DDoS: Ubiquitous Threat
A recent industry study showed that some 75% of IT decision makers have suffered at least one DDoS in the past 12 months, and 31% reported service disruption as a result of these attacks. As more and more commercial and governmental organizations are discovering the hard way, DDoS is a threat that cannot be ignored.
The secret of DDoS “success”? Many DDoS attacks succeed not because of the skill or resources at the attackers’ command, but because of a lack of preparation on the defender’s side. Security managers who are adept at handling threats like intrusion, web application exploits, and worms may not yet be fully aware that dealing with DDoS requires a dedicated and unique toolbox.
“@film_girl I’m taking godaddy down because well i’d like to test how the cyber security is safe and for more reasons that i can not talk now”
– Tweeted by @AnonymousOwn3r – September 10, 2012, 09:57PM
The resulting DDoS attack took down GoDaddy, along with an untold number of websites, for several hours. @AnonymousOwn3r later clarified that he was operating single-handedly.
DDoS stands for “Distributed Denial of Service.” A DDoS attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet.
Unlike a Denial of Service (DoS) attack, in which one computer and one Internet connection are used to flood a targeted resource with packets, a DDoS attack uses many computers and many Internet connections, often distributed globally in what is referred to as a botnet.
DDoS prevention/detection techniques
First, it should be clarified that there is no such thing as “DDoS Prevention,” because you can’t prevent the attack itself. What you can prevent, and prevent quite effectively, is damage caused by a DDoS attack.
The first step to preventing DDoS damage is to identify that you’re under attack. This may sound trivial, but sophisticated DDoS attacks actually mimic standard web application traffic – which makes them “look,” at least at the outset, like regular traffic. Yes, eventually you’ll get the feeling that something is wrong, but by then it might be too late.
The more advanced DDoS prevention tools can effectively detect malicious traffic, differentiate it from legitimate traffic, and alert security staff to an ongoing attack before the damage is done. This is done by leveraging a combination of anomaly detection and application-level controls. Some of the red flags these advanced tools look for are:
- Identifying excessive requests from a single user session or source, since attacking bots almost always request web pages faster and more often than real users. After detecting such suspicious behavior, the next step is to identify the visitor through a combination of signature-based and challenge-based tests which, when accurate, provide reliable information about the visitor and its motives.
- Watching for known attack types or application attack signatures, since many DDoS attacks still rely on simple techniques like not completing TCP handshakes, fragmented packets, or spoofing.
- Distinguishing malicious requests by attributes and aftermath. Malicious requests often do not conform to standard HTTP protocols – like the Slowloris DDoS, which includes redundant HTTP headers. Other DDoS clients request web pages that don’t exist, purposefully slow web server response time, or generate web server errors.
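As an added example (not part of the original article), the script below applies the first and third red flags to constructed access-log lines: it parses Common Log Format records, then flags a source that exceeds a request-rate threshold within a sliding window or whose responses are mostly errors (such as requests for pages that do not exist). The thresholds, addresses and log lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: source ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')


def parse_line(line):
    """Return (source, datetime, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return src, when, method, path, int(status)


def flag_sources(lines, window_s=10, max_req=20, max_err_ratio=0.5, min_req=5):
    """Return {source: [reasons]} for sources that trip either rule.
    Rate rule: more than max_req requests inside any window_s seconds.
    Error rule: more than max_err_ratio of responses are 4xx/5xx (needs min_req requests)."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec[0]].append(rec)
    flagged = {}
    for src, recs in by_src.items():
        times = sorted(r[1].timestamp() for r in recs)
        reasons = []
        start = 0  # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 > max_req:
                reasons.append(f"{end - start + 1} requests within {window_s}s")
                break
        errors = sum(1 for r in recs if r[4] >= 400)
        if len(recs) >= min_req and errors / len(recs) > max_err_ratio:
            reasons.append(f"{errors}/{len(recs)} responses were errors")
        if reasons:
            flagged[src] = reasons
    return flagged


def _line(src, sec, path, status):  # helper to build constructed sample lines
    return f'{src} - - [10/Sep/2012:21:57:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 0'


# Constructed sample: one human-like visitor and one source hammering non-existent pages.
SAMPLE_LOG = [_line("203.0.113.7", s, p, 200) for s, p in ((0, "/"), (15, "/about"), (40, "/contact"))]
SAMPLE_LOG += [_line("198.51.100.9", i % 5, f"/nope-{i}", 404) for i in range(25)]

if __name__ == "__main__":
    for src, why in flag_sources(SAMPLE_LOG).items():
        print(src, "->", "; ".join(why))
```

In a real deployment the flagged source would be handed to the challenge step described above rather than blocked outright, since a busy NAT gateway can also exceed a naive rate threshold.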
Multi-layered DDoS defense
The best practice for preventing DDoS damage is to have a multi-layered defense system in place. This system would ideally include both identification (see above) and absorption capabilities.
The DDoS prevention solution you choose needs to scale massively to absorb DDoS traffic, especially since average DDoS attacks are getting both larger and more amplified. For example, sending a 100-byte spoofed DNS request to an open DNS or open “public” SNMP server results in 20 times that amount of traffic being thrown at your website.
A DDoS prevention tool needs to be able to absorb arbitrary, yet massive, amounts of traffic. Service providers do this by building large 20 gigabyte data centers and distributing traffic among them when possible. Appliance vendors deal with it by stacking and cloudifying their appliances. Arbor Networks, for example, connects dozens of Arbor devices at various ISP clouds to mitigate attacks close to the source. Find the path to absorption that works best, and is most cost-effective, for your needs.
Cloud-based DDoS protection service from Imperva
If your site is under attack, or even under threat of attack, the Imperva cloud-based DDoS Protection Service offers rapid roll-out and outstanding price-performance, and requires no hardware or software installation.
Imperva protects against all types of DDoS attacks, including:
- Volume Based Attacks
Imperva’s global scrubbing center network scales on demand to absorb multi-gigabyte DDoS attacks. This is often known as DDoS deflation.
- Protocol Attacks
Imperva mitigates protocol attacks by blocking “bad” traffic before it reaches your site. Imperva does this by differentiating between malicious or automated clients and legitimate website visitors (human or bot).
- Application Layer Attacks
Imperva constantly monitors the behavior of your site visitors, blocks known bad bots, and challenges unrecognized visitors with a JS test, a cookie challenge, or even CAPTCHAs.
Imperva’s extensive DDoS threat knowledge base is constantly updated to keep track of new and emerging attack methods. Incapsula identifies new threats as they emerge, identifying malicious users and remedying attacks in real time.
DDoS protection services from Imperva are implemented outside your network. This means that only filtered traffic reaches your hosts – protecting your investment in hardware, software, and network infrastructure, while simultaneously ensuring the continuity of your business.