DDoS attacks have become commonplace these days.  The offending attackers may be hacktivists, cyber-criminals, and nation states or just about anyone else with an Internet grudge and a PayPal or Bitcoin account.  These attacks themselves often require no technical skill.  Someone with a bone to pick can simply purchase the use of any number of nodes on one or more botnets for an hourly fee (long term rate discounts available); use a Graphical User Interface (GUI) to organize the attack and then launch it.

The purpose of an attack can be to disrupt business for Internet bullying or extortion, or to distract an organization while other attacks are launched against a different target.  The latter is a bit scarier because the attacker has a plan to work their way into the victim’s network elsewhere, while the victim’s resources are all focused on the DDoS.

There are three main types of DDoS attacks and multiple subtypes. It is important to note this because each solution handles the different types with various levels of efficacy.

Volumetric/Flood:  This straight-up bully attack hits a target with so much traffic that it is overwhelmed.  These attacks often affect the Internet connection as much as they impact the end-target host.

Resource Starvation:  This attacks the underlying operating system and network stack resources in an attempt to crash either or both.  It does not rely so much on the total volume of traffic but on the types and combinations of traffic that will best affect the application or application services.

Application:  This assaults the application at layer 7 of the OSI model in an attempt to crash the application itself or the underlying application server.  Again, it does not rely on total traffic volume but on the types and combinations of traffic that will best affect those subsystems.
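The three categories above are told apart by different signals: volumetric attacks show up in aggregate bytes per second regardless of who sends them, resource-starvation attacks in the pattern of traffic per source (for example TCP handshakes that are never completed), and application attacks in the rate of expensive layer-7 requests per source. The following Python script, an added example that is not from the original article, runs a toy classifier over constructed flow records to illustrate that distinction. The `Flow` record layout, the threshold constants and the list of "expensive" paths are all assumptions for the example and would be tuned per environment.

```python
"""Toy classifier for the three DDoS categories described above.

Added example (not from the original article). It reads a batch of
constructed flow records covering a fixed time window and reports which
category the window's traffic most resembles. Thresholds are illustrative
assumptions, not recommendations.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # source IP address
    proto: str        # "tcp" or "udp"
    nbytes: int       # bytes carried by this flow record
    syn_only: bool    # TCP handshake never completed (half-open connection)
    http_path: str    # requested path for layer-7 traffic, "" otherwise


WINDOW_SECONDS = 10

# Illustrative thresholds (assumptions; tune per environment)
VOLUMETRIC_BPS = 50_000_000      # aggregate inbound bytes/sec across all sources
HALF_OPEN_PER_SRC = 200          # half-open SYNs per source in the window
EXPENSIVE_REQ_PER_SRC = 50       # expensive layer-7 requests per source in the window
EXPENSIVE_PATHS = {"/search", "/report", "/login"}  # assumed costly endpoints


def classify(flows, window=WINDOW_SECONDS):
    """Return a dict describing which attack types the window shows.

    Volumetric is judged on aggregate bytes, because a flood saturates the
    link no matter who sends it. Resource-starvation and application attacks
    are judged per source, because they depend on the type of traffic rather
    than on raw volume.
    """
    total_bytes = sum(f.nbytes for f in flows)
    half_open = defaultdict(int)
    expensive = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.syn_only:
            half_open[f.src] += 1
        if f.http_path in EXPENSIVE_PATHS:
            expensive[f.src] += 1
    return {
        "inbound_bps": total_bytes / window,
        "volumetric": total_bytes / window >= VOLUMETRIC_BPS,
        "resource_starvation": sorted(s for s, n in half_open.items()
                                      if n >= HALF_OPEN_PER_SRC),
        "application": sorted(s for s, n in expensive.items()
                              if n >= EXPENSIVE_REQ_PER_SRC),
    }


def sample_flows():
    """Constructed sample: one SYN flooder, one layer-7 hammer, background noise."""
    flows = []
    # 300 half-open SYNs with tiny packets from one source: resource starvation
    flows += [Flow("203.0.113.10", "tcp", 60, True, "") for _ in range(300)]
    # 80 requests to an expensive endpoint from one source: application attack
    flows += [Flow("198.51.100.7", "tcp", 900, False, "/search") for _ in range(80)]
    # ordinary browsing from a handful of clients
    for i in range(20):
        flows.append(Flow(f"192.0.2.{i + 1}", "tcp", 15_000, False, "/index.html"))
    return flows


def sample_flood():
    """Constructed sample: a UDP flood spread over many sources (volumetric)."""
    # 5000 records of 120 kB each = 600 MB in the 10 s window = 60 MB/s
    return [Flow(f"203.0.113.{i % 250 + 1}", "udp", 120_000, False, "")
            for i in range(5000)]


if __name__ == "__main__":
    print(classify(sample_flows()))
    print(classify(sample_flood()))
```

Note that the flood sample triggers only the volumetric verdict even though every individual source sends a moderate amount, while the first sample never comes near the bandwidth threshold yet flags two sources; that is exactly why a solution that is good at absorbing volume may still let the other two types through.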

Fortunately, there are options available to protect against DDoS attacks. Let’s take a look.


Go on with business as usual. Every day is a roll of the dice. For smaller companies without a significant web presence, this may work; for companies with a more significant web presence, each day carries a real probability that you will become a victim.

Short Term: Nothing to implement.

Long Term: May cost the business everything in the event of an attack.


This involves having a back-up site in case the primary business site is attacked.  If by some odd chance the attacker is identifying you only by IP address, this will work. However, it is flawed at best.

Since the vast majority of Internet traffic is directed by DNS, as soon as you roll over to the Disaster Recovery site and DNS is rerouted, the DDoS traffic will follow you there.

This will vary by the size (floor space, CPUs, RAM, connection) and type (hot, warm, or cold) of the Disaster Recovery site.  However, since DR planning generally does not include provisions for DDoS, you will most likely not get much use out of this.


These appliances are made by a number of reputable vendors but differ in their throughput and efficacy against the various types of attacks.  They use proprietary and patented engines to sort the bad traffic from the good, letting only the good traffic through.

As with any process of this sort, there will be some mislabeling.  Some good traffic will probably get filtered while some bad traffic will get through.  However, the losses are not enough to cause the servers and applications to see a significant change in performance.

The critical issue is that if you experience a volumetric DDoS attack, your Internet pipe will fill up, so non-malicious traffic will still be essentially stopped by the “traffic jam” on the access connection.

The appliances supporting these solutions can be purchased through vendors and cost may vary by vendor, time of the month/quarter, amount purchased, and also the volume of attacks that you are trying to repel.

Think about what you expect your Internet connection growth to be over the next 3-5 years and size your purchase based upon that number plus 25%.


Some hosting and cloud vendors offer DDoS mitigation as a premium service add-on.  Check your contract to see if this add-on is available.
Many of them only deal with volumetric attacks, taking advantage of their connections and resources to absorb the volume.  This option may not be wholly effective against resource and application attacks.  (In many cases they are reselling one of the mitigation services and purchasing the carrier-grade DDoS mitigation appliances.)

This type of service is generally better at fighting volumetric attacks because it keeps that bulk traffic away from your Internet connection, so the attack has less chance of being effective.  Depending upon the technology or provider being used, effectiveness against resource or application attacks will vary.

The good news is these are generally operating expenses, not capital expense charges.  The bad news?  You have to be very watchful and deliberate about the service provider you choose.

There are (generally) two charging models.  The 1st is a flat rate.  While more expensive up front, the advantage is cost awareness.

The 2nd model charges per attack or by the volume of traffic to be absorbed/cleaned during attacks.  Lower up-front costs, but when attack(s) come, the costs cannot be foreseen.  It boils down to risk tolerance and luck.

Note:  For large volumetric attacks against companies with large Internet connections and recurring attacks – the charge for the by-the-attack/by-volume services can get into the millions of dollars.

4a: On-Demand DDoS Mitigation

Description

This type of service is only activated when the customer identifies an issue and contacts its provider. The technologies are generally the same as the automatic services, but the provider has a little more setup to do to make it operable. This implementation is often done to reduce the provider’s cost of service or infrastructure, so they can purchase a lower-capacity system or service and only use it when a customer calls in to enable it.

Cost

This is generally a lower cost than an automatic solution. Providers can oversubscribe the service, assuming not all customers will be attacked simultaneously. The downside is activation speed and the pre-activation impacts, since it may take some time to get the mitigation operational.

4b: Automatic DDoS Mitigation

Description

Automatic should respond faster, but that depends on whether it is “Always-on” or “Always Available.” “Always-on” generally means the service is integrated into the infrastructure and always looking for trouble against subscribed customers. “Always Available” generally means that you are using an on-demand service; the primary difference from plain on-demand is that the provider performs internal monitoring and will activate the service for you without your needing to call them.

Cost

This type of service is generally a little more costly than the on-demand because it is “Always-on” or “Always Available,” so the provider has to purchase more solutions or service to support each active customer.


This skips the hosting or cloud provider acting as reseller in the model above.

Customers who purchase this service either change their DNS or their Internet routing so that all traffic, normal and attack, is redirected to the provider as a middleman.  The mitigation service’s facility is purpose-built with specialized hardware and a “secret sauce” that the provider has created to identify and remove the bad traffic.
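Redirecting traffic through the provider only protects the origin if nothing reaches it by any other path, so the practical check after cutting over is to confirm that every client address in the origin's logs belongs to the provider's published prefixes and to restrict the origin's ingress to those prefixes. The Python script below is an added example, not code from the article or from any mitigation provider; the prefixes, log lines and the assumed nftables `inet filter input` chain are constructed placeholders (a real deployment would load the provider's current prefix list).

```python
"""Verify that traffic hitting the origin arrived via the scrubbing provider.

Added example, not from the original article. Provider prefixes, log lines
and firewall chain names are constructed placeholders.
"""
import ipaddress
import re

# Placeholder prefixes standing in for the ranges a mitigation provider publishes
# (assumption for this example; load the real list from the provider in practice).
PROVIDER_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:1::/48")]

# Combined-log-format-style lines from the origin web server, constructed for this example.
SAMPLE_LOG = """\
192.0.2.44 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
192.0.2.45 - - [01/Jan/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024
198.51.100.23 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512
2001:db8:1::5 - - [01/Jan/2024:10:00:03 +0000] "GET /search HTTP/1.1" 200 2048
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "POST /search HTTP/1.1" 200 2048
"""

# client ip, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+')


def via_provider(ip: str) -> bool:
    """True if the client address falls inside one of the provider's prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_PREFIXES)


def find_direct_hits(log_text: str) -> dict:
    """Return {client_ip: request_count} for requests whose client address is
    outside the provider's prefixes, i.e. traffic that did not pass through the
    scrubbing service and so was never cleaned."""
    direct = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip = m.group(1)
        if not via_provider(ip):
            direct[ip] = direct.get(ip, 0) + 1
    return direct


def allowlist_rules(ports=(80, 443)) -> list:
    """Emit nftables commands that accept web traffic only from the provider's
    prefixes and drop everything else. Assumes an existing 'inet filter input'
    chain (assumption for the example)."""
    portset = "{ " + ", ".join(str(p) for p in ports) + " }"
    rules = []
    for net in PROVIDER_PREFIXES:
        family = "ip" if net.version == 4 else "ip6"
        rules.append(f"nft add rule inet filter input {family} saddr {net} "
                     f"tcp dport {portset} accept")
    # final catch-all for the same ports: anything not accepted above is dropped
    rules.append(f"nft add rule inet filter input tcp dport {portset} drop")
    return rules


if __name__ == "__main__":
    for ip, n in find_direct_hits(SAMPLE_LOG).items():
        print(f"direct-to-origin client {ip}: {n} request(s) bypassed scrubbing")
    print("\n".join(allowlist_rules()))
```

Run it periodically against the origin's access log: a non-empty result from `find_direct_hits` means the DNS or routing cut-over is incomplete or the origin address is still reachable directly, and the traffic from those clients was not cleaned by the service you are paying for.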

This type of service is generally better at dealing with volumetric attacks because it keeps that bulk traffic away from your Internet connection, so the connection has less chance of being affected.  Depending upon the technology or provider being used, effectiveness against resource or application attacks will vary.

The good news is these are generally operating expenses, not capital expense charges.  The bad news?  You have to be very watchful and deliberate about the service provider you choose.

There are (generally) two charging models.  The 1st is a flat rate.  While more expensive up front, the advantage is cost awareness.

The 2nd model charges per attack or by the volume of traffic to be absorbed/cleaned during attacks.  Lower up-front costs, but when attack(s) come, the costs cannot be foreseen.  It boils down to risk tolerance and luck.

5a: On-Demand DDoS Mitigation

Description

This type of service is only activated when the customer identifies an issue and contacts its provider.  This approach is often used to remediate an attack in progress for organizations that do not currently have protection.  There is a significant delay in operationalizing these because all of the network/DNS changes have to be made and propagate across the Internet.

Cost

This has no cost until activated, but be forewarned that if you are suffering from an attack to the point where you call one of the providers, it is highly probable that the emergency-setup fees will be significant.

5b: Automatic DDoS Mitigation

Description

All of your traffic passes through the provider, making this always-on and ready to go.  For the major providers, it is very possible you will not know there is a DDoS attack until the provider notifies you.

That is just the way it should be, business as usual.

Cost

For the DDoS Mitigation service, the cost comes down to which defense model you choose:  by the number of attacks, by attack volume, or a fixed rate.  If you choose one of the former, the cost may be lower for the months or years that you do not get attacked, but can skyrocket when activated.


This approach uses a combination of an on-premise system and the specialized mitigation or provider-based solution.  The goal is to gain the best of both worlds: the external service clears out the bulk traffic, and the on-premise system then surgically removes any remnants of the resource or layer 7 attacks that get through.

Most effective but also most expensive as it uses both solutions.

6 Types of DDoS Protection for Your Business