Four ways to defend against DDoS attacks
- 17 September, 2013 18:28
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Given that Distributed Denial of Service (DDoS) attacks are becoming more frequent, it is a good time to review the basics and how you can fight back.
A DDoS is an attack method used to deny access for legitimate users of an online service. This service could be a bank or e-commerce website, a SaaS application, or any other type of network service. Some attacks even target VoIP infrastructure.
An attacker uses a non-trivial amount of computing resources, which they either built themselves or, more commonly, by compromising vulnerable PC's around the world, to send bogus traffic to a site. If the attacker sends enough traffic, legitimate users of a site can't be serviced.
For example, if a bank website can handle 10 people a second clicking the Login button, an attacker only has to send 10 fake requests per second to make it so no legitimate users can login. There are a multitude of reasons someone might want to shut a site down: extortion, activism, competitive brand damage, and just plain old boredom.
DDoS attacks vary in both sophistication and size. An attacker can make a fake request look like random garbage on the network, or more troublesome, make the attack traffic look exactly like real web traffic. In addition, if the attacker has enough computing resources at their disposal, they can direct enough traffic to overwhelm the target's bandwidth.
The simplest types of attacks are Layer 3 and 4 attacks (IP and UDP/TCP in the OSI stack). These simply flood the network and servers such that they can no longer process legitimate network traffic because the attacks have saturated the network connectivity of the target. A more complex Layer 7 attack "simulates" a real user trying to use a web application by searching for content on the site or clicking the "add to cart" button.
There are four main types of protection from DDoS attacks:
* Do It Yourself. This is the simplest and least effective method. Generally someone writes some Python scripts that try to filter out the bad traffic or an enterprise will try and use its existing firewalls to block the traffic. Back in the early 2000s, when attacks were pretty simple, this could work. But these days, attacks are far too large and complex for this type of protection. A firewall will melt quite quickly under the load of even a trivial attack
* Specialized On-Premises Equipment. This is similar to "Do It Yourself" in that an enterprise is doing all the work to stop the attack, but instead of relying on scripts or an existing firewall, they purchase and deploy dedicated DDoS mitigation appliances. These are specialized hardware that sit in an enterprise's data center in front of the normal servers and routers and are specifically built to detect and filter the malicious traffic. However, there are some fundamental problems with these devices:
" They are costly CAPEX purchases that may sit around and do nothing until you get attacked. They also can be expensive to operate. You need skilled network and security engineers to work these devices - there is no magic "mitigate DDoS" button.
" They must be constantly updated by the operations team to keep up to date with the latest threats. DDoS tactics change almost daily. Your team must be prepared to update these devices to the latest threats.
" They can't handle volumetric attacks. It's unlikely that an enterprise would have enough bandwidth coming in to handle the very large DDoS attacks occurring today. These hardware appliances don't do any good when the attack exceeds network capacity.
* Internet Service Provider (ISP). Some enterprises use their ISP to provide DDoS mitigation. These ISP's have more bandwidth than an enterprise would, which can help with the large volumetric attacks, but there are three key problems with these services as well:
" Lack of core competency: ISP's are in the business of selling bandwidth and don't always invest in the required capital and resources to stay ahead of the latest DDoS threats. It can become a cost center to them - something they have to provide, so they do it as cheaply as possible.
" Single provider protection: Most enterprises today are multi-homed across two or more network providers to remove the single point of failure of a provider. Having two providers is a best practice to maximize uptime. ISP DDoS mitigation solutions only protect their network links, not the other links you might have, so now you need DDoS mitigation services from different providers, doubling your cost.
" No cloud protection: Similar to the above, a lot of Web applications these days are split between enterprise-owned data centers, and cloud services like Amazon AWS, GoGrid, Rackspace, etc. ISP's can't protect traffic on these cloud services.
* Cloud Mitigation Provider. Cloud mitigation providers are experts at providing DDoS mitigation from the cloud. This means they have built out massive amounts of network bandwidth and DDoS mitigation capacity at multiple sites around the Internet that can take in any type of network traffic, whether you use multiple ISP's, your own data center or any number of cloud providers. They can scrub the traffic for you and only send "clean" traffic to your data center.
Cloud mitigation providers have the following benefits:
" Expertise: Generally, these providers have network and security engineers and researchers who are monitoring for the latest DDoS tactics to better protect their customers.
" Lots of bandwidth: These providers have much more bandwidth than an enterprise could provision on its own to stop the biggest volumetric attacks.
" Multiple types of DDoS mitigation hardware: DDoS attacks are extremely complex. There is a need for multiple layers of filtering to be able to keep up with the latest threats. Cloud providers should take advantage of multiple technologies, both commercial off the shelf (COTS) and their own proprietary technology to defend against attacks
Cloud mitigation providers are the logical choice for enterprises for their DDoS protection needs. They are the most cost effective and scalable solution to keep up with the rapid advances in DDoS attacker tools and techniques.
Read more about wide area network in Network World's Wide Area Network section.