The looming Cyber Threat of a DDoS Attack
Even if you are not an avid reader, you most likely have come across the news of the largest ever DDOS cyber-attack—the report of the attack published on BBC, CNN, and other leading news broadcasting networks. The target of the attack was AWS (Amazon Web Services). AWS is an enormous cloud-services provider and a significant money-maker for Amazon. As of June 18, 2020, Amazon is the richest company on the face of the planet with a net worth of $1000 Billion.
What is a DDoS attack
A distributed denial of service attack (DDoS) is a widespread and common cyber-attack. It exhausts the computer system's resources to the point that it is either significantly degraded or completely lost. The goal of the attack is to make the system unavailable and deny access to legitimate users. Typically the three primary targets of a DDoS attack are web services, computer systems, and networks. The motivation for these attacks can be political, financial, and ideological. Mostly the DDoS attack is executed by making use of hundreds and thousands of compromised systems on the internet called botnets, which are controlled by the bad actors. The target system is flooded with requests many times higher than its maximum capacity.
Businesses rely on service availability. Even a few minutes of a website outage can have a notable impact resulting in loss of revenue, data, reputation, and customer trust. According to recent research by Kaspersky Labs, 20% of businesses with 50 or more employees have suffered at least one DDoS attack. A one in five chance of being hit. An Average DDoS attack causes several hours of downtime with a mean cost of up to US$417,000 to recover. The report highlights that some attacks are even more damaging, creating a service outage from two days to a week, and in cases for several weeks or more.
Types of DDoS Attack
Now we understand what a DDoS attack is, the next step is to discover the kind of DDoS attacks. It is necessary to have this information as if we don't know the types. It is hard to plan an effective prevention and mitigation strategy.
The DDoS attacks broadly categorized into two types, Bulk / Volumetric and Non-Volumetric.
The goal of a volumetric attack is to overwhelm the internet bandwidth of the target site. It is also known as bulk traffic or flooding attack. The volumetric attack types include UDP-based, ICMP-based, syn-based floods, and few other types of spoofed packet floods. It is executed using botnets or the Memcached technique that leverages the amplification feature of a famous database caching system—the volumetric attacks measured in bits per second (BPS).
Top 3 Volumetric DDoS Attacks in recorded history:
1) Amazon Web Services (Size 2.3 TBPS)
2) Git Hub (Size 1.3 TBPS)
3) Dyn affected Airbnb, Netflix, Paypal and Visa (Size 1.2 TBPS)
In a non-volumetric DDoS attack, the target is not to bring down the whole site, but instead, the focus is on the individual infrastructure component, service, or application. The non-volumetric attack types flood the protocols and services running at Layer 4 and Layer 7 of the OSI model. It includes fragmented packet attacks, Ping of death, HTTP Get and Post floods, and low and slow attacks. The non-volumetric also uses protocol exploits and anomalies. These attacks designed to exhaust the finite resources dedicated to the concurrent number of connections the computer system can handle. These attacks are harder to detect because not as many machines are required to execute the attack. The traffic rate is low and appears to be legitimate. The attacker tries to monopolize the target-specific system processes and transactions—the non-volumetric attack size measured in packets per second (PPS).
All organizations, either from the public or private sector, offering online services to their consumers, can be a target. The DDoS threat applies to both cloud and on-premise hosted services. Companies with no internet published services are also at risk and can unknowingly contribute to a DDoS if the computers in the network are compromised and are used to attack a target on the internet. This behavior will overwhelm not only the destination but also the internet bandwidth and network performance of the local site.
Leading Anti DDoS Technology Solutions
The efficacy of a DDoS solution mainly depends on the type of DDoS threat from which it protects. Ideally, you will have a combination of a scrubbing center subscription and on-premise hardware or software-based protection.
Volumetric DDoS Protection Solution
The complete protection from a volumetric DDoS attack is only possible by making use of a scrubbing center. There are several cloud-based scrubbing centers vendors. In this solution, the client infrastructure and the identified critical assets are continuously monitored. As soon as a DDoS attack is detected, the user traffic is immediately diverted to the scrubbing center that cleans the traffic, checks the hygiene, and forwards the legitimate connections to the target servers.
Leading volumetric DDOS protection vendors are AWS Shield, Cloudflare, Verisign, F5 Silverline, and Akamai.
Non – Volumetric DDoS protection solution
These are hardware-based on-premise solutions that protect from non-volumetric DDoS attacks and are well known as Network Behavior Analysis solutions. NBA solutions continuously monitor network behavior by performing anomaly detection and advanced statistical techniques. The common techniques are aggressive connection aging, protocol header validation, cookie insertion in TCP sequence field, syn retransmissions, sequence validation, state transition anomalies validation, IP reputation, domain name reputation, and source tracking. You can define and rate limit the expected traffic to your services. If a traffic pattern observed beyond the estimated rate, strict action taken to block, throttle, and rate limit the offending sources. Most NBA solutions also have the BGP flowspec feature. It automates the distribution of traffic filters to internet boundary routers. The BGP flowspec allows mitigation by using the BGP NLRI type, which includes several components such as destination and source subnet, protocol, and ports. The on-premise hardware-based NBA solution can signal and integrate with a cloud scrubbing center to divert the traffic during volumetric DDoS attacks.
Arbor Network's AED, Radware's Defense Pro, and Fortinet's FortiDDOS are among the leading hardware-based NBA solutions available in the market.
Another cost-effective option with limited DDoS functionality is to protect using your Internet border UTM firewall solutions such as Cisco FTD, Palo Alto, and Fortigate.
A risk-based approach to DDoS Protection
Smart leadership always seek proactive strategies to address the cyber risks to the organization and its business interests.
Follow my guidelines to reduce your risk by identifying, planning, preparing, and preventing your organizations from a future DDoS attack.
About the Author
Farhan Imtiaz works for Dimension Data / NTT as a Cyber Security Manager and looks after the consulting, services, and support business in the Middle East Region. He has more than 15 years of hardcore experience in technology and cybersecurity sales, consulting, solutions, services, support, and managed services. He has successfully delivered projects for Finance, Health, Education, Military, Aviation, Utility, Manufacturing, Food, Travel & Tourism, and Oil and Gas industries in both the Public and Private Sectors.
@FiTechHere is a good example: