Several trends are evident in the latest DDoS Threat Intelligence Report from NETSCOUT: adaptive distributed denial-of-service (DDoS), direct-path TCP-based DDoS, proliferation of botnets, sociopolitical fallout, and collateral damage. What these trends have in common is that they are built to evade common DDoS defenses and to cause maximum harm to the target and to anything near it. DDoS always attempts to disrupt, destabilize, and deny availability, and it often succeeds. What prevents that success is a well-designed network with intelligent DDoS mitigation systems (IDMSs). Common myths, however, lead many organizations to poor architectural choices and to overconfidence in the protection they already have.
Common DDoS Myth #1
Many organizations are convinced that DDoS is either impossible to stop or simply isn't going to target them. This is like believing that natural disasters don't happen in your location or can't be mitigated. Consider flooding, wildfires, and windstorms: in many parts of the world these now occur in areas that previously were relatively safe. The global climate is extremely complicated, and we know conditions change over time. The same is true of the internet.
When conditions change on that scale, it is easy to conclude that nothing can be done to protect your assets. That is not the case. In places where disasters are common, communities build more resilient structures and learn from past events how to improve their defenses. In areas rarely affected, we can still learn from those who have already experienced such events and borrow their design cues to improve our own posture.
In the same way, the best practices for DDoS defense are well understood and can be implemented by any organization with the foresight to do so.
Common DDoS Myth #2
A second common belief is that the firewall and WAF already in place will stop DDoS. Firewalls are an essential part of any security stack. They act as a traffic cop on the network, stopping unwanted traffic based on predetermined information such as source and destination address, port, and protocol. But although firewalls stop much unknown and unwanted traffic, they cannot easily distinguish attack traffic from legitimate traffic on the protocols and ports they must allow, such as HTTP/S, DNS, or IMAP: a flood of well-formed requests to port 443 matches the same permit rule as a real user's session. Furthermore, web application firewalls (WAFs) are commonly deployed to stop application-layer DDoS, but they don't inspect traffic that isn't web-based and, therefore, can't see the majority of DDoS attack traffic.
Firewalls and WAFs also keep per-connection state. A stateful firewall tracks every TCP connection it permits (and, when it performs NAT, the translation between the public address it exposes and the private addresses inside the perimeter, which is a valuable layer of obfuscation); a WAF or reverse proxy goes further and terminates the client's TCP connection itself. Either way, the device holds an entry for each connection, half-open ones included, in a finite state table. That table is a resource a state exhaustion attack can fill: a spoofed SYN flood, for example, consumes a slot per packet for the whole half-open timeout while using very little bandwidth.
Ultimately, while firewalls can mitigate some types of DDoS, they are themselves stateful targets that frequently fail first and so cause the very outage they were meant to prevent. As such, they need to be protected by a stateless, purpose-built DDoS solution placed in front of them.
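To make the state-table point concrete, here is a small simulation added for this page (it is not NETSCOUT's code and not a model of any particular product). It puts a stateful device's connection table under a spoofed SYN flood mixed with legitimate clients, once as a plain stateful table and once behind a stateless SYN-cookie front end; the table size, half-open timeout, attack and client rates, session length, addresses, and the per-device secret are all assumed illustrative values.

```python
"""Toy model of TCP state exhaustion (added example, not NETSCOUT's code).

A stateful firewall or proxy keeps one connection-table slot per TCP
connection, half-open ones included, until it closes or times out. A
spoofed SYN flood never completes the handshake, so each SYN burns a slot
for the whole half-open timeout. A stateless front end that answers SYNs
with SYN cookies stores nothing until the peer echoes the cookie back.
All parameters (table size, timeout, rates, session length) are assumed."""
import hashlib
import hmac
import random

SECRET = b"per-device-secret"  # assumed; a real device rotates this


class ConnTable:
    """Connection table of a stateful device: fixed capacity, entries freed
    only when the connection closes or its timer expires."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.slots = {}  # key -> second at which the entry expires
        self.peak = 0

    def expire(self, now):
        for key in [k for k, exp in self.slots.items() if exp <= now]:
            del self.slots[key]

    def add(self, key, expiry):
        """Allocate a slot; return False (connection refused) when full."""
        if len(self.slots) >= self.capacity:
            return False
        self.slots[key] = expiry
        self.peak = max(self.peak, len(self.slots))
        return True


def syn_cookie(src, dst, sport, dport, bucket):
    """Stateless SYN cookie: a keyed hash of the 4-tuple and a coarse time
    bucket is sent as the server's initial sequence number, so nothing is
    stored until the client proves it received it by echoing it back."""
    msg = f"{src}:{sport}>{dst}:{dport}@{bucket}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def cookie_valid(cookie, src, dst, sport, dport, now, bucket_len=30):
    """Accept the cookie for the current or the previous time bucket."""
    bucket = now // bucket_len
    return cookie in (syn_cookie(src, dst, sport, dport, bucket),
                      syn_cookie(src, dst, sport, dport, bucket - 1))


def attack_bandwidth_mbps(syn_per_s, frame_bytes=60):
    """Line rate of a bare SYN flood (minimum-size Ethernet frame assumed).
    Rates that exhaust a state table sit far below volumetric thresholds."""
    return syn_per_s * frame_bytes * 8 / 1e6


def simulate(attack_syn_per_s=2000, legit_per_s=20, capacity=10_000,
             halfopen_timeout=30, session_len=5, seconds=40,
             syn_cookies=False, seed=1):
    """Per-second model of a device under a spoofed SYN flood mixed with
    legitimate clients. Returns legitimate attempts/accepts, the number of
    seconds in which fewer than half the legitimate clients got through,
    and the peak table occupancy."""
    rng = random.Random(seed)
    table = ConnTable(capacity)
    dst, dport = "203.0.113.10", 443  # assumed target (documentation range)
    attempts = accepted = outage_seconds = 0
    for now in range(seconds):
        table.expire(now)
        events = ["attack"] * attack_syn_per_s + ["legit"] * legit_per_s
        rng.shuffle(events)  # arrivals within the second interleave at random
        ok = 0
        for i, kind in enumerate(events):
            src = ".".join(str(rng.randrange(256)) for _ in range(4))  # spoofed or real source
            sport = rng.randrange(1024, 65536)
            key = (src, sport, now, i)
            if kind == "attack":
                if syn_cookies:
                    syn_cookie(src, dst, sport, dport, now // 30)  # reply, store nothing
                else:
                    table.add(key, now + halfopen_timeout)  # slot held until timeout
                continue
            attempts += 1
            if syn_cookies:
                # A real client completes the handshake by echoing the cookie,
                # so state is allocated only for a proven-reachable source.
                cookie = syn_cookie(src, dst, sport, dport, now // 30)
                if not cookie_valid(cookie, src, dst, sport, dport, now):
                    continue
            if table.add(key, now + session_len):
                ok += 1
        accepted += ok
        if ok < legit_per_s / 2:
            outage_seconds += 1
    return {"legit_attempts": attempts, "legit_accepted": accepted,
            "outage_seconds": outage_seconds, "peak_table": table.peak}


if __name__ == "__main__":
    for cookies in (False, True):
        print(f"syn_cookies={cookies}: {simulate(syn_cookies=cookies)}")
    print(f"flood line rate: {attack_bandwidth_mbps(2000):.2f} Mbit/s")
```

With the assumed numbers, 2,000 spoofed SYNs per second fill a 10,000-slot table within five seconds; legitimate clients are then refused until the half-open timer starts freeing slots at the 30-second mark, and because the flood refills freed slots the outage returns one timeout period later. Behind SYN cookies the spoofed SYNs allocate nothing, occupancy stays at the legitimate concurrency (about 100 entries) and every real client connects. The flood that does this runs at under 1 Mbit/s, which is why an upstream volumetric scrubbing threshold never notices it and why the stateless layer has to sit in front of the stateful device.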
Common DDoS Myth #3
Content delivery networks (CDNs) are designed to distribute (mostly web) content at massive scale, placing it as close to the end user as possible to improve performance and reliability and to reduce latency. By the nature of their architecture, they are well suited to absorb large surges in traffic. In fact, part of the design is intended to weather such surges, whether benign (such as vendor patch or OS upgrade distributions) or malicious (such as DDoS attack traffic).
Indeed, CDNs can be quite effective at mitigating DDoS when the target is a resource served from their infrastructure. Unfortunately, that is only part of the solution. Although many DDoS attacks target web resources and applications, the majority do not, so an organization relying on CDN-based DDoS protection remains exposed to most DDoS vectors: anything aimed at an origin, a DNS server, a VPN concentrator, or any other service the CDN does not front never passes through it. WAFs share the same blind spot. Ironically, many CDN-based DDoS solutions are paired with cloud-based or inline WAFs for "enhanced" DDoS protection. Although WAF + CDN is almost certainly an improvement, the combination is still blind to the majority of DDoS traffic.
Certainly, CDNs can effectively mitigate DDoS traversing their infrastructure. However, the applications and services not delivered via the CDN remain vulnerable and need to be protected by a stateless, purpose-built DDoS solution.
Current Best Practice for DDoS Mitigation
The broadly accepted best practice for DDoS mitigation is a layered, defense-in-depth approach such as the one shown in the accompanying figure. It combines cloud-based or upstream protection against volumetric floods, which must be stopped before they saturate the organization's links, with inline, on-premises, and/or in-cloud intelligent DDoS mitigation systems that are stateless and purpose-built to defend against all DDoS vectors targeting any protocol or application, including the state exhaustion and application-layer attacks that are too small to trip an upstream volumetric threshold. A further layer is a real-time feed of highly curated DDoS threat intelligence. This final layer keeps the solution ready for the latest evolving threat vectors and enables an automated, immediate response to DDoS threats.
To learn more about current DDoS attack trends and defenses, check out the latest NETSCOUT DDoS Threat Intelligence Report. You can also find additional information about NETSCOUT DDoS solutions for service providers and enterprises on our website.