All organizations with an Internet presence should worry about Distributed Denial-of-Service (DDoS) attacks – some more than others. It is a fact of life that the Internet brings all sorts of benefits to organisations but also a huge amount of risks. DDoS attack protection should be at the top of the list of any company with business-critical applications accessible on the Internet.
According to Symantec, attackers can now rent Distributed Denial-of-Service (DDoS) attack services for as little as $5. The largest DDoS attack can reach more than 300 Gbps in traffic volume with the rising cost to businesses globally climbing to hundreds of millions every year. Gartner forecasts that DDoS will continue to be a major issue for e-commerce infrastructures in the near as well as long term future. Planning ahead and re-assessing your current DDoS posture is a must.
Many products claim to give organizations the ultimate protection against DDoS. Some vendors are good at mitigating certain types of DDoS, other vendors provide a truly complete cloud and on-premises solution to keep your digital infrastructure and apps safe 24/7.
It can be a stressful experience when under a DDoS, where network devices are failing under strain. Best to plan before the attack instead of patching things during an ongoing assault. By planning ahead and putting in place a defence in depth design and resilient digital infrastructure, organizations can be confident that they will deal with the most sophisticated DDoS attacks.
DDoS Defence in Depth Architecture
Having designed and implemented several network and security systems to defend against the most sophisticated DDoS assaults, I strongly recommend a defence in depth approach using a multi-tier protection.
Tier 1 — DDoS Network Defence Layer
The first-tier focus is at the network layer only. The primary protection target is at L3 and L4 of the OSI. No need to dive deep into the packet inspection, this layer should deal with the detection of known botnets IPs, bad IP sources, bad IP reputation, known bad geolocation, and reputation-based filtering using threat intelligence. The type of attacks stopped at this layer will include SYN floods, TCPfloods, ICMP floods, etc. Since your DDoS protection equipment is designed to look at packets at L3 and L4, the detection, throttling, and dropping of connections is done at greater speed with little or no negative impact on the ‘clean’ application traffic.
Tier 2—DDoS Application Defence Layer
The second tier focuses exclusively on DDoS attacks at the upper layers of the OSI including L5, L6, and L7. The goal is to deploy application aware checks with context and application logic intelligence. SSL offload is required to inspect encrypted content and stop L7 DDoS application related attacks. Relying on a deep understanding of the application traffic and business transactions logic is crucial in order to protect your web applications. CPU intensive transactions requiring deep packet inspection will be carried out at these layers to maximum efficiency of your second line of protection.
A resilient and robust DDoS system can be achieved with defence in depth principles. These principles apply not only to DDoS protection alone, but also to other cyber-attacks vectors. Understanding the nature of the DDoS attack is crucial to provide a long-term, effective, and resilient solution. Separating network level and application level transactions is a known, tested, and effective approach to protect against DDoS attacks.
This article was originally published on the iCyber-Security Blog.