DDoS attackers have multiple motivations and options of attack tools and services.
When it comes to cybersecurity, and specifically Distributed Denial of Services (DDoS) attacks, the question is not if, but when, your organization will be a target. With “bad actors” constantly improving attack methods, the risks of experiencing negative impact to your business including increased costs, lost revenue due to service downtime, or a hit to your reputation are greater than ever.
To accurately determine your organization’s risk of a DDoS attack, and to be ready to stop or mitigate the impact, you need to be aware of the latest trends in DDoS attacks and the best practices in defense.
You can always improve your security, and that starts with questioning your current assumptions.
“We are confident we have cybersecurity risk under control. Haven’t had an attack in a long while.”
NETSCOUT Security Expert:
Have you considered DDoS attacks? They are serious attacks that impact availability. DDoS attacks are by name, an attempt to deny a service; that can be any number of services, denied for any purpose.
According to our latest NETSCOUT Threat Intelligence Report, there were over 6 million attacks in the 1H of 2022 which put us on pace to experience over 12 million attacks this year globally.
This brings the new monthly normal to over 1 million attacks per month!
The combination of multiple motivations and plethora of cheap DDoS attack tools and services means the odds of your organization becoming the target of a DDoS attack are increasing.
“DDoS attacks are obvious to detect and we know how to respond.”
NETSCOUT Security Expert:
We hear that a lot. The modern-day DDoS attack is more complex than you think. There are basically three main types of DDoS attacks.
The first is Volumetric. This is commonly what most people think of as a DDoS attack. These attacks are designed to flood internet facing circuits with illegitimate traffic and as you said are obvious to detect. A volumetric attack can be as large as 1 Tbps, but the fact is that the vast number of DDoS attacks are under 1 Gbps in size and last for only a few minutes.
The two other types of DDoS attacks are State Exhaustion and
Application Layer. Each uses a different set of attack vectors and has a different objective in mind.
“What is a state exhaustion attack and why should I be concerned?”
NETSCOUT Security Expert:
State Exhaustion attacks are designed to fill state tables in stateful devices such as your firewall, VPN concentrator, or load balancer with illegitimate TCP connections. When these state tables fill, legitimate connections cease and the services behind
these devices are no longer available.
“What is an application layer attack and why should I be concerned?”
NETSCOUT Security Expert:
Application Layer attacks are much smaller sized, very hard to detect, and designed to slowly exhaust resources in application servers. Examples include HTTP GET/PUT floods, partial requests, slow reads or excessive payload attacks. When these application layer resources are exhausted, the application stops.
“And you’re saying these different attack types can be used against me simultaneously?
NETSCOUT Security Expert:
Yes absolutely. Remember those cheap readily available DDoS attack tools? They can easily launch a complex multi-vector DDoS attack with a simple click of a button.
And sometimes a DDoS attack can even be a distraction while other types of cyber attacks are occurring.
“Good thing we are safe–we have our ISP and firewalls for DDoS protection.”
NETSCOUT Security Expert:
Unfortunately, that’s not enough protection. Your ISP will be required to stop the large volumetric attack that is big enough to saturate your internet circuit. But
your ISP will struggle to detect and stop smaller, shortlived volumetric attacks, state exhaustion, and especially application layer attacks before the damage is done.
These type of attacks need an on-premise, stateless, DDoS attack protection solution. This on-premise protection is deployed just inside your internet router and in front of your stateful firewall or other stateful devices such as VPN concentrator or load balancer.
“Our cloud-based DDoS solution will protect us.”
NETSCOUT Security Expert:
Like ISP DDoS protection, cloud DDoS protection is designed to detect illegitimate traffic targeting Internet facing circuits prior to getting to your network.
Unfortunately, attackers today execute reconnaissance on your network so they can adjust vectors to evade these cloud solutions. The new vectors will be smaller and mimic legitimate traffic making them difficult to mitigate.
“Why is the firewall not enough?”
NETSCOUT Security Expert:
State exhaustion attacks fill finite sized, state tables in stateful devices with illegitimate connections causing it to stop legitimate connections – thus denying service.
There are multiple reasons you should not rely on just firewalls:
• Firewalls do offer rudimentary DDoS attack protection such as basic SYN, UDP, ICMP flood protection. But even this limited protection impacts the performance of more important functionality such as throughput of layer-7 inspection, SSL decryption and VPN termination.
• Since a firewall relies upon inspection of bi-direction connections, it cannot work in an asymmetric-routing scenario where only incoming DDoS attack packets are seen.
• A firewall will not provide you detailed the visibility into dropped DDoS attack traffic.
• A firewall will have no way to intelligently communicate with a cloud-based scrubber solution for mitigation of large DDoS attacks.
"So, how can NETSCOUT help me?"
NETSCOUT Security Expert:
NETSCOUT Omnis AED is a stateless device that acts as first and last line of defense against DDoS attacks.
NETSCOUT helps customers all over the world defend themselves and mitigate the risk from DDoS attacks.