The Best Defense Against Three Types of DDoS Attacks

by Sharon Bell 23 Jul, 2015

In the Middle Ages, towering walls were built to secure the perimeters of castles, protecting the people and valuables within the area. In our modern homes and businesses, locked doors, complex alarm systems, even guards, protect our most valuable possessions. 

On our websites, these types of physical manifestations of security may not be visible, but the virtual equivalent of them is entirely necessary. Cyber attacks on websites across all industries are increasingly common. Small businesses and large enterprises (and everything in between) are vulnerable. One of the growing threats to websites of all kinds is distributed denial of service attacks, more often referred to as DDoS attacks. 

What is a DDoS attack? 

Hackers gain access to a network of computers or other Internet-enabled devices (often called a botnet) and use them to orchestrate an attack on an online service (such as a website or server). The goal is to overwhelm the system with pointless traffic or requests to slow website performance, or crash the system altogether.

DDoS attacks can render a website useless for a period of time (depending on the severity of the attack) and cost an Internet-reliant company upward of $40,000 per hour. They can also harm customer trust and brand reputation.

Our internal data shows some staggering numbers from 2014 and provides a preview for this year:

- 29 percent increase in DDoS attack frequency

- 64-fold increase in amplification (volume-based) attacks

- Two-fold increase in high-traffic attacks of over 20G

- 39 percent of all attacks target gaming companies

Not all DDoS attacks are the same. There are many ways hackers can utilize a distributed network to target websites, but the most common types can be divided into three broad categories: volume-based, protocol and application layer attacks. Let's take a look at each category and how websites can mount a defense against each type. 

Volume-based attacks

Volume-based attacks are the most common type of DDoS attack. The goal is to flood the website with traffic, clogging up available bandwidth and making it unavailable for legitimate traffic. This category includes UDP floods, ICMP floods and other spoofed-packet floods. It should be noted that volume-based attacks are only getting bigger - 100 Gbps attacks (or greater) are no longer considered unusual and DDoS attacks between 1 and 5 Gbps nearly tripled in number between 2012 and 2013.

For websites in frequently targeted industries (gaming, finance, ecommerce), ensuring the network and website have the capacity to handle this type of traffic can be both daunting and expensive.

Defense starts with network infrastructure. Not only should businesses be able to accommodate global users and handle normal traffic (and legitimate spikes in traffic), they should also have the ability to take on the unusual amounts of traffic that are often the hallmark of a DDoS attack. A cloud-based infrastructure (with some extra capacity to maneuver if necessary) coupled with high-performance servers will help ward off a volume-based DDoS attack.

Protocol Attacks

Protocol attacks target server resources and related equipment, such as firewalls and load balancers. This umbrella category includes SYN floods, Ping of Death and Smurf DDoS. Essentially, hackers use their botnet to flood websites or other resource servers with phony protocol requests to consume available resources. In the case of a SYN flood, the botnet directs a succession of SYN requests to the victim's system until it's rendered useless. Other DDoS protocol attacks send large fragmented packets (larger than the IP specification allows) to overwhelm the system.

An anti-DDoS device is one way to protect a website or business from a protocol DDoS. Armed with the latest threat information (if properly updated and maintained), an anti-DDoS device can be a first line of defense and alert in the event of a DDoS attack. 
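
A SYN flood shows up as many handshakes toward one target that never complete. The following Python example is added here for illustration and is not code from the original article or from any anti-DDoS product; it counts half-open handshakes per target in a constructed packet list, and the record layout, thresholds and documentation-range addresses are assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed capture: (time_ms, src, sport, dst, dport, tcp_flags)."""
    pkts = []
    web = "203.0.113.10"
    for i in range(3):  # three complete handshakes: SYN, SYN-ACK, ACK
        c, p, t = f"198.51.100.{i + 1}", 40000 + i, i * 500
        pkts += [(t, c, p, web, 443, "S"),
                 (t + 10, web, 443, c, p, "SA"),
                 (t + 20, c, p, web, 443, "A")]
    for i in range(200):  # flood: SYNs from changing sources, never ACKed
        pkts.append((2000 + i * 5, f"192.0.2.{i % 250 + 1}", 50000 + i,
                     "203.0.113.20", 80, "S"))
    return sorted(pkts)

def handshake_stats(packets, grace_ms=500):
    """Per (dst, dport): [half_open, completed] handshakes in the capture."""
    pending = {}                        # (client, cport, server, sport) -> SYN time
    stats = defaultdict(lambda: [0, 0])
    for ts, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = ts
        elif flags == "A" and pending.pop(key, None) is not None:
            stats[(dst, dport)][1] += 1
    end = packets[-1][0] if packets else 0
    for (_, _, dst, dport), ts in pending.items():
        if end - ts >= grace_ms:        # skip handshakes that may still finish
            stats[(dst, dport)][0] += 1
    return dict(stats)

def syn_flood_alerts(packets, min_half_open=50, min_ratio=0.9):
    """Targets with many half-open handshakes and few completed ones."""
    alerts = []
    for target, (half_open, done) in handshake_stats(packets).items():
        if half_open >= min_half_open and half_open / (half_open + done) >= min_ratio:
            alerts.append(target)
    return sorted(alerts)

if __name__ == "__main__":
    print(syn_flood_alerts(build_sample()))
```

The grace period keeps handshakes that are still in flight at the end of the capture from being counted as half-open.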

Application layer attacks

Application layer attacks, or L7 attacks, target vulnerabilities in the application interface of websites (such as HTTP or other Web applications). L7 attacks often occur slowly and often mimic human interaction with a server, which makes it a challenge for other devices to determine whether the traffic is valid. The goal is still the same as other DDoS attacks - to overload the system with enough traffic to slow or crash it.

One of the ways to defend a website is to implement a Layer 7 (L7) switch to direct potentially malicious traffic away from a website. This type of defense works against GET, POST and slow attacks.
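
To make the GET, POST and slow categories concrete, the following Python example (added here, not from the original article and not the logic of any particular L7 switch) classifies constructed per-request records by client. The record layout, the rate thresholds and the fixed 10-second window are assumptions.

```python
from collections import Counter

MIN_RATE_BPS = 50       # assumed minimum inbound bytes/second for an open request
SLOW_AFTER_MS = 5000    # assumed age before an unfinished request is judged
MAX_REQ_PER_WINDOW = 20 # assumed per-client ceiling per method and window

def build_sample():
    """Constructed records: (client, method, start_ms, bytes_in, duration_ms, complete)."""
    recs = [("198.51.100.7", "GET", i * 2000, 400, 80, True) for i in range(5)]
    recs += [("192.0.2.50", "GET", 1000 + i * 100, 350, 60, True) for i in range(60)]
    recs += [("192.0.2.51", "POST", 12000 + i * 150, 900, 90, True) for i in range(40)]
    # Headers trickled in over 30 s and never finished (about 4 bytes/second)
    recs.append(("192.0.2.60", "GET", 3000, 120, 30000, False))
    # Large upload on a slow link that does finish: not an attack
    recs.append(("198.51.100.8", "POST", 4000, 1_000_000, 20000, True))
    return recs

def classify_l7(records, window_ms=10_000):
    """Return clients holding slow unfinished requests and (client, method) floods."""
    slow, counts = set(), Counter()
    for client, method, start_ms, nbytes, dur_ms, complete in records:
        if not complete:
            # Slow attack: connection kept open while almost no data arrives
            if dur_ms >= SLOW_AFTER_MS and nbytes * 1000 / dur_ms < MIN_RATE_BPS:
                slow.add(client)
        else:
            counts[(client, method, start_ms // window_ms)] += 1
    floods = {(c, m) for (c, m, _), n in counts.items() if n > MAX_REQ_PER_WINDOW}
    return {"slow": sorted(slow), "flood": sorted(floods)}

if __name__ == "__main__":
    print(classify_l7(build_sample()))
```

A fixed window undercounts bursts that straddle a boundary; a sliding window or token bucket closes that gap at the cost of more state per client.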

Secure the Castle, Before It Needs Securing

Going back to our earlier example of securing the castle in the Middle Ages, rulers did not wait until they were attacked to build a wall and secure the castle. It was an integral part of the initial plan. 

Likewise, today's websites have to take extra precautions and remain vigilant to ensure a safe environment for their website and the customers that use it. A DDoS attack is not simply a nuisance; it can have serious business consequences, from lost revenue to loss of customer trust. When it comes to DDoS threat and mitigation, an old adage rings true: "An ounce of prevention is worth a pound of cure."

Sharon Bell is the Director of Marketing for CDNetworks, a global CDN service provider.