DDoS attack prevention and protection explained

July 14, 2020  |  Ericka Chickowski

This blog was written by a third party author.

Why DDoS prevention is paramount

Distributed denial of Service (DDoS) attacks stand as some of the most disruptive and costly cyberattacks that organizations face on a regular basis. Cyber criminals use DDoS attacks to make websites and other online services unavailable for legitimate use.

They do this by coordinating a flood of malicious traffic to overwhelm the victim's IT infrastructure by eating up bandwidth, tripping up protocol processes, and consuming server resources to cause malfunction. Not only do attackers use DDoS as a way to take down vital systems businesses depend upon, but also as a diversion to hide other fraud or data theft. 

Some security experts and analysts report that:

Negative DDOS impact

The disruption of DDoS attacks can threaten business resilience on many fronts:

  • Customer experience: Customers cannot connect with company resources online via web site, mobile app, or email
  • Revenue streams: Downtime on retail sites or apps prevents purchases from going through
  • Employee productivity: Employees are unable to access email, VoIP, or online resources to get their work done
  • Brand reputation: The inability to absorb or repel DDoS attacks can garner bad press and make the world think less of your business

DDoS Defense Service

Cloud-based monitoring of volumetric DDoS attacks to help prevent malicious traffic from entering your network.

Learn more

Key vulnerabilities for DDoS attacks

The typical DDoS attack tends to prey upon weaknesses in the way systems are designed to communicate rather than outright vulnerabilities in software code.

For example, most volumetric DDoS attacks send an influx of traffic from all over the world to a specific target with the goal of completely saturating bandwidth available on that system's network. In this case the exploited vulnerability is a lack of infrastructure resilience to absorb the flood of traffic.

SYN flood attack

In other instances, DDoS attackers seek out weaknesses in how protocols work or how they're configured in order to prompt system time outs and crashes. The classic example here is the SYN flood attack, which overwhelms servers with half-open TCP protocol connections. The attacker does this by initiating a whole bunch of connection requests without completing the TCP three-way handshake, thereby filling up system resources with half-open connections so there's no room to fully open legitimate TCP connections.  The vulnerability being exploited in this case is in the way the server has been configured to handle half-open connection requests.

Cybercriminals can also take advantage of chinks in the communication armor at the application layer to carry out DDoS attacks. For example, with HTTP flood attacks, criminals take advantage of the inherent trust a web server may have in every request coming from a client browser. Without some means of detecting traffic is malicious, a web server exhausts itself by trying to fulfill concentrated and voluminous requests for database calls or random information that come from attackers' botnets.

Exploring your DDoS defense options

As with any other type of cybersecurity defense, DDoS defense requires a layered approach. A sound DDoS mitigation strategy includes robust architectures, careful monitoring, targeted security controls, and well-planned incident response.

Some of the key options for battling DDoS attempts include:

Resilience and redundancy

The foundation of any DDoS defense is a robust architecture engineered for resilience and redundancy. This means beefing up bandwidth capabilities, segmenting networks and data centers, configuring apps and protocols for greater resiliency, and establishing mirroring for failover when things go wrong.

Monitoring and traffic analysis

Defending proactively against DDoS requires organizations to keep their guard up with 24/7 monitoring to track all bot activity on the network, identify unknown bots, and quickly locate potential attacks early in order to respond before DDoS traffic overwhelms resources.

Scrubbing and filtering

Even the most resilient infrastructure is no match to absorb the most intense DDoS assaults of today without added layers of DDoS mitigation to help divert and deflect the malicious traffic. DDoS mitigation mechanisms should be able to move quickly based on monitoring and traffic analysis to perform packet scrubbing and filter out malicious from impacting targeted systems.

Planning and stress testing

Organizations should have a DDoS response plan ready, with playbooks developed for numerous DDoS attack scenarios to speed up response and dampen the impact. Organizations should also consider regular stress-testing to ensure the effectiveness of DDoS defenses.

On premises vs cloud solutions

On-premises solutions for fighting DDoS attacks tend to rely on a combination of DDoS mitigation hardware devices, firewalls, and unified threat management appliances. While some organizations are attracted to the perception of internal control afforded by keeping these devices on-premises, they give up the advantage of responsiveness, affordability, and scalability in return.

On-premises DDoS defenses require internal teams to create lots of tweaks to firewall deny rules and appliance tuning. What's more, DDoS mitigation appliances equipped with advanced traffic filtering are costly and, further, on-premises devices are bounded by on-premises network connectivity in how much traffic they can deflect or absorb.

Cloud DDoS solutions, on the other hand, are able to neutralize even the most intense floods of DDoS traffic before they pass through on-premises systems, filtering out malicious packets in the cloud. These affordable solutions can be fully managed or triggered as an on-call reactive service that's triggered through automated or manual intervention.

FAQ

Where does malicious DDoS traffic come from?

Cybercriminals typically employ remote controlled networks of compromised machines called botnets. Sometimes referred to as bots or as zombies, these compromised machines can be laptops, desktops, servers, or even IoT devices. Attackers coordinate these machines to create distributed sources of attack traffic to overwhelm an organization infrastructure.

Why should DDoS attacks worry cybersecurity professionals?

DDoS attacks can wreak havoc on the availability of profitable online resources and can also serve as a diversionary tactic to carry out other illicit activities elsewhere on the network.

How much does DDoS cost annually?

Some sources calculate that the average company victim loses $218,339 per DDoS attack, with US organizations losing an aggregate of $10B per year from these attacks.

Share this with others

Tags: