It’s not difficult to understand why this situation has arisen. Neustar’s annual ‘Worldwide DDoS Attacks & Cyber Insights Research Report’ states that the average size of a DDoS attack has doubled to 50Gbps, and the number of DDoS attacks worldwide has increased by 15% over the past 12 months, across all sectors. 84% of the more than 1000 organizations polled in the report said that they had been targeted by an attack in the past 12 months, and 45% had experienced more than five attacks in that time.
Further, the report found that DDoS is increasingly being used as a smokescreen for other types of attack. 42% of respondents said that the DDoS attacks they experienced were accompanied by malware (10% up on the previous year), and 27% were accompanied by either ransomware or extortion by threatening further DDoS attacks, up from 15% in 2016. As such, it’s no surprise that the average loss of revenue experienced by an organization hit with a DDoS attack was $2.5 million.
Traditionally, there have been two main strategies available to businesses looking to protect themselves against botnet attacks.
Testing times
The first relates to the ability of your websites and networks to cope with the unexpected spikes in inbound traffic that DDoS attacks produce. Load balancing strategies can help to smooth the peaks and troughs by spreading traffic volumes, and this can be an important method for mitigating the impact of DDoS attempts. However, even effective load-balancing strategies can be overwhelmed by a large-scale DDoS attack, bringing applications to a grinding halt.
So it’s important to stress-test your devices, applications, networks and data centers to understand exactly how they respond to realistic DDoS conditions. The key is to choose a testing solution that uses a broad range of realistic attack flows – especially emulation of DDoS exploits at a similar scale to the real-world attacks we are currently seeing. As these are increasing in volume and frequency all the time, it’s essential that the test simulations match real-world DDoS types and volumes, so that you can formulate plans to mitigate their impact and make your infrastructure more resilient.
The second strategy relates to the security tools an organization uses, such as firewalls, which focus on identifying and blocking malicious traffic. These are extremely effective at doing this, but the processing power needed to proactively analyze very high volumes of network traffic, identify malicious packets and block them places a heavy burden even on latest-generation, high-capacity firewalls. Throw enough malicious traffic at them, and the deluge will significantly reduce their analysis performance which, in turn, causes a performance drain across the network as well.
Intelligent IP filtering
However, there is a third strategy: preventing malicious traffic generated by the botnets which are the source of DDoS attacks from reaching your networks in the first place, by intelligently pre-filtering the traffic. This approach dramatically reduces the strength and impact of an attack, while also improving the efficiency of your firewalls and related security solutions – making it easier for them to identify threats and reducing false positive alerts.
This can be done using a specialized gateway that continually monitors and proactively filters malicious IP addresses that are used in DDoS attacks. The gateway is fed with real-time, constantly-updated threat and application intelligence feeds on known bad IP addresses. When traffic from these malicious addresses is received by the gateway, it is automatically filtered out at network line speeds – so that it never touches your networks.
This same strategy can even be extended to block traffic from the IP addresses of entire geographical areas where you do not have business interests. Research shows that the command and control centers which are used to direct DDoS attacks are overwhelmingly located in a handful of countries globally. If your organization does not conduct business in one of these countries, why not block all traffic originating there, and slash your exposure to botnet attacks in a single step?
Finding leaks
There’s an additional benefit of using threat intelligence gateways to filter IP traffic: they can also identify existing bot infections which are already on your network. It is estimated that over 80% of organizations globally are infected with bots, which are stealthily sending sensitive data to criminals, and can also be harnessed to launch DDoS attacks on other networks. The gateway can also inspect traffic leaving your network: if that traffic is heading to an IP address known to be a botnet command and control server, it is filtered and blocked automatically. This disables the bot by quarantining it permanently.
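As an added illustration, not code from the article or from any vendor's product, here is a minimal Python model of the gateway logic described in the three sections above: inbound traffic from known bot sources or from blocked geographies is dropped, and outbound connections to known command-and-control addresses are dropped with the internal host recorded as infected. All feeds, country codes and flow records are constructed placeholders drawn from the RFC 5737 and RFC 6598 documentation ranges, not real indicators.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder feeds (documentation ranges, not real indicators).
KNOWN_BAD_SOURCES = ["203.0.113.0/24", "198.51.100.7/32"]  # inbound DDoS bot sources
KNOWN_C2_SERVERS = ["192.0.2.10/32"]                        # botnet command-and-control
GEO_PREFIXES = {"XX": ["100.64.0.0/10"]}  # hypothetical country code -> prefixes
BLOCKED_COUNTRIES = {"XX"}                # countries where we do no business

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    direction: str  # "in" (Internet -> us) or "out" (us -> Internet)

class ThreatIntelGateway:
    def __init__(self, bad_sources, c2_servers, geo_prefixes, blocked_countries):
        # Feeds are parsed once; a real gateway would reload them as they update.
        self.bad_sources = [ipaddress.ip_network(p) for p in bad_sources]
        self.c2_servers = [ipaddress.ip_network(p) for p in c2_servers]
        self.geo_blocked = [ipaddress.ip_network(p)
                            for cc in blocked_countries for p in geo_prefixes.get(cc, [])]

    @staticmethod
    def _match(addr, networks):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in networks)   # IPv4/IPv6 mismatch is simply False

    def decide(self, flow):
        """Return (verdict, reason) for one flow; a real gateway does this per packet."""
        if flow.direction == "in":
            if self._match(flow.src, self.bad_sources):
                return "DROP", "known-bad-source"
            if self._match(flow.src, self.geo_blocked):
                return "DROP", "geo-blocked"
        elif flow.direction == "out" and self._match(flow.dst, self.c2_servers):
            return "DROP", "c2-beacon"        # an internal host is talking to a C2 server
        return "ALLOW", "no-match"

def infected_hosts(gateway, flows):
    """Internal addresses whose outbound traffic was dropped as C2 beaconing."""
    return {f.src for f in flows
            if f.direction == "out" and gateway.decide(f) == ("DROP", "c2-beacon")}

# Constructed sample flow log.
SAMPLE_FLOWS = [
    Flow("203.0.113.55", "10.0.0.5", "in"),   # bot source -> DROP
    Flow("100.64.3.9", "10.0.0.5", "in"),     # blocked geography -> DROP
    Flow("198.18.0.20", "10.0.0.5", "in"),    # legitimate visitor -> ALLOW
    Flow("10.0.0.7", "192.0.2.10", "out"),    # existing bot beaconing home -> DROP, quarantine 10.0.0.7
]
```

The outbound rule is what turns a pure DDoS pre-filter into the leak detector the section describes: the blocked flow itself is the evidence that the source host is already compromised.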
Clearly, the immediate advantage of the IP address filtering strategy is the dramatic reduction of your organization’s vulnerability to external DDoS attacks, together with stopping data leaks and network exploitation by any existing bot infections. But this approach has other benefits as well. Your existing security infrastructure, and your IT teams, will function more efficiently as a result of the reduced processing overhead, and will be better able to quickly identify and respond to attacks.
It’s time to stop being in denial about the DDoS threat, and to start strengthening our lines of defense against it.