Best practices for ddos mitigation in the terabit attack era

By Tom Bienkowski, Director, DDoS Product Marketing, NETSCOUT Arbor

IoT botnets changed the DDoS attack landscape, but not necessarily in the way, many people thought they would. The Mirai IoT botnet was, initially and with much success, used to launch a high volume DDoS attack which left large parts of the internet inaccessible.  After the Mirai botnet source code was released in October 2016, attackers innovated and diversified their toolkit. But, rather than focusing exclusively on high volume attacks, they used Mirai and other IoT botnets as a platform for multi-vector attacks, simultaneously targeting bandwidth, applications, and infrastructure. The evolution of Mirai code continues today.

Contrary to what may be percolating in the industry due to the emergence of highly publicized threats of ransomware and crypto jacking, however, DDoS is not dead. In fact, 57 percent of Enterprise respondents to NETSCOUT Arbor’s 13th annual Worldwide Infrastructure Security Report saw their internet bandwidth saturated due to DDoS attacks, an increase of 27 percent on the previous year, and a half (52%) had firewalls or IPS devices fail or contribute to an outage during a DDoS attack. In addition, there was a reported annual increase of 20 percent in multi-vector attacks and a 30 percent increase in application-layer attacks.

DDoS attacks clearly remain a serious concern, with 57 percent of respondents (up from 48 percent last year) citing reputation/brand damage and operational expense as the two main business impacts. 32 percent of respondents also saw an increase in revenue loss as a business impact, up from just 17 percent previously.

What, then, does this mean for defenders?  Given the increasingly complex threat landscape, the choice of DDoS protection has significant implications on the risk profile of the modern enterprise.

Cloud-only protection, for example,  leaves organizations vulnerable to  layer-7  application attacks, as well as stateful attacks targeting firewalls, while CDNs protect web traffic, but not layer-7 applications or stateful infrastructure. The modern threat landscape demands best practice DDoS defense which includes integrated on-premise and cloud-based protection. Only then will organizations be protected from the full spectrum of modern DDoS attacks.

Landscape implications

 While 2018 has ushered in an era of terabit DDoS attacks, the report ’s findings indicate that it will also prove to be a year faced with application-layer attacks. Unlike volumetric attacks, which overwhelm networks quickly by consuming high levels of bandwidth, application-layer attacks are more subtle and insidious – and much more difficult to detect and block.

The application-layer attack, sometimes called a Layer 7 attack, targets the top layer of the OSI model, which supports application and end-user processes. In these outbreaks,  attackers pose as legitimate application users, targeting specific resources and services with repeated application requests that gradually increase in volume, eventually exhausting the ability of the resource to respond. Widely regarded as the deadliest kind of DDoS attack and often fueled by Mirai botnets, application-layer attacks can inflict significant damage with a much lower volume of traffic than a typical volumetric attack, making them difficult to detect and mitigate proactively with traditional ISP or cloud-based monitoring solutions. They have a singular goal: take out a website, application or online service. While service providers can detect and block volumetric attacks as well as larger application-layer attacks, smaller application attacks can easily escape detection in the large ISP backbone, while still being large enough to cause a problem for the enterprise network or data center.

Domain name system servers (DNS), the directories that route internet traffic to specific IP addresses, are the most common targets, and HTTP and secure HTTPS services are also targeted frequently, rendering them unavailable to legitimate requests. In fact, many business-critical applications are built on top of HTTP or HTTPS, making them vulnerable to this form of attack even though they may not look like traditional public web-based applications.

WAF is not enough

But won’t a web application firewall (WAF) provide adequate protection against application-layer attacks? Since applications are the targets, this seems logical on the surface. And WAFs are certainly necessary to filter or block attempts to gain access to servers or data. However, they are vulnerable to state or resource exhaustion. The problem is that what starts as a trickle of legitimate-looking app service requests eventually turns into a flood, and application-level defenses won’t recognize the flood of legitimate requests as an attack at all. Moreover, a typical application-layer attack is often just part of a larger “blended” attack employing multiple attack methods, which may not be targeting the application layer that a WAF is analyzing.

For these reasons, a DDoS perspective is necessary to detect and thwart application-layer attacks, especially because security teams may not even realize they are under attack when the site goes offline. Unsuspecting teams can be left scrambling to restore service on they, diverting IT resources and spending hours or days to fix the problem, translating into millions of dollars of lost business.

Best practice defense against DDoS

Application-layer attacks contradict the perception of DDoS attacks as large-scale threats that overwhelm defenses and incapacitate networks through sheer brute force.  Network guardians need to be on the lookout for these smaller but smarter threats that can work their way through the slightest openings. If you’re using traditional network management tools, signs of a potential application-layer attack may manifest themselves as “503 “Service Unavailable” errors.

To effectively detect and mitigate this type of attack in real time, what’s needed is an inline, always-on solution deployed on-premise as part of a best-practice, hybrid DDoS defense strategy combining cloud-based and on-premise mitigation.  An intelligent on-premise  system will have the visibility and capacity to quickly detect and mitigate these stealthy, low-bandwidth attacks on its own, and early enough to avoid the need for cloud mitigation. Should the attack turn into a flood, the on-premise system can instantly activate cloud-based defenses through cloud signaling. Deploying any widely available on-premise component of a  hybrid  DDoS  defense solution can mitigate the vast majority of application-layer attacks before they can do damage

The best place to deploy application-layer DDoS detection and mitigation measures is  at  the traffic entry point at the  edge  of  the enterprise data center or ISP  infrastructure, ideally outside the firewall as, due to the small scale of these attacks, they are harder to detect and stop once they have worked their way into the data center or network. An edge-based DDoS protection system gives operators the ability to customize detection and mitigation for the specific applications running within the data center.

Some approaches to DDoS mitigation, such as cloud-based solutions, can have a false positive problem – blocking legitimate users while trying to block attacks. Having a dedicated, edge-based DDoS protection system allows protections to be tuned so that they won’t block legitimate application traffic or have an impact on normal users, even during an attack.

In closing, consider that on-premise doesn’t just mean the enterprise network itself.  It ’s also about the migration to “the cloud,” and the need to provide the same kind of on-premise protection for assets hosted in either public or private cloud environments, which have the same application layer vulnerability to DDoS as an on-premise datacenter. Enterprises should make sure that, as they move critical assets to the cloud, they are providing the same level of application protection there and not falling back to relying on WAF or other non-DDoS solutions for their DDoS protection. And as cloud migration continues, consider that most organizations will have a hybrid-cloud environment.  That is, a combination of applications or parts of applications running on-premise and others running in the cloud. In this case,  organizations should strive to have a single DDoS attack protection solution that they can centrally manage and configure to protect on-premise and in-cloud applications.

About the Author

Best practices for ddos mitigation in the terabit attack eraTom Bienkowski is the Director,  DDoS  Product  Marketing,  NETSCOUT Arbor. Tom has worked in the network and security industries for more than 20 years. During this time, he has served as a Network Engineer for large enterprises and has had roles in Sales Engineering /Management, Technical Field Marketing, and Product Management at multiple network management and security vendors. Currently, as Director of DDoS Product Marketing at NETSCOUT Arbor, he focuses on Arbor’s industry-leading DDoS Protection Solutions. Tom can be reached online at @arbornetworks and at our company website


March 30, 2019

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...