There are several ways to protect a network or application from DDoS attacks. The main challenge lies in telling legitimate traffic apart from malicious traffic. Each of the existing DDoS mitigation methods has its own advantages and weaknesses, and this blog explores them in detail.
Before we look at DDoS mitigation, let’s first take a quick look at DDoS attacks themselves. Only then can we understand how they are remediated and addressed in the right way.
What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack is a subclass of Denial of Service (DoS) attack. What is a DoS attack? It is an attack designed to shut down a network or machine, making it unusable or inaccessible to its intended users.
A DDoS attack uses many connected online devices, collectively called a botnet, to overwhelm a target website with fake traffic. It does not attempt to breach the security perimeter; instead, it focuses on making websites and servers unavailable to authorized, legitimate users.
DDoS attacks are often used as a smokescreen to conceal other malicious activity that is actually attempting to breach the target’s security perimeter.
A successful DDoS attack is highly visible because it affects an entire online user base, which makes it a popular choice for anyone looking to make a noticeable impact or champion a cause.
DoS attacks can be divided into application-layer and network-layer attacks, and they can arrive as repeated assaults or short bursts. Either way, the impact can last for days, weeks, or even months until the matter is fully resolved.
DDoS attacks can therefore be extremely detrimental to organizations. They can lead to lost revenue, hefty compensation payouts, erosion of consumer trust, and long-term reputation damage.
What is DDoS Mitigation?
DDoS mitigation is the practice of protecting a server or network from a DDoS attack by blocking and absorbing malicious spikes in network traffic and application usage. A cloud-based protection service or specialized network equipment is used to mitigate the incoming threat, without impeding the flow of legitimate traffic.
DDoS mitigation counteracts the business risks that result from DDoS attacks against an organization. These techniques are designed specifically to preserve the availability of the resources that attackers aim to disrupt.
DDoS mitigation also aims to shorten the response time to DDoS attacks, since an attack is often a diversionary tactic meant to distract from other, more serious attacks elsewhere on the network.
Stages of DDoS Mitigation
Mitigating an attack with a cloud-based provider proceeds in four steps:
1. Detection: To stop a distributed attack, a website must be able to differentiate between an attack and a high volume of legitimate traffic. IP reputation, previous attack data, and common attack patterns help detect an actual attack.
2. Response: During the response stage, the DDoS protection network intelligently drops identified malicious bot traffic and absorbs the rest. The network prevents disruption with WAF page rules for application-layer (L7) attacks or with another filtering process for lower-level (L3 and L4) attacks.
3. Routing: The traffic is then intelligently routed, breaking the remaining traffic into manageable chunks, to provide effective mitigation.
4. Adaptation: A good network keeps an eye on traffic patterns such as specific attacks from certain countries, repeat-offending IP blocks, or improperly used protocols. By being aware of attack patterns and adapting accordingly, security can be tightened against future attacks.
Choosing the Right DDoS Mitigation Service
Traditional DDoS mitigation solutions rely on on-premises equipment that filters incoming traffic. This equipment is expensive to purchase and maintain, and such solutions depend heavily on a network that is capable of absorbing the attack.
In a large DDoS attack, the network infrastructure upstream is likely to be taken out first, which leaves on-site solutions unable to help. The following characteristics should therefore be considered before purchasing a cloud-based DDoS mitigation service.
An effective DDoS mitigation solution is expected to have the capability of adapting to the requirements of a growing business as well as responding to the growing size of the DDoS attacks that are encountered.
A web property can adapt to incoming threats in real time when ad hoc policies and patterns can be created. The ability to implement page rules and propagate those changes across the entire network can be critical to keeping a site running during an attack.
DDoS protection only comes into effect when you need it, but it must work when that time comes. Reliability is essential for a DDoS mitigation solution to be a successful protection strategy. The service should have high uptime rates, and site reliability engineers should be available at all times to ensure that the network stays online and new threats are identified as early as possible. Failover, redundancy, and an expansive data center network should be at the center of the platform strategy.
Network capacity reflects the overall scalability a provider offers during an attack and is a good way to benchmark a DDoS mitigation service.
Most cloud-based DDoS mitigation services provide multi-Tbps network capacity, far beyond any individual customer’s requirement. On-premises solutions, by contrast, are capped by the size of the organization’s network pipe and its internal hardware capacity.
Large networks that have extensive data transfer capabilities can help a mitigation provider to analyze and respond to attacks efficiently and quickly, often preventing attacks before they even occur. A good network analyzes data from attack traffic.
- Bandwidth (Measured in Gbps or Tbps)
An attack exceeding the bandwidth of a DDoS provider is capable of hitting the servers.
- Deployment model (Cloud-based or on-premise)
Cloud-based solutions are elastically scalable and can protect against high-volume DDoS attacks.
Processing capability, expressed as a forwarding rate, should also be considered when choosing a mitigation solution. It is measured in Mpps (million packets per second).
Today, attacks can exceed 50 Mpps (some reach 200-300 Mpps or more). Such an attack can exceed a mitigation provider’s processing power and cause its defenses to collapse, so it is crucial to ask about these limits.
- Forwarding Rate (Measured in Mpps)
An attack that exceeds the forwarding rate of a DDoS provider is capable of hitting servers.
- Forwarding Technique (DNS or BGP routing)
DNS routing is always-on and protects against application-layer and network-layer attacks. BGP routing can be either always-on or activated on demand, and it can protect against virtually any attack.
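Bandwidth and forwarding rate are separate limits, and the two sections above explain why an attack can be within a provider's Gbps figure yet exceed its Mpps figure. The following added example (not code from the original article) makes that check concrete: it converts an attack's line rate and frame size into packets per second and compares both numbers against a provider's limits. The provider figures and attack sizes are constructed placeholders, and the 20-byte Ethernet overhead (preamble plus inter-frame gap) is the standard figure used for line-rate packet arithmetic.

```python
"""Added example: compare a volumetric attack against a mitigation provider's
bandwidth (Gbps) and forwarding-rate (Mpps) limits separately.
All provider capacities and attack sizes are constructed sample values."""

from dataclasses import dataclass

ETHERNET_OVERHEAD_BYTES = 20   # preamble (8) + inter-frame gap (12) on the wire
MIN_FRAME_BYTES = 64           # smallest Ethernet frame, typical of packet floods


@dataclass(frozen=True)
class ProviderCapacity:
    name: str
    bandwidth_gbps: float
    forwarding_mpps: float


def packets_per_second(gbps: float, frame_bytes: int) -> float:
    """Packet rate implied by a line rate and a frame size, including L1 overhead."""
    bits_per_packet = (frame_bytes + ETHERNET_OVERHEAD_BYTES) * 8
    return gbps * 1e9 / bits_per_packet


def attack_mpps(gbps: float, frame_bytes: int) -> float:
    """Same as packets_per_second, expressed in million packets per second."""
    return packets_per_second(gbps, frame_bytes) / 1e6


def evaluate(provider: ProviderCapacity, attack_gbps: float, frame_bytes: int) -> dict:
    """Report which of the provider's two limits the attack exceeds, if any."""
    mpps = attack_mpps(attack_gbps, frame_bytes)
    exceeded = []
    if attack_gbps > provider.bandwidth_gbps:
        exceeded.append("bandwidth")
    if mpps > provider.forwarding_mpps:
        exceeded.append("forwarding_rate")
    return {
        "provider": provider.name,
        "attack_gbps": attack_gbps,
        "attack_mpps": round(mpps, 2),
        "exceeded": exceeded,
    }


if __name__ == "__main__":
    # constructed provider: plenty of bandwidth, modest packet-processing capacity
    scrubber = ProviderCapacity("example-scrubber", bandwidth_gbps=100, forwarding_mpps=50)
    # 40 Gbps of minimum-size frames is ~59.5 Mpps: within bandwidth, over forwarding rate
    print(evaluate(scrubber, 40, MIN_FRAME_BYTES))
    # the same 40 Gbps of 1500-byte frames is only ~3.3 Mpps: within both limits
    print(evaluate(scrubber, 40, 1500))
```

The second call in the usage block is the practitioner's takeaway: a 40 Gbps flood of large frames is harmless to a 50 Mpps scrubber, while the same 40 Gbps made of 64-byte frames is not, so a provider's Mpps figure has to be asked for alongside its Gbps figure.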
It is important to note that at some point, legitimate traffic to a website or application will pass through a DDoS provider’s network:
- If the DDoS services are running on-demand, the traffic will switch over to the DDoS provider when an attack occurs
- If the DDoS services are always-on, all the traffic will pass through the provider’s servers
The connection between the DDoS provider and the data center must be well-functioning to avoid high latency issues for users. The following points should be evaluated first:
- The geographical PoP (points of presence) offered by the DDoS provider and how close they are to the data center(s)
- Whether the DDoS provider offers PoPs to the location of the main customer base
- Whether the most advanced routing techniques are offered by the DDoS provider for optimal connectivity with the data center and the users
There are two options available as DDoS mitigation solutions:
- Always-on: The DDoS mitigation provider constantly protects the service or network
- On-demand: Only inserted when there is an attack
Time to Mitigation
From the time that an attack is detected, the time to mitigation is critical. While most attacks can cause damage within minutes, the recovery process can go on for hours. This downtime can have a negative impact on an organization for weeks and months.
Preemptive detection gives always-on DDoS mitigation solutions a distinct advantage. Near-instant mitigation protects organizations from the very start of an attack, and a solution should be able to respond to an attack within seconds.
However, not all always-on solutions deliver that response time, so it is important to ask about time to mitigation when evaluating a DDoS protection provider.
Network Layer Mitigation
Network-layer DDoS attacks are volumetric in nature and rely on very large-scale traffic; they can cause huge damage to infrastructure. The methods DDoS providers use to mitigate network attacks aim to separate legitimate traffic from malicious traffic by eliminating malicious packets while allowing legitimate packets to reach their destination.
DDoS mitigation service providers support the following methods:
- Null Routing: Also known as blackholing, it directs all traffic to a non-existent IP address. Null routing carries a high rate of false positives, because malicious and legitimate visitors are eliminated alike.
- Sinkholing: Sinkholing diverts malicious traffic away from its target, using a list of known malicious IP addresses to identify the DDoS traffic. It is ineffective against IP spoofing. Sinkholing can also produce false positives, since botnet IPs may also be used by legitimate users, but it is not as indiscriminate as null routing.
- Scrubbing: This method routes all incoming traffic through a security service. Malicious network packets are detected based on header content, point of origin, type, size, and so on. The challenge lies in scrubbing at line rate without introducing lag or affecting legitimate users.
- IP masking: Hides the IP address of the origin server and prevents direct-to-IP DDoS attacks.
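The trade-offs between null routing, sinkholing and scrubbing described above are easiest to see when the three filters are run over the same traffic and scored. The following added example (not code from the article or any provider) does that on a constructed packet sample: a flood from a blocklisted range, a second flood with spoofed sources, ordinary TCP clients, and one legitimate user who happens to sit inside the blocklisted range. Every address, the blocklist and the scrubbing signature are constructed for the illustration; each packet carries a ground-truth label that is used only for scoring, never by the filters.

```python
"""Added example: score null routing, sinkholing and scrubbing against the same
constructed packet sample to expose their false-positive / false-negative profiles.
All addresses, the blocklist and the signature are constructed sample values."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    size: int         # bytes on the wire
    ttl: int
    malicious: bool   # ground truth, used only to score the filters


# constructed blocklist of "known malicious" sources (TEST-NET-3 as a stand-in)
KNOWN_BAD = [ip_network("203.0.113.0/24")]
TARGET = "192.0.2.10"   # constructed protected address


def build_sample() -> list:
    """Constructed traffic mix: 22 legitimate packets and 100 flood packets."""
    pkts = []
    # ordinary clients: TCP, normal sizes, varied TTLs
    for i in range(20):
        pkts.append(Packet(f"198.51.100.{i + 1}", TARGET, "tcp", 500 + 40 * i, 64 - i % 5, False))
    # a legitimate user whose address falls inside the blocklisted range
    pkts.append(Packet("203.0.113.77", TARGET, "tcp", 620, 61, False))
    # a legitimate small UDP packet (e.g. a DNS query) with an ordinary TTL
    pkts.append(Packet("198.51.100.50", TARGET, "udp", 64, 58, False))
    # flood from the blocklisted range: minimum-size UDP, fixed TTL 255
    for i in range(60):
        pkts.append(Packet(f"203.0.113.{i + 1}", TARGET, "udp", 64, 255, True))
    # same flood signature from spoofed sources outside any blocklist
    for i in range(40):
        pkts.append(Packet(f"100.64.{i}.{(i * 7) % 256}", TARGET, "udp", 64, 255, True))
    return pkts


# Each filter returns True when the packet is dropped.
def null_route(pkt: Packet) -> bool:
    """Blackhole: everything addressed to the target is discarded."""
    return pkt.dst == TARGET


def sinkhole(pkt: Packet) -> bool:
    """Drop only sources on the known-bad list; spoofed sources slip through."""
    return any(ip_address(pkt.src) in net for net in KNOWN_BAD)


def scrub(pkt: Packet) -> bool:
    """Inspect header content: protocol, size and TTL together form the flood signature."""
    return pkt.proto == "udp" and pkt.size <= 64 and pkt.ttl == 255


def score(filter_fn, pkts: list) -> dict:
    """Confusion-matrix counts for a filter over a labelled packet list."""
    counts = {"true_positive": 0, "false_positive": 0, "false_negative": 0, "true_negative": 0}
    for p in pkts:
        dropped = filter_fn(p)
        if dropped and p.malicious:
            counts["true_positive"] += 1
        elif dropped:
            counts["false_positive"] += 1
        elif p.malicious:
            counts["false_negative"] += 1
        else:
            counts["true_negative"] += 1
    return counts


if __name__ == "__main__":
    sample = build_sample()
    for name, fn in (("null_route", null_route), ("sinkhole", sinkhole), ("scrub", scrub)):
        print(f"{name:10s} {score(fn, sample)}")
```

Null routing stops the whole flood but also drops all 22 legitimate packets; sinkholing keeps the false positives down to the one legitimate user inside the blocklisted range but lets all 40 spoofed packets through; scrubbing separates the two cleanly here because the signature is exact, which is the easy part. The hard part the article points to is doing that inspection at line rate, and a real signature will not be as clean as this constructed one.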
Application Layer Mitigation
Application-layer DDoS attacks are much stealthier than network-layer ones. They mimic legitimate user traffic to evade security measures. A solution should therefore be able to profile incoming HTTP and HTTPS traffic and, on top of that, distinguish legitimate visitors from DDoS bots.
- Multiple inspection methods that identify legitimate traffic
Service providers should cross-inspect HTTP/S header content, check the IP address and Autonomous System Number (ASN), and inspect behavioral patterns to assess the legitimacy of each user session.
- Multiple challenges
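The profiling approach described above, combining header inspection with behavioral patterns and escalating from allow to challenge to block, can be shown on a small request log. The following added example (not code from the article or any vendor) parses a constructed log format, builds a per-client profile (request rate, header consistency, how many distinct paths a client touches) and turns a simple score into a decision. The log lines, the `FloodClient/1.0` user agent, the browser strings and the thresholds are all constructed for the illustration, and the header heuristic is deliberately simplistic.

```python
"""Added example: per-client HTTP profiling that combines header cross-checks
with behavioral rate checks and escalates allow -> challenge -> block.
The log format, log lines, user agents and thresholds are constructed."""

import re
from collections import defaultdict

# Constructed log format (not any real server's default):
# <epoch_seconds> <client_ip> <method> <path> <status> "<user-agent>" "<accept>"
LOG_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)"$')

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"   # constructed
BROWSER_ACCEPT = "text/html,application/xhtml+xml,*/*;q=0.8"


def make_sample_log() -> list:
    """Constructed sample: a normal visitor, a scripted flood, a borderline API user."""
    t0 = 1700000000
    lines = []
    for i, path in enumerate(["/", "/docs", "/pricing", "/blog", "/about", "/contact"]):
        lines.append(f'{t0 + 10 * i} 198.51.100.5 GET {path} 200 "{BROWSER_UA}" "{BROWSER_ACCEPT}"')
    for i in range(120):   # 120 hits on one path in 10 seconds, empty Accept header
        lines.append(f'{t0 + i // 12} 203.0.113.9 GET /search?q=a 200 "FloodClient/1.0" ""')
    for i in range(40):    # brisk but browser-like client cycling through 3 API paths
        path = "/api/" + ["cart", "status", "profile"][i % 3]
        lines.append(f'{t0 + int(i * 1.5)} 192.0.2.44 GET {path} 200 "{BROWSER_UA}" "{BROWSER_ACCEPT}"')
    return lines


def parse(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, ua, accept = m.groups()
    return {"ts": int(ts), "ip": ip, "method": method, "path": path,
            "status": int(status), "ua": ua, "accept": accept}


def headers_look_like_browser(ua: str, accept: str) -> bool:
    """Cross-check of header content: browsers send both a UA and an Accept header.
    An empty Accept or a non-Mozilla UA is treated as a (weak) automation signal."""
    return bool(ua) and bool(accept) and ua.startswith("Mozilla/")


def classify_log(lines: list, rate_hi: float = 5.0, rate_lo: float = 0.5) -> dict:
    """Profile each client and decide allow / challenge / block from a simple score."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    result = {}
    for ip, recs in by_ip.items():
        span = max(r["ts"] for r in recs) - min(r["ts"] for r in recs)
        rate = len(recs) / max(span, 1)                       # requests per second
        distinct_ratio = len({r["path"] for r in recs}) / len(recs)
        score = 0
        if rate > rate_hi:                                    # behavioral: request rate
            score += 2
        elif rate > rate_lo:
            score += 1
        if not all(headers_look_like_browser(r["ua"], r["accept"]) for r in recs):
            score += 2                                        # header inspection
        if distinct_ratio < 0.1:                              # behavioral: hammering one URL
            score += 1
        decision = "block" if score >= 4 else "challenge" if score >= 2 else "allow"
        result[ip] = {"requests": len(recs), "rate_rps": round(rate, 2),
                      "score": score, "decision": decision}
    return result


if __name__ == "__main__":
    for ip, profile in classify_log(make_sample_log()).items():
        print(ip, profile)
```

The middle tier is the point of the "multiple challenges" idea: the borderline client is neither blocked nor waved through; it is handed a challenge (a cookie or JavaScript check in practice) that a browser completes and a script typically does not, so a false positive costs a legitimate user one extra round trip rather than access.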
Protection of Secondary Assets
Let’s explore the secondary assets that need to be protected as well:
- Protecting Applications
- Protecting APIs
A network infrastructure has multiple servers and other IT assets, including DNS servers, web servers, FTP servers, email servers, and back-office CRM or ERP platforms. Any of these can be targeted during a DDoS attack, causing downtime or paralyzing a business.
It is important to assess the risks across the entire network infrastructure and determine which components need protection. Remember that the DNS service is one of the most common attack targets and a single point of failure.
- DNS name server protection
It provides protection against DNS floods and other DDoS attacks that attempt to crash or disrupt DNS name servers.
- Application protection
It involves the protection of common applications like CRM, FTP, email, and ERP.
Pricing and SLA
The pricing for DDoS mitigation services follows various structures as mentioned below:
1. Pure Pay-as-you-go Pricing
With this plan, there are no charges if there is no attack, but when one occurs, the cost of the cloud resources used to mitigate it can be huge. You may need to request a refund for those resources, so it is important to understand in advance under which circumstances a refund will be granted.
2. Pay-as-you-go Pricing Based on Attack Volume
DDoS assaults can last several hours to days (sometimes weeks). Therefore, pricing based on cumulative attack bandwidth (“n” Gbps/month) or a cumulative number of hours under attack (“n” hours/month) can quickly get out of hand.
3. Service-based Pricing
Some offerings include a base price for DDoS protection plus separate pricing for special services such as provisioning and implementation. While these services can be valuable, remember that they are part of the cost of the DDoS mitigation solution and should be included in the total cost of ownership.
4. Simple Flat Monthly Fee
This payment plan is the most preferred option for long-term agreements. The flat fee should include full coverage for all relevant attacks.
There are other factors to consider as well when comparing prices for mitigation solutions:
- Different providers offer different capacities in different scrubbing centers. The total capacity across all scrubbing centers does not necessarily reflect the mitigation capacity available in the geography of interest, i.e., where your data center is.
- The Service Level Agreement (SLA) is another crucial factor to consider—sometimes, more so than the cost.
Key SLA features:
1. Uptime Guarantee
While five nines (99.999%) is considered the best case, anything under three nines (99.9%) is considered unacceptable.
2. Protection Levels
The service provider’s SLA should define the attack types, size, as well as duration that they will cover.
3. Support Service Level
The SLA should also mention response times for support issues. The support service levels are usually defined depending on the severity levels of the problem.
It is always wise to ensure that the service provider offers professional support services even if the DDoS mitigation service is fully automated. An automated service is usually preferred because it provides a fast response to attacks.
The need may arise to talk to the service provider to understand what is happening in the event of an attack and resolve such critical issues that are affecting the legitimate traffic. It is essential to make sure that the DDoS mitigation service operates a Security Operations Center or SOC that has security specialists available on call 24×7 all year round for emergencies.
Generalist or Specialist
There is a diverse range of services, providers, and technologies that make up the DDoS mitigation market. Specialty companies that are more security-focused offer more advanced solutions. They designate experts to handle ongoing security research and round-the-clock monitoring of new attack vectors.
Generalists like hosting providers and ISPs provide basic mitigation solutions as an “add-on” to their core services. Their aim is to upsell these services to existing customers. The mitigation services that are offered by generalists only suffice for small and simple attacks.
If online applications are employed for regular business operations, then it makes more sense to opt for a specialist DDoS protection provider as it poses the lowest risk for the organization.
It is also advised to consider additional security offerings when selecting a DDoS mitigation service provider.
A well-rounded DDoS mitigation provider offers other security solutions, such as data security, application security, and network protection, alongside its DDoS mitigation services. A solution that comes integrated with these additional security features offers an organization more complete protection.