By Steve Liddon, Sr. Architect, Product & Solution Engineering

Before we get into the thick of it, let’s cover the basics. 

At a high level, a distributed denial-of-service (DDoS) attack is like an unexpected traffic jam happening at the worst possible time, clogging up the 401 during off-peak hours and preventing you from making your dinner reservation. More specifically, it is a malicious attempt to disrupt normal operations and force downtime on a targeted server, service, or network by flooding it with unwanted Internet traffic.

It’s been a messy couple of years on the Internet backbone. With the pandemic, society has shifted to rely heavily on online services for everything: groceries, healthcare, online education, ecommerce, streaming services, and much more. Remote work has been an especially large shift, going from a nice-to-have work perk to the de facto standard.

This opened the “flood gates” for bad actors to disrupt as many people as possible and extort money from their targets. Some industries have taken the brunt of the DDoS attacks, but with work-from-home policies, all organizations, big and small, are potential victims. An attack that blocks employee VPN access into the company leaves remote workers idle at home during working hours, which can be very costly to some organizations.

Cyber criminals no longer need to go through the trouble of hacking into a company, installing malware and encrypting sensitive data to demand a ransom. Instead, they simply need to launch continuous DDoS attacks against your Internet-facing infrastructure until you pay up for them to move to the next unlucky target. These attacks are known as Ransom DDoS or RDDoS.

Why would someone target you, or your company?

·       To cause monetary loss, reputation loss or waste company resources

·       To steal confidential information

·       To make money

Not all DDoS attackers are cyber criminals. That’s why we like to label them as “bad actors”.  Access to DDoS-for-Hire services is easier and cheaper than ever, with some now offering free trials. These days, anyone can take down a target with $5 and a few keystrokes.

So, who is responsible?

·       Cyber Criminals

·       Disgruntled employees or ex-employees

·       Competition (especially in gaming)

·       Unhappy customers

·       Students trying to get out of exams (we’re not kidding!)

Hackers are on the hunt for new security flaws to increase the sophistication of cyber-attacks. It’s a constant game of cat-and-mouse between cyber criminals and security experts. Just when one hole is plugged, another one pops up. For some time now, DDoS attacks have relied on compromised IoT devices to launch large amplification/reflection attacks; however, with recent vulnerabilities in high-capacity Internet servers (GitLab, Confluence, Log4J), attackers have built server-class botnets and used them to launch direct-path (non-spoofed) attacks at their targets. In the second half of 2021, for the first time since 2018, direct-path attacks (TCP ACK, TCP SYN) became the tool of choice over DNS Amplification attacks.[i]

Additional nasty attack strategies on the rise include:

·     Multi-Vector Attacks – Why stop at one type of attack when you can do several at the same time to target different vulnerabilities.  For example, DNS Amplification, paired with an ICMP Flood and a TCP ACK attack.

·     Carpet Bombing Attacks – Typically, a single IP is targeted; but with these ruthless attacks, many IPs in the same range are hit at the same time to evade mitigation systems that watch each IP on its own. A bunch of small floods can add up quickly to overwhelm your Internet perimeter.

·     Burst Attacks (aka Hit and Run Attacks) – Attack an IP, stop quickly, attack the same IP, and stop again. Continue this pattern and your Internet will be bouncing up and down. This strategy is designed to take advantage of the delay between detecting an attack and mitigation kicking in.

·     Any combination of the above – Yikes! No thanks 😉
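Both carpet bombing and burst attacks exploit blind spots in a detector that only checks one destination IP against one threshold. The following is an added example, not code from Beanfield or the Netscout report, that runs three checks over constructed flow records (timestamp, destination IP, packets per second, as a NetFlow/sFlow collector might export them): a plain per-IP flood check, a per-/24 aggregate check that catches carpet bombing even when no single IP crosses the per-IP threshold, and an on/off cycle counter that flags a burst pattern. The thresholds, the 10-second bucket size and the sample addresses (RFC 5737 documentation ranges) are all assumptions.

```python
"""Added example (not from the Beanfield post): aggregate constructed flow
records so that carpet-bombing and burst patterns, which slip past a naive
per-IP threshold, still raise an alert."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PER_IP_PPS = 100_000      # assumed: packets/second that count as a flood on one IP
PER_PREFIX_PPS = 150_000  # assumed: aggregate packets/second that count as a flood on a /24
BUCKET_SECONDS = 10       # assumed: detection window

# Constructed sample flow records: (timestamp in seconds, destination IP, packets/second).
# Five hosts in 198.51.100.0/24 each get 40k pps at once (carpet bombing, each under
# PER_IP_PPS); 203.0.113.10 is hit, released, and hit again (burst); 192.0.2.7 is benign.
SAMPLE_FLOWS = [
    (0, "198.51.100.1", 40_000),
    (1, "198.51.100.2", 40_000),
    (2, "198.51.100.3", 40_000),
    (3, "198.51.100.4", 40_000),
    (4, "198.51.100.5", 40_000),
    (5, "192.0.2.7", 2_000),
    (10, "203.0.113.10", 120_000),
    (20, "203.0.113.10", 5_000),
    (30, "203.0.113.10", 130_000),
    (40, "203.0.113.10", 5_000),
    (50, "203.0.113.10", 125_000),
]


def bucketize(flows):
    """Sum pps per (bucket, destination IP) and per (bucket, destination /24)."""
    per_ip = defaultdict(int)
    per_prefix = defaultdict(int)
    for ts, dst, pps in flows:
        bucket = ts // BUCKET_SECONDS
        per_ip[(bucket, dst)] += pps
        prefix = ip_network(f"{dst}/24", strict=False)
        per_prefix[(bucket, str(prefix))] += pps
    return per_ip, per_prefix


def detect_floods(flows):
    """Naive check: one destination IP over PER_IP_PPS in a bucket."""
    per_ip, _ = bucketize(flows)
    return [("flood", bucket, dst, pps)
            for (bucket, dst), pps in sorted(per_ip.items()) if pps > PER_IP_PPS]


def detect_carpet_bombing(flows):
    """Flag a /24 whose aggregate exceeds PER_PREFIX_PPS while every member IP
    stays under PER_IP_PPS, i.e. exactly what the per-IP check misses."""
    per_ip, per_prefix = bucketize(flows)
    alerts = []
    for (bucket, prefix), pps in sorted(per_prefix.items()):
        if pps <= PER_PREFIX_PPS:
            continue
        members = [ip for (b, ip) in per_ip
                   if b == bucket and ip_address(ip) in ip_network(prefix)]
        if all(per_ip[(bucket, ip)] <= PER_IP_PPS for ip in members):
            alerts.append(("carpet_bomb", bucket, prefix, pps, len(members)))
    return alerts


def detect_bursts(flows, min_cycles=2):
    """Flag a destination that crosses PER_IP_PPS, drops back, and crosses again
    at least min_cycles times: the hit-and-run pattern."""
    per_ip, _ = bucketize(flows)
    series = defaultdict(dict)
    for (bucket, dst), pps in per_ip.items():
        series[dst][bucket] = pps
    alerts = []
    for dst, by_bucket in series.items():
        buckets = range(min(by_bucket), max(by_bucket) + 1)
        above = [by_bucket.get(b, 0) > PER_IP_PPS for b in buckets]
        # Count rising edges (below -> above); a series that starts above counts as one.
        rises = sum(1 for prev, cur in zip(above, above[1:]) if cur and not prev)
        if above[0]:
            rises += 1
        if rises >= min_cycles:
            alerts.append(("burst", dst, rises))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_FLOWS) + detect_carpet_bombing(SAMPLE_FLOWS) + detect_bursts(SAMPLE_FLOWS):
        print(alert)
```

Run against the sample, the per-IP check sees only the three spikes on 203.0.113.10 and says nothing about 198.51.100.0/24; the prefix check reports that /24 at 200,000 pps spread over five hosts, and the burst check reports three on/off cycles for 203.0.113.10. In a real deployment the bucket size should be shorter than the gap between bursts, otherwise the on and off phases average out inside one window.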

With all this craziness what can be done?

Finding the right DDoS mitigation service for your company’s security requirements should be your first line of defense. You want to stop the influx of unwanted traffic before it can reach your security edge. There are many options to choose from: on-prem solutions, cloud-based, always-on, on-demand, and always-on monitoring with quick mitigation. To find the best fit, ask yourself:

·     How much downtime can I accept?  If you are running an ecommerce website that can’t afford downtime, an always-on solution is ideal; otherwise a more cost-effective solution may satisfy your security and compliance requirements.

·     Can my team deploy and continually manage new security appliances on site?  If not, explore cloud-based solutions for simple, configuration-free deployments.

·     How much can I spend on DDoS protection?  Depending on how quickly you require mitigation to kick in, costs can vary quite a bit.

·     Can my Internet Service Provider meet my requirements?

Remember, DDoS Protection is only one tool in your arsenal. You’ll still need to deploy firewalls, IPS/IDS, WAFs, anti-virus, and anti-spam where needed.  I encourage all organizations to use security best practices in their deployments.  Here are a few suggestions:

·     Build a Human Firewall! Train employees regularly on email and Internet security best practices.

·     Only allow the required traffic (TCP/UDP ports) to communicate to your web servers and devices, block all other traffic.

·     Do your part to stop DDoS attacks on others and make a cleaner Internet: add security measures to prevent your network from being used in a reflection/amplification DDoS attack by enabling outbound access-control lists (ACLs) that allow only traffic sourced from your company’s owned/assigned public IPs to reach the Internet. This prevents any compromised devices on your network from sending spoofed packets.
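An egress ACL of the kind described above is easy to write once you know your own prefixes, and the same prefix list lets you audit outbound flow records for hosts that are already spoofing. The following is an added example, not Beanfield’s code or configuration: it checks constructed egress flow records (source IP, destination IP, destination port, packet count) against an assumed list of company-owned prefixes, reports the flows an egress ACL should be dropping, and renders that ACL as illustrative Cisco IOS-style statements. The prefix list, the ACL name, and the sample flows (RFC 5737 documentation ranges) are all assumptions.

```python
"""Added example (not from the Beanfield post): audit egress flows against the
prefixes a company owns and render the matching anti-spoofing egress ACL."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed: the public prefixes assigned to the company.
OWNED_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Constructed egress flow records from the WAN interface:
# (source IP, destination IP, destination port, packets).
SAMPLE_EGRESS = [
    ("203.0.113.25", "192.0.2.80", 443, 400),     # legitimate web traffic
    ("198.51.100.9", "192.0.2.53", 53, 120),      # legitimate DNS lookups
    ("192.0.2.200", "192.0.2.53", 53, 9_000),     # spoofed: source is not ours
    ("198.51.100.200", "192.0.2.123", 123, 7_500),  # spoofed: in the /24 but outside our /25
    ("10.0.0.4", "192.0.2.123", 123, 30),         # private address leaking to the Internet
    ("203.0.113.25", "192.0.2.80", 443, 50),
]


def is_owned(src):
    """True when the source address falls inside one of our assigned prefixes."""
    addr = ip_address(src)
    return any(addr in net for net in OWNED_PREFIXES)


def find_spoofed(flows):
    """Return the flows whose source an egress ACL would drop, in input order."""
    return [flow for flow in flows if not is_owned(flow[0])]


def spoofed_packets_by_port(flows):
    """Total spoofed packets per destination port; reflection abuse typically
    shows up as large counts toward UDP services such as 53 or 123."""
    totals = Counter()
    for src, _dst, port, packets in find_spoofed(flows):
        totals[port] += packets
    return dict(totals)


def egress_acl_rules(prefixes, name="EGRESS-ANTISPOOF"):
    """Render an illustrative Cisco IOS-style extended ACL that permits only our
    prefixes as source and denies (and logs) everything else."""
    lines = [f"ip access-list extended {name}"]
    for net in prefixes:
        # IOS extended ACLs take a wildcard mask, which is the inverted netmask.
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    for flow in find_spoofed(SAMPLE_EGRESS):
        print("spoofed source:", flow)
    print("spoofed packets by port:", spoofed_packets_by_port(SAMPLE_EGRESS))
    print("\n".join(egress_acl_rules(OWNED_PREFIXES)))
```

The 198.51.100.200 record is the case worth noticing: it is inside the /24 the company shares with a neighbour but outside the /25 actually assigned, so a filter written loosely around the /24 would let it through. Apply the rendered ACL outbound on the Internet-facing interface (the ISP edge is the conventional place), and treat any hits on the final deny line as a lead on a compromised internal host.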

Cyber resiliency is more important than ever

It is becoming more important than ever to invest in cyber resiliency. No matter the size or scale, an attack on your network can be detrimental to your business and costly in the end. The best way to prevent an attack is to stop it before it even begins. Start your journey today to outwit those that would do you harm and get secure with Beanfield’s DDoS protection!

[i] Netscout, Threat Intelligence Report, Issue 8: Findings from the 2nd half of 2021. https://www.netscout.com/threatreport/