Anti-DDoS systems have become a crucial part of any cybersecurity strategy.
According to the 2022 Data Breach Investigations Report, DDoS attacks account for 40% of all security incidents. Attacks are used for a variety of malicious purposes, including:
- Covering up more targeted cyberattacks.
- Extorting target organisations with ransom demands in exchange for stopping an attack.
- Disruption and cyber vandalism for ideological, personal, or political reasons.
DDoS attacks target every industry. While most organisations experience 10 or fewer attacks each year—most of which last less than four hours—some organisations experience more than a thousand attacks yearly. Typically, these are organisations that stand to lose the most from disruption, e.g., ecommerce and financial services institutions.
Having an anti-DDoS strategy is crucial regardless of which camp your organisation falls into. This article will look at three ways you can mitigate DDoS attacks.
Detection: The Key to Your Anti-DDoS Strategy
The first component of any anti-DDoS strategy is rapid detection.
Even brief exposure to a large volumetric attack can have serious consequences, particularly for organisations that rely on Internet-connected systems for their business model. Today, many DDoS attacks use sophisticated techniques to avoid detection, including cycling vectors throughout an attack to evade protective systems. To combat this, rapid and reliable DDoS detection is essential.
The detection system your organisation uses should be able to identify a broad range of attack types, including:
- UDP, TCP, and ICMP flooding attacks.
- TCP protocol attacks such as SYN, SYN-ACK, and FIN floods.
- IP Protocol attacks that use fragmented packets.
- Reflection and amplification attacks through NTP, SNMP, SSDP, DNS, GRE, Chargen, etc.
- Multi-vector attacks that employ a combination of techniques to evade mitigations.
Ideally, your organisation should have a system that can detect attacks within seconds and apply the appropriate mitigation measures.
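To make the detection requirement concrete, here is an added example (not FastNetMon code, and not from the original article) that aggregates constructed NetFlow/sFlow-style records per destination over a one-second window and names the vectors that crossed a threshold. The packet and bit-rate thresholds, the reflector port table, the RFC 5737 addresses and the sample flows are all assumptions chosen for illustration; a real deployment tunes thresholds to its own baseline traffic.

```python
"""Flow-based DDoS vector classifier: an added example, not FastNetMon's code.

Input: constructed flow records (one per sampled flow) for a one-second window.
Output: per-destination verdict naming the attack vectors seen. Thresholds,
reflector ports and sample data are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Reflector services commonly abused for amplification; the *source* port of the
# flood packets identifies the service that was reflected off.
AMPLIFICATION_PORTS = {123: "ntp", 161: "snmp", 1900: "ssdp", 53: "dns",
                       19: "chargen", 11211: "memcached"}

# Assumed per-destination alert thresholds; tune to the network's normal baseline.
THRESHOLDS = {"pps": 100_000, "mbps": 500}

# Order in which vectors are reported (statistic key -> vector name).
VECTOR_RULES = [("syn", "syn_flood"), ("syn_ack", "syn_ack_flood"),
                ("fin", "fin_flood"), ("icmp", "icmp_flood"),
                ("gre", "gre_flood"), ("frag", "ip_fragment_flood")]
MIN_SHARE = 0.3   # a vector is named when it carries >= 30% of the target's packets


@dataclass
class Flow:
    dst: str
    proto: str          # "tcp", "udp", "icmp" or "gre"
    src_port: int
    packets: int
    bytes: int
    tcp_flags: str = ""  # "S" (SYN), "SA" (SYN-ACK), "F" (FIN), "A" (ACK)
    fragmented: bool = False


def classify(flows, window_seconds=1):
    """Return {dst: {"pps", "mbps", "vectors", "multi_vector"}} for targets over threshold."""
    stats = defaultdict(lambda: defaultdict(int))
    for f in flows:
        s = stats[f.dst]
        s["packets"] += f.packets
        s["bytes"] += f.bytes
        if f.proto == "tcp":
            key = {"S": "syn", "SA": "syn_ack", "F": "fin"}.get(f.tcp_flags)
            if key:
                s[key] += f.packets
        elif f.proto == "udp":
            s["udp"] += f.packets
            if f.src_port in AMPLIFICATION_PORTS:
                s["amp_" + AMPLIFICATION_PORTS[f.src_port]] += f.packets
        elif f.proto in ("icmp", "gre"):
            s[f.proto] += f.packets
        if f.fragmented:
            s["frag"] += f.packets

    verdicts = {}
    for dst, s in stats.items():
        pps = s["packets"] / window_seconds
        mbps = s["bytes"] * 8 / window_seconds / 1e6
        if pps < THRESHOLDS["pps"] and mbps < THRESHOLDS["mbps"]:
            continue  # below both thresholds: normal traffic
        share = lambda key: s[key] / s["packets"]
        vectors = [name for key, name in VECTOR_RULES if share(key) >= MIN_SHARE]
        amp = [f"{svc}_amplification" for svc in AMPLIFICATION_PORTS.values()
               if share("amp_" + svc) >= MIN_SHARE]
        vectors += amp
        if not amp and share("udp") >= MIN_SHARE:
            vectors.append("udp_flood")   # generic UDP flood, no known reflector
        verdicts[dst] = {"pps": pps, "mbps": mbps, "vectors": vectors,
                         "multi_vector": len(vectors) > 1}
    return verdicts


# Constructed one-second sample: a SYN flood plus NTP amplification against
# .10, ordinary HTTPS traffic to .20, and an ICMP flood against .30.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "tcp", 40000, 90_000, 5_400_000, tcp_flags="S"),
    Flow("203.0.113.10", "udp", 123, 60_000, 28_800_000),
    Flow("203.0.113.20", "tcp", 443, 5_000, 6_000_000, tcp_flags="A"),
    Flow("203.0.113.30", "icmp", 0, 120_000, 7_200_000),
]

if __name__ == "__main__":
    for dst, v in classify(SAMPLE_FLOWS).items():
        print(f"{dst}: {v['pps']:.0f} pps, {v['mbps']:.1f} Mbps, vectors={v['vectors']}")
```

The classifier keys on what a flow exporter actually gives you (protocol, ports, TCP flags, fragment bit, counters), which is why reflection floods are recognised by their source port and SYN floods by flag, and a target is reported as multi-vector as soon as two independent vectors each carry a meaningful share of its packets.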
#1: Blackhole Automation
A BGP BlackHole is an affordable anti-DDoS routing technique that can effectively mitigate large volumetric attacks.
When an attack is detected, an organisation can use the Border Gateway Protocol (BGP) to broadcast rules to all routers within its network that route traffic destined for the attacked IP addresses to a null0 interface—a virtual interface that doesn’t forward or receive network traffic. The traffic is dropped from the network without any response being sent to the sender. These rules can also be pushed to upstream service providers via BGP, disrupting attacks closer to their source. This typically requires obtaining a blackholing service from your ISP—sometimes for a cost, but often free of charge—and has the significant advantage of blocking traffic before it reaches your network.
While undoubtedly effective, blackholing routes all traffic to affected IPs to a null0 interface. As a result, while a blackhole is in place, it’s likely that legitimate traffic will also be dropped, affecting the user and customer experience. However, since only traffic sent to targeted IPs is dropped, there is usually only a partial degradation of service during an attack.
Once an attack has ended, blackhole rule removal instructions can be broadcast to all routers and upstream providers via BGP. This can be done manually by a network engineer or automatically by a powerful DDoS detection solution.
#2: FlowSpec Mitigation
Another BGP-based protection, FlowSpec is an effective technique that filters out volumetric DDoS attacks at the routing stage based on predefined rules.
FlowSpec rules allow network engineers to specify mitigation actions for traffic flows that match defined criteria, such as source, destination, Layer 4 parameters, and packet data. Common actions include dropping traffic, redirecting traffic to a VRF (Virtual Routing and Forwarding instance) for further analysis, and limiting traffic to a defined rate.
A network engineer can create rules to filter traffic manually or use a powerful DDoS detection solution to generate and maintain rules automatically. FlowSpec is ideal for filtering out most volumetric attacks, including TCP floods, DNS amplification and reflection attacks, GRE floods, and SSDP, SNMP, and Memcached amplification attacks.
Unlike BGP BlackHole Mitigation, which blocks all traffic to attacked IPs, FlowSpec mitigation aims to catch only malicious traffic and stop it at the routing stage. Since these techniques are active at different stages of the DDoS attack chain, they can easily be used together for extra protection. For example, an organisation can use FlowSpec to capture and filter traffic until its network capacity is maxed out and then switch to BGP blackholing.
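The escalation described above (FlowSpec first, blackhole once the link is saturated, withdrawal when the attack ends) is easy to express as a small state machine. The following added example is not FastNetMon's code and not from the original article: it turns a detection verdict for one target into BGP controller commands rendered in ExaBGP's API syntax (which is an assumption about the controller in use; check the exact grammar against your ExaBGP or router version). The link capacity, the RFC 5737 target and next-hop addresses, the per-vector templates and the rate-limit values are likewise assumptions; the RFC 7999 BLACKHOLE community 65535:666 is the standard value.

```python
"""Mitigation escalation controller: an added example, not FastNetMon's code.

Per target it announces one FlowSpec rule per recognised vector, escalates to
an RFC 7999 blackhole once the attack exceeds the assumed link capacity, and
withdraws everything when the attack ends. Commands are rendered in
ExaBGP-style API syntax (an assumption; verify against your controller).
"""
LINK_CAPACITY_MBPS = 1000          # assumed upstream link capacity
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community
BLACKHOLE_NEXT_HOP = "192.0.2.1"   # assumed discard next-hop pointing at null0

# FlowSpec match clause and action per vector name. Ports are the abused
# reflector services; rate-limit values (bytes/s) are assumptions.
FLOWSPEC_TEMPLATES = {
    "ntp_amplification":  ("protocol udp; source-port =123;", "discard;"),
    "dns_amplification":  ("protocol udp; source-port =53;", "rate-limit 10000000;"),
    "ssdp_amplification": ("protocol udp; source-port =1900;", "discard;"),
    "snmp_amplification": ("protocol udp; source-port =161;", "discard;"),
    "syn_flood":          ("protocol tcp; tcp-flags [ syn ];", "rate-limit 1000000;"),
    "icmp_flood":         ("protocol icmp;", "rate-limit 100000;"),
    "ip_fragment_flood":  ("fragment [ is-fragment ];", "discard;"),
}


class MitigationController:
    def __init__(self, capacity_mbps=LINK_CAPACITY_MBPS):
        self.capacity = capacity_mbps
        self.active = {}  # target -> {"flowspec": [rule bodies], "blackhole": bool}

    def _blackhole_route(self, target):
        return (f"route {target}/32 next-hop {BLACKHOLE_NEXT_HOP} "
                f"community [{BLACKHOLE_COMMUNITY}]")

    def mitigate(self, target, mbps, vectors):
        """Return the commands to push for one detection event (idempotent)."""
        state = self.active.setdefault(target, {"flowspec": [], "blackhole": False})
        lines = []
        if mbps >= self.capacity:
            # Link saturated: precise filtering no longer helps, so drop the
            # per-vector rules and blackhole the /32 (upstream drops it for us).
            lines += [f"withdraw flow {body}" for body in state["flowspec"]]
            state["flowspec"] = []
            if not state["blackhole"]:
                lines.append("announce " + self._blackhole_route(target))
                state["blackhole"] = True
            return lines
        if state["blackhole"]:
            return []  # already blackholed; stay there until the attack ends
        for vector in vectors:
            if vector not in FLOWSPEC_TEMPLATES:
                continue  # no precise filter known for this vector
            match, action = FLOWSPEC_TEMPLATES[vector]
            body = (f"route {{ match {{ destination {target}/32; {match} }} "
                    f"then {{ {action} }} }}")
            if body not in state["flowspec"]:
                state["flowspec"].append(body)
                lines.append(f"announce flow {body}")
        return lines

    def clear(self, target):
        """Attack over: withdraw every rule and route announced for the target."""
        state = self.active.pop(target, None)
        if not state:
            return []
        lines = [f"withdraw flow {body}" for body in state["flowspec"]]
        if state["blackhole"]:
            lines.append("withdraw " + self._blackhole_route(target))
        return lines


if __name__ == "__main__":
    ctl = MitigationController()
    # Constructed event sequence: attack grows past capacity, then stops.
    for mbps in (273.6, 1400.0):
        for line in ctl.mitigate("203.0.113.10", mbps, ["syn_flood", "ntp_amplification"]):
            print(line)
    for line in ctl.clear("203.0.113.10"):
        print(line)
```

Two design points matter here: the controller records what it announced so that the blackhole and every FlowSpec rule can be withdrawn cleanly once the detection system declares the attack over, and a repeated event for an already-mitigated target produces no duplicate announcements, which keeps the BGP session quiet under a flapping attack.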
#3: Blocklist-Based Filtering
Blocklist filtering is a routing-level anti-DDoS technique that blocks traffic originating from specified senders. This approach can be highly effective for mitigating DDoS activity from sources known to be malicious. It can also disrupt other threats, such as malware, e.g., by blocking communications with external C2 infrastructure.
Blocklists—also known as blacklists or denylists—are produced in two primary ways:
- Developed in-house based on known or previously encountered threats.
- Purchased from external intelligence providers.
Since maintaining a current blocklist is resource-intensive and requires a broad view of the DDoS landscape, most organisations prefer to purchase them from external providers in the form of threat feeds. However, this comes with its own challenges.
Typically, providers specialise in specific types of threat content, for example, hosts known to be associated with malicious activity, hosts with adult content, or hosts with pirated content. Different providers also deliver threat content in varying formats, making it difficult for an organisation to maintain a master blocklist (including removing defunct threats) that is up to date.
To address this, organisations can use a filtering tool to ingest the various threat feeds and update the master blocklist with new and defunct threats in real time. While this approach will never be a complete solution to DDoS, it helps to mitigate known threats and lessens the need for more robust techniques such as blackholing.
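The feed-ingestion step above, as an added example that is not FastNetMon's code and not from the original article: three feeds in different constructed formats (a plain text list, a CSV carrying an explicit expiry, and a JSON export carrying a last-seen date) are normalised to IP networks, entries past their expiry are retired, prefixes already covered by a larger one are collapsed, and the result is diffed against the previous master list so that the routing layer receives only additions and removals. The feed formats, the seven-day default lifetime, the clock value and every address (RFC 5737 and RFC 3849 documentation ranges) are assumptions.

```python
"""Threat-feed normaliser for a master blocklist: an added example, not FastNetMon code.

Feeds arrive in different formats with different (or no) expiry information;
this merges them into one set of IP networks and reports the delta against the
previous master list. Formats, TTL, timestamps and addresses are constructed.
"""
import csv
import io
import ipaddress
import json
from datetime import datetime, timedelta, timezone

DEFAULT_TTL = timedelta(days=7)  # assumed lifetime for entries without an expiry


def parse_plain(text, fetched_at):
    """One indicator per line, '#' comments allowed; expiry = fetch time + TTL."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line, fetched_at + DEFAULT_TTL


def parse_csv(text, fetched_at):
    """Columns indicator,category,expires with an ISO 8601 expiry per row."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], datetime.fromisoformat(row["expires"])


def parse_json(text, fetched_at):
    """{"objects": [{"value": ..., "last_seen": ISO 8601}]}; expiry = last_seen + TTL."""
    for obj in json.loads(text)["objects"]:
        yield obj["value"], datetime.fromisoformat(obj["last_seen"]) + DEFAULT_TTL


PARSERS = {"plain": parse_plain, "csv": parse_csv, "json": parse_json}


def to_network(indicator):
    """Normalise a bare IP, a CIDR or an 'ipv4:port' entry; None if unparsable."""
    if "." in indicator and indicator.count(":") == 1:   # IPv4 with a port suffix
        indicator = indicator.split(":")[0]
    try:
        return ipaddress.ip_network(indicator, strict=False)
    except ValueError:
        return None


def build_blocklist(feeds, now, previous=frozenset()):
    """feeds: [(format, text, fetched_at)]. Returns (master, added, retired)."""
    live = set()
    for fmt, text, fetched_at in feeds:
        for indicator, expires in PARSERS[fmt](text, fetched_at):
            net = to_network(indicator)
            if net is None or expires <= now:
                continue  # malformed, or defunct: the threat has aged out
            live.add(net)
    # Collapse prefixes covered by a larger one (a /32 inside a /24 adds nothing).
    v4 = ipaddress.collapse_addresses(n for n in live if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in live if n.version == 6)
    master = frozenset(v4) | frozenset(v6)
    return master, master - previous, previous - master


def networks(*cidrs):
    """Helper to build a previous master list from CIDR strings."""
    return frozenset(ipaddress.ip_network(c) for c in cidrs)


# Constructed sample feeds and clock.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
FEED_PLAIN = "# constructed sample\n198.51.100.7\n198.51.100.0/24\n203.0.113.9:8080\nnot-an-ip\n"
FEED_CSV = ("indicator,category,expires\n"
            "192.0.2.0/28,ddos-source,2024-06-30T00:00:00+00:00\n"
            "192.0.2.200,ddos-source,2024-05-01T00:00:00+00:00\n")
FEED_JSON = json.dumps({"objects": [
    {"value": "2001:db8::1", "last_seen": "2024-05-30T00:00:00+00:00"},
    {"value": "2001:db8::2", "last_seen": "2024-05-01T00:00:00+00:00"},
]})
SAMPLE_FEEDS = [("plain", FEED_PLAIN, NOW), ("csv", FEED_CSV, NOW), ("json", FEED_JSON, NOW)]

if __name__ == "__main__":
    master, added, retired = build_blocklist(SAMPLE_FEEDS, NOW, networks("192.0.2.200/32"))
    print("master:", sorted(map(str, master)))
    print("added:", sorted(map(str, added)), "retired:", sorted(map(str, retired)))
```

Retiring defunct entries is as important as adding new ones: a stale blocklist entry keeps dropping a host long after it was cleaned up, so every entry carries an expiry and the diff against the previous list drives withdrawals, not just announcements.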
Protect Your Organisation with FastNetMon
FastNetMon fully supports all three anti-DDoS mitigations described above.
At FastNetMon, we believe speed and accuracy of detection are essential to combat the threat of DDoS attacks. As one of the fastest DDoS detection tools on the market, our solution can uncover even complex multi-vector attacks in seconds and apply the appropriate mitigation strategies.
To protect against the most advanced attacks, FastNetMon can be configured to automatically switch between mitigations throughout an attack to match changes in attack volume and vectors.
Integrating seamlessly with all your network hardware, mitigation controls, and analytics, FastNetMon adapts to your network—you can even write custom detections and deploy them instantly across your network.
Want to keep your network safe? Try FastNetMon FREE for one month.