If you are asking for help, it means you have not planned for being under DDoS attack. You should have.
Distributed Denial of Service (DDoS) has become the most common form of cyber-attack. There have been numerous public cases of organisations being “DDoSd”, leaving their sites and resources unavailable. An attack can last from a few minutes to days and can cause major disruption to users and to the organisation being targeted.
What is DDoS?
The goal of DDoS is to disrupt a particular service by sending it more traffic than it can cope with, preventing legitimate traffic from reaching its destination. This causes financial damage, affects users and can have a knock-on effect on other related services within an organisation.
There are several ways in which attackers can orchestrate a DDoS attack. They mainly involve the use of botnets (robot networks). Botnets are internet-connected devices, such as IoT devices and servers, that attackers have maliciously taken control of. They are used to send useless traffic to a target so that it is overwhelmed and cannot process legitimate traffic.
DoS (denial of service) attacks are similar to DDoS attacks; however, the malicious traffic comes from a single source.
Organisations can have financial penalties imposed on them by regulatory bodies for failing to provide their services, or for breaching service-level agreements.
The reputation and image of an organisation can be adversely impacted by having its services unavailable due to being DDoSd.
A report by Cisco states that there was a 776% growth in attacks between 2018 and 2019, and that the number of attacks will double from 2018 (7.9 million) to 2023 (15.4 million).
DDoSaaS or Distributed Denial of Service-as-a-Service is an offering made by ill-natured organisations. They provide attackers with the ability to simply hire botnets for a fee instead of having to set up their own botnet with DDoS capabilities.
Type of DDoS attacks
DDoS attacks are split into 3 main types: protocol, application and volumetric.
Protocol attacks target the networking capabilities of the victim, with the intention of exploiting weaknesses in how network components handle connections. Examples of these attacks are:
- SYN floods attempt to exhaust the connection state tables in load balancers, firewalls and other network components
- SSL/TLS exhaustion disrupts the SSL/TLS handshake by sending useless data to the service in order to consume the resources spent on security processing
Volumetric attacks send large amounts of data to consume network bandwidth. Examples of these attacks are:
- ICMP floods send large numbers of request packets to the server so that it continually has to send response packets
- NTP amplification attacks abuse the Network Time Protocol: requests are sent to NTP servers with a spoofed source IP address, so the servers send their large responses to the real IP address at that spoofed location
Application attacks target the “application layer”. They focus on websites and result in the application or website being unusable for the user. Examples of application DDoS attacks are:
- HTTP/S flooding sends large numbers of HTTP GET or POST requests to the target, and the application attempts to respond to all of them
- Slowloris attacks send partial requests to the target and aim to keep connections open on the application for as long as possible
Malicious online gamers have been known to initiate DDoS attacks on their competition in order to cause small amounts of lag or slowing down. This millisecond delay of their competitor can be enough for the gamer to gain an advantage.
How can DDoS be prevented?
The first thing to do is know normal. An organisation must understand the metrics of its service when processing a normal load of legitimate traffic. This needs to include off-peak, peak and the expected amount of traffic for an exceptional event such as a new product launch. It then becomes possible to identify suspicious traffic when resource usage or traffic affecting the service is unexpectedly high. Alerting and automation based on these metrics will allow for possible remediation and sound the alarm to the operational and security teams.
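As an added example (not code from the original post or its author), the following Python shows one way to turn “know normal” into an alert: build a per-hour-of-day baseline from historical request-rate samples, allow for a planned event by scaling the expected level, and label each new reading. The metric name (requests per minute), the hour buckets, the thresholds and every number in it are constructed assumptions for illustration.

```python
"""Establishing a traffic baseline and alerting on deviations from it.

Added example for this post, not code from the original author. It assumes
the service exports a request-rate metric (requests per minute) that can be
sampled per hour of day; every number below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of (hour_of_day, requests_per_minute) samples that
# stand in for a week of "normal" traffic: quiet overnight, busy 09:00-17:00.
NORMAL_SAMPLES = [
    (hour, rpm)
    for hour in range(24)
    for rpm in (
        [180, 200, 220, 210, 190] if hour < 6 or hour > 21
        else [1900, 2000, 2100, 2050, 1950] if 9 <= hour <= 17
        else [900, 1000, 1100, 1050, 950]
    )
]


def build_baseline(samples):
    """Return {hour: (mean_rpm, stddev_rpm)} computed from historical samples."""
    by_hour = defaultdict(list)
    for hour, rpm in samples:
        by_hour[hour].append(rpm)
    return {hour: (mean(v), pstdev(v)) for hour, v in by_hour.items()}


def classify(baseline, hour, observed_rpm, event_multiplier=1.0, sigma=3.0):
    """Label one observation against the baseline for that hour of day.

    event_multiplier raises the expected level for a planned event (for
    example 3.0 when a product launch is expected to triple traffic), so a
    surge the organisation planned for is not reported as an attack.
    Returns 'normal', 'elevated' or 'suspicious'.
    """
    mu, sd = baseline[hour]
    expected = mu * event_multiplier
    # Floor the tolerance at 10% of the expected level so a very flat
    # baseline does not turn every small blip into an alert.
    tolerance = max(sd * event_multiplier, 0.1 * expected)
    if observed_rpm <= expected + sigma * tolerance:
        return "normal"
    if observed_rpm <= 5 * expected:
        return "elevated"
    return "suspicious"


def scan(baseline, observations):
    """Run (hour, rpm, event_multiplier) readings through classify() and
    return only the ones that should page the operational/security teams."""
    alerts = []
    for hour, rpm, multiplier in observations:
        label = classify(baseline, hour, rpm, event_multiplier=multiplier)
        if label != "normal":
            alerts.append((hour, rpm, label))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(NORMAL_SAMPLES)
    # Constructed readings: a quiet night, a planned launch at noon, and a
    # sudden 30x surge at 03:00 that nothing in the calendar explains.
    readings = [(3, 250, 1.0), (12, 7000, 3.0), (3, 6000, 1.0)]
    for alert in scan(baseline, readings):
        print("ALERT", alert)
```

The point of the `event_multiplier` argument is the product-launch case from the paragraph above: the same 7,000 requests per minute at noon is “normal” during a launch expected to triple traffic, but “elevated” on an ordinary day. In practice the baseline would be rebuilt from a metrics store rather than a literal list, and the labels would feed a pager or an autoscaling policy.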
Confirm that all services, applications and servers are regularly updated and security patched. This will ensure that attackers do not exploit any known vulnerabilities as part of their attacks.
Reduce the attack surface area by checking that there are no services that are exposed to the internet needlessly. If there are internal services that need to be connected to the internet, then access should be restricted to specific users, locations and security protocols.
Web Application Firewalls (WAFs) can be implemented. They sit in front of web applications and have a range of security functions that include filtering DDoS traffic from reaching its intended target based on security policies.
Content Delivery Networks (CDNs), offered by cloud providers, store static content on edge locations to allow for faster delivery to the client from the closest edge location. They can prevent DDoS attacks by offloading requests for content to the CDN instead of the organisational resources. CDNs can usually be integrated with WAFs for additional security.
Prepare to scale by making use of autoscaling and load balancing technologies for resources. In the event of a DDoS attack, additional resources will be provisioned to absorb the attack traffic while ensuring that legitimate traffic is handled with little or no interruption.
Identify the resources that are at the highest risk of a DDoS attack and verify that they are segregated from other resources. This safeguards the resources that are not under attack and lets them continue to operate.
DDoS attacks can often be used as a diversion by attackers. They will initiate a DDoS attack to move an organisation’s focus to deal with it. This could lead to other malicious attacks on resources. It is important to perform health checks on other resources in the event of a DDoS attack to confirm that they are operating as expected.
IP blocking and black hole routing can help against DDoS attacks, either by blocking traffic from suspicious IPs or by directing traffic destined for the targeted IPs to a nonexistent resource. This can help in small attacks but is of limited use, as it depends heavily on source IPs, which can easily be spoofed or changed.
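As an added example (not code from the original post or its author), this Python shows the analysis a defender would run before reaching for IP blocking: measure each source’s peak request rate from web server access logs, list the sources that exceed a threshold, and then compute what fraction of the total traffic blocking them would actually remove. The log format (nginx/Apache “combined”), the ten-second window, the threshold and all the log lines are constructed assumptions; the two scenarios illustrate the caveat above, where a flood spread thinly across many sources yields nothing to block.

```python
"""Per-source request-rate analysis over web server access logs, and a
measure of how much good a per-IP block would actually do.

Added example for this post, not code from the original author. It assumes
nginx/Apache "combined" log format; every log line below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, second, path="/"):
    """Build one constructed combined-format log line at 13:55:<second>."""
    return (f'{ip} - - [10/Oct/2020:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


# Scenario A (constructed): one source, 203.0.113.7, requesting once per
# second for twelve seconds, with three ordinary visitors alongside it.
CONCENTRATED_LOG = (
    [_line("203.0.113.7", s) for s in range(12)]
    + [_line("198.51.100.1", 3), _line("198.51.100.1", 40),
       _line("198.51.100.2", 5),
       _line("198.51.100.3", 7), _line("198.51.100.3", 8)]
)

# Scenario B (constructed): a larger volume spread over twenty sources at two
# requests each, the shape a botnet-driven flood tends to have.
DISTRIBUTED_LOG = [
    _line(f"192.0.2.{n}", s) for n in range(1, 21) for s in (n, n + 30)
]


def parse(line):
    """Return (ip, timestamp) for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def peak_rate_per_source(lines, window_seconds=10):
    """Return {ip: most requests seen from that ip inside any window_seconds span}."""
    times = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            times[parsed[0]].append(parsed[1])
    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until the span is < window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() >= window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def block_candidates(peaks, threshold):
    """Sources whose peak rate exceeds threshold requests per window."""
    return sorted(ip for ip, n in peaks.items() if n > threshold)


def blockable_share(lines, threshold, window_seconds=10):
    """Fraction of all requests that blocking the candidates would remove.

    Close to 1.0 means a few sources carry the flood and a block list helps;
    close to 0.0 means the traffic is spread thin across many sources (or the
    sources keep changing) and per-IP blocking will not help much.
    """
    by_ip = defaultdict(int)
    for line in lines:
        parsed = parse(line)
        if parsed:
            by_ip[parsed[0]] += 1
    total = sum(by_ip.values())
    if total == 0:
        return 0.0
    candidates = block_candidates(peak_rate_per_source(lines, window_seconds), threshold)
    return sum(by_ip[ip] for ip in candidates) / total


if __name__ == "__main__":
    for name, log in (("concentrated", CONCENTRATED_LOG), ("distributed", DISTRIBUTED_LOG)):
        peaks = peak_rate_per_source(log)
        print(name, "block:", block_candidates(peaks, 5),
              "share removed: %.2f" % blockable_share(log, 5))
```

In scenario A, blocking the one noisy source removes roughly 70% of the requests; in scenario B no source crosses the threshold and the share removed is zero, which is exactly the limitation described above. The same per-source counts are also the kind of numbers a WAF rate-limiting rule or an upstream provider would want when deciding whether a block list is worth applying.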
Incident response planning, simulation and training should be undertaken so that employees know how to act in the situation and respond. Teams should have well-defined runbooks to follow which are maintained and reviewed regularly. The runbooks should contain details of which authorities to contact in the event of a prolonged DDoS attack.
Make use of DDoS services offered by Cloud Providers such as AWS Shield and Azure’s DDoS Protection. These services offer real-time network traffic analysis, attack details, DDoS insurance and rapid response teams to support the attack investigation.
DDoS attacks on organisations are becoming more common and are expected to grow substantially over the next few years. It is essential that organisations know the expected behaviour of their resources, which helps to determine whether a DDoS attack is occurring. There are many ways in which DDoS can be prevented, and more than one of them should be implemented. A layered approach will protect important organisational resources from being brought to their knees by a DDoS attack.
About the Author
Sat Gainda is a Cloud Solutions Architect at Version 1, working on enterprise-level engagements that utilise innovative Cloud systems. Stay tuned to Version 1 on Medium for more Cloud-focused posts from Sat.