DDoS Mitigation Techniques

DDoS, which stands for Distributed Denial of Service, is considered one of the most serious threats to systems and organizations. A DDoS attack can be defined as a malicious attempt to make an online system or service unavailable to its users, by temporarily disrupting the services of the server that hosts the application.

As per the Verisign Distributed Denial of Service Trends Report, DDoS activity grew by 85% in each of the last two years, with 32% of the attacks in 2015 targeting software-as-a-service, IT services, and cloud computing companies.

DDoS mitigation techniques can effectively help your business in combating the attacks.

What is a DDoS attack?

Let’s consider two real-life scenarios to understand a DDoS attack in simpler terms.

Scenario 1

  • An organization has a website that can handle 1000 requests per second.
  • The website is configured to handle only 1000 requests per second, based on the expected traffic.
  • If an attacker uses a single internet-connected host to open more than 1000 connection requests per second to the website, that exhausts the total number of requests the organization’s web server can handle (1000, in this case).
  • As a result, the website is no longer accessible to genuine users.
  • This scenario is referred to as a DoS (Denial of Service) attack.

Scenario 2

  • Mr. X runs a cluster of web servers capable of handling several thousand requests per second.
  • Now a DoS attack from a single host puts only a little load on his web servers; it is not enough to take the website down.
  • If the same attacker gains control of a network of online machines by infecting them with malware, he forms a botnet. Using the botnet, he can spawn thousands of requests simultaneously from each bot.
  • This scenario is called a Distributed Denial of Service attack.

DDoS is most common at Infrastructure Layer (Layer 3 Network, Layer 4 Transport), and Application Layer (Layer 5 Presentation, Layer 7 Application) of the OSI model.

8 DDoS Mitigation Techniques:

Before we discuss the DDoS mitigation techniques, you need to understand how web attacks are identified.

1. How would you classify legitimate traffic vs DDoS attacks?

Identifying the attack is essential and is the first step of DDoS mitigation. After all, you can’t afford to block legitimate traffic to your website.

You may have thought of iptables connlimit or similar methods to handle the attacks. All of these come with drawbacks and are not complete solutions. Even if you use something that simple, you still have to identify legitimate traffic first. You could do so by browsing your website from a specific IP and then watching the HTTP access log to see how many connections are made from that IP to the web server. That gives you a rough estimate of how many connections in a given timeframe can be considered legitimate. Now, let’s discuss some of the DDoS mitigation techniques that can be used against such attacks.
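
As an added example (not code from the original post), the following Python script does the log check just described: it parses access-log lines in the common log format, counts requests per source IP per 10-second window, takes the peak rate of a known-legitimate IP (the one you browsed from) as a baseline, and flags any IP whose peak rate exceeds a multiple of that baseline. The log lines, the IP addresses, the window size and the factor of 10 are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the start of a common/combined-format access-log line: client IP, the two
# ident/user fields, then the bracketed timestamp, request and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: a normal browsing session from the baseline IP 203.0.113.10,
# one malformed line, and a burst of 600 requests from 198.51.100.7 in one window.
SESSION = [
    '203.0.113.10 - - [02/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.10 - - [02/Jan/2024:10:00:01 +0000] "GET /style.css HTTP/1.1" 200 80',
    '203.0.113.10 - - [02/Jan/2024:10:00:01 +0000] "GET /app.js HTTP/1.1" 200 120',
    '203.0.113.10 - - [02/Jan/2024:10:00:03 +0000] "GET /about HTTP/1.1" 200 400',
    '203.0.113.10 - - [02/Jan/2024:10:00:15 +0000] "GET /contact HTTP/1.1" 200 300',
    'this line is garbage and must not crash the parser',
]
FLOOD = [
    f'198.51.100.7 - - [02/Jan/2024:10:00:0{i % 10} +0000] "GET / HTTP/1.1" 200 512'
    for i in range(600)
]
SAMPLE_LOG = SESSION + FLOOD


def parse_line(line):
    """Return (ip, timestamp) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return m.group("ip"), ts


def requests_per_window(lines, window_seconds=10):
    """Count requests per source IP in fixed windows aligned to multiples of window_seconds."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting on a hostile log
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        counts[ip][bucket] += 1
    return counts


def peak_rate(counts, ip):
    """Highest request count the IP reached in any single window (0 if never seen)."""
    if ip not in counts:
        return 0
    return max(counts[ip].values())


def flag_suspicious(counts, baseline_ip, factor=10):
    """Flag IPs whose peak per-window rate exceeds `factor` times the baseline IP's peak."""
    threshold = peak_rate(counts, baseline_ip) * factor
    return {ip for ip in counts if peak_rate(counts, ip) > threshold}


if __name__ == "__main__":
    counts = requests_per_window(SAMPLE_LOG)
    baseline = "203.0.113.10"
    print("baseline peak per 10 s window:", peak_rate(counts, baseline))
    for ip in sorted(flag_suspicious(counts, baseline)):
        print(f"suspicious: {ip} peaked at {peak_rate(counts, ip)} requests per window")
```

The baseline here is a single browsing session, so the factor should be generous; in practice you would collect peaks from many legitimate sessions (or from a quiet period of the log) before choosing a threshold, and treat the output as a candidate list to review rather than an automatic block list.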

2. Avoid becoming a bot:

Suppose your internal website (or database, or any such resource), which is not open to the public, is down due to a DDoS attack. What’s the catch? No employee would knowingly attack their own company’s assets. So the likely explanation is that some employees’ systems have been compromised and are being used as bots. Hence, employees must be educated on how to avoid being exploited.

They should be aware of basic security measures such as:

  • Using strong passwords
  • Configuring and maintaining the local firewall
  • Not opening random attachments
  • Always scanning files with antivirus before opening them
  • Applying security patches promptly and keeping the machine up to date
  • If they suspect their machine may be compromised, installing a network monitor such as GlassWire to watch the traffic
  • And if the machine has already become a bot: it must be isolated, detached from the network, and cleaned up before it is reconnected

3. Reducing Attack Surface:

Reducing the surface that can be attacked limits the options available to attackers. This is one of the methods.

  • Separate and distribute assets in the network so that they are harder to target. For example, you can keep your web servers in a public subnet while the underlying database servers sit in a private subnet. You can also restrict access to the database servers so that only your web servers, and no other hosts, can reach them.
  • Use firewalls and Network Access Control Lists to allow only necessary traffic, to the necessary ports, from the necessary hosts. In the case of web servers you generally have to allow traffic from anywhere to port 80 of your web server, and in such cases you add the other protective measures listed here.
  • Even for sites that are accessible over the internet, you can reduce the surface area by restricting traffic to the countries where your users are located.

4. CDNs:

A Content Delivery Network (CDN) distributes your content and boosts performance by minimizing the distance between your resources and end users. It stores cached copies of your content in multiple locations, which also mitigates DDoS attacks by avoiding the single point of failure an attacker tries to focus on. Popular CDNs include Akamai CDN, Cloudflare, AWS CloudFront, etc.

5. Black Hole Routing:

As the name suggests, blackhole routing (similar to /dev/null in Linux) sends traffic to a null route, or black hole, where it is dropped from the network. Done without any filtering, it drops both legitimate and malicious traffic, which takes the target offline just as the attacker intended; it is therefore usually a last resort to protect the rest of the network. If you can identify the attacker’s traffic by its pattern, you can filter those packets and route only them to the black hole.

6. Rate Limiting:

Limiting the number of requests a server accepts from a single IP over a certain time window is a way of mitigating denial of service attacks, similar to iptables connlimit. In the case of DDoS, however, rate limiting alone is not sufficient, since each bot can stay below the per-IP limit while the botnet as a whole still exhausts the server. Nevertheless, it is a useful part of DDoS protection.
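
To make that caveat concrete, here is an added Python example (not from the original post) of a per-IP token-bucket rate limiter run against two constructed traffic patterns: one host sending 2000 requests in a second, and 500 hosts each sending four requests in the same second. The limiter stops the first almost entirely but admits all of the second, even though the admitted traffic still exceeds the assumed origin capacity of 1000 requests per second. The bucket size, refill rate, IP addresses and capacity figure are assumptions chosen for the illustration.

```python
class TokenBucketLimiter:
    """Per-client token bucket: each IP may burst up to `capacity` requests and then
    sustain `refill_rate` requests per second. State is kept in memory, which is fine
    for a single node; a fleet of front ends would share it through a datastore."""

    def __init__(self, capacity, refill_rate):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.tokens = {}      # ip -> tokens currently available
        self.last_seen = {}   # ip -> time of the last refill

    def allow(self, ip, now):
        """Return True and consume a token if `ip` is within its budget at time `now`."""
        tokens = self.tokens.get(ip, self.capacity)
        elapsed = now - self.last_seen.get(ip, now)
        tokens = min(self.capacity, tokens + elapsed * self.refill_rate)
        self.last_seen[ip] = now
        if tokens >= 1:
            self.tokens[ip] = tokens - 1
            return True
        self.tokens[ip] = tokens
        return False


def simulate(limiter, events):
    """Feed (timestamp, ip) events to the limiter in time order; return (allowed, dropped)."""
    allowed = dropped = 0
    for now, ip in sorted(events):
        if limiter.allow(ip, now):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped


def single_source_flood(n=2000):
    """Constructed: one host sends n requests evenly spread over one second."""
    return [(i / n, "198.51.100.7") for i in range(n)]


def distributed_flood(bots=500, per_bot=4):
    """Constructed: `bots` hosts each send `per_bot` requests 100 ms apart, all inside
    one second, so no single host exceeds its own bucket."""
    return [(j * 0.1, f"10.0.{i // 256}.{i % 256}") for i in range(bots) for j in range(per_bot)]


def overwhelms_origin(allowed, window_seconds, origin_rps):
    """True if the traffic the limiter let through still exceeds what the origin can serve."""
    return allowed / window_seconds > origin_rps


ORIGIN_RPS = 1000  # assumed origin capacity, matching the post's 1000 requests/second scenario

if __name__ == "__main__":
    for name, events in (("single source", single_source_flood()),
                         ("500 bots", distributed_flood())):
        allowed, dropped = simulate(TokenBucketLimiter(capacity=20, refill_rate=5.0), events)
        print(f"{name}: allowed={allowed} dropped={dropped} "
              f"origin overwhelmed={overwhelms_origin(allowed, 1.0, ORIGIN_RPS)}")
```

With a bucket of 20 and a refill of 5 per second, the single host gets 24 requests through and loses the rest, while every one of the 2000 distributed requests is admitted. That is the gap the other techniques (WAF rules, upstream filtering, scaling) have to cover; per-IP rate limiting on its own protects you from one abusive client, not from many polite-looking ones.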

7. WAF:

A Web Application Firewall (WAF) is a tool that can assist in mitigating Layer 7 DDoS attacks. You place the WAF between the internet and the origin server; it acts as a reverse proxy, protecting the server from direct exposure by making clients pass through it before they reach the server. With a WAF you can quickly implement custom rules in response to an attack, so that the malicious traffic is dropped before it reaches your server and the server is relieved of that load. Depending on where you deploy it, a WAF can be implemented in one of three ways:

  • Network-based WAF
  • Host-based WAF
  • Cloud-based WAF

8. Scale:

In this method, you spread the DDoS traffic across a cluster of nodes so that it is handled like any other traffic. For example, suppose you have implemented auto-scaling of your web resources that triggers when incoming connection requests exceed a certain number.

The autoscaling ensures that new web servers are spawned to handle the connection requests. You can set up alerts so that you are notified when more than a certain number of instances have been spawned; that tells you something is wrong, and you can then apply the other mitigation techniques to block the traffic and bring the service back to normal. Whether this works depends on:

  • the size of the attack
  • the efficiency of the network (Transit capacity)
  • compute resources (Server capacity)

Now that you’re aware of some of the techniques to mitigate DDoS, let’s look at the stages of DDoS mitigation that help in the implementation of the techniques.

Stages of DDoS mitigation:

  1. Detection: The first step in mitigating an attack is detecting that there is one. This is where you separate legitimate traffic from malicious traffic. While mitigating a DDoS, you must not accidentally drop potential customer traffic; that would be disastrous.
  2. Response: Once you have detected the attack, you have to respond to it. For example, you will want to drop the malicious DDoS traffic before it reaches your server, so that it does not throttle and exhaust the server. This is where you filter the traffic so that only legitimate traffic reaches the server.
  3. Routing: With intelligent routing, you break the remaining traffic (after filtering out the malicious packets) into manageable chunks that the cluster resources it is routed to can handle.
  4. Adaptation: The most important stage of DDoS mitigation, where you look for patterns in DDoS attacks and use that analysis to further strengthen your mitigation. For example, blocking an IP that is repeatedly found to be offending.
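
The response and adaptation stages together, as an added Python example that is not part of the original post: a small policy object consumes per-IP request counts for each detection window, drops traffic over a threshold (response), and escalates an IP that trips the threshold repeatedly from a short block to a long one (adaptation), while letting strikes decay for clients that behave. The threshold, the block durations, the strike count and the two-host timeline are constructed for illustration.

```python
from collections import defaultdict


class AdaptiveBlocklist:
    """Per-window enforcement with memory. An IP over `rate_threshold` requests in a
    window is dropped and receives a short block (response); an IP that trips the
    threshold `strikes_to_escalate` times is moved to a long block (adaptation).
    Strikes decay for clients that behave, so one accidental spike from a real
    customer does not earn a long ban."""

    def __init__(self, rate_threshold, strikes_to_escalate=3, short_block=2, long_block=20):
        self.rate_threshold = rate_threshold
        self.strikes_to_escalate = strikes_to_escalate
        self.short_block = short_block    # block length in windows
        self.long_block = long_block      # block length in windows
        self.strikes = defaultdict(int)   # ip -> current strike count
        self.blocked_until = {}           # ip -> first window in which traffic is accepted again
        self.escalated = set()            # ips that reached the long block

    def is_blocked(self, ip, window):
        return self.blocked_until.get(ip, -1) > window

    def observe(self, window, counts):
        """Process one window's {ip: request_count}; return (dropped_ips, passed_ips)."""
        dropped, passed = set(), set()
        for ip, n in counts.items():
            if self.is_blocked(ip, window):
                dropped.add(ip)
            elif n > self.rate_threshold:
                self.strikes[ip] += 1
                if self.strikes[ip] >= self.strikes_to_escalate:
                    self.escalated.add(ip)
                    self.blocked_until[ip] = window + self.long_block
                else:
                    self.blocked_until[ip] = window + self.short_block
                dropped.add(ip)
            else:
                if self.strikes[ip] > 0:
                    self.strikes[ip] -= 1  # good behaviour earns back one strike
                passed.add(ip)
        return dropped, passed


# Constructed timeline of ten detection windows (not from the post): 198.51.100.7 floods
# at 900 requests every window; 203.0.113.10 is a real customer sending 50 requests,
# with a single spike to 300 in window 1.
ATTACKER, CUSTOMER = "198.51.100.7", "203.0.113.10"
TIMELINE = [{ATTACKER: 900, CUSTOMER: 300 if w == 1 else 50} for w in range(10)]


def run(policy, timeline):
    """Apply the policy window by window; return, per IP, how many windows were dropped."""
    dropped_windows = defaultdict(int)
    for window, counts in enumerate(timeline):
        dropped, _passed = policy.observe(window, counts)
        for ip in dropped:
            dropped_windows[ip] += 1
    return dict(dropped_windows)


if __name__ == "__main__":
    policy = AdaptiveBlocklist(rate_threshold=200)
    print("windows dropped per IP:", run(policy, TIMELINE))
    print("escalated to long block:", sorted(policy.escalated))
    print("customer strikes remaining:", policy.strikes[CUSTOMER])
```

In this timeline the attacker is dropped in every window and reaches the long block at its third strike, while the customer loses only the spike window and the one short-block window that follows it, and ends with no strikes on record. The decay rule is the part worth tuning carefully: it is what keeps the adaptation stage from slowly converting false positives into permanent bans.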

Conclusion:

Summing up, there is no single solution that mitigates DDoS completely. There are multiple things to consider while implementing the mitigation techniques. A combination of the techniques listed above, with appropriate tuning, will do the work for you, and you should always be prepared to identify DDoS attacks and further tune your current mitigation. When an attacker invests so much in planning a DDoS attack, you too should analyze the attack patterns, learn from them, and further strengthen your DDoS protection.

Anshu Jindal

This post was last modified on January 2, 2024 17:35
