7 strategies of dealing with DDoS attacks
DDoS attacks can affect any organization connected to the Internet – regardless of size or bandwidth – and if successful, will result in business losses. So how can you defend your company against this?
In this post, we’ll cover the different approaches companies take to protect themselves from DDoS attacks, and the solutions you can use. If you need an explanation of what a DDoS attack is, you can find it near the end of this post.
Protection provided by your Internet provider
The simplest solution is to order anti-DDoS protection from your Internet connection provider. If your provider doesn’t provide such a service, consider changing it to one that uses a professional, carrier-class anti-DDoS system.
Advantages of protection provided directly by the carrier:
- The operator cares as much as you do that the system works correctly and effectively, because it does not want volumetric attacks to burden its network unnecessarily – you are both pulling in the same direction
- Virtually no added delay from traffic scrubbing, because everything happens within a single network
- Easy management of services in a single panel: a view of link utilisation, reports on DDoS attacks, the option to change the protection plan
- Convenient billing for services on a single invoice.
The anti-DDoS protection system consists of two mechanisms. The first one monitors and regularly samples your incoming traffic, checking its quality in the carrier’s backbone network – even before it reaches your link. If an anomaly is detected, a second mechanism comes into action. The traffic is redirected to a so-called scrubbing center located on the operator’s servers, where the suspicious part of the traffic is filtered out. The rest, i.e. the legitimate traffic, is sent on to the receiver. In extremely heavy attacks, scrubbing may prove insufficient and it becomes necessary to “cut off” all incoming traffic (this is called blackholing) until the attack is over. This is an extreme measure, because it also means losing normal, and therefore desirable, IP traffic.
This is the general principle of operation, but as with everything, not every system is equally effective. So what features ensure high effectiveness? Here are the main ones:
- Instant detection of anomalies/attacks and short time from detection to activation of defense procedure (attack mitigation)
- Automatic response (exclusion of unreliable human factor)
- In-depth, self-learning traffic monitoring algorithms based on a global, rich and continuously updated signature database
- Frequent sampling of traffic to look for deviations from the norm
Among Polish providers of B2B Internet access, Atman, for example, offers such a solution. One of the Atman Anti-DDoS system’s unique features is the extended period of sending traffic through the scrubbing center – up to 15 minutes after the observed end of the attack.
In Atman’s experience and analysis, pulsed attacks are quite common, i.e. a few minutes or so after the attack ends, another wave arrives, followed by another. If scrubbing is turned off immediately after an attack expires, its next wave must be detected again and the entire process has to be repeated – as if it were a completely new attack. Keeping protection active after an attack therefore, in many cases, saves the time required to restart it, allowing the Atman client to operate without undue disruption. An additional advantage of Atman Anti-DDoS is the ability to set scrubbing precisely at the level of a single service instead of the entire IP address.
Your Internet provider’s anti-DDoS protection has virtually no weaknesses: it’s permanent, automatic, adjustable (protection plans), and has no side effects in terms of latency or transfer of traffic (and thus data) to an external entity. You don’t have to maintain any additional devices or change anything in your network configuration. In addition, the costs are known and therefore easy to budget for, because you pay a fixed subscription unaffected by the number, size or duration of attacks.
Your own solution at the edge of the corporate network
Of course, in theory, you could purchase a similar hardware solution and maintain it yourself at the edge of your network. Only in theory, because it is simply an expensive investment. Besides, it is difficult to assess the performance parameters of such a solution, because the volume and sophistication of DDoS attacks are constantly growing. Quite soon after the system is implemented, it may therefore prove inadequate, and then it will require constant development to achieve satisfactory efficiency, which means even higher costs for your company.
There are also non-telecom companies that offer anti-DDoS protection as a cloud-based service. In this case, it doesn’t matter who provides your internet connection.
There are two variants of such protection: redirecting traffic when an attack/anomaly occurs, or permanently redirecting all traffic to an external scrubbing center located in the cloud.
In the first case, the redirection of incoming traffic to the cloud is triggered by an anomaly. In the cloud, the service provider filters out the bad traffic and sends the correct traffic back to you. You are billed for the volume of traffic routed, so no attacks/anomalies means no costs, which may seem like an advantage. However, depending on the frequency and volume of attacks, the costs can become overwhelming and are difficult to predict, or even roughly estimate and budget for.
In the second case, the mechanism is identical, except that all incoming traffic is redirected to the cloud before it reaches you. Only there does the service provider check its quality and, where necessary, filter out the suspicious part. Only traffic rated as normal and safe reaches you. Sounds great, but note that this adds permanent latency to every packet, which may not be acceptable in certain industries or types of business.
Both options share a formal and legal problem. The traffic goes to the cloud, which is made up of servers in data centers scattered around the world, because that is how global providers deliver the service. And that means the likelihood of your customers’ data being transferred outside the European Union, and possible non-compliance with the GDPR (RODO).
Premeditated rejection of part of the traffic
One way to defend against DDoS attacks is to permanently block all incoming traffic from sources that are – in your opinion – suspicious. You can have your ISP do this by indicating which countries or regions of the world you do not want to receive traffic from. This solution can be effective, or at least sufficient, as long as you are able to identify where your customers/partners/suppliers contact you from and where they do not – and only until attacks start being generated in those “good” parts of the globe.
It is also worth remembering that by mechanically cutting traffic on geographic criteria you risk losing the correct and most desirable traffic, for example a company approaching you with an offer of cooperation, or your first contractor from a given region of the world.
A giant Internet connection
What if you simply bought many times more bandwidth than your company needs to run your business? You can hope that in the event of an attack, it will handle the increased traffic without compromising the desired communication. Hope – but not certainty.
First of all, as we mentioned, attack volumes are growing by leaps and bounds and you may encounter an attack larger than your link can accommodate. Besides, not all DDoS attacks rely on flooding a link with masses of fake traffic (volumetric attacks). Some are designed to keep applications busy for hours with unnecessary operations, exhausting their memory (application attacks). Such long-lasting “clogging” of key systems can significantly hinder or even prevent daily business operations.
Also think about the cost of such a solution. If your company only needs 1 Gbps, and you buy, let’s say, 30 Gbps, you pay a considerable monthly subscription fee for a lot of unused bandwidth – and you have no guarantee that one day you won’t fall victim to a successful DDoS attack.
"But I already have protection: firewall, IPS, antimalware, etc."
Unfortunately, securing the edge of your network with solutions like firewalls, an Intrusion Prevention System or even a Security Operations Center is not enough. Such security mechanisms are obviously needed and effective, but against completely different types of online threats. Just as a viral infection cannot be fought with an antibiotic, DDoS attacks require targeted protection.
The "wait-and-see" strategy
There is a perception in some companies that anti-DDoS protection is an unnecessary cost. When an attack occurs, simply wait it out and then resume work as if nothing ever happened. This may seem like a good and low-budget idea for dealing with the problem – but probably only until the first attack.
Imagine the consequences of your website or e-commerce being unavailable, of being unable to serve customers or manage deliveries, of losing contact with business partners: lost deals or contracts, orders not fulfilled on time, customers turning to competitors and partners wondering whether you can be relied upon.
It is impossible to predict either when the attack will occur or when it will end. And the longer it goes on, the more financial and image damage the company suffers. Passively waiting for a DDoS attack to end is like watching money spill out of your wallet straight into the river. And what if a competitor finds out about this vulnerability in your business and wants to exploit it?
What is a DDoS attack?
DDoS (Distributed Denial of Service) is a distributed but coordinated attack on a network or information system in order to block it. It is usually run by a botnet of hundreds of thousands of infected computers and other IP devices. DDoS is available as a service – you don’t need expertise, just order and pay. And the prices, unfortunately, are quite affordable.
There are two types of DDoS attacks:
- A volumetric attack involves sending unwanted data in bulk to a specified IP address, which “clogs” the link so that regular Internet traffic cannot get through. The Internet connection is working, but it is not powerful enough to handle the incoming data. In the real world, it would look like real customers being unable to enter the store, and no one being able to leave, because a large group of fake customers spends hours making a fuss and creating an artificial crowd in front of the too-narrow door, de facto blocking it.
- An application attack is the exhaustion of a web application’s IT resources, e.g. computing power or memory, and does not have to be large at all. A properly prepared, individually tailored, long-lasting low-volume attack (“low & slow”) can disrupt operations to the extent that the company cannot function properly, and can cause serious business damage. Let’s assume that in the aforementioned brick-and-mortar shop, for many days, several quasi-customers appear who intrusively ask the shop assistants questions, demand to be shown more and more new products, make false complaints or even start arguments. By absorbing the store staff, they prevent or delay service to genuine customers, who lose patience and leave to seek out a competitor’s establishment.
In small businesses, there is often a perception that DDoS attacks only target large enterprises. Meanwhile, most attacks are carried out by botnets that do not analyze their targets but attack blindly, so absolutely any business can fall victim to cybercriminals’ actions. Besides, the brutal truth is that a DDoS attack on your company can be ordered by, for example, a competitor who does not respect the rules of fair play.
The third time’s the charm – use our experience
Atman has deployed its third version of the Atman Anti-DDoS system. We analyzed the experience gathered and learned from the shortcomings and inefficiencies of the previous systems. This knowledge helped us define the conditions that a highly effective anti-DDoS protection solution should meet. That’s why we opted for a customized solution combining technologies from world-renowned Radware and Flowmon. Join those who don’t wait for the first attack to learn about the necessity of DDoS protection.