Taking Charge Organizations must stop relying on their Internet service providers to protect them from attacks and take matters into their own hands

Taking Charge

Organizations must stop relying on their Internet service providers to protect them from attacks and take matters into their own hands

  • By Mark Byers
  • Aug 01, 2014

Taking Charge Organizations must stop relying on their Internet service providers to protect them from attacks and take matters into their own handsDistributed Denial of Service (DDoS) attacks are some of the oldest Internet threats and continue to be the top risk to networks around the world. As protections have evolved, the technology used by hackers has adapted and become much more sophisticated. New attack types now target applications and services, and oftentimes, they’re masked in bulk layer 3 and 4 DDoS events, making it difficult to detect them.

The financial services industry is one of the largest targets of cyber criminals for DDoS attacks, followed closely by the government sector. Besides disrupting Internet operations through a brute-force data onslaught, DDoS attacks have recently been used to hide more sophisticated attempts to break into financial and e-commerce information. These attacks often have the intent of disrupting operations mostly through the destruction of access to information.

There are generally three categories of motivations behind DDoS attacks: political, retaliatory and financial. Political attackers target those who disagree with their political, social or religious beliefs. When a botnet gets shut down or a major cyber-crime ring is busted, it can trigger retaliatory attacks against those who aided or assisted the authorities. Financially-motivated attacks are a payto- play scheme, where hackers are compensated by a third-party to conduct the attack on their behalf. With each motivation, the results are the same—your network and online services are down, and can remain down for an extended period of time.

Watch Out for Advanced Application Layer DDoS Attacks

There are many kinds of DDoS attacks that are widely used today, including older methods from the early days of the Internet to the latest advanced layer 7 attacks that target application services. SYN flood and HTTP GET floods are the most common and are used to overwhelm network connections or overload servers behind firewalls and intrusion protection services (IPS).

More worrisome, however, is that application layer attacks use far more sophisticated mechanisms to attack organizations’ networks and services. Rather than simply flooding a network with traffic or sessions, these attack types target specific applications and services to slowly exhaust resources at the application level.

Application layer attacks can be effective using small traffic volumes and may appear to be completely normal to most traditional DDoS detection methods. This makes them harder to detect than basic types of DDoS attacks.

DDoS Protection Options

Most ISPs offer layer 3 and 4 DDoS protection to keep organizations’ links from becoming flooded during bulk, volumetric events; however, they don’t have the capability to detect the much smaller layer- 7-based attacks. Data centers should not rely on their ISP alone to provide a complete DDoS solution that includes application layer protection. Instead, they should consider putting in place one of the following measures:

DDoS service providers. There are many hosted, cloud-based DDoS solutions that provide layer 3, 4 and 7 mitigation services. These can range from inexpensive plans for small websites to large-scale enterprise plans that can cover multiple sites. They’re usually very easy to set up and heavily advertised to small and mid-sized organizations. Most offer customized pricing options and many have advanced layer 7 detection services for large organizations that require sensors to be installed in the data center.

Although many companies opt to go this route, some experience unpredictable and significant overage charges when they’re hit with high-volume DDoS attacks. Performance also may not be up to their expectations as the service providers redirect DDoS traffic to mitigation centers, instead of stopping it in real time. This is especially problematic for short duration attacks typically encountered.

Firewall or IPS. Almost every modern firewall and intrusion protection system (IPS) claims some level of DDoS defense. Advanced, next-generation firewalls (NGFWs) offer DDoS and IPS services that can mitigate many DDoS attacks. Having one device for firewall, IPS and DDoS is easier to manage, but one device may be overwhelmed with volumetric DDoS attacks and it may not have the sophisticated layer 7 detection mechanisms other solutions offer.

Another trade-off is that enabling DDoS protection on the firewall or IPS may impact the overall performance of a single device, resulting in reduced throughputs and increased latency for end users.

Dedicated DDoS attack mitigation appliances. These are dedicated, hardwarebased devices that are deployed in a data center, used to detect and stop basic (layer 3 and 4) and advanced (layer 7) DDoS attacks. Deployed at the primary entry point for all web-based traffic, they can both block bulk volumetric attacks and monitor all traffic coming in and leaving the network to detect suspicious patterns of layer 7 threats.

By using a dedicated device, expenses are predictable, as the cost is fixed whether an organization suffers from one attack in six months or is attacked every day. The trade-offs are: These devices are an additional piece of hardware to manage; lower-bandwidth units can be overwhelmed during bulk-volumetric attacks; and many manufacturers require frequent signature updates.

Dedicated hardware-based DDoS attack mitigation solutions come in two primary versions: Carrier and Enterprise. Carrier versions are large, expensive solutions designed for global ISP networks. Most organizations that want to protect their private data centers usually look at the Enterprise models to provide costeffective, DDoS detection and mitigation. Today’s models provide capacities that can handle large-scale, volumetric attacks for 100 percent layer 3, 4 and 7 protection or can be used to supplement basic, ISP-based, bulk DDoS protection with advanced layer 7 detection and mitigation. Although these devices require an up-front investment, compared to hosted solutions, they are generally much less expensive in the long run when overage charges are factored in with the total cost.

Enterprises should look for DDoS attack mitigation appliances that use adaptive, behavior-based methods to identify threats. Such appliances learn baselines of normal application activity and then monitor traffic against them. This adaptive/ learning approach has the advantage of protecting users from unknown zeroday attacks as the device doesn’t need to wait for signature files to be updated.

DDoS attacks are on the rise for almost any organization, large or small. The potential threats and volumes are increasing as more devices, including mobile handsets, join the Internet. If your organization has a web property, the likelihood of getting attacked has never been higher.

The evolving nature of DDoS attacks means that enterprises can no longer depend solely on their ISP for protection. Organizations must start making shifts now that give them greater foresight and more proactive defenses for network and application-level services.

This article originally appeared in the August 2014 issue of Security Today.

Featured

  • 2025 Security LeadHER Conference Program Announced

    ASIS International and the Security Industry Association (SIA) – the leading membership associations for the security industry – have announced details for the 2025 Security LeadHER conference, a special event dedicated to advancing, connecting and empowering women in the security profession. The third annual Security LeadHER conference will be held Monday, June 9 – Tuesday, June 10, 2025, at the Detroit Marriott Renaissance Center in Detroit, Michigan. This carefully crafted program represents a comprehensive professional development opportunity for women in security this year. To view the full lineup at this year’s event, please visit securityleadher.org. Read Now

    • Industry Events

  • Report: 82 Percent of Phishing Emails Used AI

    KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, today launched its Phishing Threat Trend Report, detailing key trends, new data, and threat intelligence insights surrounding phishing threats targeting organizations at the start of 2025. Read Now

  • NRF Supports Federal Bill to Thwart Retail Crime

    The National Retail Federation recently announced its support for the Combating Organized Retail Crime Act of 2025. The act was introduced by Chairman Chuck Grassley, R-Iowa, Senator Catherine Cortez Masto, D-Nev., and Representative Dave Joyce, R-Ohio. Read Now

  • ISC West 2025 Brings Almost 29,000 Industry Professionals to Las Vegas

    ISC West 2025, organized by RX and in collaboration with the Security Industry Association, concluded at the Venetian Expo in Las Vegas last week. The nation’s leading comprehensive and converged security event attracted nearly 29,000 industry professionals and left a lasting impression on the global security community. Over five action-packed days, ISC West welcomed more than 19,000 attendees and featured 750 exhibiting brands. Read Now

    • Industry Events
    • ISC West

  • Tradeshow Work Can Be Fun

    While at ISC West last week, I ran into numerous friends and associates all of which was a pleasant experience. The first question always seemed to be, “How many does this make for you?” Read Now

    • Industry Events
    • ISC West
Most   Popular

New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.

  • Hanwha QNO-7012R

    Hanwha QNO-7012R

    The Q Series cameras are equipped with an Open Platform chipset for easy and seamless integration with third-party systems and solutions, and analog video output (CVBS) support for easy camera positioning during installation. A suite of on-board intelligent video analytics covers tampering, directional/virtual line detection, defocus detection, enter/exit, and motion detection.