identify, because the traffic is anomalous on its face. Layer 7 attacks (on the Application Layer) are much more subtle and harder to detect, since each individual request can be a well-formed, legitimate-looking HTTP request. Many solutions don’t even address them.
Defeating an Attack: What is Needed
When an organization decides to improve its DDoS protection, there are two possible motives:
• Executives want to achieve a robust security posture before attacks occur
• Executives need to defeat an attack which is already underway, and is not being mitigated properly by their current security solution(s).
These scenarios might seem different, but in practical terms, they’re almost identical. An in-progress attack introduces one new element: accelerated timing (more on this below). But other than that, any organization that wants robust DDoS protection needs the same thing: a security solution with the following feature set.
Traffic scrubbing that occurs upstream of the organization’s Internet link, as discussed above: the attack must be absorbed and filtered in the scrubbing provider’s network, before it reaches the pipe between the ISP and the protected network.
Immediate and automated updates as new forms of attack arise. Generally, this requires a fully managed solution which ensures that the network’s security posture is always effective and up to date.
Comprehensive protection against all known forms of DoS and DDoS, including on Layer 7. As mentioned previously, detecting Layer 7 attacks is more difficult than detecting attacks on Layers 3/4. For example, an attacker can open a perfectly legitimate connection to a targeted server and then interact with it extremely slowly: sending request headers one at a time with long pauses between them (the Slowloris technique), trickling a POST body a few bytes at a time, or reading the response at a crawl. Each connection stays open for a very long time while occupying a worker thread or connection slot. Doing this for hundreds or even thousands of connections simultaneously exhausts the server’s pool of connection slots and makes it unavailable to legitimate users, even though the total bandwidth involved is tiny. To prevent DDoS, a security solution must provide protection across all layers.
Dynamic processing. Older DDoS security solutions relied upon packet inspection, looking for signatures of known attacks within incoming requests. However, modern attacks have a variety of ways to avoid detection, generally by leveraging and combining individually legitimate requests to create an attack (as illustrated by the session-exhaustion example above, where no single packet is malformed). To defeat them, a security solution must maintain history and context over time for all of the server’s connections, sessions and requestors, and make its decisions on that accumulated state rather than on each packet in isolation.
Autoscaling of bandwidth and other resources to absorb even massive volumetric attacks, with a large-enough capacity to do so.
Full visibility into incoming traffic, showing all details for all requests. Most security solutions do not display this information, which makes it difficult, if not impossible, to diagnose an attack and implement appropriate countermeasures.
Sophisticated bot detection abilities (since DDoS traffic must, by its nature, be automated). This includes the ability to accurately identify and track individual requestors even as they attempt to evade identification. The most sophisticated attacks use bots which can rotate among different IPs and “identities” to appear as completely different requestors. To be effective, a security solution must be able to defeat these attempts at deception.
A single-tenant environment. Robust DDoS protection is insufficient if the protected network is sharing resources with other clients with lesser forms of protection. In a multi-tenant environment, it’s possible for a DDoS aimed at one tenant to affect them all.
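The session-exhaustion attack and the IP-rotation problem described in the feature list above, as an added example that is not code from this article or from Reblaze: a small Python model of the stateful detection the list calls for. It runs over a constructed connection table (the kind of state an edge proxy already holds) and shows two things a per-packet signature cannot: that a slow-session attack is only visible as a population of individually valid connections observed over time, and that counting by source IP misses an attacker who rotates addresses while counting by a stable requestor key does not. The `requestor` field is an assumption standing in for whatever per-client key a platform derives (cookie, TLS or browser fingerprint); deriving that key is out of scope here, and the thresholds are illustrative.

```python
"""Stateful detection of a slow-session (Slowloris-style) exhaustion attack.

Added example, not code from the article or from Reblaze. The connection
table below is constructed for the example; in a real deployment it would
come from the proxy's connection state. The `requestor` field stands in
for whatever stable per-client key a platform derives (cookie, TLS or
browser fingerprint); how that key is derived is not modelled here.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Conn:
    src_ip: str
    requestor: str      # assumed stable requestor key (see module docstring)
    opened_at: float    # epoch seconds when the TCP connection was accepted
    bytes_in: int       # request bytes received so far
    complete: bool      # True once the full request has arrived


def slow_sessions(conns: List[Conn], now: float,
                  min_age: float = 30.0, max_bps: float = 20.0) -> List[Conn]:
    """Connections still incomplete after `min_age` seconds and trickling
    request bytes below `max_bps`. Each one is a valid TCP connection that
    a per-packet signature would never flag; the attack is only visible
    as a population of such connections held open over time."""
    flagged = []
    for c in conns:
        age = now - c.opened_at
        if c.complete or age < min_age:
            continue          # finished, or too young to judge (honest slow clients)
        if c.bytes_in / age < max_bps:
            flagged.append(c)
    return flagged


def slot_pressure(conns: List[Conn], now: float, worker_slots: int) -> float:
    """Fraction of the server's connection slots held by slow sessions.
    This decides whether legitimate users can still get a slot, so it is
    the right quantity to alert on."""
    return len(slow_sessions(conns, now)) / worker_slots


def offenders(conns: List[Conn], now: float, key: str,
              threshold: int) -> Dict[str, int]:
    """Keys ("src_ip" or "requestor") holding more than `threshold` slow
    sessions. Counting by src_ip is what per-IP rate limiting does;
    counting by requestor is what survives IP rotation."""
    counts = Counter(getattr(c, key) for c in slow_sessions(conns, now))
    return {k: n for k, n in counts.items() if n > threshold}


NOW = 1_700_000_000.0  # arbitrary "current time" for the constructed data


def build_sample() -> List[Conn]:
    """Constructed connection table: 20 normal clients, one honest slow
    client, and one attacker holding 60 trickled connections spread over
    60 rotating source addresses."""
    conns = [Conn(f"203.0.113.{i}", f"user-{i}", NOW - 2.0, 800, True)
             for i in range(20)]
    conns.append(Conn("198.51.100.7", "user-slow", NOW - 10.0, 120, False))
    conns += [Conn(f"192.0.2.{i}", "bot-A", NOW - 90.0, 40, False)
              for i in range(60)]
    return conns


if __name__ == "__main__":
    table = build_sample()
    print(f"slow sessions: {len(slow_sessions(table, NOW))}")
    print(f"slot pressure (100 slots): {slot_pressure(table, NOW, 100):.0%}")
    print("per-IP offenders       :", offenders(table, NOW, "src_ip", 5))
    print("per-requestor offenders:", offenders(table, NOW, "requestor", 5))
```

On the constructed data the attacker’s 60 connections are each 40 bytes over 90 seconds, so all 60 are flagged and tie up 60 percent of a 100-slot server; the single honest slow client is not flagged, because `min_age` gives a genuinely slow client time to finish before it is judged. Per-IP counting finds nothing (one connection per address), while per-requestor counting attributes all 60 to the same key. A production version would keep this state incrementally as connections open and close rather than rescanning a table, and tune `min_age` and `max_bps` per application.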
Choosing a DDoS mitigation solution can be confusing. Many are available, in various forms: physical appliances, virtual appliances, cloud platforms, and so on.
However, only cloud platforms can provide the complete feature set shown above. Note too that even among cloud platforms there are significant differences; only a few provide most or all of the features listed here. Therefore, when selecting a solution provider, it’s important to carefully consider the options available.
How to Defeat an Attack that is Already Underway
An in-progress DDoS can be very stressful. Nevertheless, even large volumetric assaults can still be shut down quickly, if the correct measures are taken.
A good cloud security solution can be deployed into, and running on, the public cloud in just a few minutes. Shortly after that, an organization can have all of its incoming traffic routed through the platform for scrubbing, as requests pass through on their way to the protected network. (This second step is done with a DNS change, so the time it takes depends on how quickly that change propagates. Usually it’s only a few minutes, but resolvers keep serving the old record until the previous TTL expires, so an organization that lowers its DNS TTLs ahead of time cuts over much faster. Two checks matter here: once traffic is flowing through the scrubbing platform, the origin should accept connections only from the platform’s addresses, otherwise an attacker who knows or discovers the origin IP simply bypasses the scrubber; and the change must cover every hostname that resolves to the origin, not just the main site.)
If the cloud security solution is a robust platform with the feature set listed above, this means that even a massive DDoS can be resolved in a matter of minutes. The hostile traffic will be blocked before it can reach the protected network. Bandwidth and other resources will scale automatically as needed, limited only by the capacity of the global cloud. Meanwhile, legitimate traffic passes immediately through to the protected network, which remains performant and available to customers and users.
Obviously, a cloud security platform will work the same regardless of the presence, or lack, of an in-progress attack at the time that the solution is deployed. The only real difference is a matter of urgency: when no attack is currently occurring, the deployment can occur more deliberately. The organization can enable the solution for one web application at a time, monitor and fine-tune it to increase accuracy (by eliminating false positives and so on), and then go live.
On the other hand, when an attack is occurring, the fine-tuning process can be skipped. This will create a small rate of false positives and/or false negatives for a short time (until the fine-tuning can be done).
But when an attack is occurring, it’s better to have 90 percent of your traffic working correctly than to have zero percent getting through to your servers—especially when the other 10 percent can be restored in a few days or less.
Conclusion: DDoS attacks can be very dramatic, and the largest ones receive lots of publicity. But effective mitigation tools are available, once you know how to distinguish among the various solutions being offered.
You won’t be able to stop attackers from choosing your network as their target – but you can prevent their attacks from succeeding. And that’s good enough.
About Tzury Bar Yochay
Tzury Bar Yochay is the CTO and co-founder of Reblaze. Having served in technical leadership in several software companies, Tzury founded Reblaze to pioneer an innovative new approach to cyber security. Tzury has more than 20 years of experience in the software industry, holding R&D and senior technical roles in various companies. Prior to founding Reblaze, he also founded Regulus Labs, a network software company. As a thought leader in security technologies, Tzury is frequently invited to present at industry conferences around the globe.