DDoS defence: the need for speed

Fast detection and automated responses are your best friends in a DDoS attack.

In DDoS defence, speed is critical. Massive ‘fast flood’ attacks can materialise in an instant and ramp up to hundreds of gigabits in a matter of seconds. Applications can appear to be working fine and then suddenly become unavailable for no immediately apparent reason. By the time you even realise you’re under attack, significant collateral damage may well have already taken place.

DDoS attacks often strike multiple targets simultaneously, from bandwidth to applications to existing infrastructure, including network firewalls, web application firewalls (WAFs) and intrusion prevention systems (IPS).

The fact is that attacks are becoming increasingly multilayered, employing a combination of attack methodologies and diversionary tactics to overwhelm defences. The ability to defend your business and maintain the availability of your services is directly dependent on how fast you can respond to these multipronged threats.

Three key determinants of speed

So how can you trim precious seconds off your response time and put the odds in your favour? The answer is that you need to focus on the three key determinants of speed.

Detection

Speed of DDoS attack detection is the first and most fundamental capability required to initiate swift mitigation. The choice of solution here matters a great deal to your risk profile. Do you check the box and go with a newly added feature to your firewall, or do you opt for purpose-built DDoS protection? What are the differences and why does it matter?

IPS devices, firewalls and other security products are essential elements of a layered-defence strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products. IPS devices, for example, block break-in attempts that cause data theft. Meanwhile, firewalls act as policy enforcer to prevent unauthorised access to data.

While such security products effectively address network integrity and confidentiality, they fail to address a fundamental concern regarding DDoS attacks — network availability.

The limitations of firewalls and IPS devices reveal the key benefits of an Intelligent DDoS Mitigation Solution (IDMS):

• An IDMS is ‘stateless’; in other words, it does not track the state of all connections. A stateful device, such as a firewall or IPS, is vulnerable to DDoS and will only add to the problem.
• An IDMS solution does not depend on signatures created after the attack has been unleashed on the targets; rather, it supports multiple attack countermeasures. This enables out-of-the-box protection against most attack types.
• The IDMS solution supports various deployment configurations; most importantly, it allows for out-of-band deployments when needed. This flexibility can increase the scalability of the solution, which is a requirement as the size of DDoS attacks continues to increase.
• To truly address ‘distributed’ DoS attacks, an IDMS is a fully integrated solution that supports a distributed detection method. IPS devices leveraging single segment-based detection will actually miss major attacks.

Automation

Automation is the Holy Grail of security these days. It helps with the staffing challenges and can be critical to speed of response. The good news is that it’s possible with the right IDMS to detect attacks and initiate mitigation automatically, often before security operators are aware of the attack. IDMS solutions can incorporate dozens of built-in, automated countermeasures, each designed to target specific types of attacks.

In a hybrid DDoS defence deployment, which combines on-premise with cloud-based mitigation protection, a signal can be sent from an IDMS to activate cloud-based countermeasures instantly and automatically when attack volume reaches a specified threshold. This is especially important as attacks become not only larger in size, but also increasingly multilayered in their approach.

Response

Successfully dealing with DDoS attacks starts with having the right technology in place; however, that is not the end of the story. At some point, even with multiple aspects of DDoS defence being automated — from pre-installed countermeasures to the connection with cloud-based mitigation — humans must play a key role in the response and overall defence.

Security teams need to be prepared to recognise and respond to threats without hesitation. Preparation is the key to develop the ‘organisational reflexes’ to speed up incident response when an organisation is under the immediate pressure of an attack.

So, to summarise:

• Do you have a DDoS incident response plan?
• Do you know how to escalate this across the organisation, with network, applications and services teams who may be impacted by an attack?
• Do you have a communications strategy to ensure that you are compliant with the new mandatory data breach notification law if customer data has been stolen or exposed during an attack?

It has been proven to me, time and time again, that practice is essential to quick and effective incident response handling. Ignoring the critical human aspect of DDoS defence can be just as catastrophic to your business as choosing the wrong solution.

Pictured: Tim Murphy, ANZ Country Manager, NETSCOUT Arbor.

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.