Intro to DDOS — Attack Mitigation (Part 2)

Golden Girl Geeks
3 min read · Nov 26, 2023


In part 1 of this series, we went over what a DDoS attack is, its impact and some examples of the different types of attacks. In this article we are going to go over some common methods companies use to protect against these attacks.

As a refresher, during a DDoS attack a bad actor aims to stop a server from responding to legitimate traffic by sending an influx of illegitimate traffic. DDoS attack mitigation refers to the techniques used to ensure business continuity while a server is under attack. A good place to start when determining what DDoS protection your service needs is to understand how the service is expected to be used (traffic patterns, protocols, etc.). From there, you can come up with policies that restrict abusive behavior. When it comes to DDoS mitigation, we want all of our bases covered by having defenses at multiple layers of the stack (L3/L4 and L7). We also want this protection to kick in as early as possible, ideally at the edge devices (routers, firewalls, gateways, etc.) that sit at the boundary of the network, in order to minimize the impact on the target server.

Load balancers

Load balancing is the method of distributing requests across a pool of servers. It is pretty much a requirement for building scalable applications. Load balancers alone are not a form of DDoS protection, but they add an extra layer between the client and the servers and spread load so that no single server is overwhelmed. Combined with some of the DDoS protection techniques below, they can detect and drop malicious traffic before it reaches the target server.

Rate limiting/Total inflight request quotas

Rate limiting is a technique that limits the amount of traffic a server processes within a given time window; any requests over the predefined limit are dropped. The technique is used not only for DDoS protection but also for enforcing fair usage of a service and charging users for it. A policy may set a limit on requests per second, connections per second, total concurrent (in-flight) connections or bytes per second from a given source IP. Rate limiting can be implemented at different layers, including the application itself, a load balancer or a proxy.
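The two per-source policies named above, a requests-per-second limit and a cap on concurrent in-flight requests, as an added example that is not part of the original post. It is a token-bucket limiter keyed by source IP, run over constructed traffic (the IP addresses and timings are made up for the demo); a real deployment would put this logic in the proxy or load balancer rather than in application code.

```python
from collections import defaultdict
TOKEN = 1000  # one token held as integer milli-tokens, so refills are exact
class PerSourceLimiter:
    """Token-bucket rate limit plus an in-flight cap, keyed by source IP (times in ms)."""
    def __init__(self, rate_per_sec, burst, max_inflight):
        self.rate = rate_per_sec        # == milli-tokens refilled per millisecond
        self.burst = burst * TOKEN
        self.max_inflight = max_inflight
        self.buckets = {}               # ip -> [tokens, last_ms, inflight]
    def admit(self, ip, now_ms):
        """Return True and reserve a slot if the request from ip may proceed."""
        b = self.buckets.setdefault(ip, [self.burst, now_ms, 0])
        b[0] = min(self.burst, b[0] + (now_ms - b[1]) * self.rate)  # refill
        b[1] = now_ms
        if b[2] >= self.max_inflight or b[0] < TOKEN:
            return False                # over quota: drop (or answer 429/503 at L7)
        b[0] -= TOKEN
        b[2] += 1
        return True

    def release(self, ip):
        """Free the in-flight slot once the request is answered or the socket closes."""
        self.buckets[ip][2] -= 1

def simulate(events, limiter):
    """events: (time_ms, ip, request_id, 'req'|'done'); returns per-ip counts."""
    stats = defaultdict(lambda: {"admitted": 0, "dropped": 0})
    admitted = set()
    for t, ip, rid, kind in sorted(events):
        if kind == "done":
            if rid in admitted:         # only admitted requests hold a slot
                limiter.release(ip)
        elif limiter.admit(ip, t):
            admitted.add(rid)
            stats[ip]["admitted"] += 1
        else:
            stats[ip]["dropped"] += 1
    return dict(stats)

def run_sample():
    """Constructed traffic: a normal client, a fast flood that closes each
    connection, and a flood that holds its connections open (Slowloris-style)."""
    ev = []
    for i in range(6):      # 2 req/s, each answered in 100 ms
        ev += [(i * 500, "198.51.100.7", f"g{i}", "req"), (i * 500 + 100, "198.51.100.7", f"g{i}", "done")]
    for i in range(100):    # 100 req/s, each answered in 5 ms
        ev += [(1000 + i * 10, "203.0.113.9", f"f{i}", "req"), (1005 + i * 10, "203.0.113.9", f"f{i}", "done")]
    for i in range(50):     # 100 req/s, never closed
        ev.append((1000 + i * 10, "203.0.113.10", f"h{i}", "req"))
    return simulate(ev, PerSourceLimiter(rate_per_sec=5, burst=10, max_inflight=4))
```

With a 5 req/s rate, a burst of 10 and 4 in-flight slots, the normal client gets every request through, the fast flood is held to its burst plus the refill rate, and the connection-holding flood is cut off by the in-flight cap after four requests.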

Timeouts

In part 1 of this series, we discussed a DDoS attack technique called Slowloris, in which a client opens a connection and periodically sends small amounts of meaningless data to keep the connection open. The goal is to exhaust the available sockets (connections) on the target server. Along with setting a minimum rate at which data must be transmitted, implementing timeouts can help mitigate this type of attack. For example, a timeout that waits at most 10 seconds for the request headers (the HEADERS frame) to be received from the client before closing the connection may be considered.

Web Application firewall

A WAF (Web Application Firewall) sits between a client and the target server. Its function is to protect the server by filtering malicious traffic, using configured policies to decide what to block. As opposed to a network firewall, which operates at L3/L4, a WAF operates at the application layer (L7), meaning it inspects HTTP(S) requests. Along with protecting against DDoS attacks, a WAF may also protect against cross-site request forgery (CSRF), SQL injection and cross-site scripting (XSS).

Intrusion Detection System/ Intrusion Protection System

An IPS (Intrusion Protection System) is similar to a WAF in that it is an inline device that monitors, detects and filters malicious traffic, except that it works at the network level (L3/L4). It inspects each packet and, if it deems a packet malicious, may drop it and block all future traffic from that source IP or port. An IDS (Intrusion Detection System) is a device that passively analyzes overall traffic on a network and tries to detect anomalies. A few common detection methods include:

  • Signature-based detection — packets are compared with known attack patterns called “signatures”.
  • Statistical anomaly detection — traffic is compared to the system’s baseline traffic to find anomalies.
  • Stateful protocol analysis detection — protocol deviations are detected by comparing observed events to predetermined activity profiles.

These solutions are definitely not trivial to implement. Luckily, there are many open source solutions and security providers out there that make these tools available. The risk is too large to remain unprotected.

Happy coding! :)

Golden Girl Geeks

A space to share the cool things I learn as a Software Engineer :) . Currently Identity + Network Access @Microsoft. Formerly Kubernetes at @Twitter