Types of DDoS Attacks: Best Practices and Techniques

save
Share and earn Cybytes
Facebook Twitter LinkedIn Email

Distributed Denial of Service Attacks: Protection Methods and Best Practices

In two recent blog entries, I discussed botnets — best practices in botnet detection and dealing with botnet command & control servers.

This time I’ll be exploring one of their most commonplace tasks: distributed denial of service attacks.

What is a distributed denial of service attack?

The fundamental premise of distributed denial of service attacks is simple: flooding services or public websites with so much network traffic they can’t function properly (or at all). This can take a devastating toll on targeted organizations — shutting off their revenue streams, and damaging both their brands and customer relationships, with a single stroke.

Historically, distributed denial of service attacks have taken several common forms:

Basic denial of service (DoS) simply involves a single computer/source slamming the targeted site or service with excessive requests (e.g., to view the site or run a search function).
Distributed denial of service (DDoS) is a variation in which a botnet is used to generate the traffic. Because the botnet is distributed over hosts in many locations, it’s slower and harder for an organization to mount an effective defense. Simple rules, such as blocking a particular domain or IP range, no longer apply.
Reflected distributed denial of service is still more sophisticated yet. Here, the botnet poses as the targeted site, using spoofed IP addresses, and tricks other servers/services (not associated with the botnet) into overwhelming the target. For instance, a botnet might persuade public servers that have enabled the Network Time Protocol (NTP) into sending excessive network traffic to the target.

The goal of the attacker is the same in all cases. If the site’s architecture can’t block the traffic, or scale to meet the demand level, the site or service is effectively taken offline, and the organization suffers significant business consequences. Attackers often leverage this fact to extort payments in a modern-day version of the protection racket.

Distributed denial of service attack examples

According to Akamai, distributed denial of service attacks have seen a year-over-year increase of more than 132%. This is a trend that has been only increasing over time, so if you haven’t been hit . . . you will be. In fact, experts predict that in the near future all Internet-connected businesses will find this to be an at-least annual event.

“Half of the q2 2015 DDoS attacks employed multiple attack vectors, a trend that has continued for the past year. Multi-vector attacks typically leverage attack toolkits from the DDoS-for hire underground.”
– Akamai State of the Internet Security Q2 2015 Report

Here are some recent headlines to contemplate:
DDoS

Distributed denial of service attack mitigation and protection techniques

DDoS attacks launched by botnets truly have two victims: the targeted organization (whose services/sites are shut down) and the hosts of the botnet (whose architectures are being commandeered to perform illegal actions, while legitimate business activity is compromised).

So mitigating and protecting against distributed denial of service really means addressing both scenarios. Common steps would certainly include:

1. Applying all relevant security patches, as quickly as possible after they are published, to all relevant endpoints
2. Shutting down unnecessary services/ports when possible (such as NTP or UDP)
3. Standard botnet protection as described here in my earlier blog entries

Distributed Denial of Attack Response Options

Beyond this, organizations have a variety of effective denial of service attack protection options.

One, called network ingress filtering, is codified by the Internet Engineering Task Force as BCP 38. It contains best practices to detect and handle any incoming traffic that uses spoofed IP addresses; spoofed packets are simply discarded before being sent to servers. This technique is particularly effective against distributed denial of service attacks when used by an organization’s Internet Service Provider (ISP), so arranging with the ISP to implement is well worth the time.

Another powerful response to distributed denial of service attacks: contract with a third-party provider that specializes in filtering such attacks. Essentially, if an attack should occur, incoming traffic can be routed to the contractor to scrub, which then sends back only the legitimate traffic to the organization. The scrubbing process involves sophisticated algorithms that examine packets in various respects (IP address, HTTP header information, etc.) and is often itself operating in a high-performance, scalable cloud architecture, to ensure it can handle even the largest attacks.

Dedicated network solutions/appliances, deployed internally, are also available to help organizations cope with distributed denial of service attacks. These work in a roughly similar fashion — by creating a baseline of expected traffic, they can detect and respond to a DDoS attack, scrubbing out false traffic and forwarding only what is left to services. However, since this approach still requires consuming limited internal resources such as bandwidth and processing power, it’s typically not as scalable in handling the most devastating attacks as a third-party specialist.

Also important, though it feels counter-intuitive to security professionals: advertising to the public that the organization is prepared for distributed denial of service attacks. If an attacker perceives in advance that a DDoS attack isn’t likely to be successful, the odds fall that the attack will be launched in the first place! (Compare this to not just installing a security system in your home, but advertising its existence with a sign in your front yard.)

The future of distributed denial of service attack detection, protection, and mitigation

DDoS attacks continue to evolve. Today, for instance, advanced persistent threat (APT) attacks can flood both a targeted organization and its ISP via scheduled sequences of many different attack vectors (such as the application layer, cross-site scripting, and SYN packet floods) — and they can last for a period of weeks.

So, going forward, organizations will have to develop a defensive strategy of equal sophistication. They will need to take advantage of all the techniques described above, and new ones as they emerge, to create a layered, multifaceted security architecture that prevents and defends against the effects of distributed denial of service attacks as comprehensively as possible.

Original Post

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
Follow
3269 Followers
About AT&T CyberSecurity
AT&T Cybersecurity’s edge-to-edge technologies provide phenomenal threat intelligence, collaborative defense, security without the seams, and solutions that fit your business. Our unique, collaborative approach integrates best-of-breed technologies with unrivaled network visibility and actionable threat intelligence from AT&T Alien Labs researchers, Security Operations Center analysts, and machine learning – helping to enable our customers around the globe to anticipate and act on threats to protect their business. --
Promoted Content
2018 Threat Intelligence Report
Threat intelligence has become a significant weapon in the fight against cybersecurity threats, and a large majority of organizations have made it a key part of their security programs. This threat intelligence report, produced by Cybersecurity Insiders, explores how organizations are leveraging threat intelligence data, the benefits and most critical features of threat intelligence platforms, and the biggest cyber threats organizations are using their threat intelligence to combat. Download this report now to learn industry findings around threat intelligence.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

 

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel