Despite being an old threat, DDoS attacks are still an important part of a cybercriminal's arsenal. How are these attacks evolving, and why are they still so destructive?
DDoS attacks are a very important part of attackers' arsenals and they are evolving all the time. Some of the latest DDoS attacks are really old in essence but are being generated in new ways. The latest craze is the NTP attacks, instead of a few hacked servers sending a mass UDP flood, we have thousands of different servers sending a UDP flood using NTP as the vector. At the end of the day it's still a UDP flood, which has been around since the 90’s. These are what we call the “Big and Dumb attacks". It doesn’t mean they can’t be problematic, if your upstream provider lets 10Gb/Sec of UDP to flood your network. Stopping them is fairly straightforward, given that 99% of websites only require TCP ports 80/443, we leverage our upstream provider's network to do this.
The hardest attacks to stop effectively are a combination of many different attack types, I refer to it as a “salad bowl”. You can add as many different ingredients as you like or have available. A combination of a 2Gb/Sec TCP SYN attack, sprinkled with some malformed packets and throw in a 5,000 unique IP based Slowloris (JS LOIC) type HTTP get attack and for good measure harness 2,000 zombies infected with “headless browsers”. All this happens at once on a website that has 2,000 or more legitimate users, and it can prove to be a difficult task to figure out without the proper tools and experience. Most website operators just don’t have these resources available 24/7.
What options do organizations have when it comes to protecting against DDoS attacks?
There are two basic categories of DDoS protection: hardware-based solutions and cloud-based solutions.
Hardware DDoS solutions involve a physical appliance that usually looks like a small server, and are engineered to perform a certain task under a certain set of circumstances. They are shipped to the client who then installs, monitors, and troubleshoots it themselves, or pays a fee to the provider to do so.
Cloud-based DDoS solutions use a global network of interconnected hardware and software solutions augmented by manual monitoring and mitigation by security engineers. These techniques are deployed in a layered manner that is constantly adapted as the DDoS environment evolves, creating a virtual filter for each client. Cloud-based DDoS protection is usually much less expensive in the long run, easier to deploy and manage, and doesn't burn up network capacity in the same way hardware options do. But the biggest benefit of using a cloud DDoS protection service is that it allows organizations to focus on their core business and leaves DDoS problems to the experts that manage them.
Unless you belong to a large corporate entity, with tons of technical people, lots of money, and a very robust network infrastructure, you should go with a cloud based DDoS protection service. This can be supplied by your hosting provider or a third party service that specializes in DDoS protection services. It’s the experience part that usually is the missing component for most organizations. You can go out and spend 150K on DDoS protection hardware, but if you don’t know how to use it, it won’t do much. DDoS mitigation hardware can be very difficult to operate on sophisticated layer 7 attacks.