Blocking DDoS Attacks: Cutting Down on Response Times Using Automation

Distributed Denial of Service (DDoS) attacks can be catastrophic, but the right knowledge and tactics will drastically improve the host organisation’s chances of successfully mitigating such episodes. Here, Adrian Taylor explores the five ways in which automation can significantly improve response times during a DDoS attack, while assessing the means to block such attacks.

Response time is critical for every enterprise because, in our hyper-connected world, DDoS attacks cause downtime. Downtime usually means the loss of money. The longer your systems are down, the more your profits will sink.

Automated DDoS defence is faster than manual DDoS defence, but by how much? Andy Shoemaker, the founder and CEO of Nimbus DDoS, recently conducted a study to find out. The results speak volumes: automated DDoS defence improves attack response time five-fold.

The average response time using automated defence was just six minutes, compared to 35 minutes using manual processes. That’s a staggering 29-minute difference. In some cases, the automated defence was even able to eliminate response time completely.

An automated defence system cuts down on response time in five major ways. Such systems can:

Instantly detect incoming attacks: Using the data it has collected during ‘peace time’, an automated DDoS defence system can instantly identify suspicious traffic that could easily be missed by human observers

Redirect traffic accordingly: In a reactive deployment, once an attack has been detected, an automated DDoS defence system can redirect the malicious traffic to a shared mitigation scrubbing centre – no more manual BGP routing announcements of suspicious traffic

Apply escalation mitigation strategies: During the attack’s onslaught of traffic, an automated DDoS defence system will take action based on your defined policies in an adaptive fashion while minimising collateral damage to legitimate traffic

Identify patterns within attack traffic: By carefully inspecting vast amounts of attack traffic in a short period of time, an automated DDoS defence system can extract patterns in real-time to block zero-day botnet attacks

Apply current DDoS threat intelligence: An automated DDoS defence system can access real-time, research-driven IP blocklists and DDoS weapon databases and apply that intelligence to all network traffic destined for the protected zone

An intelligent automated DDoS defence system doesn’t stop working after an attack, either. Once the attack has been successfully mitigated, it will generate detailed reports that you and your stakeholders can use for forensic analysis and for communicating with other stakeholders.

Although DDoS attackers will never stop innovating and adapting, neither will automated and intelligent DDoS protection systems. By using an automated system to rapidly identify and mitigate threats with the help of up-to-date threat intelligence, enterprises can defend themselves from DDoS attacks as quickly as bad actors are able to launch them.

Three key strategies for blocking DDoS attacks

While it’s crucial to have an automated system in place that can quickly respond to attacks, it’s equally important to implement strategies that help achieve your goal of ensuring service availability to legitimate users.

After all, DDoS attacks are asynchronous in nature: You cannot prevent the attacker from launching an attack, but with three critical strategies in place, you can be resilient to the attack, while also protecting your users.

Each of the three strategies (listed below) for blocking DDoS attacks is known as a source-based DDoS mitigation strategy. Source-based strategies implement cause as a basis for choosing what traffic to block. The alternative of destination-based mitigation relies on traffic shaping to prevent the system from falling over.

While destination traffic shaping is effective in preserving system health from being overwhelmed during an attack, it’s equally fraught with indiscriminate collateral damage to legitimate users.

Tracking deviation: A tracking deviation strategy works by observing traffic on an ongoing basis to learn what qualifies as normal and what represents a threat. Specifically, a defence system can analyse data rate or query rate from multiple characteristics (eg BPS, PPS, SYN-FIN ratio, session rate, etc) to determine which traffic is legitimate and which is malicious or may identify bots or spoofed traffic by their inability to answer challenge questions.

Adrian Taylor

Adrian Taylor

Pattern recognition: A pattern recognition strategy uses machine learning to parse unusual patterns of behaviour commonly exhibited by DDoS botnets and reflected amplification attacks in real-time. For example, DDoS attacks are initiated by a motivated attacker that leverages an orchestration platform providing the distributed weapons with instructions on how to flood the victim with unwanted traffic. The common Command and Control and distributed attack exhibit patterns that can be leveraged as a causal blocking strategy.

Reputation: To use reputation as a source-based blocking strategy, a DDoS defence system will use threat intelligence provided by researchers of DDoS botnet IP addresses, in addition to tens of millions of exposed servers used in reflected amplification attacks. The system will then use that intelligence to block any matching IP addresses during an attack.

Any of these three source-based DDoS mitigation strategies requires more computing capabilities than indiscriminate destination protection. They do, however, have the significant advantage of being able to prevent legitimate users from being blocked, thereby reducing downtime and preventing unnecessarily lost profits.

Knowing that, it’s safe to say that these three mitigation strategies are all well worth the time and investment.

Adrian Taylor is Regional Vice-President at A10 Networks

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts