How To Select A DDoS Mitigation Service

Download the entire Dark Reading July 2012 Digital Issue

Late last month, two members of the hacker group LulzSec pleaded guilty to launching distributed denial-of-service (DDoS) attacks against entities ranging from the state of Arizona to Nintendo to the CIA. Yet despite extensive media coverage of such attacks, chief information security officers are still surprised when their companies get hit.

This is not an unforeseeable lightning bolt from the blue, people. The cyber world is full of anonymous arsonists, and too many businesses are operating without a fire department on call. A few sprinklers won't cut it when things flare out of control. Firewalls and intrusion-prevention system appliances are no substitute for specialized DDoS backup when an attack escalates.

Proactively securing a mitigation service can be a good insurance policy--in fact, it's better than insurance, which pays off only after damage is done. That's because mitigation services are designed to prevent destruction from occurring in the first place. Not only can a mitigation service act as a deterrent--many attackers will move on to easier prey when they see an initial DDoS attack fail--but these providers have the capacity and expertise to rapidly scale DDoS countermeasures against coordinated, professional attacks. That can mean keeping your website online even under heavy bombardment.

Big And Small Companies At Risk

Denial-of-service attacks used to be something that happened to other people, those with high online visibility. Not anymore. "We've seen very small companies come to us and they can't figure out why they're under attack," says Chris Richter, VP of security products and services at Savvis. They ask, "'What have we done?'"

Blame the proliferation of prepackaged DDoS toolkits, such as the Low Orbit Ion Cannon and Dirt Jumper, for the fact that no one's safe. Like any brute-force tactic, DDoS relies on the fact that any attack, even the most rudimentary, repeated with sufficient volume and frequency, can effectively shut down a network or website. Botnets often span thousands or millions of systems worldwide; Akamai, for example, provides a real-time attack heat map. In early July, attack rates were almost 30% above normal, with hot spots in Delaware and Italy. Geographic dispersion, coupled with network traffic crafted to look like legitimate connections from normal users, makes DDoS attacks both extremely effective and difficult to defeat if you're not an expert with the right tools.

There are three main distributed denial-of-service categories:

>> Volumetric attacks overwhelm WAN circuits with tens of gigabits per second of meaningless traffic--so-called ICMP or UDP floods.

>> Layer 3 attacks abuse TCP. For example, SYN floods overload network equipment by starting but never completing thousands of TCP sessions using forged sender addresses. SYN floods can be in excess of 1 million packets per second, largely in response to the wider deployment of hardware countermeasures on firewalls and other security appliances, says Neal Quinn, COO of DDoS mitigation specialist Prolexic.

>> Layer 7 floods use HTTP GET or POST requests to overload application and Web servers. From the attacker's perspective, L7 exploits aren't anonymous. The attacking client's identity (IP address) is exposed because a TCP handshake must be completed. Attackers who use this approach consider the risk outweighed by the technique's effectiveness at much lower volumes and the traffic's stealthy nature. Requests are designed to look like normal Web traffic, factors that make L7 attacks hard to detect.

Our InformationWeek 2012 Strategic Security Survey shows that the increasing sophistication of threats is the most-cited reason for worry among respondents who say their orgs are more vulnerable now than in 2011, and L7 attacks are certainly sophisticated. They're also getting more common: Mark Teolis, founder and CEO of DOSarrest, a DDoS mitigation service, says 85% of the attacks his company sees have a Layer 7 component. Attackers leveraging L7 are often developers; they may do some reconnaissance on a website, looking for page requests that aren't cacheable and are very CPU-intensive--things like filling a shopping cart, searching a database, or posting a complex form.

Teolis says that a mere 2 to 3 Mbps increase in specially crafted L7 traffic can be crippling. "We've had gaming sites tell us they can handle 30,000 customers, but if 100 hit this one thing, it'll bring down the entire site," he says.

Layer 7 attacks are tough to defeat not only because the incremental traffic is minimal, but because it mimics normal user behavior. Teolis has seen attacks where an individual bot may hit a site only once or twice an hour--but there are 20,000 bots involved. Conventional network security appliances just can't handle that kind of scenario. And meanwhile, legitimate customers can't reach your site.

IT Pro Impact

Why a DDoS Mitigation Service Could Save Your Assets
Our full report on DDoS mitigation services is free with registration.

This report includes 17 pages of action-oriented analysis. What you'll find:

• Ways to detect when you're under attack
• Insights into top security threats for enterprises and federal cybersecurity pros

Get This And All Our Reports