Dark Reading is part of the Informa Tech Division of Informa PLC



5/27/2016 11:00 AM
Vincent Berk
Commentary

Ultimate Guide To DDoS Protection: DDoS Is A Business Problem

In the first of a two-part series, we examine the impact DDoS attacks have on business continuity - and why it is so much more than a network security problem.

DDoS attacks have been around pretty much as long as the Internet’s been around – and they still pose significant risks today for organizations of all sizes and types. But while the network security team is responsible for DDoS prevention, detection, and remediation, it’s not just a network security problem. Because DDoS can shut down an organization for hours – or even days – business repercussions can be significant.

There are many different kinds of DDoS attacks, but they can all be categorized into the following major groups:

Volumetric or connectionless attacks. This is the most common form of DDoS attack; the goal is to saturate the target's Internet bandwidth, and success is measured in bits per second. These attacks use botnets – networks of infected systems – and frequently reflection off open UDP services to flood the target network with more traffic than its links can carry, so operations slow or stop completely before the packets ever reach the servers behind those links.

TCP state-exhaustion or protocol attacks. These attacks target Web servers, firewalls, load balancers, and other stateful infrastructure elements and disrupt services by exhausting the number of connections these systems can track. The SYN flood is the classic example: a stream of half-open handshakes, measured in packets or connections per second rather than in bandwidth, can take a firewall down long before the link is full.

Application-layer or layer-7 attacks. These attacks exploit specific weaknesses in applications, as opposed to network services. Each request is individually valid but expensive to serve (a search, a login, a large report), so a comparatively small, low-bandwidth stream that never trips a volumetric threshold can still exhaust the application's CPU, database, or worker pool.

Zero-day attacks. These attacks target previously unknown vulnerabilities in a system or application for which there is no fix or patch yet available. Unlike the three classes above, this is not a traffic pattern: a handful of malformed packets or requests can crash or hang the service, so volume-based detection will not see it, and the response is patching, vendor engagement, and service restarts rather than scrubbing.
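To make the categories concrete, here is an added example (not code from the article, and not FlowTraq's product) that labels a one-second window of flow records as volumetric, state-exhaustion, or application-layer. The `Flow` fields, the thresholds, and the sample traffic are assumptions constructed for illustration; a zero-day denial of service is deliberately absent, because no traffic counter would reveal it.

```python
"""Added example (not from the article): label a one-second window of flow
records with the DDoS classes described above.

Thresholds, field names and the sample traffic are all constructed for
illustration; tune the limits to the link and servers you actually run."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 1.0
VOLUMETRIC_BPS = 500_000_000    # hypothetical: 500 Mbit/s toward one destination
SYN_HALF_OPEN = 2_000           # hypothetical: handshakes left incomplete per window
L7_REQ_PER_SEC = 1_000          # hypothetical: HTTP requests per second to one host


@dataclass(frozen=True)
class Flow:
    """One flow record as a NetFlow/IPFIX-style sensor might export it."""
    src: str
    dst: str
    dport: int
    packets: int
    octets: int
    tcp_flags: str       # cumulative flags seen, e.g. "S" or "SPA"; "" for UDP
    http_path: str = ""  # set only when the sensor decodes the request


def classify_window(flows, window_seconds=WINDOW_SECONDS):
    """Return {dst: set(labels)} for every destination that trips a threshold."""
    octets_to = defaultdict(int)
    half_open_to = defaultdict(int)
    requests_to = defaultdict(int)
    for f in flows:
        octets_to[f.dst] += f.octets
        # A single-packet flow that only ever set SYN never completed the
        # handshake: a backlog slot consumed for nothing (state exhaustion).
        if f.tcp_flags == "S" and f.packets == 1:
            half_open_to[f.dst] += 1
        # Layer-7 floods ride on completed connections and look like real
        # traffic on the wire, so they are counted in requests, not bytes.
        if f.http_path:
            requests_to[f.dst] += 1

    verdict = {}
    for dst in octets_to:
        labels = set()
        if octets_to[dst] * 8 / window_seconds > VOLUMETRIC_BPS:
            labels.add("volumetric")
        if half_open_to[dst] > SYN_HALF_OPEN:
            labels.add("state-exhaustion")
        if requests_to[dst] / window_seconds > L7_REQ_PER_SEC:
            labels.add("application-layer")
        if labels:
            verdict[dst] = labels
    return verdict


TARGET = "198.51.100.10"   # constructed victim address (TEST-NET-2)


def volumetric_sample():
    """3,000 bots each pushing 256 KB of UDP junk in one second (~6 Gbit/s)."""
    return [Flow(f"203.0.113.{i % 250}", TARGET, 53, 200, 256_000, "")
            for i in range(3_000)]


def syn_flood_sample():
    """5,000 lone SYNs from 5,000 different (spoofed) sources, 40 bytes each."""
    return [Flow(f"198.18.{i // 256}.{i % 256}", TARGET, 443, 1, 40, "S")
            for i in range(5_000)]


def layer7_sample():
    """1,500 completed connections each issuing one expensive search request."""
    return [Flow(f"192.0.2.{i % 200}", TARGET, 443, 12, 9_000, "SPA",
                 "/search?q=" + str(i)) for i in range(1_500)]


def baseline_sample():
    """Ordinary browsing: 200 clients fetching the front page."""
    return [Flow(f"192.0.2.{i}", TARGET, 443, 12, 9_000, "SPA", "/index.html")
            for i in range(200)]


if __name__ == "__main__":
    for name, sample in (("volumetric", volumetric_sample()),
                         ("syn flood", syn_flood_sample()),
                         ("layer 7", layer7_sample()),
                         ("baseline", baseline_sample())):
        print(f"{name:10s} -> {classify_window(sample) or 'clean'}")
```

Note how the SYN flood moves only 1.6 Mbit/s and the layer-7 flood about 100 Mbit/s: neither comes close to the volumetric threshold, which is why a bandwidth alarm alone leaves two of the three classes undetected.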

The Problem is Growing

The number of DDoS attacks has been increasing and sees no sign of letting up. The Verisign Distributed Denial of Service Trends Report found that DDoS attack activity increased 85% year over year. And the bad news doesn’t stop there. The attacks themselves are getting bigger, with an average attack size of 6.88 Gbps. In the timeframe covered by the report, Verisign mitigated the largest ever attack it has seen at 125 Gbps. The recent attack on the BBC may have been the largest in history – 602 Gbps!

DDoS is Cheap and Easy for Attackers

There are any number of tools freely available on the Internet that let anyone with malicious intent perpetrate a DDoS attack. Attackers need resources to scale the attack, but building a botnet is pretty easy, too: methods and tools are freely available online, or they can rent a botnet for as little as $2 per hour or buy one for $700, according to the Wall Street Journal.

With the emergence of DDoS-for-hire or DDoS-as-a-Service, would-be attackers don’t need to have any knowledge or resources at all – just cash. Even this is incredibly cheap – the average cost is reportedly around $40 per hour. These organizations operate as “professional” services with discounts, subscription packages and return policies. They promote themselves as “DDoS simulators” or resources to check your own security defenses – but nothing stops a paying customer from launching an attack on an unsuspecting victim.

The Modern Network is Riddled with Exploit Opportunities

Today’s networks are complex, with a large number of systems, applications, connection points, and protocols. Add mobility and the Internet of Things (IoT), and the number of connected devices and components is exploding. Every additional system and connection point widens the attack surface and the monitoring burden with it: each one is a potential target for a denial-of-service attack and, if compromised, a potential bot in someone else’s. Every system, application, and connection point needs to be built and configured to maximize security and minimize potential vulnerabilities, and a defense-in-depth strategy that combines multiple security tools, procedures, and approaches remains important.

DDoS Detection: The [Dark] Power of Distributed

Denial of service is the goal of the DDoS attack. But the distributed nature of the attack, using botnets, and the use of IP address spoofing make the attacking machines difficult to identify. That also makes the attack harder to mitigate: filtering on source address does little good when each spoofed address appears once and the next second brings a fresh set, so defenders have to fall back on rate, protocol, and behavioral signals rather than a list of bad addresses.

Speed is Critical

Kaspersky’s Global IT Security Risks Survey 2014 – Distributed Denial of Service (DDoS) Attacks found that a single DDoS attack can cost companies from $52,000 to $444,000 in lost business and IT spending, depending on the size of the company. This doesn’t even factor in the financial impact of reputational harm. When your organization gets hit by a DDoS attack (no matter what size your company is, it really is a matter of when and not if), you need to be able to detect and respond fast. You need to be able to detect within seconds and mitigate within minutes.
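The two points above, that spoofing defeats source-based filtering and that detection has to happen within seconds, can be shown side by side. The following is an added example (not code from the article or from FlowTraq): a constructed stream of SYN arrivals with legitimate clients throughout and a spoofed flood layered on from second 10. A per-source rate limiter never fires, because no spoofed address ever sends a second packet, while an aggregate per-second counter alarms in the first second of the attack. The limits and the traffic are hypothetical.

```python
"""Added example (not from the article): why per-source filtering fails against
a spoofed SYN flood while an aggregate rate alarm fires within one second.

All traffic below is constructed; the limits are hypothetical."""
from collections import Counter

PER_SOURCE_LIMIT = 50       # hypothetical: SYN/s one client may send before it is blocked
AGGREGATE_LIMIT = 5_000     # hypothetical: SYN/s the server's accept backlog can absorb
CLIENT_SYN_PER_SEC = 3      # each legitimate client opens three connections a second
ATTACK_START = 10           # second at which the flood begins
ATTACK_SECONDS = 5
ATTACK_SYN_PER_SEC = 20_000


def spoofed_source(n):
    """n-th spoofed address. An odd multiplier modulo 2**24 is a bijection, so
    every SYN carries a different address and no address ever repeats
    (constructed 10/8 addresses; real floods spoof across the whole space)."""
    x = (n * 2_654_435_761) % (1 << 24)
    return f"10.{x >> 16}.{(x >> 8) & 0xFF}.{x & 0xFF}"


def build_events(total_seconds=ATTACK_START + ATTACK_SECONDS):
    """(timestamp, source) for every SYN seen: 400 steady legitimate clients,
    with the flood layered on top from ATTACK_START onward."""
    events = []
    clients = ([f"192.0.2.{i}" for i in range(200)]
               + [f"198.51.100.{i}" for i in range(200)])
    for s in range(total_seconds):
        for c in clients:
            for k in range(CLIENT_SYN_PER_SEC):
                events.append((s + k / CLIENT_SYN_PER_SEC, c))
    n = 0
    for s in range(ATTACK_START, ATTACK_START + ATTACK_SECONDS):
        for k in range(ATTACK_SYN_PER_SEC):
            events.append((s + k / ATTACK_SYN_PER_SEC, spoofed_source(n)))
            n += 1
    return events


def per_source_offenders(events):
    """Sources exceeding PER_SOURCE_LIMIT in any one-second bucket: what a
    per-IP rate limiter or blocklist would act on."""
    counts = Counter((int(t), src) for t, src in events)
    return {src for (_, src), n in counts.items() if n > PER_SOURCE_LIMIT}


def aggregate_first_alert(events):
    """First second whose total SYN count exceeds AGGREGATE_LIMIT, or None."""
    per_second = Counter(int(t) for t, _ in events)
    for s in sorted(per_second):
        if per_second[s] > AGGREGATE_LIMIT:
            return s
    return None


def distinct_sources(events, second):
    """How many addresses a source-based filter would need to hold for one second."""
    return len({src for t, src in events if int(t) == second})


if __name__ == "__main__":
    ev = build_events()
    print("per-source offenders:", per_source_offenders(ev) or "none")
    print("aggregate alarm at second:", aggregate_first_alert(ev))
    print("distinct sources before/after attack start:",
          distinct_sources(ev, ATTACK_START - 1), distinct_sources(ev, ATTACK_START))
```

The aggregate counter is only the trigger; the same one-second buckets can feed a rate limiter or SYN-cookie fallback on the server, which is what actually buys the minutes needed to swing traffic to a scrubbing service.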

You Detected a DDoS Attack … Now What?

Detecting an attack is just the first step. Once you realize that your organization is under attack, you need to stop the onslaught, and the key is to do this without disrupting legitimate traffic. This requires passing network traffic through “scrubbing” filters that drop the attack traffic and forward the rest. This typically happens in the cloud: traffic is diverted to a provider’s scrubbing centers (by a BGP route announcement or a DNS change), whose capacity can absorb today’s large DDoS attacks, minimizing the impact to your own network. Rehearse the diversion before you need it; the time it takes to swing traffic over counts against the minutes you have to mitigate.

Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. He is a member of ACM and the IEEE.

Comments
RyanSepe, 5/29/2016 12:36:33 PM
Ease of Execution
As the article denotes, DDoS is very low in terms of complexity for an attacker to execute. The fact that it can be so extremely detrimental to a business makes it a dangerous tool in an attacker's arsenal. A plausible speculation is that this type of threat will be around for years to come.
RyanSepe, 5/29/2016 12:34:16 PM
Effective but Costly
I would recommend, if you had the money to do it, using a traffic scrubber like Prolexic. The traffic is diverted from your network and scrubbed for genuine purpose. Monitoring at the pipe is good too, but it has its cons.