How to defend against DDoS attacks?
08.11.2017

DDoS attacks are relatively inexpensive and easy to execute, so every organization is a potential target. How should you respond to a DDoS attack and mitigate the threat?

Distributed denial-of-service (DDoS) attacks are nowadays relatively easy to set up and execute, and they are very cheap to launch; you can buy one for a small amount of money from the comfort of your sofa. Not surprisingly, DDoS is one of the most common cybercrime techniques. The motives behind a DDoS attack vary widely, ranging from revenge and extortion to distraction while another cyberattack is carried out. For these reasons, ever smaller organizations, against which such attacks simply did not pay off in the past, have become victims of the DDoS threat.

Example: DDoS attack on some of the Slovenian banks in October 2017

At the beginning of October 2017, the Slovenian Computer Emergency Response Team (SI-CERT), the national center for handling incidents relating to the security of electronic networks and information, reported an attempt to disrupt the online services of some Slovenian banks for financial gain. The attackers launched DDoS attacks and sent emails to the banks demanding a ransom to stop them.

The attackers carried out so-called volume-based attacks: they flooded the target network with so much traffic that the links between the banks (the targets) and their Internet service providers were saturated. In a volume-based DDoS attack, attackers typically use a large number of geographically dispersed network devices that generate a huge amount of traffic and send it toward the target network. The attack traffic usually reaches tens of Gb/s or even 100 Gb/s, and the largest known attacks have exceeded 1 Tb/s.

You cannot defend against a volume-based DDoS attack with standard on-premises security measures. Once the attack traffic saturates the link between the target network and the service provider, it no longer matters which firewall protects the network or which security policies are deployed on it or on any other security device inside the network: packets are dropped upstream, before they ever reach those devices, and legitimate traffic is dropped along with the flood. Keeping your network devices, servers, and workstations patched and up to date remains essential for minimizing other risks, but it will not help you against a flood. The capacity of the local Internet link is simply too small compared with the volume of attack traffic.

Can we mitigate a DDoS attack alone?

No. At least not with standard on-premises security tools alone. DDoS protection is possible, however, in cooperation with your Internet service provider.

It is relatively easy for service providers to detect a DDoS attack in their own network:

  • A sudden and huge increase in traffic from a large pool of addresses toward one particular target address is difficult to ignore.
  • The traffic typically uses the same combination of UDP/TCP ports (in a reflection attack a fixed source port such as UDP 53 or 123 also gives away the amplifier protocol being abused).
  • The traffic usually originates abroad (sources are commonly located in China, the United States, Brazil, Russia, and a few other countries). In a reflection attack these are the addresses of the abused servers, not of the attacker's own bots.

A service provider can identify and block this kind of traffic shortly after the attack starts, thereby preventing it from flooding the customer's Internet link. In extreme cases, the provider can also block all traffic between the target network and foreign countries. Public network services then remain available to users in the home country, while users abroad cannot reach them. After the attack is over, the provider simply re-enables global access to the customer's network and all services are available to everyone again (this was also the procedure used in the banking example above).
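
The following is an added example, not code from the original article or from SI-CERT. It implements the three provider-side signals listed above over flow records (a sudden surge toward one destination, a very large pool of sources, and one dominant UDP/TCP port combination), adds the foreign-versus-domestic split, and emits the narrow filter a provider would install first. The GeoIP lookup is a constructed stub over documentation address ranges and the flow sample is synthetic; a provider would feed NetFlow/IPFIX records and a real GeoIP database into the same logic.

```python
"""Detect a volumetric DDoS in flow records the way a provider would.

Added example, not part of the original article. GEO and sample_flows()
are constructed stand-ins for a GeoIP database and NetFlow/IPFIX export.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_COUNTRY = "SI"
# Constructed GeoIP stub (assumption): documentation/benchmark ranges stand in
# for real allocations.
GEO = {
    ip_network("203.0.113.0/24"): "SI",
    ip_network("198.51.100.0/24"): "SI",
    ip_network("192.0.2.0/24"): "CN",
    ip_network("198.18.0.0/15"): "US",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    nbytes: int


def country(ip: str) -> str:
    addr = ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), "??")


def analyse(flows, baseline_bytes, *, surge_factor=10, min_sources=1000,
            port_share=0.8):
    """Return {dst: report} for destinations that look flooded.

    baseline_bytes maps a destination to its usual byte count per interval,
    taken from history. A destination is reported only if all three signals
    fire, so a legitimate traffic spike (few sources, many different port
    combinations) is not mistaken for an attack.
    """
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[f.dst].append(f)

    reports = {}
    for dst, fl in per_dst.items():
        total = sum(f.nbytes for f in fl)
        base = baseline_bytes.get(dst, 0)
        if total < surge_factor * max(base, 1):
            continue                              # no surge
        sources = {f.src for f in fl}
        if len(sources) < min_sources:
            continue                              # not distributed
        by_ports = Counter()
        for f in fl:
            by_ports[(f.proto, f.sport, f.dport)] += f.nbytes
        top_ports, top_bytes = by_ports.most_common(1)[0]
        if top_bytes / total < port_share:
            continue                              # no dominant port pattern
        foreign = sum(1 for s in sources if country(s) != HOME_COUNTRY)
        proto, sport, dport = top_ports
        reports[dst] = {
            "bytes": total,
            "baseline": base,
            "sources": len(sources),
            "foreign_share": round(foreign / len(sources), 2),
            "top_ports": top_ports,
            "top_port_share": round(top_bytes / total, 2),
            # Filter the provider can translate into an ACL or flowspec rule:
            # drop only the dominant pattern towards the target so that other
            # traffic to the host keeps flowing.
            "filter": {"action": "drop", "dst": dst, "proto": proto,
                       "sport": sport, "dport": dport},
        }
    return reports


def sample_flows():
    """Constructed sample: normal traffic plus a DNS-reflection style flood."""
    victim = "198.51.100.10"
    flows = [Flow(f"203.0.113.{i + 1}", victim, "tcp", 40000 + i, 443, 20_000)
             for i in range(40)]                  # 40 domestic web clients
    # 3000 distinct foreign sources, all UDP from source port 53 to port 80;
    # with reflection these are abused DNS resolvers, not the attacker's bots.
    for i in range(2800):
        flows.append(Flow(f"198.18.{i // 250}.{i % 250 + 1}", victim,
                          "udp", 53, 80, 4_000))
    for i in range(200):
        flows.append(Flow(f"192.0.2.{i + 1}", victim, "udp", 53, 80, 4_000))
    return flows


if __name__ == "__main__":
    for dst, report in analyse(sample_flows(), {"198.51.100.10": 1_000_000}).items():
        print(dst, report)
```

Requiring all three signals matters: a flash crowd to a web server raises the byte count and the source count, but spreads over many ephemeral source ports, so it does not trip the port-concentration check and is not filtered by mistake.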

How to defend against even the largest DDoS attacks?

The largest DDoS attacks, with magnitudes exceeding 1 Tb/s, can generate more traffic than the upstream links of smaller, local service providers can carry. In that case the service provider itself becomes a victim of the attack, and all of its customers suffer with it.

In these cases, we need a solution that includes a scrubbing center. The task of the scrubbing center is to filter the traffic destined for the target network or application: it blocks the DDoS traffic while letting legitimate traffic pass, so that the network services keep working without interruption. The main advantage of scrubbing centers over local service providers is that they connect to the largest global (Tier-1) Internet service providers over high-capacity links (1 Tb/s or more).

The requirement for high-capacity links also dictates the geographic location of scrubbing centers: they are usually located close to the main global Internet exchange points. A good scrubbing center also has redundant links. You can arrange the service either always-on (all your traffic is permanently filtered) or on-demand (traffic is diverted to the center only during an attack).

Two methods are typically used to route our traffic through the scrubbing center:

  • Border Gateway Protocol (BGP),
  • Changing the DNS name of a service.

With the BGP method, the scrubbing center advertises our public IP address prefixes. All traffic destined for our public IP addresses (and services) reaches the scrubbing center first, where it is analyzed and, if necessary, blocked. For the filtered traffic to reach our network, we have to set up a logical network connection with the scrubbing center. Most commonly, GRE tunnels are deployed between the customer's Internet edge devices and the scrubbing center, but other techniques can be used if the center supports them. Two practical consequences follow: return traffic from our servers usually leaves over our regular Internet link, so the path is asymmetric, and the GRE encapsulation reduces the usable MTU, which normally calls for clamping the TCP MSS on the tunnel. We can use this method only if we have a /24 public address block or larger, because more specific announcements are filtered by most networks.

If we want to route only the traffic for specific servers through the scrubbing center, we can do this by changing their DNS records to point at the center. In this case the center essentially functions as a proxy server. This method protects only services that are addressed by a DNS name, the record TTL must be low enough for the change to take effect quickly, and the servers' real IP addresses must stay hidden and firewalled so that they accept traffic only from the scrubbing center; otherwise the attacker simply bypasses the proxy and floods the origin directly.
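
The following planning helper is an added example, not code from the original article or from any scrubbing provider. It encodes the two diversion methods described above: BGP diversion, which requires an announceable block (/24 or larger for IPv4; the example extends this to the usual /48 minimum for IPv6, which the article does not cover) and a GRE tunnel back to the customer, and a DNS cut-over for individual services with the TTL and origin-exposure caveats. The prefixes, service list, scrubbing center address and link MTU are constructed.

```python
"""Plan diversion of traffic through a scrubbing center.

Added example, not from the original article or any vendor. PREFIXES,
SERVICES and SCRUBBER_VIP are constructed inputs.
"""
from ipaddress import ip_address, ip_network

GRE_OVERHEAD = 20 + 4      # outer IPv4 header + 4-byte GRE header
TCP_IP_HEADERS = 20 + 20   # inner IPv4 + TCP headers without options


def bgp_eligible(prefix: str) -> bool:
    """True if a scrubbing center can announce this prefix on our behalf.

    Most networks filter announcements more specific than /24 (IPv4) or
    /48 (IPv6), so smaller blocks cannot be diverted with BGP.
    """
    net = ip_network(prefix)
    return net.prefixlen <= (24 if net.version == 4 else 48)


def gre_mss(link_mtu: int = 1500) -> dict:
    """Tunnel MTU and TCP MSS clamp for the customer end of the GRE tunnel.

    Scrubbed traffic arrives encapsulated, so inner packets must fit into
    the link MTU minus the GRE overhead. Clamping the MSS stops full-size
    TCP segments from being fragmented or black-holed by failed PMTUD.
    """
    tunnel_mtu = link_mtu - GRE_OVERHEAD
    return {"tunnel_mtu": tunnel_mtu, "tcp_mss": tunnel_mtu - TCP_IP_HEADERS}


def plan_dns_cutover(records, scrubber_vip, max_ttl=300):
    """Point A records at the scrubbing proxy and collect operational caveats.

    records: iterable of (name, ttl, origin_address).
    Returns (new_records, warnings).
    """
    new, warnings = [], []
    for name, ttl, origin in records:
        if ttl > max_ttl:
            warnings.append(
                f"{name}: TTL {ttl}s, resolvers may keep the old address for "
                f"{ttl // 60} min; lower it before an attack, not during one")
        warnings.append(
            f"{name}: origin {origin} must accept traffic only from the "
            "scrubbing center, otherwise the proxy can be bypassed")
        new.append((name, min(ttl, max_ttl), scrubber_vip))
    return new, warnings


def plan(prefixes, services, scrubber_vip, link_mtu=1500):
    """Pick BGP diversion where the address block allows it, DNS elsewhere."""
    bgp = [p for p in prefixes if bgp_eligible(p)]
    ineligible = [p for p in prefixes if not bgp_eligible(p)]

    def covered(addr):
        return any(ip_address(addr) in ip_network(p) for p in bgp)

    # Services inside a BGP-diverted block need no DNS change; the rest
    # (hosted in blocks too small to announce) must be fronted via DNS.
    dns_records, warnings = plan_dns_cutover(
        [s for s in services if not covered(s[2])], scrubber_vip)
    return {"bgp_prefixes": bgp, "bgp_ineligible": ineligible,
            "gre": gre_mss(link_mtu), "dns_records": dns_records,
            "warnings": warnings}


# Constructed inputs: a /24 that can be diverted with BGP and a /27 that cannot.
PREFIXES = ["203.0.113.0/24", "198.51.100.64/27"]
SERVICES = [("www.example.com", 3600, "203.0.113.10"),
            ("portal.example.com", 3600, "198.51.100.70")]
SCRUBBER_VIP = "192.0.2.1"

if __name__ == "__main__":
    for key, value in plan(PREFIXES, SERVICES, SCRUBBER_VIP).items():
        print(key, value)
```

With a 1500-byte link, the tunnel MTU comes out at 1476 bytes and the MSS clamp at 1436 bytes; the DNS warnings are the two things most often forgotten in on-demand setups, namely lowering the TTL in advance and restricting the origin to the scrubbing center's addresses.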

Which DDoS defense strategy should I choose?

You can protect your network and services against a DDoS attack, but you cannot do it alone. Scrubbing center services are typically more expensive than the DDoS protection offered by your local service provider, but they provide effective protection even against the largest DDoS attacks.

The best DDoS defense strategy depends mostly on the business cost that the unavailability of your services would cause. Paying the ransom may look like the cheaper option at first sight, but in that case you will almost certainly be attacked again.

DDoS attacks are here to stay because they are easy to execute: they can be automated and carried out at very low cost.