Over the last decade, DDoS has become one of the most common forms of cyberattack.
And that’s hardly surprising. From a bad actor’s perspective, DDoS attacks are fast, easy, low-cost… and potentially destructive enough to take targets offline for an extended period.
Responding to the growth in attacks, most organisations now have at least some DDoS protection in place. However, there are still plenty of misconceptions about DDoS attacks and the systems needed to protect against them.
In this article, we’ll answer eight common questions about DDoS protection.
Answering 8 Common DDoS Protection Questions
#1: Can my firewall protect against DDoS attacks?
A network firewall can help detect and protect against small scale and low traffic DDoS attacks, but these devices have little value against large scale attacks. There are several reasons for this:
- Firewall devices are light on computational resources and memory, which quickly become overwhelmed by high-magnitude DDoS attacks.
- Firewalls rely on a set of rules to detect malicious activity. These rules are easily circumvented, particularly by attacks that resemble legitimate traffic.
- Not all assets are behind a firewall. For example, websites, web applications, and edge devices can’t be protected by an on-premise firewall. There are alternative forms of protection for these assets—e.g., Web Application Firewalls (WAF)—but these tools are also inappropriate for protecting against DDoS attacks.
In some cases, software firewalls may decrease a network’s resilience against DDoS attacks. Normally, routers and switches use high performance hardware network processors (ASICs) and can process a significant amount of malicious traffic without service degradation. Adding firewalls in front of these high performance traffic processors can create an artificial bottleneck, allowing a smaller scale DDoS attack to disrupt the network.
#2: How do we protect against reflection amplification DDoS attacks?
Reflection and amplification are techniques used to trick legitimate Internet services into sending unwanted responses to a targeted asset.
In a reflection attack, a bad actor spoofs their target’s IP address and sends requests for information to an Internet service. The service sends its responses to the target’s IP address. When this process is conducted at scale—for example, by an entire botnet—the result is a large volumetric DDoS attack.
Amplification attacks take reflection to the next level by requesting large responses from the Internet service that must be split over several packets. This results in huge volumetric attacks that can also be difficult to detect, as the target must reassemble several packets of data per response to understand what it’s being sent.
Reflection amplification attacks are naturally worrying to organisations, particularly since they have been used to conduct some of the largest DDoS attacks ever recorded. However, the countermeasures needed to protect against them are the same as with any other DDoS attack:
- Fast and accurate DDoS detection
- Layered attack mitigation systems
There is no one-size-fits-all approach to mitigation systems—that decision needs to be made based on your organisation’s budget, network topology, and risk tolerance.
Some of the most common and effective DDoS mitigation approaches include BGP blackhole, BGP FlowSpec, blacklist filtering, and DDoS scrubbing centres. However, whatever approach you decide to adopt, you must also ensure you have detection capabilities to quickly uncover malicious activity and apply the appropriate mitigation rules, e.g., diverting traffic through a DDoS scrubbing centre.
#3: Are cloud-based DDoS protection solutions more effective?
A common argument used by cloud-based providers is that today’s large-scale DDoS attacks overwhelm local network resources before they can be detected. So, instead of local detections, these providers suggest routing traffic through a cloud DDoS protection service that filters out malicious traffic before it hits your network.
It is true that cloud services are a valuable layer in protecting against large DDoS attacks. However, not all traffic must be routed through these services all the time—this creates latency and increases costs. Instead, a powerful DDoS detection technology can identify malicious activity in seconds and route all traffic through (for example) a cloud-based scrubbing service for the duration of the attack.
DDoS Scrubbing may be an appropriate option for content providers and web hosts, as they have predominantly outgoing traffic which can be sent directly without proxying it to the scrubbing centre. However, for ISPs which have a high volume of incoming traffic, DDoS scrubbing results in much higher costs, degrades latency, and exposes more traffic to the risk of false positive attacks.
There are many ways for clean traffic to be delivered from a scrubbing centre, but most require Internet connectivity. This provides an additional link in the chain that could also be disrupted by attackers. To prevent this, organisations must have mitigation and detection in place to keep this link operational.
#4: Does digital transformation make us more vulnerable to DDoS attacks?
Yes. Digital transformation initiatives typically result in a huge increase in an organisation’s attack surface. The larger your attack surface grows, the more targets a bad actor has for DDoS attacks.
DDoS protection also becomes more challenging as your attack surface grows, requiring more sophisticated network monitoring and anomaly detection. For more information on building DDoS mitigation into your organisation’s digital transformation strategy, check out this article:
#5: Can our ISP protect us against DDoS attacks?
Many Internet Service Providers (ISPs) offer basic services to help protect customers from DDoS attacks. This makes a lot of sense, as ISPs serve as Internet gateways and—where possible—this allows them to prevent DDoS threats closer to their source.
However, ISPs do not provide the level of DDoS detection and mitigation required to protect an organisation’s business and digital operations. This is for two reasons:
- ISPs can’t risk blocking legitimate traffic, so they must be certain a connection is malicious before blocking it. This means plenty of malicious traffic passes through unfiltered.
- Modern DDoS attacks are often highly sophisticated and change techniques regularly to avoid detection. Employing fine-grained detection across an ISP’s entire traffic profile to identify these attacks is simply not feasible.
So, while it certainly doesn’t hurt to have an ISP that provides some DDoS mitigation capabilities, you shouldn’t rely on them to protect your organisation.
Most networks using the BGP protocol are connected to the Internet via more than one upstream provider for redundancy and to at least a handful of IXP (Internet Exchange Points) to reduce connectivity costs. If one ISP offers DDoS protection but others don’t, you can use a network automation solution to reroute traffic away from IXPs and remaining upstream sources to this ISP.
#6: Can our CDN provider protect us against DDoS attacks?
To a point, yes. CDN providers have everything required to deliver your web assets to a group of servers around the world. This allows website visitors to benefit from faster loading times, as they can communicate with a server close to them instead of one thousands of miles away.
As well as improving customer experience, this approach allows the provider to distribute bandwidth automatically to prevent strain on any individual server or data centre. If your website is the target of a DDoS attack, your CDN will automatically distribute incoming connections across a large number of servers, often distributed across multiple data centres and locations. For small-scale attacks, this may be enough to prevent (or at least minimise) outages.
Global CDN providers such as Fastly offer DDoS protection as part of their CDN product line. For website attacks, it may be sensible to protect your web assets by using services like these that are built with DDoS threats in mind.
However, many DDoS attacks today are far too large to be prevented purely by a CDN provider. Instead, these attacks would simply overwhelm all servers within the group (and even entire data centres), completely denying legitimate users access to your web assets. This highlights the importance of choosing a CDN provider that has itself invested in robust DDoS protection to ensure its infrastructure isn’t compromised by high volume attacks.
#7: What is the difference between DoS and DDoS?
DoS stands for Denial of Service, a category of cyberattacks that includes a wide range of techniques—including DDoS or distributed DoS. A DDoS attack is simply a DoS attack that originates from multiple sources spread across different locations. Typically, this is achieved using a botnet.
When most people hear “denial of service,” they immediately think of DDoS attacks. There’s a good reason for this. Volumetric DDoS attacks are easily the most common form of DoS and typically the most destructive and hardest to recover from. However, non-distributed DoS attacks can still be damaging, and you should have defences in place to protect against them.
Broadly, network DoS attacks fall into three categories:
Volumetric attacks, including UDP floods, ICMP floods, and other spoofed-packet floods. These attacks aim to exhaust the available bandwidth of an attacked asset (usually a website). Attacks are measured in bits per second (Bps).
Protocol attacks, including SYN floods, fragmented packet attacks, and Ping of Death. These attacks consume the resources of servers and network equipment. Attacks are measured in packets per second (pps).
Application layer attacks, including low-and-slow attacks, GET/POST floods, and slow loris attacks. These attacks aim to crash targeted web servers by overloading a web application with seemingly legitimate requests. Attacks are measured in requests per second (rps).
Note that any DoS attack can be delivered from a single attacking device or (to increase attack magnitude) by a distributed group of devices. In practice, most non-application layer attacks are delivered as DDoS attacks, as modern networks and cloud environments can usually absorb non-distributed attacks even without specialised DDoS protections.
#8 What are the most important DDoS countermeasures?
The #1 most important countermeasure for DDoS attacks is fast, accurate detection. While there are many different mitigation tools and strategies, they all rely on detecting attacks quickly and applying the appropriate mitigations.
At FastNetMon, we provide one of the fastest DDoS detection tools in the market, capable of uncovering even complex multi-vector attacks in seconds. FastNetMon integrates seamlessly with all your network hardware, mitigation capabilities, cloud analytics, and more. It also allows you to write your own custom detections and instantly deploy them across your entire network.
Want to keep your network safe? Try FastNetMon FREE for one month.