Going for effective DDoS mitigation measures.

Besides malware attacks and data breaches that are widely reported on the Internet, another upcoming threat trend is the Distributed Denial of Services (DDoS) attack. They bring down websites and can cause wide spread e-Services outages. Public users are denied access to sites and the use of their services. This effectively causes a serious inconvenience for site users.

For the hosting provider of websites and eServices, the possibility of losing customer confidence and jeopardizing future continuation services are very real. Furthermore, through word of mouth and social blogs, the reputation of a provider may get tainted because of an inability to keep customer's sites available.

The Mirai attack is a good example. Many service providers were affected and a need for immediate recovery of customer sites was required. The attack originated from a pool of compromised routers, switches or similar smart devices and as the onslaught persisted, the hapless provider could not keep up, hence any recovery attempts were nullified.

With Mirai's success, other "copycat" developments soon surfaced. Below is Akamai (one of the DDoS mitigation service providers) Q4 internet security report showing four different botnets which in total generated 10 DDoS attacks exceeding 300 Gbps between July 2014 – December 2016. Seven of these occurred in 2016.

DDoS attacks are real. There is also further sharing in Cisco Midyear Cybersecurity report (2017) on the emergence of a new type of DDoS equivalent, which they termed as Destruction of Service (DEoS). It target to bring down the organisation's "safety net" like those backup data system. Whilst we cannot stop the onslaught of attacks, we can put up a defense to effectively slow them down as compared to simply removing the system offline as these attacks are persistent and target the recovered systems too. 

More recently in 2018, the DDoS attack (on Github) reached a unprecedented 1.35 terabits per second of traffic , surpassing the past 2016 record of 1.2 Tbps (on Dyn). Notably, the attack is significant as it exploited the use of memcached system to launch over a 51,000 times powerful DDoS attacks than their original strength, which could have result in knocking down other major websites and Internet infrastructure too. 

So what can we do about it? 

DDoS attack is very different to a typical virus or malware infection. There is no signature update or general user awareness training that can help with mitigation efforts, so let's take a look at the different types of DDoS attacks, along with any available defensive measures that can be taken.

What are the various DDoS attacks and their weaknesses?

There are two flavors of DDoS attack, namely network and application based. Going back to the Akamai report, there is another observation below which shows the top attacks based on the protocol exploited. Network based attacks dominate. Application based attacks are primarily based on HTTP. 

There are many soft spots in our infrastructure that are exposed to a DDoS attack. The diagram below shows a general sense of internal and external threats. For DDoS attack, it is targeting on weak spots (or low hanging fruits) in the infrastructure. It either exploits poor coding of a website to bring it down, or create surges of traffic that exceed the resources of the server exposed to the internet. The two types of attack will require slightly different "treatment". 

DDoS (Network based) 

Network based attacks have two characteristics:

(a) Launch through legit traffic to "eat" (exhaust) up your resources - Huge traffic is expected to surge exceeding your ISP subscribed network bandwidth. This leads to service wide outages. An example of such attacks include SYN floods, Teardrop attack etc. One example, is the pulse wave of DDoS attacks which does not have ramp-up period — the DDoS traffic peaks almost immediately and drops shortly after. The process is repeated at regular intervals, and the attackers have precise control over their launchpad of botnets.

(b) Launch attack exploiting system or poorly designed infrastructure and non patched systems - Malicious packets with exploit payloads are sent to the target system. They penetrate unhardened systems and exploit protocol based vulnerabilities. For example, buffer overflow vulnerability in poorly maintained open BIND servers will allow these servers to become zombies and controlled to send out DNS attack traffic to other systems.

DDoS (application based)

Web servers or systems exposed to Internet providing application e-Services are vulnerable. 

Most often the firewall will allow these web traffic (HTTP/HTTPS) packets to pass through and content filter appliances may also miss in their inspection if their threat signatures are not updated. Stopping unknown application vulnerabilities is a catch up game: 

(a) Attackers can send legit web packets to slowly create and hold onto sessions with a web server. The requests will just keep piling up till the server's memory resources have been exhausted. An example of such an attack is Slowloris.

(b) Attackers scan for low hanging fruits on the Internet on exposed server ports and services. One example is Remote Desktop Services. A series of brute force attempts using stolen accounts, or the default setup password of an account can easily allow attackers to gain entry with privileged rights. Weak password policies in these servers are often a major contributor to the success of an attack.

Tips to beef up existing defenses

Put more emphasis into being diligent in device hardening and always keeping available security patches up to date. However that's not sufficient to handle surges of DDoS traffic. We cannot catch up by increasing server equipment resources (e.g. more memory, increasing CPU speed, clustering, load balancing etc) alone. We will need to have a collective strategy - push the attack out to the perimeter and keep our internal systems running.

Measure #1 - Strengthen existing perimeter defense

Use of a firewall and increasing your subscribed bandwidth cannot be the panacea. We need to nip it in the bud at its core, with a layered defense laid out in the perimeters. Consider the below strategy.

(a) Protect your downstream (towards your servers) by employing a Web based application firewall (WAF). It is application aware as compared to a traditional network firewall

(b) Protect your upstream (towards internet and public facing services) by subscribing to a reliable DDoS mitigation service (DMS) provider. These come with a content delivery network (CDN) feature for offloading resource utilization.

(c) Reinforce DMS protection with cleanpiping in the event that a DMS service is bypassed (known by the use of online tools like CloudPiercer, and provider has system that is found vulnerable, like "Cloudbleed"). These include rate limiting of traffic surges and traffic scrubbing to allow clean traffic to still get through to your server.  

You do need strong support from your management to secure a committed budget for this continuous protection; these are not cheap, but a worthy subscription in the long run. The long term investment saves you from the huge damage costs of a service outage or unavailability. Try this  DDoS Downtime Calculator. It is is designed to help you assess the risks associated with an attack, offering case-specific information adjusted to the realities of your organization.

Another point to note is in managing multiple DDoS providers which can sometimes get complicated unless you sorted out the procedures and operations protocol. Firm up your processes early, confirm the single point of contact and helpdesk, make sure provider response is based on the severity of an incident. Send your team for training to learn preemptive monitoring, based on the performance of the website and eServices. 

Measure #2 - Reinforce with DDoS defense technology coverage

Besides pushing the "fight" to the perimeter, there is malicious application traffic that may still bypass and hit your on-premise servers to consider. Beef up the on-premise defenses with an aware and capable device. You may consider the use of an application delivery controller (ADC) which not only does load balancing, but also limits the surge of traffic to web applications.

Map out your Defense Map

To sum up on your Anti-DDoS solution, you needed an on premise, anomaly aware capable solution with smartness in:

(a) Automation of the mitigation solution upon detecting an attack, e.g. immediately create a rule to block it and be able to self learn based on heuristics to tune the rule.

(b) Maintain a low probability of false positives, e.g. the ablity to create exception for legitimate traffic and be able to provide a feature like challenge mode (e.g. with CAPTCHA) on the attack attempt. This can deter a botnet attack.

(c) Tap on DMS' wide global point of presence (PoP) to spread the DDoS load which it is mostly termed as Anycast. 

(d) Continuous reviews of performance and conduct stress tests on your online assets. This helps to size up the minimal system resources required. You can have an additional buffer to handle a flood of visitors due to event announcements (like new product launches etc) by your organisation. 

Summary of DDoS protection strategy

In conclusion, to reference a simplistic view of the defense setup that was discussed earlier on, you would have subscribed to managed security services e.g. DDoS Mitigation services, Cleanpipe services, and implemented key network security devices like NIPS and a Web App Firewall.

Below is simple checklist that can come in handy. Assess how different providers and vendors match your baseline and ask how they can value add operationally, including cost savings.

1. Layer 3/Layer 4 attack prevention

• (UDP Fragments; ICMP Floods; SYN Floods; ACK Floods; RESET Floods; and UDP Floods)

2. Deep packet Inspection (L4- L7)

• Protection for HTTP slow client (“drip feed”) DDoS attacks, such as a Slowloris/PyLoris
• Data (information) leakage prevention (outbound)
• Object sensitization and filtering (MS files, PDF, EXE, ELF),

3. Connection protection

• (Rate Limiting, shaping, throttling, etc)

4. Extended Protection

• DNS Protection
• Whitelisting / Blacklisting
• Web Origin Protection
• Router monitoring
• IPv6 Support
• High availability and reliability

5. Real time monitoring & Reporting

• Centralized Control / Dashboard,
• Secure role based admin
• Audits / Logging (details)
• Geo-location aware / reporting

6. Certification

•  FIPS 140-2 Level, CC EAL , PCI-DSS, ICSA Lab, NSS Lab

It's an ongoing process. Not a once-off effort. Learn from others as well, especially those organisation who shared how they managed their DDoS attack. Here is another handy DoS preparation checklist (pdf version) contributed by the community. 

All the best!