6 Steps to Defending Against DDoS Attacks


As DDoS threats become more sophisticated and prevalent, it is more important than ever that your company has defenses in place. The number of DDoS attacks is rising each year, hitting an estimated 13.2 million attacks in 2021. The size of DDoS attacks, the likelihood of their being used for extortion, and the number of attack vectors used are all increasing along with the frequency. Many defense strategies that could be relied on a few years ago no longer cut it. A multistep defense approach is needed to reach a suitable level of security. In this article we will discuss 6 things you need to do to defend against DDoS attacks, from attack prevention to mitigating attacks when they do occur.

DDoS attacks recap

Simply put, a DDoS attack is when a hacker overwhelms a network or application with so much traffic that no legitimate users can get in. They achieve this by launching attacks at either the application layer or the network or transport layers of a target. Different methods are used depending on which layer is targeted and which vulnerabilities the attacker wants to exploit. These methods are known as attack vectors.

Source: https://www.f5.com/labs/articles/education/what-is-a-distributed-denial-of-service-attack-

In order to increase the volume and efficacy of these attacks, a botnet is generally used. A botnet is made up of infected devices: computers, routers, or IoT devices located all over the world. The hacker hopes to create enough inorganic traffic volume to either congest the target to the point of inaccessibility, or to temporarily crash vital infrastructure so that no traffic at all can enter.

If this is all common knowledge to you, read on. If you would like to know more about the specifics of how these attacks work, and why hackers use them, you may find the information in our DDoS rundown article helpful.

6 steps towards prevention and mitigation

1. Know the trends

Knowing the trends of DDoS attacks is just as important as knowing the basics of what they are. If a rundown on DDoS attacks offers the what’s and the why’s, trends offer the when’s, where’s, and how’s. The DDoS landscape of today looks different from the landscape of just a couple of years ago.

Trends that will help you be prepared for an attack include knowing which attack vectors to expect, how at risk your company is, and what sizes and frequencies of attacks you can expect. All of this is discussed in greater detail in our DDoS trends article, but some highlights are discussed here to illustrate the advantages of being up to date on the most current trends.

By knowing that the most commonly used attack vectors include UDP flood and fragmentation attacks, TCP ACK floods, and SYN floods, you can better recognize where the vulnerabilities in your systems lie. This allows for better monitoring and lets you put the most efficient strategies in place.

Knowing the overall risk level of your company based on things like industry, headcount, and geographic location can give you a baseline for what percentage of your budget should be spent on DDoS security. The higher your risk, the more of your budget should go to it.

And finally, knowing trends in the sizes and frequencies of attacks can again help with detection as well as preparation. Knowing that large attacks can easily surpass 1 Tbps and last for weeks shows how much attack resiliency needs to be built into your security, and lends credence to the importance of DDoS cloud protection services. Knowing that short and consistent attacks are the most common is important in order to aid detection, as well as to understand the possible shortcomings of certain kinds of DDoS cloud protection services.

2. Have a plan

As DDoS attacks become more prevalent, the last thing a company needs is to be caught unprepared. A plan should be made and ready before an attack happens, so that when one does happen it gets mitigated as quickly as possible.

Sourced from PhoenixNap

This plan should include knowing who to call should an attack occur, such as the company’s ISP or its DDoS protection service provider. There should be a list of what each security team member will do in the event of an attack. A hierarchy should be established, and everyone should know who reports to whom. Critical systems that could be affected should all be noted, and their status should be monitored during an attack. A plan should be made for informing customers and stakeholders of the attack. Finally, a disaster recovery and business continuity plan should be in place so that once an attack occurs and is mitigated, business can go back to normal as quickly as possible.

Based on recent trends, an important step to include in this plan is what to do in the case of a ransom DDoS (RDDoS) attack. In an interview, Michael Kaczmarek, VP of Product Management at Neustar, stated that it is critical that companies do not pay the ransom demanded in these attacks. He states that up to one fifth of companies are willing to pay 20% or more of their annual revenue to extortionists.

Paying a ransom is no guarantee that a company will be safe from an attack. Hackers don’t need to keep their word, and paying advertises to other hackers that the company is willing to pay. 70% of companies targeted by an RDDoS attack were targeted more than once, and 36% of companies hit by a ransom-related DDoS attack paid up. Instead of giving in to demands, the money would be much better spent increasing defenses so that when the attack does come, the company is ready for it.

3. Don’t rely on a firewall

In the past, firewalls may have been able to stand up to DDoS attacks. In recent years it has been suggested that firewalls are likely not efficient enough to withstand larger DDoS attacks. As organizations embraced remote work during the pandemic, they increased their reliance on firewalls and VPNs. While these are helpful overall for improving security, hackers have learned to exploit them to the point that they can be detrimental to a company in the face of a DDoS attack.

According to NetScout’s Worldwide Infrastructure Security Report, 75 percent of enterprises reported DDoS attacks on key pandemic infrastructure, such as routers, firewalls, and VPN concentrators. 83 percent of enterprises that suffered a DDoS attack also reported that firewalls and/or VPN devices contributed to outages. Firewalls can help protect against certain DDoS attack vectors, such as SYN and UDP floods, up to a point. TCP floods, however, can quickly knock out most firewalls by exploiting a weakness inherent in “stateful” devices.

Stateful devices are devices that keep per-connection state information, such as information used for routing, security, and traffic management. TCP flood attacks can work as a state-exhaustion DDoS attack: they quickly fill TCP state tables with illegitimate connections and render the firewall useless for a time. If a company relies on its firewall alone for DDoS protection, it is likely to find the firewall inadequate to guard against high levels of traffic or, worse, to present an easily exploitable weakness itself.
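The state-exhaustion mechanism described above can be watched for in a device’s own connection-tracking log. The script below is an added example, not code from the original article or from any firewall vendor. It assumes a constructed conntrack-style log format (`<timestamp> <src_ip> <dst_ip>:<port> <state>`, with `SYN_RECV` for a half-open connection and `ESTABLISHED` for a completed handshake), a constructed sample log, and assumed tuning values (`table_capacity`, `max_ratio`, `occupancy_alert`) that a defender would take from the device’s real limits and a traffic baseline. It combines two signals: the share of tracked connections that never complete the handshake, and how full the state table is. It also reports the largest number of half-open entries from any single source, which shows why per-source rate limits alone miss a flood spread across many addresses.

```python
"""Detecting TCP state-table exhaustion from connection-tracking logs.

Added example, not from the original article. It assumes a constructed,
conntrack-style log format of one entry per line:
    <timestamp> <src_ip> <dst_ip>:<dst_port> <state>
where <state> is SYN_RECV for a half-open connection (SYN seen, handshake
not completed) or ESTABLISHED once the three-way handshake finished.
"""
from dataclasses import dataclass


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    state: str


def parse_log(text: str) -> list:
    """Parse the constructed log format, skipping malformed lines."""
    conns = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, state = parts
        conns.append(Conn(float(ts), src, dst, state))
    return conns


def build_sample_log(legit_clients: int = 20, half_open: int = 500) -> str:
    """Constructed sample log: every legitimate client completes its handshake,
    while many distinct sources (as a spoofed SYN flood produces) only ever
    leave a half-open entry behind. Supports up to 254 clients and 512 half-open
    entries with the address ranges used here."""
    lines = []
    t = 0.0
    for i in range(legit_clients):
        src = f"10.0.0.{i + 1}"
        lines.append(f"{t:.3f} {src} 192.0.2.10:443 SYN_RECV")
        lines.append(f"{t + 0.050:.3f} {src} 192.0.2.10:443 ESTABLISHED")
        t += 0.1
    prefixes = ["198.51.100", "203.0.113"]
    for i in range(half_open):
        src = f"{prefixes[i // 256]}.{i % 256}"
        lines.append(f"{t:.3f} {src} 192.0.2.10:443 SYN_RECV")
        t += 0.001
    return "\n".join(lines)


def final_states(conns) -> dict:
    """Latest state seen for each (src, dst) pair; later entries win."""
    states = {}
    for c in sorted(conns, key=lambda c: c.ts):
        states[(c.src, c.dst)] = c.state
    return states


def half_open_ratio(conns) -> float:
    """Fraction of tracked connections that never reached ESTABLISHED."""
    states = final_states(conns)
    if not states:
        return 0.0
    half = sum(1 for s in states.values() if s == "SYN_RECV")
    return half / len(states)


def max_half_open_per_source(conns) -> int:
    """Largest number of half-open entries attributable to a single source.
    A value near 1 means per-source rate limits alone would not catch it."""
    counts = {}
    for (src, _dst), state in final_states(conns).items():
        if state == "SYN_RECV":
            counts[src] = counts.get(src, 0) + 1
    return max(counts.values(), default=0)


def assess(conns, table_capacity: int, max_ratio: float = 0.25,
           occupancy_alert: float = 0.8) -> dict:
    """Combine two signals: the half-open ratio against a tolerance taken from
    normal traffic, and state-table occupancy against the device's capacity.
    table_capacity, max_ratio and occupancy_alert are assumed tuning values."""
    states = final_states(conns)
    ratio = half_open_ratio(conns)
    occupancy = len(states) / table_capacity
    return {
        "tracked": len(states),
        "half_open_ratio": round(ratio, 4),
        "occupancy": round(occupancy, 4),
        "max_half_open_per_source": max_half_open_per_source(conns),
        "alert": ratio > max_ratio and occupancy > occupancy_alert,
    }


if __name__ == "__main__":
    print(assess(parse_log(build_sample_log()), table_capacity=600))
```

On the constructed sample the half-open ratio is about 0.96 and the table is at roughly 87% of an assumed 600-entry capacity, so the alert fires even though no single source holds more than one entry. The same two aggregate measures, read from a real device’s counters, are what tell a defender that a firewall is being pushed toward state exhaustion rather than simply seeing a busy day.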

4. Bolster your security

If firewalls aren’t adequate protection, what can be done to increase security? The first thing a company can do is strengthen its bandwidth capacity. Ultimately, many DDoS attacks boil down to eating up all available bandwidth. The more bandwidth there is, the harder it is to exhaust.

While scaling bandwidth will depend on a company’s budget, it is important to allocate budget to bandwidth in accordance with the size of DDoS attacks the company can expect to see, its risk level for getting hit, and how vital keeping services running is to the company. While DDoS attacks that bring down a service will never be good for business, some companies rely more heavily on having a smooth service than others. For example, VoIP and online gaming services rely on a smooth connection at all times, and so have to worry a great deal about any DDoS attack that may occur. Any company that provides emergency services should also not skimp on bandwidth investments, as the results of downtime can be severe.

Another way to bolster security is by securely segmenting networks and data centers. The aim is to reduce the attack surface as much as possible. If a DDoS attack should occur, it is better that it only takes down one part of the network and not the whole thing. Server redundancy means hosting servers at data centers and colocation facilities in different regions so as not to have any single points of failure.

The last tip for bolstering security does not directly affect managing DDoS attacks, but is an important part of the discussion. DDoS attacks can at times be used as a smokescreen to distract a company and lower its defenses. Hackers will sometimes launch another attack directly following a DDoS attack, such as infecting systems with malware or attempting to gain unauthorized access to systems for data theft. For this reason, security best practices should be maintained across all aspects of security. If all of a company’s resources go to handling a DDoS attack, that company may be caught off guard by other attacks.

5. Know when and how to utilize a DDoS cloud protection service

Cloud DDoS protection services offer a variety of options depending on a business’s needs. These services operate separately from a company’s existing network: the providers rely on their own infrastructure to comb through traffic and reroute traffic determined to be part of a DDoS attack.

With migration to the cloud widely becoming the norm, on-premises DDoS protection can pose some problems. On-premises protection is generally ineffective at protecting applications hosted on public cloud infrastructure. Keeping all DDoS protection on-premises, and ensuring that it is effective, requires a lot of resources: money needs to go to infrastructure, and dedicated in-house specialists need to be available to monitor it. For this reason, many businesses decide to use a cloud-based DDoS protection service.

The types of service offered include always-on protection and on-demand protection. With an always-on service, all traffic is always routed through the service provider. An on-demand service kicks in when a certain volumetric threshold has been met, so that it only comes on when a DDoS attack is occurring.

Sourced from GeekFlare

On-demand services run some risks. These services usually experience a gap between when a DDoS attack begins and when it is detected and responded to. Many attacks are planned by hackers to get around these on-demand services. Many attacks are short yet very high volume: a DDoS attack can deliver enough volume to knock a system offline in a minute or less, and an on-demand service may not have time to begin before the attack is over. Other attacks are kept low volume, so as not to cross the volumetric threshold required for the on-demand service to start, but consistent enough to cause issues for their target.

Always-on services are constantly scanning and cleaning traffic. This removes the drawbacks of on-demand services, but comes with two drawbacks of its own. Since all traffic gets routed through the DDoS cloud provider’s network, there is some additional latency. Always-on services are also more expensive than on-demand services, and can be out of the price range of smaller businesses’ budgets.

A third option is a hybrid cloud protection service. This uses on-premises protection for all lower-volume attacks, but allows an on-demand service to kick in for larger-volume attacks. This can be a good solution for a company using a hybrid cloud, where some of the networks are on premises and others are in the cloud. This solution may not be as good as an always-on service if all of the company’s networks are in the cloud.

If the budget allows, DDoS cloud protection providers are a great additional defense. However, even when a company uses their services, it should still be taking its own steps to build its defenses. A DDoS protection provider is not a complete substitute for bolstering security and having a game plan should a DDoS attack still take down a company’s systems.

6. Know the warning signs and adjust your network perimeter

The sooner a DDoS attack is spotted, the more likely it is to be mitigated without harm. Poor connectivity and slow performance are signs that the attack is already well underway. A company’s security team should look for unusual traffic patterns and failed login attempts. A spike in traffic from a similar profile (such as geolocation or system model) can be suspicious. Traffic coming from a small number of IP addresses can also be telling.

Botnets come in a variety of sizes. There are vendors that can scour logs for signs of botnet activity if a company does not want to spend the time and resources to do it on its own. This will be effective for the average attack, though for an attack with 20,000 bots coming from all over the globe, things may get a bit more troublesome: there is no one clear geolocation for these bots. The sheer size of such an attack will likely make itself known quickly enough, but immediate action needs to be taken to mitigate it.

Good detection practices become important for the smaller attacks, because those are the ones that can fly under the radar. Consistently slow traffic may seem “normal” when in reality short, small DDoS attacks are being launched. Baselines and thresholds are used to monitor periods of normal activity (baselines) and to set a tolerated deviation from that baseline before alarm bells go off that a DDoS attack may be underway (thresholds). While these are as useful today as they were years ago, they require a bit more sophistication than before.

The reason for the needed increase in sophistication is twofold. First, as attacks use more and more vectors, many systems, protocols, and applications can be targeted at once. Second, as the internet grows in sophistication, there are increasing numbers of service types and applications, and higher IP demands than ever before. Normal traffic patterns therefore fluctuate more than they did in the past, which makes baselines and thresholds more difficult to determine. The increased difficulty makes it all the more critical to know which attack vectors hackers are using and to understand exactly what these vectors are targeting. It also makes it critical to know what sizes and durations of attacks hackers are launching, to better understand what a modern DDoS attack will look like. A company stress-testing its own systems can be a good way to make sure threshold limits get breached and that the team reacts accordingly.
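To make the baseline-versus-threshold distinction from the two paragraphs above concrete, here is an added example that is not code from the original article. The traffic series is constructed (requests per second sampled once a minute, with a mild diurnal curve, bounded noise, and two five-minute bursts of about three times normal volume), and every number in it is assumed for illustration. It compares a fixed volumetric threshold of the kind an on-demand service keys on with an adaptive baseline that learns the mean and spread of recent normal traffic; the bursts are far too small for the fixed threshold but stand out clearly against the baseline. One design point worth noting: samples that trip the alarm are kept out of the baseline, so a sustained attack cannot quietly raise the bar for itself.

```python
"""Baseline-and-threshold detection of short, low-volume DDoS bursts.

Added example, not from the original article. The traffic series is
constructed: requests per second sampled once a minute, with a mild
diurnal curve and bounded noise, plus two five-minute bursts of roughly
three times normal volume that stay well below a static 'large attack'
threshold. All numbers are assumed for illustration.
"""
import math
import random
from collections import deque
from statistics import mean, pstdev


def build_sample_series(minutes: int = 600, seed: int = 7) -> list:
    """Constructed traffic series; the seed keeps it reproducible."""
    rng = random.Random(seed)
    bursts = [(200, 205), (420, 425)]  # minute ranges of the injected bursts
    series = []
    for t in range(minutes):
        value = 200 + 30 * math.sin(2 * math.pi * t / 1440) + rng.uniform(-20, 20)
        if any(start <= t < end for start, end in bursts):
            value += 400  # ~3x normal, still far below a 1000 rps static limit
        series.append(value)
    return series


def detect_static(series, threshold: float = 1000.0) -> list:
    """Fixed volumetric threshold: returns the indices of samples above it."""
    return [i for i, v in enumerate(series) if v > threshold]


def detect_baseline(series, window: int = 60, k: float = 5.0) -> list:
    """Adaptive baseline: flag a sample that exceeds the mean plus k standard
    deviations of the last `window` samples judged normal. Flagged samples
    are not added to the baseline, so an ongoing attack does not inflate the
    tolerated deviation. The first `window` samples only train the baseline."""
    normal = deque(maxlen=window)
    flagged = []
    for i, value in enumerate(series):
        if len(normal) == window:
            limit = mean(normal) + k * pstdev(normal)
            if value > limit:
                flagged.append(i)
                continue
        normal.append(value)
    return flagged


if __name__ == "__main__":
    s = build_sample_series()
    print("static threshold flagged:", detect_static(s))
    print("baseline flagged:", detect_baseline(s))
```

On the constructed series the static threshold flags nothing, while the baseline detector flags exactly the ten burst minutes and nothing else. The window length and the multiplier `k` are the tuning knobs the article refers to: a longer window smooths out normal fluctuation but reacts more slowly to genuine shifts in traffic, and a lower `k` catches smaller bursts at the cost of more false alarms, which is where the self stress testing suggested above earns its keep.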

Conclusion

Defense begins with knowledge. Understanding current DDoS trends shows not only what hackers are doing, but gives insight into why they are doing it. Hackers go after vulnerabilities; a trend therefore suggests a vulnerability that hackers are exploiting. DDoS attacks are becoming more sophisticated, but having a good defense strategy in place can help stop attacks, or at least mitigate them with minimal damage.
