DDoS Attacks (Part III) - Winning the DDoS Arms Race

In the two previous weeks, we’ve taken a look at what hacktivists are targeting with DDoS attacks and what companies can do to protect their online presence against these attacks.

Today I’ll address the fact that even by erecting “barricades” to help stem the tide that occurs when a DDoS attack happens, the reality is that it’s far cheaper to generate bogus traffic than it is to identify what’s legitimate. In other words, with most infrastructural fixes, the sheer volume of incoming requests that happen from a DDoS attack will rapidly exceed in-house capacity.

That’s why even when you establish an in-house policy to address the problem, it’s important to consider third-party options on the market — and why they should be part of every organization’s defense strategy.

Every organization’s Internet service provider should be considered a resource. But relying on your ISP is a quick fix, and not always the best one.

The problem with most ISPs is that their core business competency is focused on providing backbone services and getting data packets from one location to another. Even if they offer DDoS mitigation services, you should double-check their claims and ask: can they conduct deep-packet inspection? Do they have specialized DDoS mitigation tools available? Can they mitigate 100-plus gigabit-per-second attacks?

The reason I ask that you double-check this is that ISPs understandably have a duty to serve their entire customer base, not just any one customer. If an ISP believes — and there are times when this will be the case — that the attack traffic coming through you affects the stability of the services it provides to its other customers, its only option is to shut you down. This is the “greater good” argument that every ISP will ask of itself, and it’s often valid.

Then there’s the content delivery network, or CDN, option. This is the strategy of having server farms deployed offsite, and it’s particularly popular with content-heavy companies, such as those in media and e-commerce. CDN providers cache static content on their own servers, so that visitors get content from them instead of you. However, just because they offer savings while enhancing core performance, it doesn’t mean they’re the best defense against DDoS attacks.

The problem with the CDN option is that many such attacks are dynamic in nature — they’re designed to identify and target weak points. More specifically, they’re crafted to isolate dynamic content sources, such as login pages and search boxes, which are squarely placed in the origin servers. This bypasses the strength of the CDN option and goes to the heart of the problem.
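One way a defender can see this bypass in practice is to check origin-server access logs for requests to dynamic endpoints that never passed through the CDN. The following is an added illustration, not code from the article or from any vendor; the CDN address range, the dynamic path prefixes and the log lines are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed CDN egress range (constructed; a real deployment would use the
# provider's published ranges) and the dynamic paths the article singles out.
CDN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
DYNAMIC_PREFIXES = ("/login", "/search")

# Constructed origin access-log sample: "<client_ip> <method> <path> <status>"
SAMPLE_LOG = """\
203.0.113.10 GET /static/logo.png 200
203.0.113.10 GET /static/app.js 200
198.51.100.7 POST /login 401
198.51.100.7 POST /login 401
198.51.100.7 GET /search?q=a 200
198.51.100.7 GET /search?q=b 200
203.0.113.11 GET /search?q=shoes 200
"""


def came_via_cdn(ip: str) -> bool:
    """True if the request reached the origin from a CDN address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def is_dynamic(path: str) -> bool:
    """True for uncacheable endpoints that must be served by the origin."""
    return path.split("?", 1)[0].startswith(DYNAMIC_PREFIXES)


def analyse(log_text: str, threshold: int = 3):
    """Return (direct_dynamic_hits, offenders).

    direct_dynamic_hits counts requests for dynamic content that hit the
    origin without passing through the CDN, i.e. the bypass described above.
    offenders lists client IPs whose direct dynamic-request count reaches
    the threshold; these are candidates for rate limiting or blocking.
    """
    direct = Counter()
    for line in log_text.splitlines():
        ip, _method, path, _status = line.split()
        if is_dynamic(path) and not came_via_cdn(ip):
            direct[ip] += 1
    offenders = sorted(ip for ip, n in direct.items() if n >= threshold)
    return sum(direct.values()), offenders


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))  # (4, ['198.51.100.7'])
```

The same logic generalises to any path list and any set of provider ranges; the tighter mitigation is to have the origin accept connections only from the CDN in the first place, so that such entries never appear.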

Finally, there’s the cloud-based DDoS mitigation provider. In a business environment, it offers the best defense against most DDoS attacks.

A dedicated, third-party DDoS mitigation service by nature comes with significant bandwidth capability — not infinite, perhaps, but certainly more than most other options. It should have the right staff, with experience and expertise in this evolving field. It should have sophisticated and diverse DDoS mitigation equipment, since no one piece of hardware can be deployed to handle all attacks. In fact, a good team will use a strategic approach when the attack comes, and deploy the solution that best fits the attack vector. Of course, it must also have deep-packet inspection capabilities.

Going one level deeper, the provider needs to have diversity in its bandwidth sources — that’s the only way to handle attacks that feature hundreds of gigabits of data. It needs to have connectivity from many providers in order to ensure resiliency. (This is why cloud computing is so invaluable in this regard.) And it needs to be fully aware of new attack modes, along with new technologies to deal with them.

That’s why I think the best way to look at DDoS attacks is to see them as a kind of arms race — the best resource is one that’s specifically dedicated to stockpiling weapons, and knowing how to use them judiciously. And in today’s threat environment, that’s vital.


Miguel Ramos is the Senior Product Manager of Neustar, Inc., a provider of real-time information and analysis to the Internet, telecommunications, entertainment, advertising and marketing industries throughout the world. 

