Eliminating Single Points of Failure, Part 2
The Risk DDoS Attacks Pose to Enterprises
What is the impact of a DDoS Attack?
Denial of service attacks affect enterprises in every sector (e-gaming, banking, government, etc.), of every size (mid-sized to large enterprises) and in every location. They target everything from the network layer up through the application layer, where attacks are harder to detect because they are easily confused with legitimate traffic.
A denial of service attack generates high- or low-rate attack traffic that exhausts the computing resources of a target, preventing legitimate users from reaching the website. A DDoS attack can cause an outright outage, but it often has the stealthier effect of degrading network performance in a way that enterprise IT teams do not recognise as an attack: they assume the network is merely congested, not realising that the congestion is actually caused by an attack.
Type of attacks
There are many types of DDoS attacks targeting both the network and the application layers. They can be classified by their impact on the targeted computing resources (saturating bandwidth, consuming server resources, exhausting an application) or by the resources they target:
- Attacks targeting Network Resources: UDP Floods, ICMP Floods, IGMP Floods.
- Attacks targeting Server Resources: attacks on TCP/IP weaknesses (TCP SYN Floods, TCP RST attacks, TCP PSH+ACK attacks), but also Low and Slow attacks such as Sockstress, and SSL-based attacks, whose detection is particularly challenging.
- Attacks targeting Application Resources: HTTP Floods, DNS Floods and other Low and Slow attacks such as slow HTTP GET requests (e.g. Slowloris) and slow HTTP POST requests (e.g. R-U-Dead-Yet).
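The three classes above leave different footprints in a server's connection table: a SYN flood shows as many half-open connections to one port, a low-and-slow attack as connections held open for a long time without a finished request, and an HTTP flood as an unusual number of completed requests from one source. The following added example (not part of the original article, and not any vendor's product code) classifies a constructed connection table along those lines; the record format, the IP addresses and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """One observed connection to the protected server (constructed format)."""
    src: str
    dst_port: int
    handshake_done: bool    # True once the TCP three-way handshake completed
    open_seconds: float     # how long the connection has been open
    request_complete: bool  # True once a full HTTP request was received
    requests: int           # completed HTTP requests on this connection


# Detection thresholds: assumptions for illustration, tune to the real baseline.
HALF_OPEN_PER_PORT_LIMIT = 50   # SYN flood: many half-open connections to one port
SLOW_CONN_SECONDS = 30.0        # low-and-slow: open this long without a full request
SLOW_CONNS_PER_SRC_LIMIT = 20   # ...and many such connections from one source
REQUESTS_PER_SRC_LIMIT = 200    # HTTP flood: completed requests per source


def classify(conns):
    """Return the attack classes evidenced by the connection table."""
    half_open = defaultdict(int)     # dst_port -> half-open connection count
    slow_per_src = defaultdict(int)  # src -> long-open connections with no request
    reqs_per_src = defaultdict(int)  # src -> completed requests
    for c in conns:
        if not c.handshake_done:
            half_open[c.dst_port] += 1
        elif not c.request_complete and c.open_seconds > SLOW_CONN_SECONDS:
            slow_per_src[c.src] += 1
        else:
            reqs_per_src[c.src] += c.requests
    return {
        "syn_flood": sorted(p for p, n in half_open.items() if n > HALF_OPEN_PER_PORT_LIMIT),
        "slow_http": sorted(s for s, n in slow_per_src.items() if n > SLOW_CONNS_PER_SRC_LIMIT),
        "http_flood": sorted(s for s, n in reqs_per_src.items() if n > REQUESTS_PER_SRC_LIMIT),
    }


def make_sample():
    """Constructed connection table mixing ordinary clients with three attack patterns."""
    conns = []
    # 60 half-open connections to port 443 from distinct (constructed) sources
    conns += [Conn(f"192.0.2.{i}", 443, False, 1.0, False, 0) for i in range(60)]
    # 25 connections from one source held open 120 s with the request never finished
    conns += [Conn("198.51.100.7", 80, True, 120.0, False, 0) for _ in range(25)]
    # 5 connections from one source that each completed 50 requests
    conns += [Conn("203.0.113.9", 80, True, 5.0, True, 50) for _ in range(5)]
    # 10 ordinary clients, 3 requests each
    conns += [Conn(f"203.0.113.{10 + i}", 80, True, 2.0, True, 3) for i in range(10)]
    return conns


if __name__ == "__main__":
    print(classify(make_sample()))
```

The three counters are deliberately independent: a half-open connection never counts toward the request-rate check, so a SYN flood does not mask a low-and-slow attack from a different source. On a real device these thresholds would be derived from a learned baseline rather than fixed constants.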
Why are they hard to detect?
DDoS attacks are hard to detect and block because the attack traffic is easily confused with legitimate traffic and is therefore difficult to trace. A distributed denial of service attack usually combines more than three distinct attack vectors, increasing the attacker's chances of penetrating the target and evading basic DoS mitigation solutions.
What are the common DDoS attack mitigation approaches?
Recent DDoS attacks have taught us that traditional network security solutions such as firewalls, IPS and WAF cannot stop DDoS attacks. They are all stateful devices, and their session tables fill up under a network flood. In addition, DDoS attacks are not simply about volume: some sophisticated techniques, such as Low and Slow or SSL-based attacks, can cause network outages while completely evading conventional detection.
Organizations that want to guarantee the availability of online services against DDoS attacks should consider a dedicated DDoS mitigation solution specifically designed for today's emerging threats, one that combines volumetric protection with a behavioral mechanism that identifies application attacks in real time and puts a best-case filter in place that blocks the attack while letting legitimate user traffic through and maintaining the SLA.
There are three approaches to DDoS attack mitigation:
- On-premise – When a DDoS solution is deployed on premise, organizations benefit from immediate and automatic attack detection and mitigation. Within seconds of the start of an attack, the online services are protected and the attack is mitigated. However, on-premise DDoS solutions cannot handle volumetric network floods that saturate the enterprise's Internet pipe; such attacks must be mitigated from the cloud.
- Cloud – Often referred to as a “clean pipe,” this type of mitigation is guaranteed to block network flood attacks before they ever reach the organization's network or data center, as attacks are mitigated before they reach the link between the ISP/MSSP and the organization. However, cloud-based DDoS mitigation services cannot block application DDoS attacks, nor do they provide the detection layer, as they are focused on mitigation.
- Hybrid – Hybrid DDoS solutions offer best-of-breed attack mitigation by combining on-premise and cloud mitigation into a single, integrated solution. With a hybrid solution, attack detection and mitigation start immediately on the on-premise mitigation device, preventing availability-based attacks from harming the application layer. When pipe saturation threatens, the hybrid solution activates cloud mitigation and traffic is diverted to the cloud, where it is scrubbed before being sent back to the enterprise. An ideal hybrid solution also shares essential information about the attack between the on-premise mitigation devices and the cloud devices, in order to accelerate and enhance mitigation once the attack reaches the cloud.
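The behavioral mechanism described under the mitigation approaches, and the on-premise-first, divert-on-saturation logic of the hybrid model just listed, can be shown as one small controller. The following is an added example written for this page, not code from the article or from any vendor's product: an on-premise component learns a per-source request-rate baseline (an exponentially weighted moving average of the median source) and filters sources that exceed it, while a pipe-utilisation check with hysteresis decides when to divert to cloud scrubbing. The capacity figures, thresholds, source names and the telemetry timeline are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Telemetry:
    """One second of constructed telemetry from the on-premise device."""
    ingress_mbps: float           # inbound bandwidth on the Internet pipe
    req_by_src: Dict[str, int]    # HTTP requests seen per source this second


@dataclass
class HybridController:
    pipe_capacity_mbps: float
    divert_ratio: float = 0.8     # start cloud diversion at 80% pipe utilisation (assumption)
    release_ratio: float = 0.5    # hysteresis: stop diverting below 50% (assumption)
    alpha: float = 0.2            # EWMA smoothing factor for the behavioral baseline
    tolerance: float = 4.0        # a source may exceed the baseline by this factor
    baseline: Optional[float] = None
    diverting: bool = False
    blocked: Set[str] = field(default_factory=set)

    def step(self, t: Telemetry) -> dict:
        # 1. Volumetric path: when the pipe is close to saturation, on-premise
        #    filtering cannot help, so divert to cloud scrubbing. The two
        #    thresholds give hysteresis so the decision does not flap.
        util = t.ingress_mbps / self.pipe_capacity_mbps
        if not self.diverting and util >= self.divert_ratio:
            self.diverting = True
        elif self.diverting and util <= self.release_ratio:
            self.diverting = False

        # 2. Application path: learn the typical per-source request rate from
        #    the median source (robust to a single flooding source), then block
        #    sources far above it while leaving ordinary clients untouched.
        rates = sorted(t.req_by_src.values())
        median = rates[len(rates) // 2]
        if self.baseline is None:
            self.baseline = float(median)
        else:
            self.baseline = self.alpha * median + (1 - self.alpha) * self.baseline
        limit = self.tolerance * max(self.baseline, 1.0)
        for src, n in t.req_by_src.items():
            if n > limit:
                self.blocked.add(src)   # on-premise filter drops this source
        return {"pipe_util": round(util, 2), "diverting": self.diverting,
                "limit": round(limit, 1), "blocked": set(self.blocked)}


def run_scenario():
    """Constructed timeline: normal traffic, an HTTP flood from one source,
    then a volumetric flood that nearly saturates a 1 Gbps pipe and subsides."""
    legit = {"a": 5, "b": 4, "c": 6}
    timeline = [
        Telemetry(200.0, dict(legit)),             # t0: normal
        Telemetry(200.0, dict(legit)),             # t1: normal
        Telemetry(300.0, {**legit, "x": 400}),     # t2: HTTP flood from x, pipe fine
        Telemetry(900.0, {**legit, "x": 400}),     # t3: pipe at 90%, divert to cloud
        Telemetry(600.0, dict(legit)),             # t4: 60%, still above release point
        Telemetry(300.0, dict(legit)),             # t5: back to normal, stop diverting
    ]
    ctl = HybridController(pipe_capacity_mbps=1000.0)
    return [ctl.step(t) for t in timeline]


if __name__ == "__main__":
    for i, state in enumerate(run_scenario()):
        print(f"t{i}: {state}")
```

At t2 the flood from `x` is blocked on premise without any diversion, because the pipe is not threatened; at t3 the volumetric flood triggers diversion, which persists through t4 and is released only at t5. The hysteresis gap is what prevents the controller from alternately diverting and releasing while traffic hovers around a single threshold.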
Over the last 10 years, cyber security attacks have become significantly more sophisticated. We have seen the rise of application-specific attacks that target the applications on a network (HTTP, DNS, SIP/VoLTE and others) and try to overwhelm the server application rather than the connectivity pipe. Detection algorithms have had to evolve to keep up.
In conclusion, firewalls are a necessary first step in protecting IT networks, but their protection is limited to forming the first line of defense, marking the border between the internal network and the outside world. As we have discussed, DDoS attacks are a very common and easily launched form of attack that a firewall cannot protect against. DDoS attacks can cause outages or congestion in the network, and many of the most sophisticated attacks cannot be mitigated by conventional solutions.