Websites and web applications sit at the centre of most online business strategies. The same technology that enables them has also increased their security risk, because cybercriminals leverage the latest tools and innovations just as readily. Among these threats, the most common and most immediately damaging are DDoS attacks; even a cursory glance at recent cybersecurity and web application security literature shows how prevalent they have become.

Distributed denial of service (DDoS) attacks are cyber-attacks that aim to make target websites and web applications unavailable to legitimate users by overwhelming them with bogus requests and traffic, exhausting their resources and available bandwidth and causing downtime and crashes. These attacks are usually orchestrated from many compromised systems spread across the globe, collectively known as a botnet.

The high visibility of DDoS attacks makes them a popular choice for extortionists, hacktivists and cybervandals, as well as for competitors who want to play dirty or simply bring the business into disrepute. A DDoS attack does not by itself breach the application's security perimeter, but it is often used as a smokescreen for other attacks and malicious activity carried out while the defenders are busy keeping the site up.

DDoS: The impact of successful attacks

Downtime and crashes make the application unavailable to legitimate users, which causes substantial financial losses and damages the reputation and customer base of the business. Bigger players may have the resources, infrastructure and clout required to recover quickly from such attacks; small and medium businesses often do not have that luxury and may even be forced to shut down.

Categories of DDoS attacks

It is important to understand the categories of DDoS attacks before trying to understand how to identify and block them, because each category exhausts a different resource and is measured and mitigated differently.

  • Volumetric attacks: As the name suggests, these attacks flood the target with a huge volume of traffic in order to saturate its bandwidth (or that of its upstream links). Their size is measured in bits per second. Examples: UDP floods, ICMP floods, etc.
  • Protocol attacks: Also known as state-exhaustion attacks, these use weaknesses in layer 3 and layer 4 of the protocol stack to consume the state-table capacity of the server itself or of intermediate equipment (firewalls, load balancers, etc.). Their size is measured in packets per second. Examples: SYN floods, Ping of Death, Smurf attacks, fragmented-packet attacks, etc.
  • Application-layer attacks: These are orchestrated by exploiting weaknesses or business-logic flaws in the application itself, sending requests that look legitimate in order to exhaust application resources (worker threads, database connections, CPU) rather than bandwidth. Their size is measured in requests per second; they can succeed with far fewer devices and at well under 1 Gbps, unlike volumetric attacks. Examples: Slowloris, HTTP GET/POST floods, etc.
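The three categories leave different fingerprints in traffic, and telling them apart is the first step in routing an attack to the right mitigation. The script below is an added example, not code from the original article or from any vendor product it mentions. It runs three toy detectors over constructed flow records: sustained UDP/ICMP bit rate for volumetric floods, the share of SYNs never completed by a handshake ACK for protocol (state-exhaustion) attacks, and per-client HTTP request rate for application-layer floods. The `Flow` record, the thresholds and the sample traffic are all assumptions made for the illustration; real thresholds come from a baseline of the site's normal traffic.

```python
"""Toy classifier of constructed flow records into the three DDoS categories."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One packet or request seen at the network edge. Fields are illustrative."""
    ts: float            # seconds since the start of the observation window
    src: str             # client IP
    proto: str           # "udp", "icmp", "tcp" or "http"
    nbytes: int = 0      # bytes on the wire for this record
    flags: str = ""      # TCP flags when proto == "tcp": "S" (SYN) or "A" (handshake ACK)
    path: str = ""       # request path when proto == "http"


# Assumed thresholds for the toy; derive real ones from a baseline of normal traffic.
VOLUMETRIC_MBPS = 500.0    # sustained UDP/ICMP rate that saturates the assumed uplink
SYN_MIN = 200              # below this many SYNs a half-open ratio is not meaningful
HALF_OPEN_RATIO = 0.8      # share of SYNs that never got a handshake-completing ACK
HTTP_RPS_PER_SRC = 50.0    # requests per second from one client that no human produces


def window_seconds(flows):
    """Length of the observation window, at least one second to avoid divide-by-zero."""
    ts = [f.ts for f in flows]
    return max(1.0, max(ts) - min(ts)) if ts else 1.0


def volumetric_mbps(flows):
    """Average UDP/ICMP bit rate over the window (bandwidth, not state, is the target)."""
    nbytes = sum(f.nbytes for f in flows if f.proto in ("udp", "icmp"))
    return nbytes * 8 / 1e6 / window_seconds(flows)


def half_open_stats(flows):
    """Number of SYNs and the share of them never followed by a handshake ACK."""
    syns = sum(1 for f in flows if f.proto == "tcp" and f.flags == "S")
    acks = sum(1 for f in flows if f.proto == "tcp" and f.flags == "A")
    ratio = (syns - acks) / syns if syns else 0.0
    return syns, max(0.0, ratio)


def top_http_rps(flows):
    """Busiest HTTP client and its request rate; a small botnet stands out here."""
    per_src = Counter(f.src for f in flows if f.proto == "http")
    if not per_src:
        return "", 0.0
    src, n = per_src.most_common(1)[0]
    return src, n / window_seconds(flows)


def classify(flows):
    """Return the set of DDoS categories whose signal exceeds its threshold."""
    found = set()
    if volumetric_mbps(flows) > VOLUMETRIC_MBPS:
        found.add("volumetric")
    syns, ratio = half_open_stats(flows)
    if syns >= SYN_MIN and ratio >= HALF_OPEN_RATIO:
        found.add("protocol")
    _, rps = top_http_rps(flows)
    if rps > HTTP_RPS_PER_SRC:
        found.add("application")
    return found


def sample(kind):
    """Constructed two-to-ten-second traffic samples; not captured data."""
    flows = []
    if kind == "udp_flood":
        # 2,000 spoofed sources, each a 100 kB UDP burst inside two seconds: ~800 Mbps
        for i in range(2000):
            flows.append(Flow(ts=i * 0.001, src=f"198.51.100.{i % 256}", proto="udp", nbytes=100_000))
    elif kind == "syn_flood":
        # 5,000 SYNs that are never completed, on top of 100 legitimate handshakes
        for i in range(5000):
            flows.append(Flow(ts=i * 0.0004, src=f"203.0.113.{i % 256}", proto="tcp", flags="S"))
        for i in range(100):
            flows.append(Flow(ts=i * 0.02, src=f"192.0.2.{i}", proto="tcp", flags="S"))
            flows.append(Flow(ts=i * 0.02 + 0.01, src=f"192.0.2.{i}", proto="tcp", flags="A"))
    elif kind == "http_flood":
        # three bots hitting an expensive search endpoint at about 400 requests/s each
        for i in range(2400):
            flows.append(Flow(ts=(i // 3) * 0.0025, src=f"192.0.2.{i % 3}", proto="http",
                              nbytes=300, path="/search?q=x"))
    elif kind == "benign":
        # 20 visitors browsing normally over ten seconds, with DNS lookups mixed in
        for i in range(50):
            src = f"192.0.2.{i % 20}"
            flows.append(Flow(ts=i * 0.2, src=src, proto="tcp", flags="S"))
            flows.append(Flow(ts=i * 0.2 + 0.01, src=src, proto="tcp", flags="A"))
            flows.append(Flow(ts=i * 0.2 + 0.02, src=src, proto="udp", nbytes=60))
            flows.append(Flow(ts=i * 0.2 + 0.05, src=src, proto="http", nbytes=300, path="/"))
    return flows


if __name__ == "__main__":
    for kind in ("udp_flood", "syn_flood", "http_flood", "benign"):
        print(f"{kind:11} -> {sorted(classify(sample(kind))) or ['clean']}")
```

Note that the HTTP flood sample carries only a few hundred kilobytes of traffic and would never trip the volumetric detector: that is the whole point of layer-7 attacks, and why a product that only watches bandwidth misses them.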

Identifying and blocking all types of DDoS attacks

As attackers grow more sophisticated, DDoS attacks no longer fit neatly into a single category. They are becoming increasingly complex, targeting multiple layers (infrastructure, application, data, etc.) and combining different vectors to improve their odds of success. The best DDoS mitigation solution is therefore a comprehensive one that provides multi-layer defense; a single step or a linear solution will not necessarily work.

Below are some measures, tips, and techniques to identify and block all types of DDoS attacks.

Early threat detection and traffic profiling using managed, intelligent WAF and web scanning tools

  • DDoS attacks can be blocked or mitigated far more easily if they are detected early. An intelligent managed Web Application Firewall (WAF), combined with a web application scanner and a global threat intelligence database, serves both early threat detection and traffic profiling.

The automated scanner scans the web application daily and after major changes. The WAF monitors all traffic and requests. Intelligent WAFs like AppTrana that are equipped with machine learning and a global threat intelligence platform can determine whether a request comes from a human or a bot and accordingly challenge or block the bots. Solutions like AppTrana immediately notify security experts (scrubbing centers) of traffic spikes and send the full data feed to the scrubbing centers, where it is analyzed and attacks are blocked. AppTrana also profiles traffic, stores the insights from such incidents and uses them to block future attacks.

Infrastructure-level protection against volumetric and protocol-based attacks

Blocking volumetric and protocol DDoS attacks requires a strong, DDoS-resilient network architecture and infrastructure-level protection. A DDoS-resilient network architecture is globally dispersed, includes redundant resources and can absorb the extra traffic when one of the servers is under attack. The network infrastructure must also be kept current with the latest patches, strong password and authentication policies, a threat management system, and so on.

Solutions like AppTrana provide such a resilient network architecture and infrastructure-level protection against network-level (layer 3 and layer 4) attacks. In the case of volumetric attacks, as mentioned above, traffic is routed to a global network of scrubbing centers, where security experts analyze the requests, isolate the malicious ones based on bot signatures, source IPs and similar indicators, and apply rules and policies to block the attack.

Always on, instant protection against application-layer (Layer 7) attacks

Basic protection against network-level attacks is commonly included by default in hosting and CDN offerings. It is application-layer attacks that are harder to tackle and block, and they go unaddressed in many DDoS protection solutions that focus solely on volumetric attacks. An effective way to tackle layer 7 attacks is to employ a managed WAF and security solution that supports custom workflow rules and policies, for example per-endpoint rate limits, bot challenges and blocks tuned to the application's own traffic.

Always-on, instant protection against botnet attacks on specific applications is essential and is accordingly included in AppTrana's plans. Certified security experts continuously fine-tune the custom rules in real time, based on alerts from the web application and insights from analytics, to build a strong defense.
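What a "custom rule" for layer 7 looks like in practice is a per-client budget on an endpoint, evaluated on every request. The following is an added example and not code from the original article or from AppTrana: a small policy engine that parses combined-format access log lines, keeps a sliding window of recent requests per (client, rule), challenges obvious automation up front, and blocks or challenges a client once it exceeds the budget for the endpoint it is hitting. The log format, the `Rule` table, the bot user-agent pattern and the sample log lines are all constructed assumptions for the illustration; in a real deployment the decision runs at the WAF or reverse proxy rather than over logs after the fact.

```python
"""Toy layer-7 DDoS policy: sliding-window per-client limits over access log lines."""
import re
import time
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Apache/Nginx "combined" log format; assumed here, adapt the regex to your own logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Request:
    ip: str
    ts: float       # epoch seconds
    method: str
    path: str
    status: int
    ua: str


@dataclass(frozen=True)
class Rule:
    name: str
    prefix: str     # request-path prefix the rule applies to
    limit: int      # requests a single client may make within the window
    window: float   # seconds
    action: str     # "challenge" (JS/CAPTCHA) or "block" once the limit is exceeded


# Hypothetical custom rules: expensive endpoints get tight budgets, everything else a loose one.
RULES = [
    Rule("login-bruteforce", "/login", 10, 60, "block"),
    Rule("search-flood", "/search", 30, 60, "challenge"),
    Rule("generic-flood", "/", 300, 60, "challenge"),
]
# Plain automation that does not even claim to be a browser is challenged up front.
BOT_UA = re.compile(r"python-requests|curl/|Go-http-client|^$")


def parse_line(line):
    """Parse one combined-format log line into a Request, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return Request(m["ip"], ts, m["method"], m["path"], int(m["status"]), m["ua"])


class Layer7Policy:
    """Per-(client, rule) sliding window; the first rule whose prefix matches decides."""

    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(deque)   # (ip, rule.name) -> recent request timestamps

    def decide(self, req):
        if BOT_UA.search(req.ua):
            return "challenge"
        for rule in self.rules:
            if req.path.startswith(rule.prefix):
                seen = self.history[(req.ip, rule.name)]
                while seen and req.ts - seen[0] > rule.window:
                    seen.popleft()              # forget requests outside the window
                seen.append(req.ts)
                return rule.action if len(seen) > rule.limit else "allow"
        return "allow"


def run(lines, rules=RULES):
    """Evaluate every parseable line in order and return (ip, path, action) triples."""
    policy = Layer7Policy(rules)
    decisions = []
    for line in lines:
        req = parse_line(line)
        if req is not None:                     # unparseable lines are skipped in this toy
            decisions.append((req.ip, req.path, policy.decide(req)))
    return decisions


def summarize(decisions):
    return Counter(action for _, _, action in decisions)


# ---- constructed sample log, not real traffic ----
BASE = 1_700_000_000
BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"


def make_line(ip, ts, method, path, ua, status=200):
    stamp = time.strftime("%d/%b/%Y:%H:%M:%S +0000", time.gmtime(ts))
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LOG = (
    # a normal visitor: five pages in half a minute
    [make_line("192.0.2.10", BASE + 7 * i, "GET", f"/page/{i}", BROWSER) for i in range(5)]
    # one bare curl probe
    + [make_line("198.51.100.5", BASE + 3, "GET", "/", "curl/8.4.0")]
    # credential stuffing: 15 POST /login within 15 seconds from one IP with a browser UA
    + [make_line("203.0.113.7", BASE + i, "POST", "/login", BROWSER, 401) for i in range(15)]
    # a search flood: 40 requests in 20 seconds from another IP
    + [make_line("203.0.113.8", BASE + i // 2, "GET", f"/search?q={i}", BROWSER) for i in range(40)]
)

if __name__ == "__main__":
    for ip, path, action in run(SAMPLE_LOG):
        if action != "allow":
            print(f"{action:9} {ip:14} {path}")
    print(summarize(run(SAMPLE_LOG)))
```

The budgets deliberately differ by endpoint: ten login attempts a minute is generous for a human and hopeless for a credential-stuffing bot, while a search flood that never touches `/login` would sail past a single site-wide limit. Keying the window on (client, rule) rather than on the client alone is what makes that per-endpoint tuning possible.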

In conclusion, a comprehensive, intelligent and managed solution like AppTrana is the best way to identify and block all types of DDoS attacks.