Denying the deniers: tackling DDoS attacks
- Published: Wednesday, 17 February 2016 09:15
By Professor Avishai Wool.
Distributed denial of service (DDoS) attacks are an old attack vector but they continue to be popular; and highly effective. Indeed, recent research released by Arbor Networks in its Annual Worldwide Infrastructure Security Report stated that DDoS attacks are on the rise, with half of the 354 global respondents’ data centers / centres suffering DDoS attacks: a 33 percent increase from 2014.
DDoS attacks have increased in frequency for some time: giving hackers a relatively uncomplicated method to bring a website down or disrupt a web service. Although DDoS attacks do not involve the stealing of data, they can be highly damaging in other ways, not least by affecting the trust and reputation that a company has among its customers. This can lead to financial damage through lost customers and lost business. Moreover, DDoS attacks can be used as a diversionary smokescreen for more aggressive attacks, as was the case with the November 2015 TalkTalk breach.
So what can organizations do to help protect themselves against the threat of DDoS and mitigate the effects of such attacks?
The first step is being able to quickly detect that you are under attack, and having a procedure in place to deal with it. Illegitimate traffic can be hard to distinguish from legitimate traffic, but the typical signs of a DDoS attack are a sharp increase in traffic to your website followed by a slowing down of performance.
Once a DDoS attack is underway, you have a number of options in terms of dealing with the bombardment:
ISP blocking and scrubbing: it is advisable to deal with the attack in an environment that’s removed from your network, to prevent it from affecting other areas of network performance. If you suffer a DDoS attack contact your Internet Service Provider, as many offer DDoS protection services such as blocking the originating IP addresses or ‘scrubbing’ malicious packets. They will also probably have greater bandwidth than you and are therefore likely to be able to deal with the attack more efficiently and effectively.
Blackholing: a common response to a DDoS attack is to simply route all website traffic into a black hole, thus taking the website offline until the attack ceases. The problem with this approach is that it blocks all traffic, both good and bad, which basically means that the hacker has achieved their objective.
Routers and firewalls: You can set up routers and firewalls policies to filter non-critical protocols, block invalid IP addresses and shut off access to specific high-risk segments of your network in the event of an attack. However, be aware that these techniques are somewhat ineffective against more sophisticated attacks that use spoofing or valid IP addresses.
Content delivery network: using a content delivery network to create replicas of your website for customers in different locations can help reduce the impact of the DDoS attack as well as make the extra DDoS related traffic easier to combat.
Anti-DDoS technology: many of the leading firewall appliance vendors offer specialized anti-DDoS modules, that can be deployed at the perimeter of your network or data center, which are designed to detect and filter malicious traffic. However, these are not automated and need to be constantly managed and updated by your operations team.
While there is no single ‘silver bullet’ solution that can stop a DDoS attack in its tracks once the traffic starts hitting your website, you can lessen its impact on your business by using a combination of the methods I’ve outlined here. As DDoS continues to be used as a cyber-weapon against websites and online resources, organizations should ensure that they have a response plan in place that includes these mitigation techniques, to help deny attempted denial-of-service attacks.
Professor Avishai Wool is CTO of AlgoSec.