David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.
There are numerous types of DDoS protection for your business. I’d like to expand on that topic and discuss how organizations are affected by non-volumetric DDoS attacks and what they can do to recover.
Volumetric DDoS is the big boy on the field or as I call it – the bully of Internet attacks. It gets the majority of the attention and when aimed at someone’s Internet presence it lumbers in and then bludgeons the services and infrastructure into submission. Without the proper preparation on the part of the target, the bullying and intimidation lasts until either the attacker runs out of money to pay for the service or the target company meets the demands.
However, volumetric DDoS attacks are only one facet of DDoS, and the other types can be even more difficult to detect and respond to. Volumetric attacks are often detected fairly rapidly because of their size and collateral damage, but resource starvation and application-level attacks are normally lower key. They often start out well below the radar unless advanced DDoS technology is deployed or specific system and application monitoring is in place.
In the case of a resource starvation attack, the goal is usually to attack the hosting system through requests to the Internet Protocol (IP) stack, such as TCP SYN requests. Calls to the underlying operating system or authentication system are also used to tie up processes, memory, and IP ports until the system cannot accept or respond to any more connection requests. To win at this game, the attacker must have done some basic reconnaissance to know what operating system is being run.
Application-based DDoS attacks perform a similar function but focus not on the network or operating system stack, but on a specific target application. The attacker will present a wide variety of bogus data inputs to forms, attack login screens with bogus credentials, and find any other interfaces of the application to throw data at. The goal is to degrade the application, the application server, and/or the back-end database. To do this well, the attacker has to have done some reconnaissance and know more about these components, which makes this more of a precision attack than the others.
As the bully, volumetric attacks are designed to make a big show to get attention, but both resource and application DDoS attacks are often much smaller than volumetric attacks because they are targeted. The goal of the latter two is often not to take the system out of commission, but to use the attack to actually compromise the system to create a foothold in the network for the attacker. Though volumetric attacks are often used in conjunction with the resource and application attacks to draw attention from the compromise or data extraction, there is no requirement to do so.
The defense for resource and application-level attacks requires a significantly higher level of precision than volumetric filtering. Volumetric attacks are very often leveraged as a front for the others because, to an untrained eye or a less effective defense system, resource and application attacks look like real traffic, so they are often passed through to their target, which is great for the attacker.
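The application-level behaviour described above (bogus credentials and form submissions that look like ordinary requests one at a time) is only visible when something watches the application's own responses over time. The following is an added example, not code from the original post or from EMA: it reads constructed web-server access-log lines (the log format, source addresses and the `detect_app_layer_abuse` name are all assumed) and flags any source whose rejected POSTs reach a threshold inside a sliding time window, which is the kind of application-aware signal a volumetric scrubber alone never sees.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines; format assumed: "ip [iso-time] METHOD path status".
SAMPLE_LOG = """\
203.0.113.7 [2024-05-01T10:00:00] POST /login 401
198.51.100.3 [2024-05-01T10:00:01] GET /index.html 200
203.0.113.7 [2024-05-01T10:00:03] POST /login 401
198.51.100.3 [2024-05-01T10:00:04] POST /login 200
203.0.113.7 [2024-05-01T10:00:06] POST /login 401
203.0.113.7 [2024-05-01T10:00:09] POST /login 401
198.51.100.9 [2024-05-01T10:00:10] POST /search 400
203.0.113.7 [2024-05-01T10:00:12] POST /login 401
203.0.113.7 [2024-05-01T10:02:00] POST /login 401
"""

LINE_RE = re.compile(r"^(\S+) \[(\S+)\] (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.fromisoformat(ts), method, path, int(status)


def detect_app_layer_abuse(lines, window_seconds=60, threshold=5):
    """Flag sources whose rejected POSTs (4xx) reach `threshold` within a sliding
    window of `window_seconds`. Returns {ip: time_first_flagged}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent rejected POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not 400 <= status < 500:
            continue                  # successful or read-only traffic is not counted
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop events that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in detect_app_layer_abuse(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} flagged at {when.isoformat()}")
```

In the constructed sample, 203.0.113.7 is flagged at its fifth rejected login inside one minute, while the single malformed search from 198.51.100.9 and the successful login from 198.51.100.3 are left alone; the threshold and window would be tuned to the application's real failure rate before use.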
To be successful, the DDoS filtering defense must be system and application aware, and preferably integrated with the volumetric DDoS filtering so that the two can feed information back to each other. Without that feedback the problem becomes almost a chicken-and-egg scenario. Which comes first? If the volumetric response comes first, it has to be configured very loosely to try to ensure that all of the good traffic gets through for filtering by the resource and application filters. This will most likely reduce the efficacy of the volumetric scrubbing, and it is still bound to drop some desired traffic while adding significant load on the latter two scrubbers. Placing resource and application scrubbers in front of the volumetric scrubbers is a non-starter.
DDoS is a technology problem and requires a strong technology solution. If you are going to come through DDoS unscathed you will need not only a strong technology partner but a strong incident response program. Choose wisely on both counts.