Six ‘Lessons Learned’ For Mitigating DDoS Attacks
The world of DDoS is dynamic and evolving. So, when considering the most important features that a DDoS Mitigation should have, it’s always worth examining them in light of recent trends and applying some lessons learned.
That, however, can be a rather time-consuming assignment. But worry not. We’ve done the hard work for you. Here’s a list of our top six ‘lessons learned’ you’ll want to apply if you want to ensure that any mention of the term ‘DDoS’ doesn’t keep you awake at night.
Get Always-on Scalable Mitigation
The biggest and baddest attack, Memcached, came as a surprise with a record breaking attack in terms of throughput. Reports claim that it surpassed 1 Tbps by using a new, previously unused attack vector: vulnerable Memcached servers exposed to the Internet.
If there’s one thing this teaches us, it’s to always expect the unexpected. In other words, prepare for the worst with an always-on scalable mitigation solution that can handle big Tera attacks at any moment.
Protect Yourself Against Today’s and Tomorrow’s Threats
Protecting against unknown threats is way more important than known threats.
Here’s why. During February 2018, the Memcached attack hit its first targets: around 50,000 unsecured Memcached installations on the Internet that were used as DDoS reflectors. Given the element of surprise, the potential to launch a damaging attack was high. Soon after, however, the quantity of exposed servers dropped significantly. Today there are just 3,500 Memcached installations, and so the amplification factor and risk of a damaging attack are much lower.
The lesson learned: Unknown threats have greater potential to be much more harmful. Make sure that your DDoS Mitigation solution uses technologies such as NBAD and machine learning, as they can detect and block previously unseen attacks.
Get Fast Mitigation
Remember Mirai, the famous digital Godzilla? Mirai increased the frequency of massive attacks because it could easily propagate to compromised IoT devices. Even more importantly, it introduced a new attack technique known as pulse wave attacks which produced massive spikes to the target and lasted only a few minutes. These attacks challenged traditional scrubbing center solutions that divert traffic, and often take 10 to 15 minutes to mitigate and attack. By the time the scrubbing center detected an attack, it was already over.
Lesson learned: With subscribers expecting the best QoE and minimal disruption, any DDoS mitigation needs to react in seconds rather than minutes. The faster the better.
Contain Outbound Attacks
The Mirai botnet also intensified an old problem that needs addressing: outbound attacks originating from within the network. With the botnet propagating so quickly, it infected many devices. So much so that when commanded to launch a DDoS attack, they not only threatened the target victim but also the source network infrastructure where the compromised IoT reside. Consequently, it generated enough congestion to jeopardize users’ QoE and also resulted in getting into DNS IP blacklists.
Lesson learned: To avoid such large-scale damage, a DDoS Mitigation solution should be able to protect the network from both internal and external threats.
Catch Even the Smallest Attacks
Why should anyone care about small attacks, after all their impact is insignificant, right?
In fact, the majority of attacks are small. And many simultaneous small attacks add up to a lot of used bandwidth. This is what drives an operator to make unnecessary upgrades to infrastructure. While a single small attack of say 200 Mbps may not be felt in the operator network, it may disrupt an Enterprise network.
If you are an enterprise or a CSP providing a managed anti-DDoS service to enterprise customers, small attacks are very important to detect and mitigate.
Lesson learned: Solutions which rely on NetFlow sampling usually deliver a 1:10,000 sampling ratio and therefore cannot detect attacks below 1Gbps. Inline devices, however, inspect 100% of network traffic and are far more likely to detect and mitigate even the smallest attacks.
Go Real Deep
During May 2018, a new hacker’s evasion technique was published. It enabled reflective amplified floods to bypass traditional DDoS mitigation techniques. The randomized nature of attack traffic made it extremely challenging to filter. This technique used DNS floods leveraging a uPnP exploit.
Lesson learned: Even if you have a solution that can handle any threat, known and previously unknown, you still need a solution that can inspect the traffic deep enough into the payload (DPI) to be able to form a distinctive pattern in spite of the randomization employed to the TCP/IP packet header.
There are a lot of DDoS Mitigation solutions out there. Many of which apply some of the ‘lessons learned’ mentioned above. But you’ll be heard pressed to find one that applies them all. Unless of course, you turn to Allot.