Applications are the face of your company. Customer goodwill is won or lost in a heartbeat these days, so downtime of any description is not an option. Every second you are out of commission is a potential prelude to financial and/or reputational loss.
While there are a multitude of fancy new cyber-attacks that can disrupt and harm, it is a distinctly “old school” threat that remains among the most prominent (and disruptive).
Distributed Denial of Service (DDoS) attacks aren’t new. In fact, the first known incident resembling a denial of service attack reportedly occurred in 1974 when a 13-year-old at the University of Illinois took down a room full of terminals connected to a learning management system.
Times have changed since then, but DDoS attacks have continued to evolve, grow teeth, and wreak havoc. This is particularly true in the wake of COVID-19, with a number of industry reports from the past two quarters highlighting significant spikes across the world.
Yet, even before the pandemic, the DDoS threat was on an upward trajectory. For example, an analysis of F5 Security Incident Response Team data recently noted that 77% of all attacks against service providers in 2019 were DDoS-related. In 2017, it was around 30%.
DDoS attacks typically come in three forms. High bandwidth attacks, also known as volumetric floods, are the most common. A massive amount of traffic is sent to the targeted victim’s network with the goal of saturating its links so completely that legitimate users are denied access. These attacks are measured in bits per second.
Then there are protocol attacks (sometimes called “computational” or “network” attacks), which deny service by exploiting either weaknesses in, or the normal behavior of, protocols. These are typically OSI layer 3 and layer 4 protocols such as ICMP (Internet Control Message Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and others. The goal is to exhaust the state tables and processing capacity of the target or of intermediate devices (such as firewalls) rather than its bandwidth: a SYN flood, for example, opens handshakes it never completes until the half-open connection table is full. Because the individual packets are small, these attacks are measured in packets per second rather than bits per second.
Finally, and arguably the toughest of the bunch, are application layer attacks (also known as OSI layer 7 attacks), which target web servers, web application platforms, and specific web-based applications rather than the network itself. Here attackers attempt to overwhelm or crash the server and make a website or application inaccessible. These attacks can target known application vulnerabilities, the application’s underlying business logic, or abuse higher-layer protocols like HTTP/HTTPS (Hypertext Transfer Protocol/Secure) and SNMP (Simple Network Management Protocol). Attacks of this nature often use comparatively little bandwidth and do not necessarily show up as a spike in overall traffic, because each request can be a complete, valid request; this makes them much harder to distinguish from legitimate load, and therefore harder to mitigate without false positives. Application layer attacks are measured in requests per second.
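The three signatures described above (bits per second for volumetric floods, packets per second plus a skewed SYN mix for protocol attacks, and requests per second per client for application-layer floods) can be checked in a few lines over a one-second traffic sample. The following is an added example, not code from the original article or from any F5 product; the `Packet` record, the `Thresholds` values and the sample traffic are all constructed for this illustration, and the cut-offs are sized for the toy samples rather than taken from any real link or baseline.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet summary. The field set is this example's own, not any tool's format."""
    src: str                # source IP address
    proto: str              # "TCP", "UDP" or "ICMP"
    length: int             # bytes on the wire
    flags: str = ""         # TCP flags, e.g. "S" (bare SYN), "A", "PA"
    http_req: bool = False  # True when the packet carries an HTTP request


@dataclass(frozen=True)
class Thresholds:
    """Illustrative cut-offs sized for the constructed samples below (assumption);
    in production they come from link capacity and a measured traffic baseline."""
    bps: float = 1_000_000   # volumetric floods: bits per second over the window
    pps: float = 300         # protocol attacks: packets per second ...
    syn_share: float = 0.5   # ... combined with the share of TCP packets that are bare SYNs
    rps_per_src: float = 50  # application attacks: HTTP requests per second from ONE client


def bits_per_second(pkts, window_s):
    return sum(p.length for p in pkts) * 8 / window_s


def packets_per_second(pkts, window_s):
    return len(pkts) / window_s


def bare_syn_share(pkts):
    """Fraction of TCP packets that are bare SYNs. Normal traffic is dominated by
    ACK and data packets; a SYN flood pushes this towards 1.0."""
    tcp = [p for p in pkts if p.proto == "TCP"]
    return sum(p.flags == "S" for p in tcp) / len(tcp) if tcp else 0.0


def requests_per_second_by_src(pkts, window_s):
    counts = Counter(p.src for p in pkts if p.http_req)
    return {src: n / window_s for src, n in counts.items()}


def classify(pkts, window_s, th=Thresholds()):
    """Return the attack forms whose signature exceeds the thresholds (may be several)."""
    found = []
    if bits_per_second(pkts, window_s) > th.bps:
        found.append("volumetric")
    if packets_per_second(pkts, window_s) > th.pps and bare_syn_share(pkts) > th.syn_share:
        found.append("protocol")
    # Application-layer floods hide inside modest totals: check each client separately.
    if any(r > th.rps_per_src for r in requests_per_second_by_src(pkts, window_s).values()):
        found.append("application")
    return found


# --- constructed one-second samples (not captured traffic) -----------------------
def background():
    """Ten legitimate clients: SYN, ACK, then one HTTP request each."""
    pkts = []
    for i in range(10):
        c = f"192.0.2.{i + 1}"
        pkts += [Packet(c, "TCP", 60, "S"), Packet(c, "TCP", 52, "A"),
                 Packet(c, "TCP", 600, "PA", http_req=True)]
    return pkts


def udp_flood(n=200):   # large UDP payloads from many sources: saturates bandwidth
    return [Packet(f"198.51.100.{i % 250 + 1}", "UDP", 1400) for i in range(n)]


def syn_flood(n=500):   # tiny bare SYNs from many (spoofed) sources: little bandwidth
    return [Packet(f"203.0.113.{i % 250 + 1}", "TCP", 60, "S") for i in range(n)]


def http_flood(n=120):  # one client issuing complete, valid HTTP requests rapidly
    return [Packet("192.0.2.250", "TCP", 600, "PA", http_req=True) for _ in range(n)]


if __name__ == "__main__":
    samples = [("normal", []), ("udp", udp_flood()), ("syn", syn_flood()), ("http", http_flood())]
    for name, extra in samples:
        pkts = background() + extra
        print(f"{name:6s} bps={bits_per_second(pkts, 1.0):>10.0f} "
              f"pps={packets_per_second(pkts, 1.0):>4.0f} -> {classify(pkts, 1.0)}")
```

Running the block prints one line per sample. The point to notice is the HTTP flood: its total bandwidth (about 0.6 Mbit/s) and packet rate (150 pps) sit below both network-level thresholds and would pass a volumetric or packet-rate detector, yet a single client is issuing 120 requests per second while the legitimate clients issue one each. That per-client view is what layer 7 detection has to work from, and it is also where false positives come from if the threshold is set without a baseline (a busy proxy or NAT gateway legitimately fronts many users).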
One of the biggest challenges facing security teams is the ease with which a DDoS attack can be launched; a vast array of online resources means almost anyone can become a cybercriminal at the click of a button. There are also DDoS-for-hire services (so-called booters or stressers) that you can pay to attack the target of your choice. The attackers are just as varied: hacktivists, disgruntled ex-employees, “script-kiddies” leveraging ready-made code, and nation-state actors.
Unfortunately, there’s no way to completely avoid being a target, but there are several steps you can take to better protect your organization.
First of all, it is crucial to have a DDoS response plan in place. This should be a playbook that outlines every step for incident response (people, processes, roles, procedures, etc.).
To effectively mitigate app-based DDoS attacks, all organizations need to:
When it comes to implementing specific DDoS protection solutions, you should always base it on the frequency your organization is attacked (or the likelihood thereof), your in-house skillsets to defend against an attack, available budgets, and your network’s capacity and limitations. Deployment options include:
In addition to these recommendations, you should also ensure your network infrastructure is protected with firewalls and intrusion detection systems that monitor and analyze network traffic. Furthermore, it is advisable to use anti-virus solutions to curb malware infections, which also keeps your own hosts from being conscripted into someone else’s botnet, as well as load balancing and redundancy to help maintain availability.
At the same time, it is important not to overlook technical and administrative controls such as restricting remote administration to a dedicated management network (instead of exposing it to the entire Internet), and regularly scanning your Internet-facing ports and services so that you know exactly what an attacker can reach.
Everyone should take DDoS seriously, expect to be attacked at some point, and have plans and mitigation measures in place that are intimately aligned with business objectives.