By Farhan Imtiaz, GISSP Member.
Even if you are not an avid reader, you have most likely come across the news of the largest DDoS attack ever recorded; the attack was reported by BBC, CNN, and other leading news networks. The target of the attack was AWS (Amazon Web Services). AWS is an enormous cloud-services provider and a significant money-maker for Amazon. As of June 18, 2020, Amazon is the richest company on the face of the planet with a net worth of $1000 Billion.
What is a DDoS attack?
A distributed denial of service attack (DDoS) is a widespread and common cyber-attack. It exhausts the target system's resources to the point where service is either significantly degraded or lost entirely. The goal of the attack is to make the system unavailable and deny access to legitimate users. Typically, the three primary targets of a DDoS attack are web services, computer systems, and networks.
The motivation for these attacks can be political, financial, or ideological. Most DDoS attacks are executed using hundreds or thousands of compromised systems on the internet, collectively called a botnet, which are controlled by bad actors. The target system is flooded with requests at many times its maximum capacity.
Businesses rely on service availability. Even a few minutes of a website outage can have a notable impact, resulting in loss of revenue, data, reputation, and customer trust. According to recent research by Kaspersky Labs, 20% of businesses with 50 or more employees have suffered at least one DDoS attack: a one in five chance of being hit. An average DDoS attack causes several hours of downtime with a mean cost of up to US$417,000 to recover. The report highlights that some attacks are even more damaging, creating a service outage lasting from two days to a week, and in some cases several weeks or more.
Types of DDoS Attack
Now that we understand what a DDoS attack is, the next step is to discover the kinds of DDoS attacks. This information is necessary: if we don't know the types, it is hard to plan an effective prevention and mitigation strategy. DDoS attacks are broadly categorized into two types, Bulk / Volumetric and Non-Volumetric.
The goal of a volumetric attack is to overwhelm the internet bandwidth of the target site. It is also known as a bulk traffic or flooding attack. Volumetric attack types include UDP-based, ICMP-based, and SYN-based floods, and a few other types of spoofed packet floods. It is executed using botnets or the Memcached technique, which leverages the amplification feature of a well-known database caching system. Volumetric attacks are measured in bits per second (bps).
Top 3 volumetric DDoS attacks in recorded history.
In a non-volumetric DDoS attack, the target is not to bring down the whole site; instead, the focus is on an individual infrastructure component, service, or application. Non-volumetric attack types flood the protocols and services running at Layer 4 and Layer 7 of the OSI model. They include fragmented packet attacks, Ping of Death, HTTP GET and POST floods, and low-and-slow attacks. Non-volumetric attacks also use protocol exploits and anomalies.
These attacks are designed to exhaust the finite resources dedicated to the number of concurrent connections the computer system can handle. They are harder to detect because far fewer machines are required to execute the attack: the traffic rate is low and appears to be legitimate. The attacker tries to monopolize specific processes and transactions on the target system. Non-volumetric attack size is measured in packets per second (pps).
All organizations, whether in the public or private sector, that offer online services to their consumers can be a target. The DDoS threat applies to both cloud and on-premise hosted services. Companies with no internet-published services are also at risk: they can unknowingly contribute to a DDoS if the computers in their network are compromised and used to attack a target on the internet. This behaviour overwhelms not only the destination but also the internet bandwidth and network performance of the local site.
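The distinction drawn above, volumetric attacks measured in bits per second versus non-volumetric attacks measured in packets per second, is easy to turn into a first-pass detector. The following is an added example, not code from the original article: it aggregates constructed flow records (not real captures) per source over one-second windows, compares them against assumed per-source baselines, and labels each source as volumetric, non-volumetric, or normal, which is the kind of classification a rate-limiting or scrubbing decision would start from. The thresholds, addresses, and `Flow` record format are all assumptions for the demonstration.

```python
"""Rate-based flood classification over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow-export record (constructed format for this example)."""
    ts: float      # seconds since capture start
    src: str       # source IP address
    proto: str     # "UDP", "TCP-SYN", "HTTP", ...
    packets: int   # packets seen in this record
    bytes: int     # bytes seen in this record


# Per-source baselines an operator would derive from normal traffic (assumed values).
BPS_LIMIT = 50_000_000   # 50 Mbit/s per source: above this we call it volumetric
PPS_LIMIT = 2_000        # 2,000 packets/s per source: above this, a protocol flood

# Constructed sample data: one legitimate web client, one UDP flood source
# (high bandwidth), and one SYN flood source (many tiny packets, low bandwidth).
SAMPLE_FLOWS = [
    Flow(0.00, "198.51.100.7", "HTTP", 40, 60_000),
    Flow(0.40, "198.51.100.7", "HTTP", 35, 52_000),
    Flow(0.10, "203.0.113.9", "UDP", 5_000, 10_000_000),   # 80 Mbit/s, 5k pps
    Flow(0.05, "192.0.2.33", "TCP-SYN", 2_500, 150_000),    # 1.2 Mbit/s, 2.5k pps
    Flow(0.55, "192.0.2.33", "TCP-SYN", 2_000, 120_000),    # same second: 4.5k pps total
]


def window_stats(flows, window=1.0):
    """Sum packets and bytes per (window index, source)."""
    stats = defaultdict(lambda: [0, 0])
    for f in flows:
        key = (int(f.ts // window), f.src)
        stats[key][0] += f.packets
        stats[key][1] += f.bytes
    return stats


def classify(flows, window=1.0):
    """Return {(window, src): (label, bps, pps)} using the bps/pps baselines."""
    verdicts = {}
    for (win, src), (pkts, byts) in window_stats(flows, window).items():
        bps = byts * 8 / window
        pps = pkts / window
        if bps > BPS_LIMIT:
            label = "volumetric"        # bandwidth exhaustion: divert to scrubbing
        elif pps > PPS_LIMIT:
            label = "non-volumetric"    # connection/protocol exhaustion: rate limit
        else:
            label = "normal"
        verdicts[(win, src)] = (label, bps, pps)
    return verdicts


def offending_sources(flows, window=1.0):
    """Sources that exceeded a baseline in any window, with the action to take."""
    actions = {"volumetric": "divert-to-scrubbing", "non-volumetric": "rate-limit"}
    return sorted(
        (src, actions[label])
        for (_, src), (label, _, _) in classify(flows, window).items()
        if label != "normal"
    )


if __name__ == "__main__":
    for (win, src), (label, bps, pps) in sorted(classify(SAMPLE_FLOWS).items()):
        print(f"window {win} {src:15} {label:15} {bps/1e6:8.2f} Mbit/s {pps:8.0f} pps")
    print(offending_sources(SAMPLE_FLOWS))
```

The ordering of the checks matters: a bandwidth flood also tends to exceed the packet-rate baseline, so bps is tested first and the pps test only catches low-bandwidth, high-packet-rate sources, which is exactly the non-volumetric profile described above.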
Leading Anti-DDoS Technology Solutions
The efficacy of a DDoS solution mainly depends on the type of DDoS threat from which it protects. Ideally, you will have a combination of a scrubbing centre subscription and on-premise hardware or software-based protection.
Volumetric DDoS Protection Solution
Complete protection from a volumetric DDoS attack is only possible by making use of a scrubbing centre. There are several cloud-based scrubbing centre vendors. In this solution, the client infrastructure and the identified critical assets are continuously monitored. As soon as a DDoS attack is detected, the user traffic is immediately diverted to the scrubbing centre that cleans the traffic, checks the hygiene, and forwards the legitimate connections to the target servers.
Leading volumetric DDoS protection vendors are AWS Shield, Cloudflare, Verisign, F5 Silverline, and Akamai.
Non-Volumetric DDoS protection solution
These are hardware-based on-premise solutions that protect against non-volumetric DDoS attacks and are commonly known as Network Behavior Analysis (NBA) solutions. NBA solutions continuously monitor network behaviour using anomaly detection and advanced statistical techniques. Common techniques are aggressive connection ageing, protocol header validation, cookie insertion in the TCP sequence field, SYN retransmissions, sequence validation, state transition anomaly validation, IP reputation, domain name reputation, and source tracking. You can define the expected traffic to your services and rate limit it.
If a traffic pattern beyond the estimated rate is observed, strict action is taken to block, throttle, or rate limit the offending sources. Most NBA solutions also have a BGP flowspec feature, which automates the distribution of traffic filters to internet boundary routers. BGP flowspec allows mitigation by using a dedicated BGP NLRI type that carries several match components such as destination and source subnet, protocol, and ports. The on-premise hardware-based NBA solution can signal and integrate with a cloud scrubbing centre to divert the traffic during volumetric DDoS attacks.
Arbor Network's AED, Radware's DefensePro, and Fortinet's FortiDDoS are among the leading hardware-based NBA solutions available in the market. Another cost-effective option with limited DDoS functionality is to protect using your internet border UTM firewall, such as Cisco FTD, Palo Alto, and FortiGate.
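Two of the NBA techniques listed above, cookie insertion in the TCP sequence field and sequence validation, are what SYN cookies implement: instead of allocating a half-open connection entry for every SYN, the server encodes a keyed hash of the connection 4-tuple and a coarse timestamp into the initial sequence number of its SYN-ACK, and only allocates state when the client's ACK carries a number that validates against a recomputed cookie. The following is an added example written for this article, not code from any vendor product or from the original page; the bit layout (5-bit time counter in 64-second units, 3-bit MSS index, 24-bit truncated HMAC), the secret, and the MSS table are assumptions chosen to mirror the classic scheme, and the addresses are constructed.

```python
"""Simplified SYN cookie generation and validation (added example)."""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"      # a real implementation rotates this key
MSS_TABLE = (536, 1220, 1440, 1460)      # MSS values encodable in the 3-bit field
TIME_UNIT = 64                           # seconds per cookie time window


def _hash24(src_ip, src_port, dst_ip, dst_port, t5):
    """Keyed hash of the 4-tuple and time counter, truncated to 24 bits."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t5}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _time_counter(now):
    return (int(now) // TIME_UNIT) & 0x1F


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """ISN for the SYN-ACK: no per-connection state is stored at this point."""
    t5 = _time_counter(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):       # largest table entry not exceeding the client's MSS
        if m <= mss:
            mss_idx = i
    return (t5 << 27) | (mss_idx << 24) | _hash24(src_ip, src_port, dst_ip, dst_port, t5)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now, max_age_windows=1):
    """Validate the client's ACK. Returns the recovered MSS, or None if the
    cookie is forged, belongs to another 4-tuple, or is too old."""
    cookie = (ack - 1) & 0xFFFFFFFF         # ACK acknowledges ISN + 1
    t5 = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = (_time_counter(now) - t5) & 0x1F  # windows elapsed, modulo the 5-bit counter
    if age > max_age_windows:
        return None                          # stale: reject before spending hash work
    if mss_idx >= len(MSS_TABLE):
        return None                          # index outside the table: tampered
    if (cookie & 0xFFFFFF) != _hash24(src_ip, src_port, dst_ip, dst_port, t5):
        return None                          # hash mismatch: forged or wrong 4-tuple
    return MSS_TABLE[mss_idx]                # handshake completed: allocate state now


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.1:443.
    t0 = 1_000_000
    isn = make_cookie("198.51.100.7", 40000, "203.0.113.1", 443, 1460, now=t0)
    print("SYN-ACK ISN:", hex(isn))
    print("valid ACK  :", check_cookie("198.51.100.7", 40000, "203.0.113.1", 443, isn + 1, now=t0 + 30))
    print("wrong port :", check_cookie("198.51.100.7", 40001, "203.0.113.1", 443, isn + 1, now=t0 + 30))
    print("stale ACK  :", check_cookie("198.51.100.7", 40000, "203.0.113.1", 443, isn + 1, now=t0 + 200))
```

The validation order is deliberate: the cheap time-window check runs before the HMAC, so a flood of bogus ACKs costs the server very little, and the MSS index is bounds-checked because it is attacker-controlled input taken straight from the packet. The cost of the technique, reflected in the small MSS table, is that TCP options negotiated in the SYN cannot all be recovered from a 32-bit cookie.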
A risk-based approach to DDoS Protection
Smart leadership always seeks proactive strategies to address the cyber risks to the organization and its business interests.
Follow my guidelines to reduce your risk by identifying, planning, preparing, and protecting your organization against a future DDoS attack.
- Identify your internet-published services (on-premise and cloud).
- Assess the services against your cyber risk management framework.
- Rate the services based on their criticality.
- Perform a quantitative and qualitative risk analysis to gauge the potential damage from a DDoS attack.
- Build your business case, meet the business stakeholders, and showcase the findings by demonstrating the TCO and ROI of possessing a DDoS strategy and solution.
- Align with your internal Business Continuity Management and Disaster Recovery teams.
- Perform your due diligence and explore the best protection options.
- Reach out to your technology and consulting partners.
- Implement and test the process and technology.
- Monitor your critical services and infrastructure 24/7.
- Integrate the DDoS solution with your SOC and empower its detection and response function.
FARHAN IMTIAZ, CISM, CISA, CISSP, CEH, CCIE, is a Cyber Security Manager working with Dimension Data and holds extensive experience in the areas of Consulting, Managed Services, CSOC, Incident Response, IT/OT/IoT and Security Solutions Architecture. He can be reached via his LinkedIn.
Main Image credit goes to information-age.com