DDoS, which stands for Distributed Denial of Service, is considered one of the most serious threats to systems and organizations. A DDoS attack can be defined as a malicious attempt to make an online system or service unavailable to its users. This is done by temporarily overwhelming the server that hosts the application so that it can no longer serve requests.
As per the Verisign Distributed Denial of Service Trends Report, DDoS activity grew by 85% in each of the last two years, with 32% of those attacks in 2015 targeting software-as-a-service, IT services, and cloud computing companies.
DDoS mitigation techniques can effectively help your business in combating the attacks.
Let’s consider real-life scenarios to understand a DDoS attack in simpler terms.
DDoS attacks are most common at the Infrastructure Layer (Layer 3 Network, Layer 4 Transport) and the Application Layer (Layer 5 Presentation, Layer 7 Application) of the OSI model.
Before we discuss the DDoS mitigation techniques, you need to understand how to identify an attack.
Identifying the attack is essential and is the first step of DDoS mitigation. After all, you can’t afford to block legitimate traffic to your website.
You have probably thought of iptables connlimit or similar methods to handle the attacks. All of these come with certain drawbacks and are not complete solutions. Also, even if you use something as simple as that, you will still have to identify what legitimate traffic looks like. One way to do so is to browse through your website from a specific IP and then watch the HTTP access log to see how many connections are made from that IP to the web server in a given timeframe. This gives you a rough estimate of how many connections per timeframe can be considered legitimate. Now, let’s discuss some DDoS mitigation techniques that can be used to mitigate such attacks.
Let’s say your internal website (or database, or any such resource) which is not open to the public is down due to a DDoS attack. What’s the catch? No employee would knowingly attack their own company’s assets. The likely explanation is that some employees’ systems have been compromised and are being used as bots. So, employees must be educated on how to avoid being exploited.
They should be aware of basic security measures such as:
Reducing the surface that can be attacked limits the options available to attackers. This is one of the methods.
A Content Delivery Network (CDN) distributes your content and boosts performance by minimizing the distance between your resources and end-users. It stores a cached version of your content in multiple locations, which helps mitigate a DDoS attack by avoiding a single point of failure when the attacker is trying to focus on a single target. Popular CDNs include Akamai CDN, Cloudflare, AWS CloudFront, etc.
As the name suggests, blackhole routing (similar to /dev/null in Linux) without any filtering sends both legitimate and malicious traffic to a null route, or black hole, where it is dropped from the network. If you can identify the attacker’s traffic based on its pattern, you can filter those packets specifically and route only them to the black hole.
Limiting the number of requests a server will accept from an IP over a certain time window is a way of mitigating denial of service attacks, similar to iptables connlimit. However, in the case of DDoS, rate limiting alone wouldn’t be sufficient. Nevertheless, it is a useful part of DDoS protection.
A Web Application Firewall (WAF) is a tool that can assist in mitigating Layer 7 DDoS attacks. You can place a WAF between the internet and the origin server, where it acts as a reverse proxy that protects the server from exposure by making clients pass through it before reaching the server. Using a WAF, you can quickly implement custom rules in response to an attack and mitigate it so that the traffic is dropped before it even reaches your server, thus offloading the server. Depending upon where you implement the WAF, it can be deployed in one of three ways:
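The following is an added example (not code from the original post) that ties together two of the points above: establishing a per-IP baseline from the HTTP access log, as described in the identification step, and enforcing a per-IP rate limit with the same sliding-window counter. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import deque, defaultdict
from datetime import datetime

# Constructed sample in Apache/nginx "combined" log format: one browsing session
# from 198.51.100.7, then a burst of 25 requests within 3 seconds from 203.0.113.9.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /style.css HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /app.js HTTP/1.1" 200 980 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /about HTTP/1.1" 200 640 "-" "Mozilla/5.0"
""" + "".join(
    f'203.0.113.9 - - [10/Oct/2023:13:55:{40 + i // 10:02d} +0000] "GET /search?q={i} HTTP/1.1" 200 9 "-" "curl/8.0"\n'
    for i in range(25)
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class SlidingWindowLimiter:
    """Per-IP sliding window: allow at most `limit` requests in any `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # ip -> epoch timestamps of requests still in the window
        self.peak = defaultdict(int)     # ip -> highest in-window count seen (the baseline figure)

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:   # evict requests that fell out of the window
            q.popleft()
        q.append(now)
        self.peak[ip] = max(self.peak[ip], len(q))
        return len(q) <= self.limit


def parse_line(line):
    """Return (ip, epoch_seconds) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT).timestamp()


def replay(log_text, limit, window):
    """Replay a log through the limiter: returns (peak in-window count per IP, would-be drops per IP)."""
    lim, dropped = SlidingWindowLimiter(limit, window), defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and not lim.allow(*parsed):
            dropped[parsed[0]] += 1
    return dict(lim.peak), dict(dropped)
```

Replaying your own browsing session first gives the peak figure to set `limit` from; replaying later logs with that limit shows which sources would be throttled before any rule is deployed.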
In this method, you scatter the DDoS traffic across a cluster of nodes so that it is handled like any other legitimate traffic. For example, suppose you have implemented auto-scaling of your web resources for when incoming connection requests exceed a certain number.
This autoscaling ensures new web servers are spawned to handle the connection requests. You can set up alerts so that you are notified when more than a certain number of instances have been spawned. That way you know something is wrong, and you can apply the other mitigation techniques to block the attack traffic and bring the service back to normal operation. This totally depends on
Now that you’re aware of some of the techniques to mitigate DDoS, let’s look at the stages of DDoS mitigation that help in the implementation of the techniques.
Summing up, there is no single solution that mitigates DDoS completely. There are multiple things you have to consider while implementing the mitigation techniques. A combination of the above-listed techniques with appropriate tuning will do the work for you, and you should always be prepared to identify DDoS attacks and further tune your current DDoS mitigation setup. When the attacker invests so much in planning DDoS attacks, you too should analyze the attack patterns, take that learning, and further strengthen your DDoS protection techniques.