Combatting the DDoS Traffic Jam

November 28, 2018
IT Security, IT Services


No one likes traffic jams. The roadway clogs up with excessive traffic, preventing people from getting to where they’re going. Distributed denial of service (DDoS) attacks are much the same.

A DDoS attack is a malicious attempt to disrupt normal traffic of a server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. The large volumes of traffic attackers send to your servers overload them, creating a denial-of-service to normal traffic so your stakeholders can’t get the services or capabilities from you that they expect.

With a traffic jam, the accident or broken-down vehicle causing the delay is eventually cleared away and things go back to normal. That’s not the case with a DDoS attack. If successful, it can knock you offline and put you out of business.

There are different types of DDoS attacks and a variety of tactics for combatting them. The best mitigation strategy, however, is to use a multi-pronged approach. The following are some of the components to include.

Rate Limiting

One of the most common tactics for combatting DDoS attacks is rate-limiting. It controls the rate of backend requests or login attempts at the edge to limit the damage from application DDoS attacks. Rate limiting looks at application-layer behavior and determines whether the behavior adheres to recognized, legitimate patterns.

The problem is that rate-limiting allows all traffic through unless it’s explicitly known to be malicious. A more effective approach is to learn what constitutes normal user behavior and establish a baseline of legitimate traffic patterns. That way you’re better positioned to block any request that does not conform to this traffic pattern — blocking the obvious malicious traffic as well as the not-so-obvious.
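The two approaches contrasted above, a fixed per-client limit enforced at the edge and a baseline learned from known-good traffic, side by side as an added example; this is not code from the original post or from US Signal's service, and the access log, documentation-range addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
import statistics

# Constructed sample edge access log as (timestamp_seconds, client_ip).
# Normal period: 3 requests/s spread across 7 clients for 600 s.
NORMAL_TRAFFIC = [(i // 3, "198.51.100.%d" % (i % 7)) for i in range(1800)]
# Flood period: one client sending 50 requests/s for 40 s after the normal period.
FLOOD_TRAFFIC = [(600 + i // 50, "203.0.113.7") for i in range(2000)]
ALL_TRAFFIC = NORMAL_TRAFFIC + FLOOD_TRAFFIC

class SlidingWindowLimiter:
    """Per-client sliding-window edge rate limit: at most max_requests per window."""
    def __init__(self, max_requests, window_seconds):
        self.max_requests, self.window = max_requests, window_seconds
        self.history = defaultdict(deque)

    def allow(self, client, now):
        q = self.history[client]
        while q and q[0] <= now - self.window:  # forget requests outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

def bucket_counts(requests, bucket_seconds=10):
    """Requests per (client, time bucket); the unit the baseline is learned on."""
    counts = defaultdict(int)
    for ts, client in requests:
        counts[(client, ts // bucket_seconds)] += 1
    return counts

def learn_baseline(normal_requests):
    """Mean and population stdev of per-client bucket counts in known-good traffic."""
    values = list(bucket_counts(normal_requests).values())
    return statistics.mean(values), statistics.pstdev(values)

def find_anomalous_clients(requests, mean, stdev, sigma=3.0):
    """Clients with any bucket count above the learned baseline (mean + sigma*stdev)."""
    threshold = mean + sigma * stdev
    return sorted({c for (c, _), n in bucket_counts(requests).items() if n > threshold})

def apply_limiter(requests, limiter):
    """Replay a log through a limiter; returns {client: (allowed, blocked)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, client in requests:
        stats[client][0 if limiter.allow(client, ts) else 1] += 1
    return {c: tuple(v) for c, v in stats.items()}
```

The fixed limit (20 requests per 10 s here) still lets the flooding client through at the cap every window, while the learned baseline flags that client outright because its rate is far outside what the normal clients ever do.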

Web Application Firewall

A lot of DDoS attacks attempt to exploit an application vulnerability. A web application firewall (WAF) can be a good deterrent. By deploying a WAF in front of a web application, a shield is placed between the web application and the internet. While a proxy server protects a client machine’s identity by using an intermediary, a WAF protects the server from exposure by having clients pass through the WAF before reaching the server.

A WAF operates through a set of rules often called policies, which filter out malicious traffic. The value of a WAF comes in part from the speed and ease with which policy modification can be implemented, allowing for a faster response to varying attack vectors.

WAFs come in three varieties:

  • A network-based WAF is generally hardware-based. Installed locally, it can minimize latency. However, it’s the most expensive of the three options and requires physical equipment.
  • A host-based WAF can be fully integrated into an application’s software. It’s more customizable and less expensive than a network-based WAF. Its disadvantages include the consumption of local server resources, implementation complexity, and maintenance costs.
  • A cloud-based WAF entails a turnkey installation that’s as simple as a change in DNS to redirect traffic. There’s minimal upfront cost; you pay monthly or annually for security “as a service”. Cloud-based WAFs are also consistently updated to protect against the newest threats without any additional work or cost on your end. The downside is that you must count on a third party for it.

Black Hole Routing

Another option is for network administrators to create a blackhole route and funnel traffic into that route. When blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route or blackhole and dropped from the network. If an Internet property is experiencing a DDoS attack, the property’s Internet service provider (ISP) may send all the site’s traffic into a black hole as a defense.

Cloud Scrubbing

Yet another tactic for combatting DDoS attacks is cloud scrubbing. Cloud-based scrubbing employs separate DDoS traffic-cleaning engines. The solution starts with edge routers that monitor the internet flow to a website to look for anomalies such as an increase in connections or bandwidth usage. Once bursts of attack traffic have been identified, in most cases a human analyst comes on the scene to determine whether intervention is required.

There are three major disadvantages to cloud scrubbing. First, it can be expensive. Companies typically pay a monthly subscription for an on-demand scrubbing service and then pay additional fees for scrubbing as needed. This makes budgeting for DDoS attacks unpredictable, and potentially expensive depending on the volume of a DDoS attack. Always-on cloud services are an option but tend to be too expensive for most companies’ IT budgets.

Second, human intervention adds latency to the remediation process. Third, traditional scrubbing doesn’t address multi-layer attacks, which are becoming more prevalent.

The Total Solution

While each of the DDoS mitigation tactics has its advantages, the more effective approach is one that combines multiple tactics.

To learn more, watch our free webinar, “Approaches to DDoS Mitigation: How to Choose Between Network-based, Cloud-based and Hybrid Solutions.” Our own David McClure, product development manager for US Signal’s DDoS Protection service, will discuss various DDoS mitigation tactics and walk you through the decision-making process for choosing a strategy that’s right for your company.

You can also take advantage of these free DDoS resources:

Checklist: DDoS Protection Needs and Wants

DDoS Protection in Five Steps