Distributed Denial of Service (DDoS) attacks can be catastrophic, but the right knowledge and tactics will drastically improve the host organisation’s chances of successfully mitigating such episodes. Here, Adrian Taylor explores the five ways in which automation can significantly improve response times during a DDoS attack, while assessing the means to block such attacks.
Response time is critical for every enterprise because, in our hyper-connected world, DDoS attacks cause downtime. Downtime usually means the loss of money. The longer your systems are down, the more your profits will sink.
Automated DDoS defence is faster than manual DDoS defence, but by how much? Andy Shoemaker, the founder and CEO of Nimbus DDoS, recently conducted a study to find out. The results speak volumes: automated DDoS defence improves attack response time five-fold.
The average response time using automated defence was just six minutes, compared to 35 minutes using manual processes. That’s a staggering 29-minute difference. In some cases, the automated defence was even able to eliminate response time completely.
An automated defence system cuts down on response time in five major ways. Such systems can:
Instantly detect incoming attacks: Using the data it has collected during ‘peace time’, an automated DDoS defence system can instantly identify suspicious traffic that could easily be missed by human observers
Redirect traffic accordingly: In a reactive deployment, once an attack has been detected, an automated DDoS defence system can redirect the malicious traffic to a shared mitigation scrubbing centre – no more manual BGP routing announcements of suspicious traffic
Apply escalation mitigation strategies: During the attack’s onslaught of traffic, an automated DDoS defence system will take action based on your defined policies in an adaptive fashion while minimising collateral damage to legitimate traffic
Identify patterns within attack traffic: By carefully inspecting vast amounts of attack traffic in a short period of time, an automated DDoS defence system can extract patterns in real-time to block zero-day botnet attacks
Apply current DDoS threat intelligence: An automated DDoS defence system can access real-time, research-driven IP blocklists and DDoS weapon databases and apply that intelligence to all network traffic destined for the protected zone
An intelligent automated DDoS defence system doesn’t stop working after an attack, either. Once the attack has been successfully mitigated, it will generate detailed reports that you can use for forensic analysis and for communicating with your stakeholders.
Although DDoS attackers will never stop innovating and adapting, neither will automated and intelligent DDoS protection systems. By using an automated system to rapidly identify and mitigate threats with the help of up-to-date threat intelligence, enterprises can defend themselves from DDoS attacks as quickly as bad actors are able to launch them.
Three key strategies for blocking DDoS attacks
While it’s crucial to have an automated system in place that can quickly respond to attacks, it’s equally important to implement strategies that help achieve your goal of ensuring service availability to legitimate users.
After all, DDoS attacks are asynchronous in nature: You cannot prevent the attacker from launching an attack, but with three critical strategies in place, you can be resilient to the attack, while also protecting your users.
Each of the three strategies for blocking DDoS attacks listed below is known as a source-based DDoS mitigation strategy. Source-based strategies use the cause of the traffic, who is sending it and how it behaves, as the basis for choosing what to block. The alternative, destination-based mitigation, relies on traffic shaping to prevent the system from falling over.
While destination traffic shaping is effective at keeping a system from being overwhelmed during an attack, it also inflicts indiscriminate collateral damage on legitimate users.
Tracking deviation: A tracking deviation strategy works by observing traffic on an ongoing basis to learn what qualifies as normal and what represents a threat. Specifically, a defence system can analyse the data rate or query rate across multiple characteristics (e.g. bits per second, packets per second, SYN-to-FIN ratio, session rate) to determine which traffic is legitimate and which is malicious, and can identify bots or spoofed sources by their inability to answer challenges.
Pattern recognition: A pattern recognition strategy uses machine learning to identify, in real time, the unusual patterns of behaviour commonly exhibited by DDoS botnets and reflected amplification attacks. For example, a DDoS attack is initiated by a motivated attacker who uses an orchestration platform to instruct the distributed weapons on how to flood the victim with unwanted traffic. Both the command-and-control traffic and the distributed attack itself exhibit patterns that can be used as the basis for a cause-based blocking strategy.
Reputation: To use reputation as a source-based blocking strategy, a DDoS defence system draws on threat intelligence compiled by researchers: lists of DDoS botnet IP addresses, together with the tens of millions of exposed servers used in reflected amplification attacks. The system then uses that intelligence to block any matching IP addresses during an attack.
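To make the tracking-deviation and reputation strategies concrete, here is an added example (not A10's product code) that learns a peacetime baseline of packets per second and SYN-to-FIN ratio per source, then flags sources that deviate from it or that appear on a reputation blocklist. The per-source counters, the baseline traffic and the blocklist are all constructed sample data, and the window format is an assumption.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Window:
    """Per-second counters for one source, as a flow exporter might report them (assumed format)."""
    src: str
    pps: int   # packets per second from this source
    syn: int   # TCP SYN packets seen in the window
    fin: int   # TCP FIN packets seen in the window

# Constructed 'peace time' observations used to learn what normal looks like.
PEACETIME = [Window("10.0.0.1", 120, 12, 11), Window("10.0.0.2", 95, 9, 9),
             Window("10.0.0.3", 140, 15, 14), Window("10.0.0.4", 110, 11, 10)]

# Constructed reputation feed; a real one would be a researcher-curated blocklist.
REPUTATION_BLOCKLIST = {"198.51.100.7"}

def syn_fin_ratio(w):
    """SYN/FIN ratio; a flood of half-open connections drives this far above 1."""
    return w.syn / max(w.fin, 1)

def learn_baseline(windows):
    """Mean and standard deviation of pps and SYN/FIN ratio from peacetime traffic."""
    pps = [w.pps for w in windows]
    ratios = [syn_fin_ratio(w) for w in windows]
    return {"pps": (mean(pps), pstdev(pps)), "ratio": (mean(ratios), pstdev(ratios))}

def classify(w, baseline, blocklist, k=3.0):
    """Return the reason a source is blocked, or None if it looks legitimate.
    Reputation is checked first because it needs no traffic history;
    deviation checks block only when a metric exceeds mean + k standard deviations."""
    if w.src in blocklist:
        return "reputation"
    mu, sd = baseline["pps"]
    if w.pps > mu + k * sd:
        return "pps-deviation"
    mu, sd = baseline["ratio"]
    if syn_fin_ratio(w) > mu + k * sd:
        return "syn-fin-deviation"
    return None

def triage(windows, baseline, blocklist):
    """Map each source to its blocking reason (None means pass the traffic)."""
    return {w.src: classify(w, baseline, blocklist) for w in windows}

if __name__ == "__main__":
    base = learn_baseline(PEACETIME)
    attack = [Window("10.0.0.1", 130, 13, 12), Window("198.51.100.7", 100, 10, 10),
              Window("203.0.113.9", 9000, 9000, 0), Window("203.0.113.10", 150, 140, 2)]
    print(triage(attack, base, REPUTATION_BLOCKLIST))
```

Because the thresholds come from the learned baseline rather than fixed numbers, a legitimate source whose rate is only modestly above average still passes, which is the collateral-damage advantage the text attributes to source-based strategies.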
Each of these three source-based DDoS mitigation strategies requires more computing capability than indiscriminate destination-based protection. They have, however, the significant advantage of keeping legitimate users from being blocked, thereby reducing downtime and preventing unnecessary loss of profits.
Knowing that, it’s safe to say that these three mitigation strategies are all well worth the time and investment.
Adrian Taylor is Regional Vice-President at A10 Networks