
DDoS Mitigation - What Is, Techniques, & Steps

There are multiple ways that one can use to protect a network and/or applications from DDoS attacks. The main challenge lies in how legitimate traffic and malicious traffic are differentiated. There are several DDoS mitigation methods that exist, each with its own advantages and weaknesses. We will explore them in detail in this blog.

Before we can learn about DDoS attack mitigation, let’s first get a quick overview of DDoS attacks. Only then, we will be able to learn how they can be remediated and addressed in the right way.


What is a DDoS attack?

Distributed Denial of Service (DDoS) attacks are a subclass of Denial of Service (DoS) attacks. A DoS attack is designed to shut down a network or machine, making it unusable or inaccessible to its intended users.

A DDoS attack uses many connected online devices, collectively called a botnet, to overwhelm a target website with bogus traffic. It does not attempt to breach the security perimeter; instead, it focuses on making websites and servers unavailable to authorized, legitimate users.

DDoS attacks are often used as a smokescreen to conceal other malicious activity that is actually attempting to breach the target’s security perimeter.

A successful DDoS attack is highly visible because it affects an entire online user base, which makes it a popular choice for anyone looking to make a noticeable impact or champion a cause.

DoS attacks can be divided into application-layer attacks and network-layer attacks, and they can come as repeated assaults or short bursts. Either way, their impact can last for days, weeks, or even months, until the matter is fully resolved.

Thus, DDoS attacks can be extremely detrimental to organizations. They can lead to loss of revenue, hefty compensation payouts, erosion of consumer trust, and long-term reputation damage.

What is DDoS Mitigation?

DDoS mitigation is the practice of protecting a server or network from a DDoS attack by blocking and absorbing malicious spikes in network traffic and application usage. A cloud-based protection service or specialized network equipment is used to mitigate the incoming threat, and done properly, this does not impede the flow of legitimate traffic.

DDoS mitigation counteracts the business risks that are a result of DDoS attacks against an organization. These mitigation techniques are designed specifically to prioritize the preservation of the availability of resources that attackers aim to disrupt.

DDoS mitigation also aims to shorten the response time to DDoS attacks, since the attacks are often a diversionary tactic meant to distract from more serious attacks elsewhere on the network.

Stages of DDoS Mitigation

Mitigation through a cloud-based provider proceeds in 4 steps:

Detection

To stop a distributed attack, a website should be able to differentiate between an attack and a high volume of legitimate traffic. IP reputation, previous data, and common attack patterns are able to help with the detection of an actual attack.

Response

During the response stage, the DDoS protection network intelligently drops the identified malicious bot traffic and absorbs the rest. The network can prevent disruption by using WAF page rules against application-layer (L7) attacks, or another filtering process to handle lower-level (L3 and L4) attacks.

Routing

The traffic is then intelligently routed so that what remains is broken into manageable chunks, which is what makes the mitigation effective.

Adaptation

A good network will keep an eye on patterns in the traffic like specific attacks from certain countries, repeating offending IP blocks, or improperly-used protocols. By being aware of attack patterns and adapting accordingly, security can be tightened against future possible attacks.
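The detection and adaptation steps above, as an added example (not code from the original article): a rate-based detector that learns a baseline from constructed log lines, flags seconds that exceed it, and ranks the source /24 blocks behind the flagged traffic, with a constructed reputation list (KNOWN_BAD_BLOCKS) standing in for a real IP reputation feed.

```python
import ipaddress
import statistics
from collections import Counter

# Constructed sample log lines (not real traffic): "<unix_second> <client_ip>".
# Seconds 0-14 carry ~20 req/s from a /24 of ordinary users; seconds 10-14 add
# a flood from 200 hosts in 198.51.100.0/24 on top of that.
SAMPLE_LOG = [f"{t} 203.0.113.{i % 50 + 1}" for t in range(15) for i in range(20)]
SAMPLE_LOG += [f"{t} 198.51.100.{i % 200 + 1}" for t in range(10, 15) for i in range(600)]

# Constructed reputation list: blocks that were offenders in earlier attacks
# (an assumption standing in for a real IP reputation feed).
KNOWN_BAD_BLOCKS = {ipaddress.ip_network("198.51.100.0/24")}


def parse_log(lines):
    """Yield (second, ip_address) pairs, skipping malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            yield int(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue


def detect_flood(lines, baseline_seconds=10, factor=5.0):
    """Flag seconds whose request rate exceeds factor x the learned baseline.

    The baseline is the median req/s over the first baseline_seconds, which a
    short spike cannot skew. Flagged traffic is then aggregated per source /24
    so repeat-offending blocks can feed the reputation list (the adaptation step).
    """
    per_second = Counter()
    blocks_by_second = {}
    for sec, ip in parse_log(lines):
        per_second[sec] += 1
        block = ipaddress.ip_network(f"{ip}/24", strict=False)
        blocks_by_second.setdefault(sec, Counter())[block] += 1
    learn = [per_second.get(s, 0) for s in range(baseline_seconds)]
    baseline = statistics.median(learn) if learn else 0
    flagged = sorted(s for s, n in per_second.items()
                     if s >= baseline_seconds and n > factor * baseline)
    offenders = Counter()
    for s in flagged:
        offenders.update(blocks_by_second[s])
    # Blocks already on the reputation list rank first, then by volume.
    ranked = sorted(offenders.items(), reverse=True,
                    key=lambda kv: (kv[0] in KNOWN_BAD_BLOCKS, kv[1]))
    return {"baseline_rps": baseline, "flagged_seconds": flagged,
            "top_blocks": [(str(b), n) for b, n in ranked[:3]]}
```

A real deployment would learn the baseline per hour of day and per endpoint rather than from a single fixed window.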


Choosing the Right DDoS Mitigation Service

Traditional DDoS mitigation solutions require on-premise equipment that sits in front of a website to filter incoming traffic. This equipment is expensive to purchase and maintain, and such solutions rely heavily on networks that are capable of absorbing attacks.

If there is a large DDoS attack, the network infrastructure upstream is most likely to be taken out, which leaves on-site solutions unable to help. Therefore, certain characteristics need to be considered before purchasing a cloud-based DDoS mitigation service.

Scalability

An effective DDoS mitigation solution is expected to have the capability of adapting to the requirements of a growing business as well as responding to the growing size of the DDoS attacks that are encountered.

Flexibility

A web property can adapt to incoming threats in real time if ad hoc policies and patterns can be created. Being able to implement page rules and propagate those changes across the entire network can be critical to keeping a site working during an attack.

Reliability

DDoS protection is only put into effect when you need it, but it should be functional when it is time for it to work. Reliability is essential in a DDoS mitigation solution for it to be a successful protection strategy.

The service should have high uptime rates and site reliability engineers should be around at all times to ensure that the network is online and new threats are identified at the earliest. Failover, redundancy, and an expansive data center network should be the center of the platform strategy.

Network Capacity

Network capacity essentially reflects the overall scalability a provider can offer during an attack, and it is a good way to benchmark a DDoS mitigation service.

Most cloud-based DDoS mitigation services provide a multi-Tbps network capacity, which is beyond any individual customer’s requirement. On the other hand, on-premise services are capped by default by the organization’s network pipe size and internal hardware capacity.

Large networks that have extensive data transfer capabilities can help a mitigation provider to analyze and respond to attacks efficiently and quickly, often preventing attacks before they even occur. A good network analyzes data from attack traffic.

Key features:

  1. Bandwidth (measured in Gbps or Tbps)

An attack that exceeds the bandwidth of the DDoS provider will reach the protected servers.

  2. Deployment model (cloud-based or on-premise)

Cloud-based solutions are elastically scalable and can protect against high-volume DDoS attacks.

Processing Capacity

The processing capabilities, represented by forwarding rates, should also be considered when choosing a mitigation solution. This is measured in Mpps (million packets per second).

Today, attacks are capable of going above 50 Mpps (with some reaching even as high as 200-300 Mpps or beyond). An attack like that could exceed a mitigation provider’s processing power and its defenses could collapse. Due to this possibility, it is crucial to inquire about such limitations.

Key features:

  1. Forwarding rate (measured in Mpps)

An attack that exceeds the forwarding rate of the DDoS provider will reach the protected servers.

  2. Forwarding technique (DNS or BGP routing)

DNS-based routing is always active (always-on) and protects against application-layer and network-layer attacks. BGP-based routing can be either always-on or activated on demand, and it can protect against virtually any attack.

Latency

It is important to note that at some point, legitimate traffic to a website or application will pass through a DDoS provider’s network:

  • If the DDoS services are running on demand, the traffic will switch over to the DDoS provider when an attack occurs
  • If the DDoS services are always-on, all the traffic will pass through the provider’s servers

The connection between the DDoS provider and the data center must be well-functioning to avoid high latency issues for users. The following points should be evaluated first:

  • The geographical PoP (points of presence) offered by the DDoS provider and how close they are to the data center(s)
  • Whether the DDoS provider offers PoPs to the location of the main customer base
  • Whether the most advanced routing techniques are offered by the DDoS provider for optimal connectivity with the data center and the users

There are two options available as DDoS mitigation solutions:

  1. Always-on: The DDoS mitigation provider constantly protects the service or network
  2. On-demand: Only inserted when there is an attack


Time to Mitigation

From the time that an attack is detected, the time to mitigation is critical. While most attacks can cause damage within minutes, the recovery process can go on for hours. This downtime can have a negative impact on an organization for weeks and months.

Preemptive detection helps add a distinct advantage to always-on DDoS mitigation solutions. The near-instant mitigation often protects organizations from the get-go during any attack. A solution should be able to respond to an attack within seconds.

However, such response levels cannot be expected from all always-on solutions, so it is important to inquire about time to mitigation when evaluating a DDoS protection provider.

Network Layer Mitigation

Network-layer DDoS attacks rely on very large-scale traffic and are volumetric in nature; they can cause huge damage to infrastructure. The methods that DDoS providers use to mitigate network attacks aim to separate legitimate traffic from malicious traffic, eliminating malicious packets while allowing legitimate packets to reach their destination.

The following methods are supported by DDoS mitigation service providers:

  1. Null routing: Also known as blackholing, it directs all traffic to a non-existent IP address. However, null routing carries a high risk of false positives, since malicious and legitimate visitors alike are dropped.
  2. Sinkholing: Sinkholing diverts malicious traffic away from its target, using a list of known malicious IP addresses to identify the DDoS traffic. This method, however, cannot be used against IP spoofing. Sinkholing may also produce false positives because botnet IPs can be shared with legitimate users, but it is not as indiscriminate as null routing.
  3. Scrubbing: This method routes all incoming traffic through a security service. Malicious network packets can be detected based on their header content, point of origin, type, size, etc. The challenge, however, lies in scrubbing at line rate without adding lag or affecting legitimate users.
  4. IP masking: It hides the IP address of the origin server and prevents direct-to-IP DDoS attacks.
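Added example (not from the original article) of the scrubbing and sinkholing logic described above: a per-packet filter that drops spoofed (bogon) sources, sinkholed blocks, and unsolicited replies from reflection-prone UDP services, tracking outbound queries in a stateful set so genuine replies pass. The sinkhole list, the packets and the pending-query set are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sinkhole list of known-offender blocks (assumption, not real IoCs).
SINKHOLE = [ipaddress.ip_network("198.51.100.0/24")]
# Source ranges that can never legitimately arrive from the internet; a packet
# claiming one is spoofed and can be dropped with no risk of a false positive.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16")]
# UDP services whose replies get reflected at victims: a reply from one of
# these source ports is legitimate only if this network sent the query.
REFLECTOR_PORTS = {53, 123, 161, 1900, 11211}


def scrub(packet, pending_queries):
    """Return ("allow"|"drop", reason) for one parsed packet header.

    packet: dict with src, dst, proto, sport, dport, length.
    pending_queries: set of (remote_ip, remote_port, local_port) for outbound
    UDP queries still awaiting an answer; a matching reply consumes the entry.
    """
    src = ipaddress.ip_address(packet["src"])
    if any(src in net for net in BOGONS):
        return "drop", "spoofed source (bogon)"
    if any(src in net for net in SINKHOLE):
        return "drop", "sinkholed source block"
    if packet["proto"] == "udp" and packet["sport"] in REFLECTOR_PORTS:
        key = (packet["src"], packet["sport"], packet["dport"])
        if key in pending_queries:
            pending_queries.discard(key)
            return "allow", "reply to our own query"
        return "drop", "unsolicited reflector reply"
    return "allow", "no rule matched"


def scrub_batch(packets, pending_queries):
    """Scrub a list of packets; return the packets passed and drop reasons."""
    verdicts = [scrub(p, pending_queries) for p in packets]
    passed = [p for p, v in zip(packets, verdicts) if v[0] == "allow"]
    dropped = Counter(v[1] for v in verdicts if v[0] == "drop")
    return passed, dropped


# Constructed packets (not captured traffic): a DNS answer we asked for, an
# unsolicited NTP reply, a private-source packet, a sinkholed source, and a
# normal HTTPS client. Destination 203.0.113.10 is the protected host.
SAMPLE_PACKETS = [
    {"src": "192.0.2.53", "dst": "203.0.113.10", "proto": "udp", "sport": 53, "dport": 40001, "length": 120},
    {"src": "192.0.2.123", "dst": "203.0.113.10", "proto": "udp", "sport": 123, "dport": 40002, "length": 468},
    {"src": "10.1.2.3", "dst": "203.0.113.10", "proto": "tcp", "sport": 5555, "dport": 443, "length": 60},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "sport": 5556, "dport": 443, "length": 60},
    {"src": "192.0.2.99", "dst": "203.0.113.10", "proto": "tcp", "sport": 5557, "dport": 443, "length": 60},
]
PENDING_QUERIES = {("192.0.2.53", 53, 40001)}
```

The bogon and sinkhole checks are stateless and cheap enough for line rate; the reflector check needs per-flow state, which is exactly what limits a scrubbing center's forwarding rate in Mpps.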

Application Layer Mitigation

Application-layer DDoS attacks are much stealthier than network-layer ones. They mimic legitimate user traffic to evade security measures. Therefore, the solution should be able to profile incoming HTTP or HTTPS traffic and, on top of that, distinguish legitimate visitors from DDoS bots.

Key Features:

  1. Multiple inspection methods that identify legitimate traffic

Service providers should cross-inspect HTTP/S header content, check the IP address and Autonomous System Number (ASN), and inspect behavioral patterns to verify the legitimacy of each user session.

  2. Multiple challenges

To test whether the traffic is malicious or legitimate, security services sometimes use challenges, such as testing whether each requesting client can parse JavaScript and hold cookies. Overuse of CAPTCHAs, “delay pages”, and other filtering methods should be avoided so that legitimate visitors are not bothered and website engagement does not suffer.
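The cookie-holding challenge described above, as an added example (not the article's code): the server issues an HMAC-signed cookie bound to the client address, and only clients that store and return it reach the origin. SECRET, CHALLENGE_TTL, the cookie name and the request dict layout are assumptions; the JavaScript-parsing half of such challenges is not shown.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side key; in production it comes from a secret store
# shared by every edge node that validates the cookie.
SECRET = secrets.token_bytes(32)
CHALLENGE_TTL = 600  # seconds a solved challenge stays valid (assumption)
COOKIE = "ddos_challenge"


def _sign(client_ip, ts):
    msg = f"{client_ip}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(client_ip, now):
    """Cookie value set by the challenge page: '<issued_at>.<hmac>'."""
    ts = str(int(now))
    return f"{ts}.{_sign(client_ip, ts)}"


def token_valid(token, client_ip, now):
    """Accept only tokens we signed for this client that have not expired."""
    try:
        ts, mac = token.split(".", 1)
        fresh = 0 <= now - int(ts) <= CHALLENGE_TTL
    except ValueError:
        return False
    # Constant-time compare so the MAC cannot be probed byte by byte.
    return fresh and hmac.compare_digest(mac, _sign(client_ip, ts))


def handle_request(request, now=None):
    """Return (status, headers) for a request dict {"ip": ..., "cookies": {...}}.

    A client without a valid cookie gets a 503 challenge whose Set-Cookie a
    browser will store and echo back on retry; a flood tool that cannot hold
    cookies stays at the challenge and its requests never reach the origin.
    """
    now = time.time() if now is None else now
    ip = request["ip"]
    token = request.get("cookies", {}).get(COOKIE)
    if token and token_valid(token, ip, now):
        return 200, {}
    set_cookie = f"{COOKIE}={issue_token(ip, now)}; Path=/; HttpOnly; Secure"
    return 503, {"Set-Cookie": set_cookie, "Retry-After": "1"}
```

Binding the token to the client address means a cookie harvested by one bot cannot be replayed from the rest of the botnet, at the cost of re-challenging users whose address changes.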

Protection of Secondary Assets

Let’s explore the secondary assets that need to be protected as well:

  1. Protecting Applications
  2. Protecting APIs

Network infrastructure has multiple servers and other IT assets including DNS servers, web servers, FTP servers, email servers, and back-office CRM or ERP platforms. These can be targeted during a DDoS attack scenario and cause downtime or paralyze a business.

It is important to consider the risks to the entire network infrastructure and determine which components need protection. Remember that the DNS service is one of the most common attack targets and a single point of failure.

Key features:

  1. DNS name server protection

This provides protection against DNS floods and other DDoS attacks that attempt to crash or disrupt DNS name servers.

  2. Application protection

This covers the protection of common applications like CRM, FTP, email, and ERP.

Pricing and SLA

The pricing for DDoS mitigation services follows various structures as mentioned below:

1. Pure Pay-as-you-go Pricing

With this payment plan, there are no charges if there is no attack. When there is one, however, the cloud resources consumed to mitigate it can be very expensive. You may need to request a refund for those resources, so it is important to understand in advance under which circumstances a refund will be provided.

2. Pay-as-you-go Pricing Based on Attack Volume

DDoS assaults can last several hours to days (sometimes weeks). Therefore, pricing based on cumulative attack bandwidth (“n” Gbps/month) or a cumulative number of hours under attack (“n” hours/month) can quickly get out of hand.

3. Service-based Pricing

Some offerings include a base price for DDoS protection, with separate pricing for special services like provisioning, implementation, and others. While these services can be valuable, remember that they are part of the cost of the DDoS mitigation solution and should be included in the total cost of ownership.

4. Simple Flat Monthly Fee

This payment plan is the most preferred option for long-term agreements. The flat fee should include full coverage for all relevant attacks.

There are other factors to consider as well when comparing prices for mitigation solutions:

  • Different providers offer different capacities in different scrubbing centers. The total capacity across all scrubbing centers does not necessarily reflect the mitigation capacity available in the geography you care about, i.e., where your data center is.
  • The Service Level Agreement (SLA) is another crucial factor to consider—sometimes, more so than the cost.

Key pricing features:

1. Uptime Guarantee

While five nines (99.999%) is considered to be the best-case scenario, under three nines (99.9%) is considered to be unacceptable.

2. Protection Levels

The service provider’s SLA should define the attack types, size, as well as duration that they will cover.

3. Support Service Level

The SLA should also mention response times for support issues. The support service levels are usually defined depending on the severity levels of the problem.

Support

It is always wise to ensure that the service provider offers professional support services even if the DDoS mitigation service is fully automated. An automated service is usually preferred because it provides a fast response to attacks.

The need may arise to talk to the service provider to understand what is happening in the event of an attack and resolve such critical issues that are affecting legitimate traffic. It is essential to make sure that the DDoS mitigation service operates a Security Operations Center or SOC that has security specialists available on call 24×7 all year round for emergencies.

Generalist or Specialist

There is a diverse range of services, providers, and technologies that make up the DDoS mitigation market. Specialty companies that are more security-focused offer more advanced solutions. They designate experts to handle ongoing security research and round-the-clock monitoring of new attack vectors.

Generalists like hosting providers and ISPs provide basic mitigation solutions as an “add-on” to their core services. Their aim is to upsell these services to existing customers. The mitigation services that are offered by generalists only suffice for small and simple attacks.

If online applications are employed for regular business operations, then it makes more sense to opt for a specialist DDoS protection provider as it poses the lowest risk for the organization.

It is also advised to consider additional security offerings when selecting a DDoS mitigation service provider.

Conclusion

A well-rounded DDoS mitigation provider will offer other security solutions like data security, application security, and network protection as well along with its DDoS mitigation services. It is better to opt for a solution that comes integrated with additional security features as it will offer well-rounded security to an organization.


About the Author

Lead Penetration Tester

Shivanshu is a distinguished cybersecurity expert and Penetration tester. He specialises in identifying vulnerabilities and securing critical systems against cyber threats. Shivanshu has a deep knowledge of tools like Metasploit, Burp Suite, and Wireshark.