By Steve Liddon, Sr. Architect, Product & Solution Engineering
Before we get into the thick of it, let’s cover the basics.
From a high level, a distributed denial-of-service (DDoS) attack is like an unexpected traffic jam happening at the worst possible time, clogging up the 401 during off-peak hours, and preventing you from making your dinner reservation. More specifically, it is a malicious attempt to disrupt normal operations and force downtime on a targeted server, service, or network by flooding it with unwanted Internet traffic.
Ever since the pandemic, society has shifted to rely heavily on online services for everything from groceries, healthcare, online education, eCommerce, streaming services, and much more. The idea of remote work has been an especially large shift, going from a nice-to-have work perk to the de facto.
This opened the “floodgates” for bad actors to disrupt as many people as possible and extort money from their targets. Some industries have taken the brunt of the DDoS attacks, but with work-from-home policies, all organizations, big and small, are potential victims. Blocking employee VPN access to companies leaves wasted resources at home to work on daily tasks during working hours and can be very costly to some organizations.
Cybercriminals no longer need to go through the trouble of hacking into a company, installing malware and encrypting sensitive data to demand a ransom. Instead, they simply need to launch continuous DDoS attacks against your Internet-facing infrastructure until you pay up for them to move to the next unlucky target. These attacks are known as Ransom DDoS or RDDoS.
Why would someone target you, or your company?
· To cause monetary loss, reputation loss or waste company resources
· To steal confidential information
· To make money
Not all DDoS attackers are cyber criminals. That’s why we like to label them as “bad actors”. Access to DDoS-for-Hire services is easier and cheaper than ever, with some now offering free trials. These days, anyone can take down a target with $5 and a few keystrokes.
So, who is responsible?
· Cyber Criminals
· Disgruntled employees or ex-employees
· Competition (especially in gaming)
· Unhappy customers
· Students trying to get out of exams (we’re not kidding!)
Hackers are on the hunt for new security flaws to increase cyber-attack sophistication. It’s a constant game of cat-and-mouse between cyber criminals and security experts. Just when one hole is plugged another one pops up. For some time now, DDoS attacks relied on compromised IoT devices to launch large amplification/reflection attacks; however, with recent vulnerabilities in high-capacity Internet servers (GitLab, Confluence, Log4J) attackers have created server-class botnets and used them to launch direct-path (non-spoofed) attacks at their targets.
Additional nasty attack strategies on the rise include:
· Multi-Vector Attacks – Why stop at one type of attack when you can do several at the same time to target different vulnerabilities. For example, DNS Amplification, paired with an ICMP Flood and a TCP ACK attack.
· Carpet Bombing Attacks – Typically, a single IP is targeted; but with these ruthless attacks, multiple IPs are attacked at the same time to evade mitigation systems. A bunch of small floods can add up quickly to overwhelm your Internet perimeter.
· Burst Attacks (aka Hit and Run Attacks) – Attack an IP, stop quickly, attack the same IP, and stop again. Continue this pattern and your Internet will be bouncing up and down. This strategy is designed to take advantage of the delay between detecting an attack, and for mitigation to kick in.
· Any combination of the above – Yikes! No thanks 😉
With all this craziness what can be done?
Finding the right DDoS mitigation service for your company’s security requirements should be your first line of defense. You want to stop the influx of unwanted traffic before it can reach your security edge. There are many options to choose from; on-prem solutions, cloud-based, always-on, on-demand, always-on monitoring with quick mitigation. To find the best fit, ask yourself:
· How much downtime can I accept? If you are running an ecommerce website that can’t afford downtime, an always-on solution is ideal, otherwise maybe a more cost-effective solution will work for your security compliances.
· Can my team deploy and continually manage new security appliances on site? If not, explore cloud-based solutions for simple configuration free deployments.
· How much can I spend on DDoS protection? Depending on how quickly you require mitigation to kick in, costs can vary quite a bit.
· Can my Internet Service Provider meet my requirements?
Remember, DDoS Protection is only one tool in your arsenal. You’ll still need to deploy firewalls, IPS/IDS, WAFs, anti-virus, and anti-spam where needed. I encourage all organizations to use security best practices in their deployments. Here are a few suggestions:
· Build a Human Firewall! Train employees regularly on email and Internet security best practices.
· Only allow the required traffic (TCP/UDP ports) to communicate to your web servers and devices, block all other traffic.
· Do your part to stop DDoS attacks on others and make a cleaner Internet: add security measures to prevent your network from being used in a reflection/amplification DDoS attack by enabling outbound access-control-lists (ACL) that allow only traffic from your companies owned/assigned public IPs to reach the WWW. This prevents any compromised devices from sending spoofed packets.
Cyber resiliency is more important than ever
It is becoming more important than ever to invest in cyber resiliency. No matter the size or scale, an attack on your network can be detrimental to your business and costly in the end. The best way to prevent an attack is to stop it before it even begins. If you’re planning to take the journey to outwit those that would do you harm and get secure, DDoS protection can go a long way.
