Distributed denial of service (DDoS) attacks have been a significant feature of the cyber threat landscape over the past two decades. The 2021 DDoS Threat Landscape Report reveals that attacks today are constantly evolving in complexity, volume, size, and frequency. The only constant in DDoS attacks is the attackers’ continued focus on the critical infrastructure of target organizations. The number of DDoS attacks per month is increasing – attacks have increased by a factor of four and since 2020, the volume and packets of attacks are also on the rise at two times and three times, respectively.
With more organizations than ever using Transmission Control Protocol (TCP), it’s clear attackers understand that sites with insufficient or no defenses are easy targets. Organizations not using always-on defenses are quite vulnerable to shorter attacks because attackers have the opportunity to create maximum disruption before mitigation can kick in. When attackers take this ‘rinse and repeat’ approach, it’s harder for organizations to mitigate and manage attacks.
In this post, we’ll explain the DDoS attack mitigation process and offer ten competencies your solution provider must offer today to manage the size and complexity of DDoS attacks.
‘DDoS mitigation’ refers to the process of successfully protecting a target from a distributed denial of service (DDoS) attack. A typical mitigation process can be broadly defined by four stages:
Detection—early identification of traffic flow anomalies that may be the “canary in the coal mine” signaling the buildup of a DDoS attack. Organizations can measure their detection effectiveness by how consistently and how early they can recognize an attack. The ultimate goal in this stage is identifying an attack instantly.
Diversion—when an attack is detected, the organization reroutes site traffic away from the target via DNS (Domain Name System) or BGP (Border Gateway Protocol) routing. Then, a decision is made whether to filter the traffic or discard it altogether. DNS routing is always-on, so it can respond to attacks quickly, and is effective against both application-layer and network-layer attacks. BGP routing is either always-on or on-demand.
Filtering—DDoS traffic is weeded out, usually by identifying patterns that instantly distinguish between legitimate traffic (i.e., humans, API calls, and search engine bots) and malicious visitors. Responsiveness is a function of your being able to block an attack without interfering with your users’ experience. The aim is for your solution to be completely transparent to site visitors.
Analysis—system logs and analytics can help organizations gather information about the attack, both to identify the offender(s) and to improve future resilience. Logging is a legacy approach, which can provide insights but not in real-time. Logging often requires detailed manual analysis. Advanced security analytics techniques are generally automated and can offer granular visibility into the attack traffic and instant understanding of attack details.
The 10 competencies you need from a DDoS solution
Now that we have established what to do, what factors must you consider when choosing a mitigation provider to do it?
Network capacity—this is a fundamental way to benchmark a DDoS mitigation service. It reflects the overall scalability available to you during an attack For example, a 1 Tbps (terabits per second) network can theoretically block up to the same volume of attack traffic, minus the bandwidth required to maintain its regular operations. Be careful with on-premises DDoS mitigation appliances as they are capped by default—both by the size of an organization’s network pipe and the internal hardware capacity.
Processing capacity— this function is represented by forwarding rates, measured in Mpps (millions of packets per second). Imperva recently thwarted an attack recorded at 155 Mpps, and some attacks can marshal forwarding rates as high as 300 Mpps. An assault exceeding your mitigation provider’s processing power will topple its defenses, which is why you should inquire about such a limitation upfront.
Latency—at some point, legitimate traffic to your website or application will pass through the DDoS provider’s network: If DDoS services are on-demand, traffic switches over to the DDoS provider when an attack occurs. If DDoS services are always on (which has significant advantages), all your traffic will pass through the provider’s servers. The connection between your data center and your DDoS provider must be very performant, or it can result in high latency for your users.
Time to mitigation—most assaults can take down a target in a matter of minutes and the recovery process can take hours. Imperva research is showing a trend toward shorter, higher volume attacks. Preemptive detection using always-on solutions provides an advantage here. Near-instant mitigation protects organizations from the first salvo during any assault. Look for a solution that can respond to an attack in seconds and be sure to test it during a service trial.
Mitigation at the network level—network layer DDoS attacks are volumetric – they rely on very large-scale traffic that can cause bigger damage to your infrastructure. DDoS mitigation providers must separate legitimate traffic from malicious traffic and get rid of malicious packets while allowing legitimate packets to reach their destination.
Application layer mitigation—application layer (OSI layer 7) DDoS attacks are much stealthier than their network layer counterparts, typically mimicking legitimate user traffic to evade security measures. To stop them, your solution should have the ability to profile incoming HTTP/S traffic, distinguishing between DDoS bots and legitimate visitors.
Protection of secondary assets—in a DDoS attack scenario, network infrastructure like web servers, DNS servers, email servers, FTP servers, and back office CRM or ERP platforms might be targeted by a perpetrator. Assess your entire network infrastructure risk and prioritize which components need to be protected. Your DNS service is one of the most common attack targets and your single point of failure, so make sure your solution can protect it.
Protection of individual IPs—historically, cloud-based DDoS protection services were only able to protect entire IP ranges, not individual IP addresses. Today, advanced DDoS services can protect individual IPs, allowing you to register a public IP or domain name, add the DDoS service to your DNS configuration, and enable immediate protection of that specific IP.
Support—Even if your DDoS service is fully automated, which is preferred because it allows fast response to an attack, make sure your provider offers professional support services. When an attack happens, you may need to talk to your provider to understand what is happening and resolve critical issues affecting your legitimate traffic. Ensure your DDoS mitigation service operates a Security Operations Center (SOC) with security specialists available on call 24x7x365 for emergency assistance.
Choose a specialist—security-focused vendors provide more advanced solutions—with experts dedicated to ongoing security research and round-the-clock monitoring of new attack vectors. Generalists, such as ISPs and hosting providers, offer basic mitigation solutions as an “add-on” to their core services, with the aim of upselling them to existing customers. Mitigation services offered by generalists may be adequate for small, simple attacks. But if your online applications are essential to day-to-day business operations, a specialist DDoS protection provider is the best and lowest risk choice for your organization.
Get the latest from imperva
The latest news from our experts in the fast-changing world of application, data, and edge security.