Distributed Denial of Service (DDoS) attacks are designed to overwhelm network resources and render them unavailable to legitimate users. According to the Verizon 2017 Data Breach Investigations Report, security incidents related to DDoS attacks are more common than any other attack category. There were 11,226 reported DDoS attacks in 2016, a significant increase from the 2,435 reported in 2014.
Organizations that adopt preemptive DDoS prevention and mitigation strategies are better able to limit the damage a DDoS attack can cause. But no single strategy fits every organization.
Selecting the Right DDoS Protection Strategy
Selecting a DDoS prevention strategy is a four-step process.
- Conducting a risk assessment to identify an organization’s infrastructure vulnerabilities, single points of failure, and post-attack financial impact. DDoS attacks can target servers (e.g., web, email, DNS, file), websites, web applications, banking, trading and e-commerce platforms, and VoIP systems.
- Understanding the three broad categories of DDoS attacks:
  - Volume attacks saturate the bandwidth of the targeted server.
  - Protocol attacks consume server resources or the connection tables of intermediate devices such as firewalls and load balancers.
  - Application layer attacks flood the server with requests, causing the server to crash.
- Mapping the risk assessment results to the DDoS attack categories to identify which preventive strategies would be most appropriate and effective for the organization.
- Implementing the appropriate strategies.
Volume and Protocol DDoS Protection Strategies
Volume and protocol attacks are almost always executed with botnets, and sometimes include complex, multi-stage assaults similar to Advanced Persistent Threats (APTs). Given that, recommended DDoS protection strategies should include the following.
- Border Gateway Protocol (BGP) Routing: Protects multiple service types and protocols across an entire subnet range of IP addresses (i.e., a Class C subnet). This solution protects against HTTP/HTTPS, SMTP, FTP, VoIP, and other protocol attacks. It also provides protection from direct-to-IP attacks, which target a specific, vulnerable IP address. In both cases, if there is a DDoS attack, BGP route announcements divert incoming traffic to globally dispersed ‘scrubbing’ centers, and a GRE tunnel carries the cleaned traffic on to the origin, thus preventing network overload.
- Dedicated IP: Protects multiple service types and protocols for organizations without a C-class subnet. This solution uses a dedicated IP address through which all incoming traffic is inspected and filtered. Suspicious or malicious traffic is blocked, while acceptable traffic is forwarded through a redundant, secure, symmetric GRE tunnel to the origin IP address.
- Cross-Connect: Similar to BGP routing, but without a GRE tunnel. Instead, the scrubbing centers are directly connected to the organization’s network.
- Proxies: Protects DNS servers by creating a proxy in front of the DNS server. The proxy inspects all incoming DNS requests, filtering out any malicious requests. The proxy also blocks any attempts to use the DNS server as a platform for DNS Amplification attacks targeting other servers.
Application Layer DDoS Protection Strategies
Application layer DDoS attacks try to mimic legitimate web clients, such as web browsers, completing a full three-way TCP handshake before sending requests. Application layer protection therefore requires a traffic profiling solution that can accurately distinguish between humans, human-like bots, and hijacked devices.
The profiling solution should include the following services:
- Reputation Intelligence: Uses a global network of sensors, endpoint devices, and honeypots to identify and block bots originating from suspect IP addresses, URLs, domains, applications, or anonymous proxies.
- Progressive Challenges: Minimizes false positives by using a set of transparent challenges to distinguish between humans, good and bad human-like bots, and hijacked devices. CAPTCHA is an example of a progressive challenge.
- Behavior Anomaly Detection: Creates a behavioral baseline profile or ‘whitelist’ of typical patterns of access to databases, file shares, and cloud-based applications based on functional unit and role; spotlights the riskiest users, client hosts, and servers so security teams can prioritize investigation of any anomalies.
- Web Threat and Malware Detection: Uses a Web Application Firewall (WAF) to intercept, inspect, and validate all HTTP and HTTPS requests/responses between a client and web application; blocks SQL injection, cross-site scripting, compromised credential access, remote file inclusion, and other OWASP Top 10 threats.
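As an added illustration of how Behavior Anomaly Detection and Progressive Challenges fit together (example code written for this page, not an Imperva implementation), the script below learns a per-client request-rate baseline from a quiet period of constructed access-log lines, then scores live clients by how far their peak rate deviates from that baseline and assigns a tiered verdict: allow, challenge (e.g. a CAPTCHA), or block. The log format, IP addresses and thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev


def _lines(minute, ip, n):
    """Build n constructed access-log lines: '<epoch_minute> <client_ip> <path>'."""
    return [f"{minute} {ip} /index.html" for _ in range(n)]


# Constructed quiet-period traffic (three clients, three minutes) used to learn the baseline.
BASELINE_LOG = (
    _lines(1, "198.51.100.10", 2) + _lines(2, "198.51.100.10", 2) + _lines(3, "198.51.100.10", 3)
    + _lines(1, "198.51.100.11", 1) + _lines(2, "198.51.100.11", 2) + _lines(3, "198.51.100.11", 2)
    + _lines(1, "198.51.100.12", 3) + _lines(2, "198.51.100.12", 2) + _lines(3, "198.51.100.12", 1)
)
# Constructed live traffic: one normal client, one slightly elevated, one flooding.
LIVE_LOG = _lines(10, "198.51.100.10", 2) + _lines(10, "203.0.113.5", 5) + _lines(10, "203.0.113.99", 20)


def requests_per_minute(lines):
    """Return {client_ip: Counter({minute: request_count})} from log lines."""
    counts = defaultdict(Counter)
    for line in lines:
        minute, ip, _path = line.split()
        counts[ip][int(minute)] += 1
    return counts


def build_baseline(lines):
    """Mean and population stddev of per-client, per-minute request counts in the quiet period."""
    rates = [n for per_min in requests_per_minute(lines).values() for n in per_min.values()]
    return mean(rates), pstdev(rates)


def classify(lines, baseline, challenge_k=3.0, block_k=8.0):
    """Tiered verdict per client from the z-score of its busiest minute against the baseline.

    Clients within challenge_k standard deviations are allowed; those above it receive a
    progressive challenge; those above block_k are blocked outright.
    """
    mu, sigma = baseline
    sigma = sigma or 1.0  # a perfectly flat baseline would otherwise divide by zero
    verdicts = {}
    for ip, per_min in requests_per_minute(lines).items():
        z = (max(per_min.values()) - mu) / sigma
        verdicts[ip] = "block" if z >= block_k else "challenge" if z >= challenge_k else "allow"
    return verdicts


if __name__ == "__main__":
    print(classify(LIVE_LOG, build_baseline(BASELINE_LOG)))
```

In production the baseline would be recomputed per functional unit and role, as the section describes, and the verdict would feed the challenge layer rather than a blocklist directly.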
Learn how Imperva solutions can help you prevent DDoS attacks.