WHAT IS A DDOS ATTACK?
 
A DoS (Denial of Service) attack is basically a malicious attempt by threat actors to attack the 'Availability' of a targeted system to its legitimate end-users. The targeted system can be a website or a web-based application. In these attacks, hackers typically generate a large volume of data packets or requests with the intention of overwhelming the targeted system.
 
 
 
A DDoS attack is very similar to a DoS attack, except that the attackers use multiple compromised or controlled sources to generate the huge volumes of requests or data packets.
 
DDoS attackers accomplish this by coordinating an army of compromised machines, or 'bots', into a network of devices they control from a remote location, which then focus a stream of activity toward a single target. These botnets may carry out DDoS attacks with a range of malicious techniques such as:
 
  • Exhausting your bandwidth with massive volumes of traffic
  • Filling up your system resources with half-open connection requests
  • Crashing web application servers with voluminous requests for random information
 
-
 
👉 A METHOD TO THE MADNESS
 
In general, DDoS attacks can be segregated by which layer of the OSI model they attack. They are most common at the Network (Layer 3), Transport (Layer 4), Presentation (Layer 6) and Application (Layer 7) Layers. For example,
 
  • UDP reflection attacks target the Network (Layer 3)
  • SYN floods target the Transport (Layer 4)
  • SSL abuse targets the Presentation (Layer 6)
  • HTTP floods, DNS query floods target the Application (Layer 7)
 
Thus, you can conveniently identify two broad categories of DDoS attacks:
 
1. Infrastructure Layer Attacks
 
Attacks at Layers 3 and 4 are typically categorized as Infrastructure layer attacks. These are also the most common type of DDoS attack and include vectors like SYN (synchronize) floods and other reflection attacks like User Datagram Protocol (UDP) floods, as mentioned above.
 
These attacks are usually large in volume and aim to overload the capacity of the network or the application servers. But fortunately, these are also the type of attacks that have clear signatures. That's why they are easier to detect.
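
The half-open connection signature mentioned above is simple enough to check with a few lines of code. The following is an added example, not code from the original post: it replays a constructed set of TCP flow records (documentation-range addresses, flag strings like a flow collector might export) and flags any one-second window in which many SYNs arrive to a destination but almost none of them complete the handshake.

```python
from collections import defaultdict

# Constructed TCP flow records as a flow collector might export them:
# (milliseconds since capture start, source IP, destination IP, TCP flags).
# Three legitimate clients complete the handshake (SYN, ACK, then PSH|ACK data);
# the flood sends 200 SYNs from 50 spoofed sources and never answers with ACK.
# All addresses are documentation ranges.
SAMPLE_FLOWS = []
for i, src in enumerate(["198.51.100.7", "198.51.100.8", "192.0.2.44"]):
    SAMPLE_FLOWS += [(100 * i, src, "203.0.113.10", "S"),
                     (100 * i + 20, src, "203.0.113.10", "A"),
                     (100 * i + 40, src, "203.0.113.10", "PA")]
for i in range(200):
    SAMPLE_FLOWS.append((300 + 5 * i, f"192.0.2.{100 + i % 50}", "203.0.113.10", "S"))


def half_open_stats(flows, window_ms=1000):
    """Count SYNs seen vs. handshakes completed per destination per window.

    Returns {(dst, window_index): {"syn": n, "completed": m}}. Many SYNs with
    almost no completions is the half-open (SYN flood) signature.
    """
    stats = defaultdict(lambda: {"syn": 0, "completed": 0})
    pending = set()  # (src, dst) pairs whose SYN has not been ACKed yet
    for ts, src, dst, flags in sorted(flows):
        key = (dst, ts // window_ms)
        if flags == "S":
            stats[key]["syn"] += 1
            pending.add((src, dst))
        elif "A" in flags and (src, dst) in pending:
            pending.discard((src, dst))
            stats[key]["completed"] += 1
    return dict(stats)


def flagged_windows(flows, window_ms=1000, min_syn=50, max_completion=0.2):
    """Return (dst, window, syn_count, completion_ratio) for suspicious windows."""
    out = []
    for (dst, w), c in sorted(half_open_stats(flows, window_ms).items()):
        ratio = c["completed"] / c["syn"] if c["syn"] else 1.0
        if c["syn"] >= min_syn and ratio <= max_completion:
            out.append((dst, w, c["syn"], round(ratio, 3)))
    return out


if __name__ == "__main__":
    for dst, w, syns, ratio in flagged_windows(SAMPLE_FLOWS):
        print(f"window {w}: {syns} SYNs to {dst}, completion ratio {ratio}")
```

The thresholds (50 SYNs per second, 20% completion) are assumptions for the sample data; tune them to the baseline your own servers normally see.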
 
2. Application Layer Attacks
 
Attacks at Layers 6 and 7 are often categorized as Application layer attacks. While these attacks are less common, they also tend to be more sophisticated. They are typically small in volume compared to Infrastructure layer attacks but focus on particularly expensive parts of the application, thereby making it unavailable for real users.
 
For instance, a flood of HTTP requests to a login page or an expensive search API, or even WordPress XML-RPC floods (also known as WordPress pingback attacks).
 
-
 
👉 How To Mitigate DDoS Attacks?
 
There is a term that is generally used here 'DDoS Mitigation'. It is the practice of either blocking or absorbing malicious spikes in network traffic and application usage caused by DDoS attacks, while still allowing legitimate traffic to flow uninterrupted.
 
All DDoS mitigation strategies and technologies are meant to counteract the business risks posed by the full range of DDoS attack methods your company may face. They are primarily designed to preserve the availability of the resources that attackers seek to disrupt.
 
Another purpose is to drastically reduce the time it takes you to respond to a DDoS, particularly since a DDoS attack is often used by the bad guys as a diversionary tactic while they carry out other kinds of attacks, such as exfiltration, elsewhere on the network.
 
The foundation of DDoS mitigation certainly rests in building up robust infrastructure, keeping resilience and redundancy top-of-mind all the time.
 
Apart from that, there are many techniques and strategies that you can use to offset DDoS attacks:
 
  1. You can strengthen your bandwidth capabilities.
  2. You can securely segment your networks and data centers.
  3. You can establish mirroring and failover mechanisms.
  4. You can configure your applications and protocols for resiliency.
  5. You can bolster the availability and performance through resources like CDNs.
 
REMINDER:
The strategies mentioned above are good, but not fail-proof, particularly in light of the fact that:
 
Massive DDoS attacks of over 500 Gbps and even over 1 Tbps have already been reported, and some of them were intensely long attacks lasting days and even weeks. What's more, attackers are increasing the cadence of attacks and the diversity of protocols and system types they target with their DDoS attempts.
 
-
 
👉 What Can You Do Next?
 
The reminder above warrants doing something more...
 
A.
You can minimize the attack surface area that can be attacked.
If you do that, you limit the options for attackers and can concentrate your protections in a single place. For example, make sure you don't expose your applications or resources on ports, protocols, or to applications from which they don't expect any communication. In some cases you can do this by placing your resources behind CDNs or load balancers and by restricting direct Internet traffic to certain parts of your infrastructure, such as your database servers. In other cases you can use firewalls or Access Control Lists (ACLs) to control what traffic reaches your applications.
 
B.
You must always have redundant Bandwidth. It is also known as redundant 'Transit capacity'. When you are architecting your applications, you should make sure your hosting provider provides you ample redundant Internet connectivity that allows you to handle extra-large volumes of traffic. Additionally, you can go a step further by employing smart DNS resolution services which provide an additional layer of network infrastructure for serving content and resolving DNS queries from locations that are often closer to your end-users.
 
C.
Having extra, scaled-up 'Server capacity' is also a great mitigation approach. Most DDoS attacks are volumetric attacks that use up a lot of resources, so it is very important that you can quickly scale your computation resources up or down. You can do this either by running on larger computation resources or on those with features like more extensive network interfaces or enhanced networking that support larger volumes. Additionally, it is common to use load balancers to continually monitor and shift loads between resources to prevent overloading any one resource.
 
D.
You must always know what your normal and abnormal traffic looks like. There is a concept known as 'Rate Limiting': you firmly establish a baseline of how much traffic is allowed or accepted, and if traffic starts to exceed that baseline, the extra traffic is denied access or a response. If you are not satisfied at this level, you can go one step further and intelligently accept only traffic that is legitimate, by analyzing the individual packets themselves. To do this, you need to understand the characteristics of the good traffic that your target system usually receives and be able to compare each packet against this baseline. This approach is sometimes called 'Scrubbing' your traffic.
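
The rate-limiting step can be illustrated with a per-client sliding window. The following is an added example, not code from the original post: it establishes a baseline (an assumed 10 requests per client per second) and replays a constructed request stream through it, so you can see the extra traffic from one client being denied while ordinary users are untouched.

```python
from collections import defaultdict, deque

# Constructed sample request stream: (milliseconds since start, client IP, path).
# One client hammers the expensive /search endpoint every 50 ms, far above the
# baseline; the other two behave like ordinary users. IPs are documentation ranges.
SAMPLE_REQUESTS = [(50 * i, "203.0.113.9", "/search?q=x") for i in range(40)]
SAMPLE_REQUESTS += [(730, "198.51.100.7", "/login"), (1890, "198.51.100.7", "/"),
                    (2410, "192.0.2.44", "/"), (2640, "192.0.2.44", "/search?q=y")]


class SlidingWindowLimiter:
    """Per-client sliding-window rate limiter.

    max_requests is the established baseline: the most requests one client is
    expected to make inside any window_ms interval. Anything beyond it is denied.
    """

    def __init__(self, max_requests, window_ms):
        self.max_requests = max_requests
        self.window_ms = window_ms
        self._allowed = defaultdict(deque)  # client -> timestamps of allowed requests

    def allow(self, client, now_ms):
        q = self._allowed[client]
        while q and now_ms - q[0] >= self.window_ms:  # age out old timestamps
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # over baseline for this window: deny
        q.append(now_ms)
        return True


def apply_limit(requests, max_requests=10, window_ms=1000):
    """Replay a request stream through the limiter in time order.

    Returns {client: {"allowed": n, "denied": m}} so the verdicts can feed an
    alert or a temporary block list.
    """
    limiter = SlidingWindowLimiter(max_requests, window_ms)
    verdicts = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for ts, client, _path in sorted(requests):
        verdict = "allowed" if limiter.allow(client, ts) else "denied"
        verdicts[client][verdict] += 1
    return dict(verdicts)


if __name__ == "__main__":
    for client, c in apply_limit(SAMPLE_REQUESTS).items():
        print(f"{client:14} allowed={c['allowed']:3} denied={c['denied']:3}")
```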
 
E.
You can deploy a Web Application Firewall (WAF) against sophisticated application-layer attacks. A WAF also protects you against some other attacks, e.g. SQL injection or cross-site request forgery, that attempt to exploit a vulnerability in your application itself. Additionally, because of the unique nature of these attacks, you can create customized mitigations against illegitimate requests that have characteristics like disguising themselves as good traffic or coming from bad IPs, unexpected geographies, etc.
 
F.
You should give serious thought to cloud-based DDoS mitigation solutions such as Cloudflare, Akamai, Imperva, Radware, etc., or to managed security service providers. When your monitoring and anomaly detection system senses malicious traffic or activity, your DDoS mitigation infrastructure should ideally be able to reroute that traffic through a cloud-based filtering system before it crosses the network edge, leaving legitimate traffic to continue unabated through existing systems as usual. The scrubbing done by that external resource helps organizations better block and absorb high-volume DDoS activity, maintaining uptime even when targeted by massive botnets.
 
G.
Additionally, you must bolster your DDoS mitigation strategies through effective 'Incident Response Planning.' This includes developing playbooks for numerous attack scenarios and regularly stress-testing capabilities to ensure that defenses perform as expected when they are under attack.
 
-
 
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
