Best Practices for DDoS Protection
DDoS attacks have been around pretty much as long as the Internet’s been around – and they still pose significant risks today for organizations of all sizes and types. But while the network security team is responsible for DDoS prevention, detection, and remediation, it’s not just a network security problem. Because DDoS can shut down an organization for hours – or even days – business repercussions can be significant.
There are many different kinds of DDoS attacks, but they can all be categorized into the following major groups:
Volumetric or connectionless attacks. This is the most common form of DDoS attack and the goal is to overwhelm a site’s bandwidth. These attacks use botnets – networks of infected systems – to flood the target network with so much traffic that operations are slowed or interrupted completely.
TCP state-exhaustion or protocol attacks. These attacks target Web servers, firewalls, load balancers, and other infrastructure elements to disrupt services by exhausting the number of connections these systems can support.
Application-layer or layer-7 attacks. These attacks exploit specific weaknesses in applications, as opposed to network services.
Zero-day attacks. These attacks target previously unknown vulnerabilities in a system or application for which there is no fix or patch yet available.
Irrespective of the business size or location, DDoS attack protection programs are mandatory today. Here are a few best practices that will help you get started.
- Recognize Attack Types
Your ability to identify the attack type early, before the attackers achieve their goal, is an integral part of the protection program. There are three common types of attacks that your business may encounter.
Layer 7, Application Layer or HTTP Flooding
This kind of application-layer attack targets an application with requests from multiple sources. Such attacks generate high volumes of POST, GET or other HTTP requests, causing service downtime ranging from hours to weeks. Layer 7 attacks are widely used to bring down ecommerce, banking and startup websites because of their low cost and ease of operation.
An attacker chokes the target server or network with request traffic bounced off open NTP or DNS servers. This Layer 3 or 4 (Network or Transport) traffic is amplified: the response payload is massive in comparison to the size of the request, hence overwhelming the service.
Disrupting DNS resolution can also make an application, network or server unavailable.
- Create DDoS Attack Threat Model
To keep up with exponential growth and customer demands, most new-age businesses struggle to keep an inventory of their web resources. New applications, systems, customer portals, marketing domains, payment gateways and other resources are created and retired frequently. Are your web resources organized?
Create a database of all the web assets that you’d like to be protected from DDoS attacks, like an inventory sheet. It should contain network details, protocols in use, domains, number of applications, their use, last updated version, and so forth.
- Set DDoS Priority Buckets
Are all the web resources equal? What are the assets that you’d want to be protected first?
Begin with defining priorities and criticality of your web resources. For instance, business and data-centric web resources should be under the critical bucket with 24/7 protection against all kinds of DDoS attacks.
Critical: Put here all the assets whose compromise would affect business transactions or your reputation. Hackers will have a higher motivation to target these resources first.
High: This bucket should include web assets that can hamper day-to-day business operations.
Normal: Everything else should be included here.
You can create another priority bucket for networks, domains, applications and other services that are no longer in use. Move them out of the business operations network as soon as possible.
- Test and Patch Vulnerabilities
Irrespective of the layer of DDoS attack, testing and patching should be a priority across the business. While volumetric attacks can hurt any business, unpatched vulnerabilities give hackers other means of attack.
Test all the web resources for vulnerabilities daily, or as frequently as possible.
Deploy patches and updates as a priority. The lag between availability and deployment in applications, systems and networks often leads to attacks.
Stay updated on zero-day vulnerabilities and their patches.
- Get DDoS Protection Tools
There are many tools available in the market that help you detect and defend critical web resources from DDoS attacks. It is important to understand that these tools fall into one of two distinct categories: detection and mitigation.
Detection: Irrespective of the layer of attack, mitigation depends on your ability to detect fake traffic surges before they cause any serious damage. The majority of DDoS protection tools rely on signatures and source details to warn you. They rely on traffic hitting critical mass, which already affects service availability. However, detection alone is not enough; it needs manual intervention to look at the data and to apply protection rules.
Automated Mitigation: Can DDoS protection be automated? Many anti-DDoS solutions redirect or block fake traffic based on preconfigured rules and policies. While automatic filtering of bad traffic at the application or network layer is desirable, attackers have found newer ways of beating these policies, especially on the application layer.
The frequency and strength of attacks on the application layer have forced business owners to look beyond network options. The above-mentioned tools would fail to provide thorough protection against layer 7 attacks.
- Deploy Web Application Firewall
Layer 7 DDoS attacks are more difficult to stop. Traffic from such attacks mimics normal user behaviour and requires application-layer expertise for detection and mitigation. In comparison to Layer 3 or Layer 4 DDoS attacks, Layer 7 attacks are more likely to cause financial and reputational damage.
A Web Application Firewall (WAF) or Layer 7 Firewall is the best defence against volumetric attacks. It blocks malicious traffic trying to exploit vulnerabilities in the application. A WAF such as AppTrana also backs DDoS protection with round-the-clock monitoring from security experts to identify fake traffic surges and to block them without affecting legitimate traffic.
- Monitor Incoming Traffic
Traffic logs provide minute-to-minute updates on the communications taking place on your application or network. There are gigabytes of data streaming across multiple locations, and monitoring it all at a single location provides an excellent view of anomalies.
Continuous traffic flow monitoring and analysis will help your organization learn from historic attack data and attack patterns. Moreover, centralized monitoring becomes even more critical in the application layer. Your cybersecurity team can flag traffic surges based on anomalies, botnet signatures, and suspicious behavior.
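As an added example (not code from the original article or from AppTrana), the script below shows the kind of traffic-surge flagging described in the attack-type and monitoring sections: it parses constructed common-log-format access lines, counts each client's requests per minute, and reports sources whose peak rate exceeds a baseline. The baseline, multiplier and minimum threshold are assumed values a security team would tune to its own traffic.

```python
"""Flag candidate Layer 7 HTTP flood sources in web-server access logs.
Added example; the log lines and thresholds below are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common log format: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, minute_bucket, method, path) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts.replace(second=0, microsecond=0), m["method"], m["path"]


def requests_per_minute(lines):
    """Count requests per (client ip, minute) across the log."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, minute, _method, _path = parsed
            counts[(ip, minute)] += 1
    return counts


def flag_flood_sources(lines, baseline_rpm, factor=5, minimum=20):
    """Return {ip: peak_rpm} for clients whose busiest minute exceeds
    max(baseline_rpm * factor, minimum). Baseline is the normal per-client
    rate learned from historic traffic; factor/minimum are assumed tunables."""
    threshold = max(baseline_rpm * factor, minimum)
    peaks = defaultdict(int)
    for (ip, _minute), n in requests_per_minute(lines).items():
        peaks[ip] = max(peaks[ip], n)
    return {ip: peak for ip, peak in peaks.items() if peak > threshold}


def build_sample_log():
    """Constructed log: two ordinary clients plus one source hammering /login."""
    tmpl = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "{m} {p} HTTP/1.1" 200 512'
    lines = [tmpl.format(ip="198.51.100.7", sec=s, m="GET", p="/index.html") for s in (1, 20, 45)]
    lines += [tmpl.format(ip="198.51.100.8", sec=s, m="GET", p="/about") for s in (5, 50)]
    lines += [tmpl.format(ip="203.0.113.10", sec=s, m="POST", p="/login") for s in range(0, 60, 2)]
    return lines  # 3 + 2 + 30 lines, all within the same minute


if __name__ == "__main__":
    print(flag_flood_sources(build_sample_log(), baseline_rpm=3))  # {'203.0.113.10': 30}
```

A per-client rate is only one signal; the same counting can be keyed by path or User-Agent to catch distributed floods where no single source stands out.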