
How to Defend Against DDoS Attacks and Network Downtime

September 10, 2020


Some days, it feels like the whole internet is slowing down, or like the critical applications you use on a day-to-day basis aren’t responding. Sometimes, that feeling isn’t just you (or the result of your slow computer). Instead, it’s the result of a distributed denial of service (DDoS) attack: a serious problem that has only been growing worse since the start of the Covid-19 quarantine.

If your organization makes its revenue from the internet (via an application, a website, an ecommerce storefront, and so on), then DDoS attacks can be your undoing. Unmitigated DDoS attacks make it impossible for customers to access your service, and they can last for hours or days at a time. These attacks are equivalent to unplanned outages, which cost up to $5,600 per minute according to an estimate from Gartner.

Although DDoS attacks can be costly, most of them are relatively easy to mitigate with a few preventive steps. That said, traditional security tools on their own might not cut it. Here are a few things you should know about DDoS attacks and how to prevent them.

DDoS Attacks Were Already Bad, and Now They’re Getting Worse

You may already know about DDoS attacks like that of the Mirai botnet, which made the internet essentially unusable for hours during one memorable afternoon in October 2016. What you might not know is that Mirai’s attacks have been dwarfed many times over by its successors. The largest DDoS attack ever recorded took place in February 2018. Although the attack was mitigated by its target, Amazon Web Services, smaller DDoS attacks have been proliferating uncontrollably.

In Q1 2020, DDoS attacks increased 24% over the same period in the previous year. These attacks were also longer and more intense on average. Attacks doubled once again in Q2. Unlike Q1, many of these attacks were smaller and shorter, which speaks to an increase in another disturbing trend: DDoS for hire.

DDoS attacks are increasing for a number of reasons. First, the pandemic has changed normal patterns of network usage, putting new stresses on data centers, web applications, and internet backbones. This means that even relatively small DDoS attacks can have an outsized effect, and attackers flock to weakness.

Second, there’s money to be made. If you’re an ecommerce company, having your competitor’s online storefront take a nosedive is potentially to your benefit. People often pay attackers directly in order to sabotage their rivals, using services known colloquially as booters and stressers. Because more people are shopping online (again due to the pandemic), booters and stressers can also have a greater effect.


How do DDoS Attacks Work?

DDoS attacks work by sending large amounts of fake traffic to a web application or service. If the DDoS attack is large enough, then the target can’t handle the volume of junk data, and the website, service, or application crashes.

Back in the early days of the internet, DDoS attacks were known simply as DoS attacks. This is because there was nothing distributed about them. Attackers would simply send fake internet traffic from a single host. Security professionals caught on to this tactic quickly, however, and they were able to write firewall rules that would automatically discard large increases in traffic volume from a single source.

Nowadays, however, attackers send traffic from multiple hosts. This makes it much more difficult for automated systems like firewalls to tell whether the traffic is real. What’s more, DDoS attacks can involve dozens, hundreds, or even thousands of hosts. A favorite tactic is for attackers to gain remote access to as many computers as possible and tie them together into what’s known as a botnet: a remote-controlled army of zombie computers that can send vast amounts of fake traffic to targeted victims.

Defending Yourself Against DDoS Attacks

Mitigating a DDoS attack is a multi-step process. First, you need to detect an increase in activity on your network. Next, you need to understand that the increase in traffic is driven by fake packets. Lastly, you need to identify the hosts at the source of the fake packets and block them. What’s more, you need to do this on a continuous basis, as attackers will bring new hosts online throughout a DDoS attack.
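The four steps above, worked as an added example that is not from this post or any Garland product: a per-source rate detector run over constructed flow records, re-evaluated every window so that hosts joining mid-attack are caught and blocked as well. The flow tuples, IP addresses and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed flow records for this example: (second, source_ip, dest_port).
# Five normal clients send ~1 packet/s each; two flood hosts start at t=10 and a
# third joins at t=30, mirroring attackers bringing new hosts online mid-attack.
FLOWS = (
    [(t, "10.0.0.%d" % (t % 5 + 1), 80) for t in range(60)]
    + [(t, "198.51.100.7", 80) for t in range(10, 60) for _ in range(40)]
    + [(t, "198.51.100.8", 80) for t in range(10, 60) for _ in range(35)]
    + [(t, "203.0.113.9", 80) for t in range(30, 60) for _ in range(50)]
)


def window_rates(flows, window):
    """Step 1: bucket packets into fixed windows -> {window_start: Counter(src -> pkts)}."""
    rates = defaultdict(Counter)
    for t, src, _port in flows:
        rates[t - t % window][src] += 1
    return rates


def detect(flows, window=10, multiplier=10, min_pps=5):
    """Steps 2-4: in every window, a source sending more than `multiplier` times the
    median per-source volume (and at least `min_pps` packets/s) is treated as junk
    and its host is added to the blocklist. Returns {src: window_start_when_blocked}."""
    blocked = {}
    for start, counts in sorted(window_rates(flows, window).items()):
        per_src = sorted(counts.values())
        median = per_src[len(per_src) // 2]
        for src, n in counts.items():
            if src not in blocked and n > multiplier * median and n / window >= min_pps:
                blocked[src] = start
    return blocked


def forward(flows, blocked):
    """Drop a blocked host's packets from the window in which it was blocked onward;
    everything else is forwarded unchanged."""
    return [(t, src, port) for t, src, port in flows
            if src not in blocked or t < blocked[src]]


if __name__ == "__main__":
    hits = detect(FLOWS)
    print("blocked:", hits)                                  # the three flood hosts
    print("forwarded packets:", len(forward(FLOWS, hits)))  # 60: only the normal clients
```

The median-based threshold is what keeps the five legitimate clients off the blocklist even while the flood dominates the window's total volume; a plain "total traffic went up" alarm (step 1 alone) could not tell them apart.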

Firewalls on their own don’t stop DDoS attacks. First, DDoS attacks will target ports that firewalls must keep open, such as port 80. Attackers can also create fake traffic that will pass inspection by most firewalls. There are even attacks specifically designed to overload firewalls by flooding their state tables.

In addition to firewalls, companies employ network monitoring software, such as SIEM and IDS tools. These tools let users augment their firewalls with the ability to detect and flag suspicious traffic, even dropping suspicious traffic automatically. These tools are much like a firewall in some respects, but the redundancy they add to your security tools makes it much more difficult for DDoS attacks to escape notice.

Some companies deploy DDoS Detection & Mitigation tools that combine multi-vector distributed denial-of-service defenses, utilizing threat intelligence to recognize, filter and block malicious traffic. Once DDoS attacks reach a certain volume, organizations may not be able to handle the flood of fake traffic. In these cases, they commonly subscribe to what’s known as DDoS scrubbing services. In effect, businesses struck by large-volume DDoS attacks can divert all of their traffic to a large data center run by a third party. The data center uses advanced analytics, including machine learning, to discern good traffic from bad. Only the good traffic gets forwarded to the business.

Because inline active blocking devices such as DDoS Detection & Mitigation tools sit directly in the traffic path, external bypass TAPs play a pivotal role in managing each device’s availability and ensuring that no single point of failure (SPOF) puts the network at risk of downtime. Bypass TAPs provide operational isolation and tool sandboxing for DDoS tools, which means you can easily take a tool out-of-band for updates, patching, maintenance or troubleshooting, then optimize and validate it before pushing it back inline.

With the growing number of security tools, IT teams are looking for ways to simplify their security stack. Garland’s EdgeLens allows teams to manage both inline and out-of-band tools, including DDoS, IDS, IPS and SIEM tools, from one device, providing the reliability of bypass TAPs with the advanced features of a packet broker.

Looking to add inline or out-of-band security monitoring solutions, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.


Heartbeat Packets Inside the Bypass TAP

If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The Bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, the heartbeat packets will be returned to the TAP, and the link traffic will continue to flow through the inline security tool.

If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP will automatically 'bypass' the inline security tool and keep the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link.

While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool, so that once the tool is back on-line it will begin returning the heartbeat packets to the TAP, indicating that it is ready to go back to work. The TAP then directs the network traffic, along with the heartbeat packets, back through the inline security tool, placing the tool back inline.
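The inline, bypass and recovery cycle just described, as an added simulation that is not Garland’s code: a TAP model that probes the tool with a heartbeat every tick, strips heartbeats before frames go back onto the link, drops into bypass after two unanswered heartbeats, keeps probing while bypassed, and re-inserts the tool as soon as a heartbeat is answered. The `InlineTool` stand-in, the tick count and the two-miss threshold are assumptions; the TAP’s own failsafe on power loss is not modelled.

```python
HEARTBEAT = "HB"  # marker for the TAP's heartbeat frames (constructed for this example)

class InlineTool:
    """Stand-in for an inline security tool: drops 'bad' frames, returns None when offline."""
    def __init__(self):
        self.online = True
    def __call__(self, frames):
        if not self.online:
            return None
        return [f for f in frames if not f.startswith("bad")]

class BypassTap:
    """Each tick the TAP sends a heartbeat to the tool; it switches to bypass after
    `misses_to_bypass` unanswered heartbeats and goes back inline when one is answered."""
    def __init__(self, misses_to_bypass=2):
        self.inline = True
        self.missed = 0
        self.misses_to_bypass = misses_to_bypass
        self.events = []

    def tick(self, tool, link_frames):
        """Push one batch of link frames through the TAP; returns what goes back on the link."""
        if self.inline:
            returned = tool([HEARTBEAT] + list(link_frames))
            # heartbeats never reach the critical link; a silent tool drops this batch
            forwarded = [] if returned is None else [f for f in returned if f != HEARTBEAT]
        else:
            returned = tool([HEARTBEAT])      # heartbeats keep flowing during bypass
            forwarded = list(link_frames)     # link traffic goes straight across the TAP
        self._update(returned is not None and HEARTBEAT in returned)
        return forwarded

    def _update(self, heartbeat_returned):
        if heartbeat_returned:
            self.missed = 0
            if not self.inline:
                self.inline = True
                self.events.append("tool back inline")
            return
        self.missed += 1
        if self.inline and self.missed >= self.misses_to_bypass:
            self.inline = False
            self.events.append("bypass engaged")

def run_scenario():
    """Tool goes offline at tick 2 and returns at tick 6; returns (events, forwarded batches)."""
    tap, tool, out = BypassTap(), InlineTool(), []
    for t in range(8):
        tool.online = t not in range(2, 6)
        out.append(tap.tick(tool, [f"ok{t}", f"bad{t}"]))
    return tap.events, out
```

Note the two empty batches at ticks 2 and 3: until the miss threshold is reached the link carries nothing, which is why the heartbeat interval and miss count on a real bypass TAP are tuned against how much downtime the critical link can tolerate, and why 'bad' frames pass unfiltered while the tool is bypassed.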

Some of you may have noticed a flaw in the logic behind this solution! You say, “What if the TAP should fail because it is also in-line? Then the link will also fail!” The TAP would now be considered a point of failure. That is a good catch, but in our blog on Bypass vs. Failsafe, I explained that if a TAP were to fail or lose power, it must provide failsafe protection to the link it is attached to. So our network TAP will go into Failsafe mode, keeping the link flowing.

Glossary

  1. Single point of failure: a risk to an IT network in which the failure of one part of the system brings down a larger part of the entire system.

  2. Heartbeat packet: a soft detection technology that monitors the health of inline appliances.

  3. Critical link: the connection between two or more network devices or appliances, such that if the connection fails, the network is disrupted.
