We know they’re a huge problem — any organization can be targeted by the wrath of a massive DDoS attack, from government websites to individual’s blogs. But as attacks have become bigger, more frequent and more widespread, it seems that they’re increasingly being regarded as an unstoppable force majeure, like a hurricane or earthquake, which simply has to be survived.
It’s not difficult to understand why we’ve found ourselves in this situation. Neustar’s annual Worldwide DDoS Attacks & Cyber Insights Research Report (PDF) states that the average size of a DDoS attack has doubled to 50Gbps, and the number of DDoS attacks worldwide has increased by 15 percent over the past 12 months, across all sectors. Additionally, 84 percent of the more than 1,000 organizations polled in the report said that they had been targeted by an attack in the past 12 months, with 45 percent experiencing more than five attacks in that time.
Further, the report found that DDoS is increasingly being used as a smokescreen — 42 percent of respondents said that the DDoS attacks they experienced were accompanied by malware and 27 percent were accompanied by either ransomware or extortion by threatening further DDoS attacks. It’s no surprise that the average loss of revenue experienced by organizations hit with a DDoS attack was $2.5 million.
These are sobering statistics. Organizations need to step up their game, face reality and take ownership of their networks – NOW. We can’t just grin and bear it.
It Should Always be for Keeps
Understanding how well (or not) websites and networks deal with the unexpected spikes in inbound traffic is the first step in dealing with DDoS attacks. Traditionally, load balancing strategies help smooth the peaks and troughs in traffic by spreading traffic volumes, in turn, mitigating the impact of DDoS attempts. However, even effective load-balancing strategies cannot prevent large-scale DDoS attacks from bringing applications to a grinding halt. So what then?
The only way to know if a network can handle that level of traffic or not is via stress-tests of devices, applications, and data centers. Moreover, the process helps to understand exactly how to respond to realistic DDoS conditions. The key is to choose a testing solution that uses a broad range of realistic attack flows — especially emulation of DDoS exploits at a similar scale to the real-world attacks we are currently seeing. As these attacks continue to increase in volume and frequency, it is essential to formulate plans that can mitigate the impact of DDoS attacks while making the infrastructure more resilient.
Make Sure to Read the Scouting Report
Another effective method is preventing malicious traffic from reaching networks in the first place by intelligently pre-filtering traffic. This approach dramatically reduces the strength and impact of an attack, while also improving the efficiency of firewalls and related security solutions – making it easier for them to identify threats while reducing false positive alerts.
This can be done using a specialized gateway that continually monitors and proactively filters malicious IP addresses that are used in DDoS attacks. The gateway is fed with real-time, constantly updated threat and application intelligence feeds on known bad IP addresses. When traffic from these malicious addresses is received by the gateway, it is automatically filtered out at network line speeds – it never touches the network.
This same strategy can even be extended to block traffic from the IP addresses of entire geographical areas where you do not have business interests. Research shows that the command and control centers used to direct DDoS attacks are overwhelmingly located in a handful of countries globally. If your organization does not conduct business in one of these countries, why not block all traffic originating there, and slash your exposure to botnet attacks in a single step?
Find the Cheats
The additional benefit of using threat intelligence gateways to filter IP traffic is that they can also identify existing bot infections that are already on a network. It is estimated that over 80 percent of organizations globally are infected with bots that are stealthily sending sensitive data to criminals, are being leveraged for DDoS attacks, or both. The gateway can inspect traffic leaving your network: if that traffic is heading to an IP address known to be a botnet command and control server, it is filtered and blocked automatically. This disables the bot by quarantining it permanently.
Clearly, the immediate advantage of the IP address filtering strategy is the dramatic reduction of your organization’s vulnerability to both external DDoS attacks, and stopping data leaks and network exploitation by any existing bot infections.