Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/1/2020
09:00 AM
Dark Reading
Dark Reading
Sponsored Article
50%
50%

DDoS Attack Mitigation: Don't Sacrifice Speed for Security

Why common strategies for stopping DDoS attacks sometimes cause the same slowdowns they're trying to prevent.

The website and network outages and slow traffic speeds caused by DDoS attacks can hurt conversions, increase drop-off rates, and degrade your customer experience. Research shows that 25% of users will leave a website that takes longer than four seconds to load. The consequences of lost uptime and performance can be severe for companies in certain industries. For instance, in financial trading platforms, a one millisecond advantage can be worth $100 million a year to a major brokerage firm. In e-commerce, Amazon discovered that 100 milliseconds of extra load time cost them 1% in sales.

Unfortunately, common strategies for stopping DDoS attacks sometimes cause the same slowdowns they’re trying to prevent. For example, many DDoS mitigation providers rely on one of two methods for stopping an attack: scrubbing centers, or on-premise scanning and filtering via hardware boxes. The problem with both approaches is that they impose a latency penalty that can adversely affect your business.

Scrubbing
The DDoS mitigation method of scrubbing involves re-routing all of your network traffic to scrubbing servers in designated geographic locations in an attempt to filter or ‘scrub’ out malicious traffic from the non-malicious. In an ideal scenario, the scrubbing server will only forward non-DDoS packets to the online application that is under attack.

In reality, scrubbing creates three issues: latency, operational expenses, and a lack of expertise to discern between good and bad traffic Bandwidth management can quickly become complex and expensive when maintaining multiple scrubbing centers. Each scrubbing server requires multiple terabits per second,  (Tbps) of bandwidth to properly defend against today’s DDoS attacks that meet or exceed 1Tbps in size. When an organization has only one scrubbing center, it acts as a bottleneck and creates large amounts of latency while all network traffic is filtered and then forwarded back to the original server.

Scrubbing is also expensive. For multiple scrubbing servers to handle a probable 100 Gbps of attack traffic at line rate, they’ll need specialized network and server hardware, including line cards in routers, network adapter cards in servers, and the actual servers. To efficiently use scrubbing centers, network engineers need to have expertise in TCP/IP, DNS, HTTP, and TLS protocols to properly pinpoint malicious traffic from non-malicious, which increases in difficulty as bad actors attempt to camouflage their DDoS packets as legitimate.

On-Premise Hardware Boxes
Another DDoS mitigation uses on-premise hardware boxes to scan traffic and filter out malicious requests. Similar to scrubbing, the scanning hardware introduces network latency and inhibits performance due to the bottleneck nature of re-routing network traffic through the boxes to complete the scanning process. Since scanning hardware is a single point of defense, a local hardware box needs enough network capacity to sort through multiple-Tbps of incoming traffic to filter out unwanted packets. On-premise anti-DDoS appliances often have a bandwidth limit by default, which is based on the combination of the organization’s network capacity and the box’s hardware capacity.

Always-On or On-Demand Mitigation?
A better way to detect and mitigate DDoS attacks is to do so close to the source — at the network edge. By scanning traffic at the closest point of presence in a global, distributed network, high service availability is assured, even during substantial DDoS attacks. This approach reduces the latency penalties that come from routing suspicious traffic to geographically distant scrubbing centers. It also leads to faster attack response times.

But even when mitigating DDoS attacks at the network edge, there is another important choice to make: always-on protection versus on-demand protection. Always-on protection constantly scans traffic for potential attacks, while an on-demand approach only works once an attack has been detected. In general, an always-on approach reduces time-to-mitigation, since it does not rely on human awareness of an attack. When accompanied with flat-rate pricing, always-on can also be less expensive on a dollar-per-Mbp basis for companies that experience attacks frequently. However, there are reasons why on-demand protection might be a better fit. A common one is control: some organizations might not want to add a persistent additional hop to their end-to-end network. In addition, always-on protection can make troubleshooting network issues more complex.

Learn more about how Cloudflare’s DDoS protection service and always-learning global Anycast cloud network—with points of presence in 200 cities in 90 countries—makes fast, unmetered mitigation possible. With 35 Tbps of network capacity and near-instant mitigation, Cloudfare can endure the largest network DDoS attacks while continuing to allow good traffic, and simultaneously keep your websites, applications, and entire networks elevated in performance and availability.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
roger nichols
50%
50%
roger nichols,
User Rank: Apprentice
6/24/2020 | 4:33:54 AM
Your DDoS mitigation makes no sense.. T
Your DDoS mitigation makes no sense.. There is nothing worse than Cloudflare's captha.. Nothing makes me more happy than seeing a site is protected by cloudflare... your math on financial losses by the millisecond are absolutely conjecture.. Try to do better. :)
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29510
PUBLISHED: 2021-05-13
Pydantic is a data validation and settings management using Python type hinting. In affected versions passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date` fields causes validation to run forever with 100% CPU usage (on one CPU). Pydantic has been patche...
CVE-2021-23906
PUBLISHED: 2021-05-13
An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A Message Length is not checked in the HiQnet Protocol, leading to remote code execution.
CVE-2021-23907
PUBLISHED: 2021-05-13
An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. The count in MultiSvGet, GetAttributes, and MultiSvSet is not checked in the HiQnet Protocol, leading to remote code execution.
CVE-2021-23908
PUBLISHED: 2021-05-13
An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A type confusion issue affects MultiSvSetAttributes in the HiQnet Protocol, leading to remote code execution.
CVE-2021-23909
PUBLISHED: 2021-05-13
An issue was discovered in HERMES 2.1 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. The SH2 MCU allows remote code execution.