Internet-connected devices, services, and applications are now abundant in every industry.
Even traditional industries are going through rapid digital transformation programs, using technology to create or modify business processes, culture, and customer experiences.
While many organisations are deep into digital transformation initiatives, others are only just beginning. No matter where your organisation falls on that spectrum, it’s important to understand that your transformation doesn’t just increase business opportunities… it also increases risk.
Digital Transformation and the Growing Attack Surface
Any device or software asset accessible via the Internet is part of your attack surface. The more Internet-connected software and hardware assets you have, the larger your attack surface.
NIST 800-53 defines attack surface as: “The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from.”
A larger attack surface means more potential points of entry for a bad actor and more things for your organisation to protect. So, as your attack surface grows, so does your cyber risk profile.
Your risk profile also grows as your organisation comes to rely more heavily on Internet-connected assets, because the impact of a cyber incident increases with that reliance. In general, digital transformation initiatives lead to a huge expansion of an organisation’s attack surface—often much larger than the organisation believes.
Why Worry About DDoS Attacks?
DDoS attacks are among the most common—and damaging—cyberattacks. For a bad actor, DDoS attacks are typically an easy and low-cost way to achieve their objectives. While there are many types of DDoS attacks, their motivation broadly falls into three categories:
- Disruption and vandalism
- Extortion (similar to ransomware)
- Distraction while a more targeted attack occurs
If your organisation isn’t high profile due to its size or function, you probably won’t experience many attacks intended purely to disrupt operations. However, if you rely on Internet-connected assets for any of your operations, you are very likely to experience DDoS-based extortion and distraction attacks. A 2022 survey found that 70% of organisations experience between 20 and 50 DDoS attacks each month—and the number of confirmed DDoS attacks worldwide grows every year.
The business consequences of DDoS attacks can include:
- Downtime of key systems and applications
- Disruption of internal and partner operations
- Consumption of IT time and resources
- Emergency recovery costs
Naturally, the financial impact of attacks attracts most of the attention. Research shows that SMBs spend $120,000 on average to recover from a DDoS attack, while enterprises can expect costs of over $2 million. Across all industries and organisation sizes, the average cost of recovering from a DDoS attack is $218,000 before considering any ransom demands.
Costs could, of course, be much higher. An e-commerce enterprise could face enormous losses from downtime, particularly during peak business times. This makes them highly susceptible to extortion attempts, so these organisations typically have extremely robust DDoS mitigation controls.
Recovery Isn’t a Sustainable Strategy
Organisations that rely on digital assets for critical operations can’t afford to go through cycles of attacks and recovery. The cost of disrupted operations can be huge—just an hour of downtime for a high-priority application is estimated to cost $67,651. And while most attacks last less than four hours, some last much longer—days or even weeks.
Without mitigation, even minor DDoS attacks can impact service availability. This creates direct costs due to lost sales or productivity and many indirect costs associated with service recovery. Given that DDoS attacks are almost inevitable in the medium to long term, a pure recovery strategy simply doesn’t make sense.
Instead, organisations should build DDoS mitigation into their digital transformation strategy.
Building DDoS Mitigation Into Your Digital Transformation Strategy
How can you protect your expanding attack surface? Fundamentally, it comes down to four steps.
1. Understand your attack surface
This is hardly a new idea—the globally recognised ITIL framework has recommended thorough cataloguing of digital assets since the 1980s. However, in a rapidly changing digital environment, it’s far from straightforward.
Traditionally, organisations relied on a combination of scanners (particularly vulnerability scanners) and human processes to track digital assets. However, historically this process has been incomplete for many organisations, leaving them unaware of many assets—and consequently, unable to protect them. The huge increase in attack surface size for modern organisations has led to new categories of tools and services to support this process, including Attack Surface Management (ASM) tools.
Regardless of how you do it, building a complete, real-time picture of your attack surface is essential.
2. Understand and monitor network activity
The larger your attack surface grows, the more challenging it is to monitor. However, comprehensive monitoring, logging, and log analysis are essential to understanding what normal traffic looks like in your environment. Without this, there is no easy way to detect anomalies such as those observed during DDoS or other cyberattacks.
This is known as network visibility—being aware of all components within your network and how traffic flows between them. To enable effective network traffic management, your organisation should combine real-time network visibility with comprehensive logs that enable historical point-in-time visibility.
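The following is an added example, not code from the original post or from FastNetMon, of the "know what normal looks like" idea above: a per-host packet-rate baseline is built from historical windows, the current window of flow records is aggregated to the same unit, and anything above the baseline is flagged. All addresses, rates and the 60-second window are constructed for the example; the mean-plus-three-sigma threshold is an assumed choice, not a recommendation from the post. A host that has traffic but no baseline at all is also reported, since that usually means an asset missing from the inventory built in step 1.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: packets-per-second observed toward each host in
# eight earlier one-minute windows that were known to be normal.
HISTORY_PPS = {
    "192.0.2.10": [1200, 1350, 1100, 1280, 1400, 1250, 1320, 1190],
    "192.0.2.20": [300, 280, 310, 295, 305, 290, 320, 285],
}

# Constructed current window: (dst_ip, packets counted in this window).
WINDOW_SECONDS = 60
CURRENT_FLOWS = [
    ("192.0.2.10", 50000), ("192.0.2.10", 28000),   # 1300 pps in total, normal
    ("192.0.2.20", 588000),                          # 9800 pps, roughly 30x normal
    ("192.0.2.30", 3000),                            # host with no baseline at all
]


def build_baseline(history, k=3.0, floor_pps=100):
    """Per-host alert threshold: mean + k standard deviations, never below floor_pps."""
    return {host: max(floor_pps, mean(s) + k * pstdev(s)) for host, s in history.items()}


def aggregate(flows, window_seconds):
    """Collapse flow records into packets-per-second per destination host."""
    totals = defaultdict(int)
    for dst, packets in flows:
        totals[dst] += packets
    return {dst: total / window_seconds for dst, total in totals.items()}


def evaluate(rates, baseline):
    """Return {host: (observed_pps, threshold, reason)} for hosts needing attention."""
    findings = {}
    for host, pps in rates.items():
        if host not in baseline:
            # No history at all: a new asset, or one missing from the inventory.
            # That is a gap in the attack-surface picture, not necessarily an attack.
            findings[host] = (pps, None, "no baseline for host")
        elif pps > baseline[host]:
            findings[host] = (pps, baseline[host], "rate above baseline")
    return findings


def run(history=HISTORY_PPS, flows=CURRENT_FLOWS, window_seconds=WINDOW_SECONDS):
    """Baseline the history, aggregate the current window, report anomalies."""
    return evaluate(aggregate(flows, window_seconds), build_baseline(history))


if __name__ == "__main__":
    for host, (pps, threshold, why) in run().items():
        print(f"{host}: {pps:.0f} pps (threshold {threshold}) - {why}")
```

In a real deployment the history would be fed from the same collector that produces the live window, and the baseline would be recomputed on a schedule so that seasonal growth does not turn into a permanent alert.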
3. Real-time detection
Speed of detection is key to limiting the damage a DDoS attack can do. Every second that passes before you take action to mitigate an attack results in higher costs, disrupted operations, missed KPIs, and potentially lost sales.
Ideally, your organisation should implement a detection technology that processes network traffic information and detects attacks in real time. Since DDoS techniques evolve very quickly, it should be able to detect a wide range of attack types, including:
- Flood attacks via UDP, TCP, ICMP
- IP Protocol attacks via fragmented packets
- TCP Protocol attacks via SYN, SYN-ACK, and FIN floods
- Amplification attacks via NTP, SNMP, SSDP, DNS, GRE, chargen, and more
- Multi-vector attacks using a combination of techniques
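As an added example (not part of the original post, and not FastNetMon's detection engine), here is how the vectors listed above can be told apart from sampled flow records in a one-second window. Each record is classified by protocol, TCP flag combination, fragment bit and, for UDP, by whether large replies arrive from a well-known reflector port; a destination whose rate exceeds the per-vector threshold is reported, and more than one vector at once is labelled multi-vector. The thresholds, addresses and packet counts are constructed for the example and would in practice come from the baseline built in step 2.

```python
from collections import Counter, defaultdict, namedtuple

# One sampled flow record, in the shape an sFlow/NetFlow collector hands over.
# flags is a set of TCP flag letters ("S", "A", "F"); frag marks IP fragments.
Flow = namedtuple("Flow", "src dst proto sport dport packets bytes flags frag")

# UDP services commonly abused as reflectors, keyed by the source port of their replies.
AMPLIFICATION_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}
AMPLIFIED_MIN_BYTES = 400  # replies this large from a reflector port are not ordinary queries

# Per-destination packets-per-second thresholds, constructed for the example.
THRESHOLDS = {
    "udp_flood": 50000, "syn_flood": 20000, "synack_flood": 20000, "fin_flood": 20000,
    "icmp_flood": 10000, "fragment": 5000, "amplification": 5000,
}


def classify(flows, window_seconds=1, thresholds=THRESHOLDS):
    """Return {dst: sorted vectors} for every destination whose rate exceeds a threshold."""
    counters = defaultdict(Counter)
    for f in flows:
        c = counters[f.dst]
        if f.proto == "udp":
            c["udp_flood"] += f.packets
            if (f.sport in AMPLIFICATION_PORTS and f.packets
                    and f.bytes / f.packets > AMPLIFIED_MIN_BYTES):
                c["amplification:" + AMPLIFICATION_PORTS[f.sport]] += f.packets
        elif f.proto == "tcp":
            if f.flags == {"S"}:
                c["syn_flood"] += f.packets
            elif f.flags == {"S", "A"}:
                c["synack_flood"] += f.packets
            elif f.flags == {"F"}:
                c["fin_flood"] += f.packets
        elif f.proto == "icmp":
            c["icmp_flood"] += f.packets
        if f.frag:
            c["fragment"] += f.packets
    result = {}
    for dst, c in counters.items():
        # "amplification:ntp" shares the "amplification" threshold
        hits = sorted(v for v, n in c.items()
                      if n / window_seconds > thresholds[v.split(":")[0]])
        if hits:
            result[dst] = hits
    return result


def label(vectors):
    """Name the attack: a single vector, or multi-vector when several fire at once."""
    return "multi-vector" if len(vectors) > 1 else vectors[0]


# Constructed one-second window. Packet counts are already scaled up from sampling.
SAMPLE_FLOWS = [
    # NTP reflection: 468-byte replies from UDP/123, 30000 pps toward 192.0.2.10
    Flow("198.51.100.5", "192.0.2.10", "udp", 123, 40000, 30000, 30000 * 468, set(), False),
    # SYN flood against the same host's HTTPS port, 25000 pps
    Flow("203.0.113.7", "192.0.2.10", "tcp", 51000, 443, 25000, 25000 * 60, {"S"}, False),
    # ordinary established HTTPS traffic to a second host
    Flow("203.0.113.9", "192.0.2.20", "tcp", 52000, 443, 800, 800 * 900, {"A"}, False),
    # fragmented UDP toward a third host, 8000 pps
    Flow("198.51.100.9", "192.0.2.30", "udp", 4000, 4000, 8000, 8000 * 1400, set(), True),
]

if __name__ == "__main__":
    for dst, vectors in classify(SAMPLE_FLOWS).items():
        print(f"{dst}: {label(vectors)} {vectors}")
```

Note that the NTP reflection traffic stays under the generic UDP flood threshold and is only caught by the reflector-port check: a detector that looks at raw packet rate alone would have missed it while the SYN flood was the only visible vector.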
4. Use a layered approach to mitigation
Many organisations rely on their ISP or CDN provider to protect against DDoS attacks. While these companies often provide basic detection and prevention, that basic protection is not enough on its own.
DDoS mitigation requires a layered approach to match your organisation’s needs, network architecture, risk tolerance, and budget. Some common controls include:
- BGP Blackhole mitigates DDoS attacks by redirecting traffic for hosts under attack to a null0 interface. This blocks all traffic (legitimate and malicious alike) from or towards the hosts under attack, preventing the attack from overloading upstream ISPs and network equipment. The purpose of a BGP Blackhole is not to save a particular service or host but to protect the wider network and avoid large-scale network outages. It should be treated as an emergency countermeasure for when all softer mitigation approaches have failed.
- FlowSpec DDoS mitigation blocks only malicious traffic while ensuring legitimate traffic remains unaffected. This mitigation method requires the use of BGP Flowspec capable routers. Increasingly, ISPs are offering BGP FlowSpec filtering, allowing customers to rely on the very large network capacity available to upstream ISPs to filter out malicious traffic. This largely eliminates the need for DDoS scrubbing centres and significantly reduces mitigation costs.
- DDoS scrubbing centres reduce the impact of attacks by routing traffic through a cloud-based service to eliminate malicious traffic while allowing legitimate requests to pass through to your network. While effective, these services can create latency and become expensive if they are used as an “always on” security control.
- Blacklist-based filtering blocks traffic that originates from known malicious IP addresses.
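The following is an added example, not code from the original post or from FastNetMon, of the layering described for the first two controls above: a detection is first translated into the narrowest FlowSpec rule that drops only the attack traffic, and a BGP blackhole (RFC 7999 community 65535:666) is chosen only when the attack exceeds what the link can absorb and no FlowSpec-capable upstream exists, or when a measurement taken after the FlowSpec rule shows the link is still saturated. The `Detection` class, the 80% headroom figure, the discard next-hop and the victim addresses are constructed for the example, and the rendered announce lines are modelled on ExaBGP's syntax as an assumption to be checked against the deployed router or controller rather than as a documented interface.

```python
from dataclasses import dataclass
from typing import Optional

# RFC 7999 well-known BLACKHOLE community. The discard next-hop is a constructed
# placeholder that the edge router is assumed to resolve to a null0 route.
BLACKHOLE_COMMUNITY = "65535:666"
DISCARD_NEXT_HOP = "192.0.2.1"
HEADROOM = 0.8  # treat a link as saturated once traffic reaches 80% of capacity (assumed)

AMP_SOURCE_PORTS = {"ntp": 123, "dns": 53, "snmp": 161, "ssdp": 1900, "chargen": 19}


@dataclass
class Detection:
    """Output of the detection stage (hypothetical shape, not FastNetMon's)."""
    victim: str                 # attacked host
    vector: str                 # "amplification:ntp", "syn_flood", "udp_flood", "icmp_flood", "fragment"
    attack_bps: int             # estimated attack volume toward the victim
    uplink_bps: int             # capacity of the link the attack arrives on
    dport: Optional[int] = None  # destination port, when the flood targets a single one


def flowspec_rule(det):
    """Narrowest FlowSpec match that drops only the attack traffic, leaving the rest alone."""
    match = {"destination": f"{det.victim}/32"}
    kind, _, service = det.vector.partition(":")
    if kind == "amplification":
        match["protocol"] = "udp"
        match["source-port"] = f"={AMP_SOURCE_PORTS[service]}"   # replies come from the reflector port
    elif kind == "syn_flood":
        match["protocol"] = "tcp"
        match["tcp-flags"] = "syn"
    elif kind == "udp_flood":
        match["protocol"] = "udp"
        if det.dport is not None:
            match["destination-port"] = f"={det.dport}"
    elif kind == "icmp_flood":
        match["protocol"] = "icmp"
    elif kind == "fragment":
        match["fragment"] = "is-fragment"
    return {"match": match, "then": "discard"}


def blackhole_route(det):
    """Host route tagged BLACKHOLE: sacrifices the victim to keep the rest of the network up."""
    return {"route": f"{det.victim}/32", "next_hop": DISCARD_NEXT_HOP, "community": BLACKHOLE_COMMUNITY}


def plan(det, upstream_flowspec):
    """Softest control that can work: FlowSpec unless the link is overwhelmed with no upstream help."""
    fits_local = det.attack_bps < HEADROOM * det.uplink_bps
    if upstream_flowspec or fits_local:
        return [("flowspec", flowspec_rule(det))]
    return [("blackhole", blackhole_route(det))]


def escalate(det, observed_bps):
    """Next measurement cycle: if the link is still saturated after FlowSpec, fall back to RTBH."""
    if observed_bps >= HEADROOM * det.uplink_bps:
        return ("blackhole", blackhole_route(det))
    return None


def render(step):
    """Render a step as an ExaBGP-style announce line (syntax assumed, verify for your version)."""
    kind, spec = step
    if kind == "blackhole":
        return (f"announce route {spec['route']} next-hop {spec['next_hop']} "
                f"community [{spec['community']}]")
    clauses = " ".join(f"{k} {v};" for k, v in spec["match"].items())
    return f"announce flow route {{ match {{ {clauses} }} then {{ {spec['then']}; }} }}"


if __name__ == "__main__":
    det = Detection("192.0.2.10", "amplification:ntp", 4_000_000_000, 10_000_000_000)
    for step in plan(det, upstream_flowspec=False):
        print(render(step))
    follow_up = escalate(det, observed_bps=9_000_000_000)
    if follow_up:
        print(render(follow_up))
```

The ordering is the point: the blackhole announcement is never the first action, and the decision to use it is driven by a measurement (link still saturated) rather than by the mere presence of an attack.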
The Best of Breed Strategy
Many DDoS protection providers are vertically integrated services that combine some or all of the controls described above. In principle, that’s a good thing. However, these providers typically can’t provide the best available service in each control category—and they also lock customers into their ecosystem, often making it impossible to integrate with other detection and mitigation solutions.
At FastNetMon, we believe in a best-of-breed DDoS mitigation strategy. That means giving network administrators the power to design, configure, monitor, and manage their network operations (including DDoS mitigation) to suit their organisation’s needs, budget, and topology. Ours is among the fastest DDoS detection tools on the market and can uncover even complex multi-vector attacks in seconds. Integrating seamlessly with all network hardware, mitigation controls, cloud analytics, and more, FastNetMon adapts to your network—putting the power back in your hands. If you like, you can even write custom detections and deploy them through the solution.
Want to keep your network safe? Try FastNetMon FREE for one month.