Distributed Denial of Service (DDoS) attacks are so pervasive that they have become “business as usual” for many companies. However, that doesn’t mean organizations must tolerate the business slowdowns or downtime associated with successful attacks.
The key is to put protections in place to prevent attacks or to mitigate them when they do happen. Numerous tactics for DDoS protection are now available. Download this infographic to learn about 10 of them, or read the full write-up below.
Educate your internal teams (IT, Security, Web & Marketing) to spot the signs of DDoS or related application attacks. This can help you identify potential threats faster and respond sooner.
In the case of an application attack, the marketing team might notice an abnormal and significant increase in form submissions, or perhaps there’s a significant decline in transactions with a rise in items held in shopping carts. Being able to identify these types of attacks helps you take proper action.
Monitor web traffic and set up alerts for suspicious spikes in traffic, especially smaller spikes that hit specific high-risk pages like a login or admin area.
If you have a properly configured DDoS mitigation solution, you can get alerts from it as well. If not, monitoring your web-facing assets can help you identify malicious attacks, especially harder-to-identify application layer attacks.
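The monitoring idea above can be turned into a simple check over access logs. The following is an added example, not code from the original post or from US Signal: it buckets requests per path and minute, alerts on a small fixed burst against a high-risk page (login, admin), and on ordinary pages only when a minute is both busy and far above the median of the preceding minutes. The log format, path list, thresholds and the sample log lines are all constructed for illustration.

```python
"""Added example (not from the original post): flag request spikes on
high-risk pages in a web access log, so a handful of login attempts per
minute raises an alert while ordinary pages need a much larger jump.
Log format, paths and thresholds are assumptions for illustration."""
import re
from collections import defaultdict
from statistics import median

# Pages where even a small burst is worth an alert (assumed list, tune per site).
HIGH_RISK_PATHS = {"/login", "/admin", "/wp-login.php"}

# Constructed sample lines:  <ip> [<ISO timestamp>] "<method> <path>" <status>
SAMPLE_LOG = """\
203.0.113.5 [2024-05-01T10:00:01] "GET /index.html" 200
203.0.113.6 [2024-05-01T10:00:05] "GET /index.html" 200
203.0.113.7 [2024-05-01T10:00:09] "GET /products" 200
203.0.113.5 [2024-05-01T10:00:30] "POST /login" 200
203.0.113.8 [2024-05-01T10:01:02] "GET /index.html" 200
203.0.113.9 [2024-05-01T10:01:15] "POST /login" 200
203.0.113.6 [2024-05-01T10:01:40] "GET /products" 200
198.51.100.7 [2024-05-01T10:02:01] "POST /login" 401
198.51.100.7 [2024-05-01T10:02:01] "POST /login" 401
198.51.100.7 [2024-05-01T10:02:02] "POST /login" 401
198.51.100.8 [2024-05-01T10:02:02] "POST /login" 401
198.51.100.7 [2024-05-01T10:02:03] "POST /login" 401
198.51.100.9 [2024-05-01T10:02:03] "POST /login" 401
203.0.113.5 [2024-05-01T10:02:10] "GET /index.html" 200
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:16]   # drop the seconds: "2024-05-01T10:02"
    rec["status"] = int(rec["status"])
    return rec


def bucket_by_minute(lines):
    """Group parsed requests as {path: {minute: [records]}}."""
    buckets = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[rec["path"]][rec["minute"]].append(rec)
    return buckets


def find_spikes(lines, high_risk_paths=HIGH_RISK_PATHS,
                risk_threshold=5, spike_factor=4, general_min=20):
    """Return a list of alert dicts. High-risk pages alert at a fixed small
    count; other pages alert only when a minute has at least general_min
    requests and is spike_factor times the median of earlier minutes."""
    alerts = []
    for path, per_minute in bucket_by_minute(lines).items():
        minutes = sorted(per_minute)
        for i, minute in enumerate(minutes):
            recs = per_minute[minute]
            n = len(recs)
            history = [len(per_minute[m]) for m in minutes[:i]]
            baseline = median(history) if history else 0
            if path in high_risk_paths:
                triggered = n >= risk_threshold
                reason = "high-risk page burst"
            else:
                triggered = n >= general_min and n >= spike_factor * max(baseline, 1)
                reason = "traffic spike vs. baseline"
            if triggered:
                alerts.append({
                    "minute": minute, "path": path, "requests": n,
                    "clients": len({r["ip"] for r in recs}),
                    "failed": sum(1 for r in recs if r["status"] >= 400),
                    "baseline": baseline, "reason": reason,
                })
    return sorted(alerts, key=lambda a: (a["minute"], a["path"]))


if __name__ == "__main__":
    for alert in find_spikes(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log, the only alert is the six POSTs to /login in minute 10:02 (three client addresses, all failed), while the same absolute count on /index.html would have been ignored. The distinct-client and failure counts are included because they are the first things an analyst wants when deciding whether a burst is a bot or a real customer.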
Incident Response Plan
DDoS attacks are a persistent threat that businesses must have a plan for. You should have a plan for dealing with a DDoS attack, including an outage due to a persistent attack that lasts for days.
With some education and monitoring, you can now identify DDoS and related attacks. The Incident Response Plan (IRP) will help guide you as you deal with them. Depending on what security measures you have in place, the IRP should outline what steps to take depending on what type of attack you are seeing and how it is impacting your website or application. The recommendations that follow can help you build your IRP.
Use a cloud-based DDoS Mitigation Solution
It is important to protect against volumetric, protocol, and application-layer DDoS attacks with a vendor that covers layer 3, 4, and 7 of the OSI model. Many vendors offer DDoS mitigation that doesn’t adequately cover the application layer (layer 7).
Cloud-based solutions block threats outside of your network and leverage advanced threat intelligence to respond to evolving threats. You could get inline hardware with scrubbing capability, but most modern solutions will be cloud-based and require routing traffic through edge servers that filter traffic. These DDoS mitigation solutions are generally application or network solutions. Application solutions use always-on filtering, reroute traffic via DNS, and provide obscurity for the IPs you are using. Network solutions often include passive monitoring hardware to detect an attack and Border Gateway Protocol (BGP) to reroute traffic only when under an attack.
Application solutions are generally cheaper while network solutions offer the most complete coverage. Both have their place but we recommend starting with an application solution because it will mitigate almost any DDoS attack you might face and it costs considerably less than a network solution. Network solutions can be added if you are still specifically concerned about a direct, volumetric attack and you haven’t changed your IP addresses.
As network DDoS solution providers evolve, network solution costs and features continue to improve. For example, our partnership with Cloudflare makes both DNS and BGP routing an option for always-on DDoS mitigation.
Web Application Firewall
A good DDoS mitigation solution should include a Web Application Firewall (WAF) that can be used to filter application-level attacks such as credential stuffing or HTTP floods. A WAF uses rules and will filter traffic based on the active rules.
The best WAF solutions are proactively updated to protect against known zero-day threats before a patch is even available and also offer the ability to choose what actions to take when a rule is triggered. The last thing you want is your good traffic and legitimate users to get filtered out by aggressive WAF rules that only allow a block/don’t block option. Look for a WAF that allows you to do more than simply block a request when a rule is triggered.
A strong WAF solution will give you more granular controls that can check if the end user is a bot or a real person. This might be a browser check, where tests are run to determine if the end user is using a browser (many bots do not), or it may present a challenge for the end user to complete to verify they are a real user. It may also simply create a log entry that lets you know that the rule was triggered along with more detail about the user. These granular controls allow you to determine how to best filter traffic while eliminating false-positives. Granular controls create a better user experience and maximize the effectiveness of the WAF.
Separate non-critical systems from critical systems and protected assets from unprotected assets. Separation reduces the risk of collateral damage during an attack.
A common mistake is when servers, such as mail servers, are placed on the same network or servers as their websites and web-facing applications. Also frequently observed is when a customer protects a site but leaves another site vulnerable on the same server or network. When the unprotected site gets hit with a DDoS attack, it takes down the server for both sites or chews up all of the bandwidth for the network. Separate protected, high-value assets from anything that isn’t protected or isn’t as high-value to reduce the risk of collateral damage similar to the way you would air-gap assets to protect against hackers and ransomware.
For DDoS, a cloud-based firewall that offers geo-IP blocking, whitelisting, blacklisting, and more advanced features, such as blocking by ASN, can really help filter out unwanted traffic whether DDoS traffic or other malicious threats.
When it comes to having a firewall, a cloud-based firewall isn’t a replacement for an on-site firewall, whether virtual or physical. The value of a cloud-based firewall is that it sits at the network edge and filters traffic before it reaches the network. As an added security layer, proxy traffic through an application DDoS mitigation solution and then use the on-site firewall to whitelist traffic from your internal network and from the proxy servers. That way, you only get traffic from the sources that are filtered through the DDoS mitigation solution or from trusted sources. Everything else is denied.
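The origin-side allowlist described above is easy to get subtly wrong (IPv6 ranges forgotten, a blocklist evaluated after the allowlist), so here is an added example of the decision logic, not code from the original post or from any vendor. It accepts connections only from the mitigation proxy's egress ranges or the internal network, denies everything else by default, and reports "direct hits" that reached the origin without passing through the proxy, which is the signal that the origin address has leaked. Every address range in it is a constructed placeholder, not a real provider's range.

```python
"""Added example (not from the original post): an origin-side source
allowlist for a site fronted by a DDoS mitigation proxy. Accept only the
proxy egress ranges and the internal network; deny by default; flag any
web traffic that bypassed the proxy. All ranges are constructed placeholders."""
import ipaddress

# Constructed placeholders: in practice load the mitigation vendor's published egress list.
PROXY_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "2001:db8:100::/48")]
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16")]
# Explicit deny entries (constructed) are checked first so they win even over an allowed range.
BLOCKLIST = [ipaddress.ip_network(c) for c in ("198.51.100.250/32",)]


def _in_any(ip, networks):
    # ipaddress handles mixed IPv4/IPv6 safely: membership across versions is simply False.
    return any(ip in net for net in networks)


def classify(source):
    """Return (decision, reason) for one source address string."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return ("deny", "unparseable")
    if _in_any(ip, BLOCKLIST):
        return ("deny", "blocklist")
    if _in_any(ip, PROXY_RANGES):
        return ("allow", "mitigation-proxy")
    if _in_any(ip, INTERNAL_RANGES):
        return ("allow", "internal")
    return ("deny", "default")        # a direct hit that bypassed the proxy


def audit(connections):
    """Classify a batch of (source_ip, dest_port) pairs.

    Returns the per-connection decisions plus the list of web-port sources
    that were denied by default: those never passed through the proxy, so
    the origin address is known to someone who should not have it."""
    decisions = []
    direct_hits = []
    for source, port in connections:
        decision, reason = classify(source)
        decisions.append((source, port, decision, reason))
        if port in (80, 443) and (decision, reason) == ("deny", "default"):
            direct_hits.append(source)
    return decisions, direct_hits


if __name__ == "__main__":
    # Constructed sample connection attempts seen at the origin firewall.
    sample = [("198.51.100.12", 443), ("2001:db8:100::7", 443), ("10.20.30.40", 22),
              ("203.0.113.77", 443), ("198.51.100.250", 443), ("garbage", 443)]
    for row in audit(sample)[0]:
        print(row)
    print("direct hits:", audit(sample)[1])
```

The ordering matters: blocklist, then allowlist, then default deny. Swapping the first two would let a blocked address through as soon as it fell inside an allowed range. The `direct_hits` list is worth feeding into the same alerting used for traffic spikes, since a steady trickle of direct web requests means the proxy can be bypassed altogether during an attack.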
Rate limiting end users is especially effective for login pages and form submission pages. By creating a limit for how many requests can be made on those pages, you can thwart many application attacks that could cripple your servers or network.
Several attacks that get lumped into the DDoS conversation are application layer attacks that can cause an outage by overwhelming your servers or bandwidth but they are not actually designed to deny service. Rather, the goal is to break in.
An example is a credential stuffing attack, which is when attackers use a bot network to make constant requests on a login page in an effort to guess credentials and access a system. Rate limiting can be configured to mitigate these attacks. The attacks rely on the ability to throw large volumes of requests at a server to guess a password. If you only allow so many requests before requiring a Captcha, or make them wait several minutes before they can retry, they won’t be able to attack you effectively.
Layer rate-limiting into a cloud-based solution, when possible. If you identify a credential stuffing attack, we recommend having an Incident Response Plan that would instruct you to filter traffic with a Captcha to block out the malicious bots while still allowing your real customers to gain access to your systems.
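The escalation described in the last two paragraphs (allow, then require a Captcha, then make the client wait) maps onto a small sliding-window limiter. The following is an added example, not code from the original post or from US Signal: it tracks recent login attempts per key, returns one of three decisions, and forgets the history once a lockout expires. The window sizes, thresholds and the key choice are assumptions; in practice you would usually key on both the client address and the targeted account, since stuffing campaigns spread attempts across many addresses.

```python
"""Added example (not from the original post): a sliding-window login
rate limiter that escalates from allow, to requiring a Captcha, to a
temporary lockout. Thresholds and the keying scheme are assumptions."""
import math
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    def __init__(self, window=60, captcha_after=5, lockout_after=10,
                 lockout_seconds=300, clock=time.monotonic):
        self.window = window                  # seconds of history considered
        self.captcha_after = captcha_after    # attempts per window before a Captcha is required
        self.lockout_after = lockout_after    # attempts per window before a lockout
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.attempts = defaultdict(deque)    # key -> timestamps of recent attempts
        self.locked_until = {}                # key -> time the lockout ends

    def check(self, key, now=None):
        """Record one attempt for key and return (decision, retry_after_seconds).

        decision is "allow", "captcha" or "retry_later"; retry_after_seconds
        is non-zero only for "retry_later"."""
        now = self.clock() if now is None else now
        until = self.locked_until.get(key)
        if until is not None:
            if now < until:
                return ("retry_later", math.ceil(until - now))
            del self.locked_until[key]        # lockout expired; history was cleared at lock time
        q = self.attempts[key]
        while q and now - q[0] >= self.window:
            q.popleft()                       # drop attempts older than the window
        q.append(now)
        if len(q) > self.lockout_after:
            self.locked_until[key] = now + self.lockout_seconds
            q.clear()
            return ("retry_later", self.lockout_seconds)
        if len(q) > self.captcha_after:
            return ("captcha", 0)
        return ("allow", 0)

    def reset(self, key):
        """Forget a key's history, e.g. after a successful login or Captcha."""
        self.attempts.pop(key, None)
        self.locked_until.pop(key, None)


if __name__ == "__main__":
    # Constructed sequence: eleven attempts in eleven seconds from one client.
    limiter = LoginRateLimiter()
    t0 = 1000.0
    for i in range(11):
        print(i + 1, limiter.check("198.51.100.7", now=t0 + i))
    print("after 20s:", limiter.check("198.51.100.7", now=t0 + 20))
    print("after 400s:", limiter.check("198.51.100.7", now=t0 + 400))
```

With the defaults, attempts one to five are allowed, six to ten get a Captcha, and the eleventh triggers a five-minute lockout; a client that stays under five attempts a minute is never challenged. A real deployment would store the deques in a shared cache so every web node sees the same counts, and would apply the "captcha" decision through the WAF or mitigation layer rather than in application code.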
Building redundancy into a system to reduce choke points and failure points is smart for dealing with DDoS and other malicious attacks. For example, having two separate internet connections from diverse providers reduces the risk of one failing and your site being offline.
Most companies will opt to have a Disaster Recovery environment that they can fail over to in the event their main production workloads go down. This can be a last resort if you are not able to mitigate an attack with your current solution. US Signal’s DR solutions can have you back up and running in minutes or hours, depending on the configuration and how well you’ve tested it. If you haven’t put other DDoS mitigation techniques in place, you may still be at risk of suffering the same outage. In this case, working with a Cloud Service Provider, like US Signal, when crafting your business continuity and disaster recovery plans can help to formulate a plan that will provide the protection you need for DDoS and other risks that can cause an outage.
For high-traffic sites, having multiple geo-diverse production environments may make sense. In these situations, we leverage a cloud load balancer to deliver traffic to each environment to optimize performance as a part of our DDoS solution. Establishing protection at the network edge allows you to filter traffic outside of your network, and the cloud load balancer performs health checks to make sure the origin servers are up and running while also optimizing routing.
Prevention and mitigation for DDoS and related attacks take up a lot of time and resources, and not everyone has the time or expertise to manage DDoS mitigation. If you’ve looked through this list and wonder where to start, perhaps it’s time to contact a Managed Service Provider like US Signal.
At US Signal we can put a DDoS mitigation solution in place that is designed to fit your unique needs. We can even manage the solution, end-to-end. By using our managed service, you can free up your IT and Info Sec teams to focus on your core business while taking advantage of the knowledge and expertise of our engineers.