DDoS (Distributed Denial of Service)
DDoS is an attempt to exhaust the resources available to a network, application, or service so that genuine users cannot gain access.
Beginning in 2010, and driven in no small part by the rise of Hacktivism, we’ve seen a renaissance in DDoS attacks that has led to innovation in the areas of tools, targets and techniques. Today, the definition of a DDoS attack continues to grow more complicated. Cyber criminals utilize a combination of very high volume attacks, along with more subtle and difficult to detect infiltrations that target applications as well as existing network security infrastructure such as firewalls and IPS.
What are the Different Types of DDoS Attacks?
Distributed Denial of Service attacks vary significantly, and there are thousands of different ways an attack can be carried out (attack vectors), but an attack vector will generally fall into one of three broad categories:
Volumetric Attacks
Volumetric attacks attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet. These attacks are simply about causing congestion.
TCP State-Exhaustion Attacks
TCP State-Exhaustion attacks attempt to consume the connection state tables which are present in many infrastructure components such as load-balancers, firewalls and the application servers themselves. Because a SYN sent from a spoofed source never completes the handshake, each one occupies a table entry until the device's timeout expires, so even high capacity devices capable of maintaining state on millions of connections can be taken down by these attacks.
Application Layer Attacks
Application Layer attacks target some aspect of an application or service at Layer 7. These are the most dangerous kind of attack because they can be very effective with as few as one attacking machine generating a low traffic rate; the requests complete a valid TCP handshake and look like legitimate HTTP, which makes these attacks very difficult to detect and mitigate proactively. Application layer attacks have come to prominence over the past three or four years, and simple application layer flood attacks (HTTP GET floods, for example) have been among the most common denial of service attacks seen in the wild.
Today's sophisticated attackers are blending volumetric, state exhaustion and application-layer attacks against infrastructure devices all in a single, sustained attack. These cyber attacks are popular because they are difficult to defend against and often highly effective.
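The three categories above, and the blended case, as a constructed detection example added here (it is not code from the original page or from NETSCOUT): one time window of flow records is checked against a separate heuristic per category, so a blended attack lights up several categories at once. The Flow record layout, the thresholds (LINK_BPS, CONN_TABLE_MAX and the others) and the sample traffic generators are all assumptions made for illustration, not values from the page.

```python
"""Classify one time window of flow records into the three DDoS categories.
Added example, not NETSCOUT code; record layout, thresholds and samples are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One flow record, roughly what a parsed NetFlow/IPFIX export or a web
    server access log entry yields (constructed layout, not a real schema)."""
    ts: float            # seconds since the start of the window
    src: str             # source IP
    dst: str             # destination IP
    dport: int
    proto: str           # "tcp" or "udp"
    flags: str = ""      # TCP flags in this record: "S", "SA", "A", ...
    nbytes: int = 0      # bytes carried by the flow
    http_path: str = ""  # set only when a complete HTTP request was seen


# Hypothetical tuning knobs for the protected site (assumptions).
LINK_BPS = 1_000_000_000   # 1 Gbit/s Internet uplink
CONN_TABLE_MAX = 10_000    # state table capacity of the firewall / load balancer
VOLUMETRIC_FRACTION = 0.8  # alarm when more than 80% of the link is consumed
STATE_FRACTION = 0.8       # alarm when more than 80% of the state table is held
L7_REQ_PER_SRC = 50        # requests from one source to one path per window
L7_MAX_SOURCES = 10        # "few sources" for the application-layer heuristic


def half_open_connections(flows: List[Flow]) -> int:
    """Estimate half-open TCP connections: SYNs whose (src, dst, dport) never
    sent a follow-up ACK inside the window. A SYN flood from spoofed sources
    never completes the handshake, so each entry sits in the state table
    until the device's timeout expires."""
    syn_seen, completed = set(), set()
    for f in flows:
        if f.proto != "tcp":
            continue
        key = (f.src, f.dst, f.dport)
        if f.flags == "S":
            syn_seen.add(key)
        elif "A" in f.flags:
            completed.add(key)
    return len(syn_seen - completed)


def classify_window(flows: List[Flow], window_s: float) -> Dict[str, dict]:
    """Return the DDoS categories the window matches, keyed by category name,
    each with the measurement that triggered it. A blended attack returns
    several keys at once."""
    findings: Dict[str, dict] = {}

    # Volumetric: is the uplink itself saturated, regardless of protocol?
    bps = sum(f.nbytes for f in flows) * 8 / window_s
    if bps > VOLUMETRIC_FRACTION * LINK_BPS:
        findings["volumetric"] = {"bps": bps, "sources": len({f.src for f in flows})}

    # TCP state exhaustion: too many half-open connections for the state table.
    half_open = half_open_connections(flows)
    if half_open > STATE_FRACTION * CONN_TABLE_MAX:
        findings["tcp_state_exhaustion"] = {"half_open": half_open}

    # Application layer: few sources hammering one path at low bandwidth, so
    # the requests complete the handshake and look like legitimate HTTP.
    per_src_path = Counter((f.src, f.http_path) for f in flows if f.http_path)
    hot = {k: n for k, n in per_src_path.items() if n >= L7_REQ_PER_SRC}
    if hot and len({src for src, _ in hot}) <= L7_MAX_SOURCES:
        findings["application_layer"] = {
            "offenders": [{"src": s, "path": p, "requests": n} for (s, p), n in hot.items()]
        }
    return findings


# Constructed sample traffic (documentation address ranges, not real captures).
TARGET = "203.0.113.10"


def constructed_udp_flood(n_sources: int = 1000, nbytes: int = 120_000) -> List[Flow]:
    """Reflection/amplification style: many sources, large byte counts."""
    return [Flow(0.0, f"198.51.100.{i % 254 + 1}", TARGET, 80, "udp", nbytes=nbytes)
            for i in range(n_sources)]


def constructed_syn_flood(n: int = 9000) -> List[Flow]:
    """Spoofed SYNs, each from a fresh source, never acknowledged."""
    return [Flow(i / n, f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
                 TARGET, 443, "tcp", flags="S", nbytes=60) for i in range(n)]


def constructed_http_flood(src: str = "192.0.2.7", n: int = 60) -> List[Flow]:
    """One host repeating an expensive search request at a low data rate."""
    return [Flow(i / n, src, TARGET, 443, "tcp", flags="A", nbytes=400,
                 http_path="/search?q=expensive") for i in range(n)]


if __name__ == "__main__":
    blended = constructed_udp_flood() + constructed_syn_flood() + constructed_http_flood()
    for name, sample in [("udp", constructed_udp_flood()), ("syn", constructed_syn_flood()),
                         ("http", constructed_http_flood()), ("blended", blended)]:
        print(name, sorted(classify_window(sample, window_s=1.0)))
```

The point of the three separate measurements is that no single one covers the others: the HTTP flood sample is only 192 kbit/s and opens no half-open connections, so a bandwidth or SYN-rate alarm never fires on it, while the SYN flood is only a few Mbit/s yet holds 9,000 state table entries. Real deployments replace the constructed thresholds with the measured link capacity and the vendor-stated table sizes of the devices in the path.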
The problem doesn't end there. According to Frost & Sullivan, DDoS attacks are "increasingly being utilized as a diversionary tactic for targeted persistent attacks." Attackers use DDoS tools to distract the network and security teams while simultaneously installing malware and other advanced persistent threats in the network, with the goal of stealing intellectual property and/or critical customer or financial information.
Why are DDoS attacks so dangerous?
DDoS represents a significant threat to business continuity. As organizations have grown more dependent on the Internet and web-based applications and services, availability has become as essential as electricity.
DDoS is not only a threat to retailers, financial services and gaming companies with an obvious need for availability. DDoS attacks also target the mission critical business applications that your organization relies on to manage daily operations, such as email, sales force automation, CRM and many others. Additionally, other industries, such as manufacturing, pharma and healthcare, have internal web properties that the supply chain and other business partners rely on for daily business operations. All of these are targets for today's sophisticated cyber attackers.
What are the consequences of a successful DDoS attack?
When a public facing website or application is unavailable, that can lead to angry customers, lost revenue and brand damage. When business critical applications become unavailable, operations and productivity grind to a halt. When internal websites that partners rely on go down, the supply chain and production are disrupted.
A successful DDoS campaign also means that your organization has invited more attacks. You can expect attacks to continue until more robust DDoS defenses are deployed.
What are your DDoS Protection Options?
Given the high profile nature of DDoS attacks, and their potentially devastating consequences, many security vendors have suddenly started offering DDoS protection solutions. With so much riding on your decision, it is critical to understand the strengths, and weaknesses, of your options.
Existing Infrastructure Solutions
(Firewalls, Intrusion Detection/Protection Systems, Application Delivery Controllers / Load Balancers)
IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products. IPS devices, for example, block intrusion attempts that lead to data theft. Meanwhile, a firewall acts as a policy enforcer to prevent unauthorized access to data. While such security products effectively address network integrity and confidentiality, they fail to address the fundamental concern in a DDoS attack: network availability. What's more, IPS devices and firewalls are stateful, inline devices, which means they are themselves vulnerable to state-exhaustion attacks and often become the targets.
Similar to IDS/IPS and firewalls, ADCs and load balancers have neither broader network traffic visibility nor integrated threat intelligence, and they are also stateful devices vulnerable to state-exhausting attacks. The increase in state-exhausting volumetric threats and blended application-level attacks makes ADCs and load balancers a limited and partial solution for customers requiring best-of-breed DDoS protection.
Content Delivery Networks (CDN)
The truth is that a CDN addresses the symptoms of a DDoS attack by simply absorbing these large volumes of data. It lets all the information in and through. All are welcome. There are three caveats here. The first is that there must be bandwidth available to absorb this high-volume traffic; some of these volumetric attacks exceed 300 Gbps, and all that capacity comes at a price. Second, there are ways around the CDN: not every webpage or asset will utilize the CDN, and if the origin server's IP address is discoverable, attackers can send traffic directly to it and bypass the CDN entirely. Third, a CDN on its own does not protect from an application-layer attack, because requests for dynamic or uncacheable content pass straight through to the origin. So let the CDN do what it was intended to.
Web Application Firewall (WAF)
A WAF is a stateful packet processing device designed to stop web-based application attacks, and therefore does not stop all DDoS attack types, such as TCP state-exhaustion attacks. Any sort of reflection or amplification flooding attack using numerous sources would overwhelm a WAF, rendering the entire solution useless. The bottom line is that these two technologies are complementary in protecting organizations from attack, but a WAF alone will not protect from the full range of DDoS attack vectors.
What is NETSCOUT’s Approach to DDoS Protection?
NETSCOUT's Arbor DDoS solution has been protecting the world’s largest and most demanding networks from DDoS attacks for more than a decade. We strongly believe that the best way to protect your resources from modern DDoS attacks is through a multi-layer deployment of purpose-built DDoS mitigation solutions.
Only with a tightly integrated, multi-layer defense can you adequately protect your organization from the full spectrum of DDoS attacks.
- Arbor Cloud (Tightly integrated, multi-layer DDoS protection)
- Arbor Edge Defense (On-Premises)
- Arbor SP/Threat Mitigation System (High Capacity On-Premise Solution for Large Organizations)
NETSCOUT customers enjoy a considerable competitive advantage by getting both a micro view of their own network, via our products, combined with a macro view of global Internet traffic, via NETSCOUT Cyber Threat Horizon, an interface to our ATLAS threat intelligence and a DDoS Attack Map visualization.