DDoS attacks have been around pretty much as long as the Internet’s been around – and they still pose significant risks today for organizations of all sizes and types. But while the network security team is responsible for DDoS prevention, detection, and remediation, it’s not just a network security problem. Because DDoS can shut down an organization for hours – or even days – business repercussions can be significant.
There are many different kinds of DDoS attacks, but they can all be categorized into the following major groups:
Volumetric or connectionless attacks. This is the most common form of DDoS attack and the goal is to overwhelm a site’s bandwidth. These attacks use botnets – networks of infected systems – to flood the target network with so much traffic that operations are slowed or interrupted completely.
TCP state-exhaustion or protocol attacks. These attacks target Web servers, firewalls, load balancers, and other infrastructure elements to disrupt services by exhausting the number of connections these systems can support.
Application-layer or layer-7 attacks. These attacks exploit specific weaknesses in applications, as opposed to network services.
Zero-day attacks. These attacks target previously unknown vulnerabilities in a system or application for which there is no fix or patch yet available.
The Problem is Growing
The number of DDoS attacks has been increasing and sees no sign of letting up. The Verisign Distributed Denial of Service Trends Report found that DDoS attack activity increased 85% year over year. And the bad news doesn’t stop there. The attacks themselves are getting bigger, with an average attack size of 6.88 Gbps. In the timeframe covered by the report, Verisign mitigated the largest ever attack it has seen at 125 Gbps. The recent attack on the BBC may have been the largest in history – 602 Gbps!
DDoS is Cheap and Easy for Attackers
There are any number of tools freely available on the Internet to help people with malicious intent to perpetrate a DDoS attack. They will need resources to scale the attack, but building a botnet is pretty easy, too. Again, methods and tools are freely available online to help attackers build their own, or they can rent a botnet for as little as $2 per hour or buy a botnet for $700, according to the Wall Street Journal.
With the emergence of DDoS-for-hire or DDoS-as-a-Service, would-be attackers don’t need to have any knowledge or resources at all – just cash. Even this is incredibly cheap – the average cost is reportedly around $40 per hour. These organizations operate as “professional” services with discounts, subscription packages and return policies. They promote themselves as “DDoS simulators” or resources to check your own security defenses – but nothing stops a paying customer from launching an attack on an unsuspecting victim.
The Modern Network is Riddled with Exploit Opportunities
Today’s networks are complex, with a large number of systems, applications, connection points, and protocols. Add mobility and the Internet of things (IoT), and the number of connected devices and components is exploding. With increasing complexity and connection points comes increased potential vulnerabilities that attackers can exploit – which increases security and monitoring challenges. Every system, application, and connection point needs to be built and configured to maximize security and minimize potential vulnerabilities. Using multiple security tools, procedures, and approaches for a defense-in-depth strategy continues to be important.
DDoS Detection: The [Dark] Power of Distributed
Denial of service is the goal of the DDoS attack. But the distributed nature of the attack using botnets – and the use of IP address spoofing – makes the location of the attacking machines difficult to identify. It also makes it more difficult to mitigate because it’s tough to filter based on source address.
Speed is Critical
Kaspersky’s Global IT Security Risks Survey 2014 – Distributed Denial of Service (DDoS) Attacks found that a single DDoS attack can cost companies from $52,000 to $444,000 in lost business and IT spending, depending on the size of the company. This doesn’t even factor in the financial impact of reputational harm. When your organization gets hit by a DDoS attack (no matter what size your company is, it really is a matter of when and not if), you need to be able to detect and respond fast. You need to be able to detect within seconds and mitigate within minutes.
You Detected a DDoS Attack … Now What?
Detecting an attack is just the first step. Once you realize that your organization is under attack, you need to stop the onslaught, but the key is to do this without disrupting legitimate traffic. This requires passing network traffic through “scrubbing” filters. This typically happens in the cloud, which can handle today’s large DDoS attacks, minimizing the impact to your network.