Taking Charge
Organizations must stop relying on their Internet service providers to protect them from attacks and take matters into their own hands
- By Mark Byers
- Aug 01, 2014
Distributed Denial of Service (DDoS) attacks are some of the oldest Internet threats and remain a top risk to networks around the world. As protections have evolved, the technology used by attackers has adapted and become much more sophisticated. New attack types now target applications and services, and they are often masked inside bulk layer 3 and 4 DDoS events, which makes them difficult to detect.
The financial services industry is one of the largest targets of DDoS attacks, followed closely by the government sector. Besides disrupting Internet operations through a brute-force data onslaught, DDoS attacks have recently been used as cover for more sophisticated attempts to break into financial and e-commerce systems and data. Most of these attacks still aim to disrupt operations by denying access to information and services.
There are generally three categories of motivation behind DDoS attacks: political, retaliatory and financial. Political attackers target those who disagree with their political, social or religious beliefs. When a botnet gets shut down or a major cyber-crime ring is busted, it can trigger retaliatory attacks against those who aided or assisted the authorities. Financially motivated attacks are a pay-to-play scheme, where attackers are compensated by a third party to conduct the attack on their behalf. Whatever the motivation, the result is the same: your network and online services are down, and can remain down for an extended period of time.
Watch Out for Advanced Application Layer DDoS Attacks
Many kinds of DDoS attacks are in wide use today, from methods dating to the early days of the Internet to the latest advanced layer 7 attacks that target application services. SYN floods and HTTP GET floods are the most common; they are used to overwhelm network connections or overload servers behind firewalls and intrusion prevention systems (IPS).
More worrisome, however, is that application layer attacks use far more sophisticated mechanisms to attack organizations' networks and services. Rather than simply flooding a network with traffic or sessions, these attacks target specific applications and services to slowly exhaust resources at the application level, for example by tying up a server's limited pool of connection or worker slots with a few requests that are slow or expensive to serve. Application layer attacks can be effective at small traffic volumes and may look completely normal to traditional DDoS detection methods, which watch packet and connection rates. This makes them harder to detect than basic DDoS attacks.
DDoS Protection Options
Most ISPs offer layer 3 and 4 DDoS protection to keep organizations' links from becoming flooded during bulk, volumetric events; however, they do not have the capability to detect the much smaller layer-7-based attacks. Data centers should not rely on their ISP alone to provide a complete DDoS solution that includes application layer protection. Instead, they should consider putting in place one of the following measures:
DDoS service providers. There are many hosted, cloud-based DDoS solutions that provide layer 3, 4 and 7 mitigation services. These range from inexpensive plans for small websites to large-scale enterprise plans that can cover multiple sites. They are usually very easy to set up and heavily advertised to small and mid-sized organizations. Most offer customized pricing options, and many have advanced layer 7 detection services for large organizations that require sensors to be installed in the data center.
Although many companies opt to go this route, some experience unpredictable and significant overage charges when they are hit with high-volume DDoS attacks. Performance also may not be up to expectations, because the service providers redirect DDoS traffic to mitigation centers rather than stopping it in real time: the attack has to be detected and the traffic rerouted before scrubbing begins. This is especially problematic for the short-duration attacks that are typically encountered.
Firewall or IPS. Almost every modern firewall and intrusion prevention system (IPS) claims some level of DDoS defense. Advanced, next-generation firewalls (NGFWs) offer DDoS and IPS services that can mitigate many DDoS attacks. Having one device for firewall, IPS and DDoS is easier to manage, but a single device may be overwhelmed by volumetric DDoS attacks, and it may not have the sophisticated layer 7 detection mechanisms that other solutions offer.
Another trade-off is that enabling DDoS protection on the firewall or IPS may impact the overall performance of that single device, resulting in reduced throughput and increased latency for end users.
Dedicated DDoS attack mitigation appliances. These are dedicated, hardware-based devices deployed in a data center to detect and stop both basic (layer 3 and 4) and advanced (layer 7) DDoS attacks. Deployed at the primary entry point for all web-based traffic, they can both block bulk volumetric attacks and monitor all traffic entering and leaving the network to detect suspicious patterns of layer 7 threats.
By using a dedicated device, expenses are predictable, as the cost is fixed whether an organization suffers one attack in six months or is attacked every day. The trade-offs: these devices are an additional piece of hardware to manage; lower-bandwidth units can be overwhelmed during bulk volumetric attacks; and many manufacturers require frequent signature updates.
Dedicated hardware-based DDoS attack mitigation solutions come in two primary versions: Carrier and Enterprise. Carrier versions are large, expensive solutions designed for global ISP networks. Most organizations that want to protect their private data centers look at the Enterprise models for cost-effective DDoS detection and mitigation. Today's models provide capacities that can handle large-scale volumetric attacks, so they can on their own provide layer 3, 4 and 7 protection, or they can supplement basic ISP-based bulk DDoS protection with advanced layer 7 detection and mitigation. Although these devices require an up-front investment, compared to hosted solutions they are generally much less expensive in the long run once overage charges are factored into the total cost.
Enterprises should look for DDoS attack mitigation appliances that use adaptive, behavior-based methods to identify threats. Such appliances learn baselines of normal application activity, such as request rates and resource consumption per application, and then monitor live traffic for deviations from them. This adaptive, learning approach has the advantage of protecting users from unknown zero-day attacks, because the device does not need to wait for signature files to be updated. The baseline must be learned from clean traffic and re-learned as applications change, or ordinary shifts in usage will show up as attacks.
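To make the two points above concrete, the behavior-based baseline this paragraph calls for and the low-volume application layer attack described earlier that slips past volumetric detection, here is a small Python example. It is added to this article and is not code from the author or from any vendor's appliance. Everything in it is constructed: the log format (an Apache-style access log with the request service time in milliseconds appended as a final field), the addresses, paths and timings. It learns per-URL baselines of per-minute request count and server time from ten quiet minutes, then scores a minute in which six expensive wildcard searches from one host add only a handful of requests but dominate server time.

```python
import re
import statistics
from collections import Counter, defaultdict

# Assumed log format (constructed for this example, not a vendor's): Apache-style
# access log with the request service time in milliseconds as a final field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) \S+" '
    r'\d{3} \d+ (?P<ms>\d+)$'
)

def parse_line(line):
    """Parse one log line into ip, minute bucket, query-less path and server ms."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "minute": m.group("ts").rsplit(":", 1)[0],   # drop seconds and zone
            "path": m.group("path").split("?", 1)[0],    # normalise away the query
            "ms": int(m.group("ms"))}

def per_minute(records):
    """(minute, path) -> request count and total server time in that minute."""
    out = defaultdict(lambda: {"count": 0, "ms": 0})
    for r in records:
        out[(r["minute"], r["path"])]["count"] += 1
        out[(r["minute"], r["path"])]["ms"] += r["ms"]
    return out

def learn_baseline(records):
    """Per path: (mean, stdev) of per-minute request count and server time.

    Minutes in which a path saw no traffic count as zero. The stdev is floored
    at 10 % of the mean so a perfectly steady series still tolerates small
    deviations instead of turning every change into a huge z-score.
    """
    metrics = per_minute(records)
    minutes = {mn for mn, _ in metrics}
    baseline = {}
    for path in {p for _, p in metrics}:
        baseline[path] = {}
        for metric in ("count", "ms"):
            series = [metrics.get((mn, path), {"count": 0, "ms": 0})[metric]
                      for mn in minutes]
            mean = statistics.mean(series)
            sd = max(statistics.pstdev(series), 0.1 * mean) or 1.0
            baseline[path][metric] = (mean, sd)
    return baseline

def detect(window, baseline, z_threshold=3.0):
    """Score one minute of records; return (path, metric, observed, mean, z).

    The case that matters here is a path whose request count is within its
    normal range but whose server time is far above baseline: a few requests,
    each expensive, which a volumetric or rate-only detector never sees.
    """
    alerts = []
    for (_, path), m in per_minute(window).items():
        if path not in baseline:
            continue   # unseen path: a real deployment needs a policy for these
        for metric in ("count", "ms"):
            mean, sd = baseline[path][metric]
            z = (m[metric] - mean) / sd
            if z > z_threshold:
                alerts.append((path, metric, m[metric], round(mean), round(z, 1)))
    return alerts

def top_consumers(window, path, n=3):
    """Clients ranked by server time spent on a flagged path, not by hit count."""
    c = Counter()
    for r in window:
        if r["path"] == path:
            c[r["ip"]] += r["ms"]
    return c.most_common(n)

# --- constructed traffic, not real data -------------------------------------
def _lines(minute, ip, path, count, ms):
    return [f'{ip} - - [01/Aug/2014:10:{minute:02d}:{i % 60:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 {ms}' for i in range(count)]

def training_lines():
    """Ten quiet minutes: steady /index.html, mildly varying /search."""
    lines = []
    for mn in range(10):
        lines += _lines(mn, "198.51.100.10", "/index.html", 100, 5)
        lines += _lines(mn, "198.51.100.20", "/search?q=widgets", 10 + mn % 5, 40)
    return lines

def attack_lines():
    """Minute 10: normal load plus six slow wildcard searches from one host."""
    return (_lines(10, "198.51.100.10", "/index.html", 100, 5)
            + _lines(10, "198.51.100.20", "/search?q=widgets", 10, 40)
            + _lines(10, "203.0.113.7", "/search?q=%25%25%25", 6, 2500))

def run_demo():
    """Return (alerts, requests in the attack minute, top /search consumers)."""
    base = learn_baseline([parse_line(ln) for ln in training_lines()])
    window = [parse_line(ln) for ln in attack_lines()]
    return detect(window, base), len(window), top_consumers(window, "/search")

if __name__ == "__main__":
    alerts, total, talkers = run_demo()
    print(f"{total} requests this minute vs 110-114 in training: no volume alarm")
    for a in alerts:
        print("ALERT", a)
    print("top /search consumers by server ms:", talkers)
```

The attack minute carries 116 requests against 110 to 114 in the learning period, so a rate or bandwidth threshold sees nothing; the /search request count rises from a mean of 12 to 16, below the three-sigma line, while its server time goes from roughly 480 ms to 15,400 ms and is flagged immediately. Attributing by server time rather than hit count then points at the one host responsible. A production baseline would also key on client, session and response-size behavior, re-learn on a schedule, and decide what to do with URLs never seen in training.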
DDoS attacks are on the rise for almost any organization, large or small. The potential threats and volumes are increasing as more devices, including mobile handsets, join the Internet. If your organization has a web property, the likelihood of getting attacked has never been higher. The evolving nature of DDoS attacks means that enterprises can no longer depend solely on their ISP for protection. Organizations must start making shifts now that give them greater foresight and more proactive defenses for network and application-level services.
This article originally appeared in the August 2014 issue of Security Today.