In DDoS defense, speed is critical. Unlike malware, which can lie dormant within an organization for months, massive “fast flood” attacks can materialize in an instant and ramp up to hundreds of gigabits in a matter of seconds. Applications can appear to be working fine, and then suddenly become unavailable for no immediately apparent reason. By the time you even realize you’re under attack, significant collateral damage may well have already taken place.
DDoS attacks often strike multiple targets simultaneously, from bandwidth to applications to existing infrastructure, including network firewalls, web application firewalls (WAFs), and intrusion prevention systems (IPS). And attacks are becoming increasingly multi-vectored, employing a combination of attack methodologies and diversionary tactics to overwhelm defenses. The ability to defend your business and maintain availability of your services is directly dependent on how fast you are able to respond to these multi-pronged threats.
Three Key Determinants of Speed
So how can you trim precious seconds off your response time and put the odds in your favor? Focus on the three key determinants of speed:
- Detection
Speed of DDoS attack detection is the first and most fundamental capability required to initiate swift mitigation. The choice of solution here matters a great deal to your risk profile. Do you check the box and go with a newly added feature of your firewall, or do you opt for purpose-built DDoS protection? What are the differences, and why do they matter?
IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from those addressed by dedicated DDoS detection and mitigation products. IPS devices, for example, block break-in attempts that lead to data theft. Meanwhile, firewalls act as policy enforcers to prevent unauthorized access to data. While such security products effectively address “network integrity and confidentiality,” they fail to address the fundamental concern raised by DDoS attacks — “network availability.”
The limitations in firewalls and IPS devices reveal the key benefits of an Intelligent DDoS Mitigation Solution (IDMS).
- An IDMS is “stateless,” in other words, it does not track state for every connection. A stateful device, like a firewall or IPS, has a finite connection table and is itself vulnerable to DDoS, so it will only add to the problem.
- An IDMS does not depend on signatures created after the attack has been unleashed on the targets; rather, it supports multiple attack countermeasures. This enables out-of-the-box protection against most attack types.
- The IDMS solution supports various deployment configurations; most importantly, it allows for out-of-band deployments when needed. This flexibility can increase the scalability of the solution, which is a requirement as the size of DDoS attacks continues to increase.
- To truly address “distributed” DoS attacks, an IDMS is a fully integrated solution that supports a distributed detection method. IPS devices leveraging single segment-based detection will miss major attacks.
- Intelligent Automation
Automation is the holy grail in security these days. It helps with the staffing challenges and can be critical to speed of response. The good news is that it’s possible with the right IDMS to detect attacks and initiate mitigation automatically, often before security operators are aware of the attack. But being “automatic” and intelligently automated are two different things. IDMS solutions can intelligently incorporate dozens of built-in, automated countermeasures, each designed to target specific types of attacks.
In a hybrid DDoS defense deployment, which combines on-premise mitigation with cloud-based mitigation, a more intelligent signal can be sent from an on-premise IDMS to activate cloud-based countermeasures. Here’s an example of what we mean by intelligent automation.
An on-premise IDMS is customized to protect specific applications running in a specific datacenter. This customization includes policies with specific white/black lists, geo-location information, etc. These local, customized policies are continuously sent to a cloud-based DDoS protection service before an attack occurs, in other words during peace time. When an attack larger than the capacity of the on-premise protection occurs, a digital signal is sent to the cloud-based DDoS protection service, and attack traffic is automatically rerouted to an appropriate cloud-based scrubbing center, where the previously sent customized protection policies, among others, are automatically applied to the attack traffic. This more intelligent method of attack traffic diversion and auto-mitigation using previously sent customized policies is an example of intelligent automation.
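The following simulation is an added example and not NETSCOUT Arbor code; it models the hybrid flow described above (and the stateless detection point from the list under “Detection”) in a few dozen lines. The policy fields, packet representation, capacities, addresses and country codes are all constructed for the example; the legitimate and attack traffic is built inline so the script runs offline. It shows what the peacetime policy sync buys you: the same flood scrubbed in the cloud with the customized policy versus with only a generic fallback.

```python
"""Hybrid DDoS mitigation signalling, constructed example (not vendor code).

An on-premises mitigator (OnPremIDMS) makes stateless, per-packet decisions,
syncs its customised policy to a cloud scrubber in peacetime, and signals the
cloud with the policy version when inbound rate exceeds local capacity.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

Packet = Tuple[str, str]  # (source address, source country code); constructed


@dataclass(frozen=True)
class Policy:
    """Customised per-datacenter protection policy (fields are assumptions)."""
    version: int
    allow_list: FrozenSet[str]          # sources that are never dropped
    deny_list: FrozenSet[str]           # sources that are always dropped
    blocked_countries: FrozenSet[str]   # geo-location rule
    per_source_pps: int                 # ceiling for otherwise-unknown sources


# Generic fallback the cloud applies when no customised policy was synced.
GENERIC_POLICY = Policy(0, frozenset(), frozenset(), frozenset(), per_source_pps=20)


def apply_policy(policy: Policy, packets: List[Packet]) -> Dict[str, int]:
    """Stateless countermeasure pass: each verdict depends only on the packet
    and the policy (plus a per-interval count), never on a connection table."""
    per_source = Counter(src for src, _ in packets)
    forwarded = dropped = 0
    for src, country in packets:
        if src in policy.allow_list:
            forwarded += 1
        elif src in policy.deny_list or country in policy.blocked_countries:
            dropped += 1
        elif per_source[src] > policy.per_source_pps:
            dropped += 1  # rate-based countermeasure, no signature needed
        else:
            forwarded += 1
    return {"forwarded": forwarded, "dropped": dropped}


@dataclass
class CloudScrubber:
    """Cloud scrubbing centre holding the policy pushed during peacetime."""
    synced_policy: Optional[Policy] = None
    signals: List[dict] = field(default_factory=list)

    def sync_policy(self, policy: Policy) -> None:
        self.synced_policy = policy

    def receive_signal(self, signal: dict, diverted: List[Packet]) -> Dict[str, object]:
        self.signals.append(signal)
        # Use the customised policy only if its version matches the signal;
        # otherwise mitigation falls back to the generic policy.
        if self.synced_policy and self.synced_policy.version == signal["policy_version"]:
            return {"policy": "custom", **apply_policy(self.synced_policy, diverted)}
        return {"policy": "generic", **apply_policy(GENERIC_POLICY, diverted)}


@dataclass
class OnPremIDMS:
    capacity_pps: int
    policy: Policy
    cloud: CloudScrubber

    def peacetime_sync(self) -> None:
        self.cloud.sync_policy(self.policy)

    def handle_interval(self, packets: List[Packet], seconds: float = 1.0) -> Dict[str, object]:
        rate_pps = len(packets) / seconds
        if rate_pps <= self.capacity_pps:
            return {"action": "local", "policy": "custom", **apply_policy(self.policy, packets)}
        signal = {"policy_version": self.policy.version, "observed_pps": rate_pps}
        return {"action": "divert", **self.cloud.receive_signal(signal, packets)}


# Constructed sample traffic (documentation address ranges, made-up country codes).
POLICY = Policy(3, frozenset({"203.0.113.10"}), frozenset({"192.0.2.200"}),
                frozenset({"ZZ"}), per_source_pps=20)


def peacetime_traffic() -> List[Packet]:
    return [("203.0.113.10", "US")] * 15 + [("198.51.100.7", "DE")] * 15


def flood_traffic() -> List[Packet]:
    pkts = peacetime_traffic()
    pkts += [(f"192.0.2.{i % 10}", "ZZ") for i in range(200)]   # blocked region
    pkts += [("192.0.2.200", "US")] * 200                       # deny-listed source
    pkts += [("198.51.100.99", "FR")] * 60                      # unknown, over rate cap
    return pkts


def run_scenario(synced: bool = True):
    """Returns (peacetime result, flood result) with or without the policy sync."""
    cloud = CloudScrubber()
    idms = OnPremIDMS(capacity_pps=100, policy=POLICY, cloud=cloud)
    if synced:
        idms.peacetime_sync()
    return idms.handle_interval(peacetime_traffic()), idms.handle_interval(flood_traffic())


if __name__ == "__main__":
    for synced in (True, False):
        print("synced" if synced else "unsynced", run_scenario(synced))
```

With the sync in place the diverted flood is scrubbed down to the 30 legitimate packets; without it the generic per-source cap lets the 200 packets from the blocked region through, because that knowledge only existed in the customized on-premise policy.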
- Response
Successfully dealing with DDoS attacks starts with having the right technology solutions in place; however, that is not the end of the story. At some point, even with multiple aspects of DDoS defense being automated, from pre-installed countermeasures to the connection with cloud-based mitigation, humans play a key role in the response and overall defense. Security teams need to be prepared to recognize and respond to threats without hesitation. Preparation is the key to developing the “organizational reflexes” that speed up incident response under the pressure of an attack.
Three Key DDoS Defense Questions
- Do you have a DDoS incident response plan?
- Do you know how to escalate across the organization, with network, applications and services teams who may be impacted by an attack?
- Do you have a communications plan for regulatory or compliance issues, customers, investors and partners?
NETSCOUT Arbor’s decades of DDoS mitigation experience has proven to us that practice is essential to quick and effective incident response handling. Ignoring the critical human aspect of DDoS defense can be just as catastrophic to your business as choosing the wrong solution.
Intelligently automating the human response as much as possible will further decrease the time to mitigation, and thus the impact, of a DDoS attack.
For more detailed information about NETSCOUT Arbor DDoS Attack Protection products and services, visit https://www.arbornetworks.com/ddos-protection-products.