DDoS Protection: 8 Simple Tactics
Update 12/05/2022: You could call it “DDOS diplomacy.” The event in question occurred in November, when a Russia-linked threat actor temporarily shut down the European Parliament’s website with a distributed denial of service (DDoS) attack, knocking it offline for approximately two hours. The incident occurred soon after EU lawmakers passed a resolution labeling Russia as a state sponsor of terrorism.
The attack has been attributed to a suspected state-sponsored threat actor called Killnet. Purportedly under the Kremlin’s direction, such threat actors have been known to use DDoS attacks to express Russia’s displeasure with a variety of foreign powers. The attacks can bring a target’s online presence to its knees for hours, an effective yet vastly more benign form of aggression compared to outright military conflict — with the added benefit of official deniability.
This recent attack against the EU is also consistent with past Killnet activity. This group, among others, is known to target companies and government agencies that support Ukraine. In October, the group briefly took down New York’s LaGuardia, Los Angeles International, and several other American airports’ websites. In March, it shut down a U.S. airport’s website in retaliation for U.S. material support for Ukraine, according to a federal cybersecurity advisory.
These malicious activities add to the burdens carried by CISOs in the public and private sectors, who must be prepared to contend with adversarial fallout from actions taken by their organizations, such as expressing public support for Ukraine. These geopolitically motivated actions could include retaliatory DDoS attacks. To help you prepare, we offer eight strategies enclosed in our previously published article below.
Imagine if you couldn’t access your bank account, or if your doctor couldn’t get to your medical records. What if you discovered that you couldn’t stop the progress of a threat campaign because network resources had been exhausted?
These are extreme examples of the damage a distributed denial of service (DDoS) attack can cause. Large scale attacks can result in reduced capability or complete loss of critical services, reputational damage, loss of productivity, and extensive remediation costs.
There’s more. While attacks have gotten shorter, they’ve become more frequent. As mentioned in a previous blog, frequent short attacks can do more harm than their longer, less frequent counterparts. Internet reliability can depend on fractions of a second, and greater attack frequency means more work for network administrators and security practitioners.
DDoS may not be the most sophisticated threat on the block, but it’s no pushover.
Table of Contents
- DoS and DDoS
- How Does a DDoS Attack Work?
- DDoS Attack Motivations
- The Three Most Common Types of DDoS Attacks
- How do I Know if I’m Under DDoS Attack?
- Eight Ways to Stop DDoS Attacks
DoS and DDoS
Denial-of-service (DoS) attacks target a specific application or website with the goal of exhausting the system’s resources, which renders the target unreachable or inaccessible to legitimate users. A DoS attack becomes a DDoS attack when the fake traffic originates from multiple unique IP addresses or machines; this often involves thousands of infected devices attacking in tandem.
How Does a DDoS Attack Work?
First, the attackers gain control of multiple computers and other Internet of Things (IoT) devices, and install a type of malware called a bot. The bot converts the machines to the threat actor’s cause. Collectively, the compromised machines form a network called a botnet. The actor directs the botnet to overwhelm the intended target’s system with more connection requests than it can handle, and so that system becomes unresponsive or inaccessible to legitimate users.
As mentioned, a wide variety of internet-connected devices may make up a botnet, including IoT devices. According to the Cybersecurity and Infrastructure Security Agency (CISA), IoT devices often use default passwords and lack regular security updates, making them vulnerable to compromise and exploitation. Because the infection of IoT devices often goes unnoticed by users, an attacker could easily assemble a vast number of devices into a formidable botnet.
For example, the Fodcha DDoS botnet has over 60,000 active nodes, 40 command-and-control (C2) domains and can generate over 1 terabit per second (Tbps) of attack traffic. In just a single day, this one malware targeted 1,396 devices. Prominent targets of this botnet included healthcare organizations and law enforcement agencies.
The more traffic a DDoS attack produces, the harder it is for an organization to effectively respond to and recover from the attack. The increase in traffic also makes it harder to attribute the attack, because the true source of the traffic becomes tougher to identify.
DDoS Attack Motivations
DDoS attack motives include ideology, marketplace competition, cyber vandalism, extortion, cyberwarfare and smokescreens. Let’s briefly unpack each of these motives.
Ideology
Hacktivists, like the Killnet group, use DDoS attacks to target organizations – governments, politicians, companies, etc. – that they disagree with ideologically. Hacktivists, generally speaking, may not be the most technically savvy, and they often rely on off-the-shelf tools. However, they can still have an impact on your operations. The notorious Anonymous collective attacks or one-off hacktivist attacks related to the pandemic are examples.
Marketplace Competition
When the motive is a battle for business, the DDoS attacks are often executed by professional threat actors. The purpose of the attack in this case is to disrupt a competitor’s website, for example, which can encourage that competitor’s customers to switch to the perpetrator’s business while also causing financial and reputational damage.
According to one report, following a successful DDoS attack, small businesses could end up paying more than $100,000 to recover; larger companies may incur costs of up to $2 million per incident.
Cyber Vandalism
Cyber vandals are individuals or groups that execute cyberattacks without any obvious rational criminal, political, or ideological motive. This group also uses off-the-shelf tools – the Low Orbit Ion Cannon, for example – in addition to DDoS-for-hire services.
Extortion
In this case, cybercriminals use DDoS attacks — or the threat of one — to extort money from their intended targets.
Cyberwarfare
Advanced persistent threats and nation-state-linked threat actors typically launch this type of DDoS attack. They often target a country’s critical infrastructure, including financial, healthcare, transportation, and communication services.
Smokescreens
Sophisticated threat actors sometimes use DDoS attacks to distract security and IT teams or weaken security systems. This helps them to artificially create vulnerabilities for a potentially larger attack campaign such as network infiltration, data theft, and malware infection.
The Three Most Common Types of DDoS Attacks
1. Application-Layer Attacks
The goal of an application-layer attack, or HTTP flood, is to exhaust network resources and create a denial-of-service situation. Attackers target the server layer where web pages are generated and delivered in response to HTTP requests. Then they flood the server with numerous requests, overloading it, which results in denial-of-service.
2. Protocol Attacks
Protocol attacks, or state-exhaustion attacks, cause denial-of-service by overconsuming server or network resources. For example, the attacker sends many initial connection requests (the classic case is a SYN flood). The target then holds a half-open connection for each one, waiting for the final step of the TCP handshake. But the connection is never finalized, and the target’s connection-tracking resources are exhausted.
3. Volumetric Attacks
In a volumetric attack, the attacker creates network congestion by consuming the available bandwidth between devices and the internet. Large amounts of data are sent to the victim, typically using a botnet. Common forms of this kind of attack are DNS amplification and other reflection/amplification attacks. According to CISA, the actors use a third-party server (the “reflector”) as an intermediary: it receives requests whose source IP address has been spoofed to the victim’s, and sends its (often much larger) responses to that address.
How do I Know if I’m Under DDoS Attack?
One of the biggest issues that defenders face with DDoS attacks is separating fake connection requests from legitimate ones. Advanced telemetry tools – like those in CylanceGUARD® from BlackBerry, for example – can help spot signs of a DDoS attack. The specific signs vary with the type of attack, but here are some general signs to look for:
- Unusually slow network performance in opening files or accessing websites.
- Unavailability or inaccessibility of websites.
- Irregular amounts of traffic from a single IP address or IP range.
- Sluggish application performance.
- High processor and memory utilization.
- An abnormal surge in requests to a single page or endpoint.
- Odd traffic patterns such as spikes at odd hours of the day or patterns that appear to be unnatural.
- An abnormal amount of traffic from users who share a single behavioral profile. For example: device type, geolocation, or web browser version.
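Several of the signs above (an outsized share of requests from one IP, a surge against one endpoint, many clients sharing one profile) can be checked directly against web-server access logs. The following script is an added example, not code from the original article or from BlackBerry: it parses lines in the Apache/Nginx "combined" log format and flags those three indicators within a recent time window. The thresholds, the window length and the sample log lines are constructed for illustration and should be tuned against your own baseline traffic.

```python
"""Scan web-server access logs for the DDoS warning signs listed above.

Added example, not code from the original article. It reads lines in the
Apache/Nginx "combined" log format and flags three of the indicators:
an outsized share of requests from one client IP, a surge of requests to
one endpoint, and many distinct clients sharing one User-Agent string.
The thresholds and the sample log lines below are constructed for
illustration; tune the thresholds to your own baseline traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_indicators(lines, window_s=60, ip_share=0.30, path_share=0.50,
                    ua_min_clients=5, min_requests=10):
    """Examine the last `window_s` seconds of traffic and return a dict:

      single_ip -> {ip: count}   IPs sending >= ip_share of all requests
      hot_path  -> {path: count} endpoints receiving >= path_share of requests
      shared_ua -> {ua: n_ips}   User-Agents seen from >= ua_min_clients IPs
      rps       -> requests per second observed in the window
    Windows with fewer than `min_requests` requests are not judged.
    """
    recs = [r for r in map(parse_line, lines) if r]
    result = {"single_ip": {}, "hot_path": {}, "shared_ua": {}, "rps": 0.0}
    if not recs:
        return result
    latest = max(r["ts"] for r in recs)
    recent = [r for r in recs if (latest - r["ts"]).total_seconds() <= window_s]
    total = len(recent)
    result["rps"] = round(total / window_s, 2)
    if total < min_requests:
        return result

    by_ip = Counter(r["ip"] for r in recent)
    by_path = Counter(r["path"] for r in recent)
    ips_per_ua = defaultdict(set)
    for r in recent:
        ips_per_ua[r["ua"]].add(r["ip"])

    result["single_ip"] = {ip: n for ip, n in by_ip.items() if n / total >= ip_share}
    result["hot_path"] = {p: n for p, n in by_path.items() if n / total >= path_share}
    result["shared_ua"] = {ua: len(ips) for ua, ips in ips_per_ua.items()
                           if len(ips) >= ua_min_clients}
    return result


# Constructed sample: a few ordinary visitors, one client hammering /login,
# and a small crowd of distinct IPs that all present the same scripted UA.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2022:14:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/106.0"',
    '192.0.2.11 - - [10/Nov/2022:14:00:03 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '198.51.100.7 - - [10/Nov/2022:14:00:05 +0000] "GET /contact HTTP/1.1" 200 1780 "-" "Mozilla/5.0 (X11; Linux) Chrome/107.0"',
]
SAMPLE_LOG += [
    f'10.0.0.5 - - [10/Nov/2022:14:00:{10 + i:02d} +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.85.0"'
    for i in range(12)
]
SAMPLE_LOG += [
    f'203.0.113.{i} - - [10/Nov/2022:14:00:{30 + i:02d} +0000] "POST /login HTTP/1.1" 401 312 "-" "python-requests/2.28.1"'
    for i in range(1, 7)
]

if __name__ == "__main__":
    for key, value in find_indicators(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the script reports 10.0.0.5 as a single dominant source, /login as the hot endpoint, and the six clients sharing the python-requests User-Agent as one behavioral profile. Any one of these on its own can have an innocent explanation (a crawler, a product launch, a corporate NAT), which is why the article recommends correlating several signs rather than acting on one.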
Eight Ways to Stop DDoS Attacks
1. Improve Cyber Resiliency With an Advanced ZTNA Solution
According to Verizon’s 2022 Data Breach Investigations Report (DBIR), DDoS was the most prevalent form of attack. When zero trust network access (ZTNA) is embraced, it can be effective mitigation against these cataclysmic attacks. A cloud native ZTNA solution that incorporates strong endpoint protection capabilities – like CylanceGATEWAY™ – can provide a trifecta of protection, detection and prevention against DDoS attacks.
Network Protection: A proper ZTNA solution for mitigating DDoS attacks protects the network because it proxies traffic into the enterprise network rather than requiring inbound ports to be opened; with no directly exposed listener, organizations are fundamentally protected from DDoS.
Threat Detection: The ZTNA solution utilizes intrusion detection systems to detect malicious traffic based on patterns of network flows at three independent layers: Domain Name System (DNS), Internet Control Message Protocol (ICMP), and Transport Layer Security (TLS). In addition, network traffic is continuously evaluated, and risk factors are calculated over multiple vectors. Advanced solutions combine machine learning, IP reputation, and risk scoring to create a dynamic blacklist of internet destinations that are actively blocked.
Prevention: Malicious intrusion attempts such as SQL injection, spoofing of the Address Resolution Protocol (ARP), man-in-the-middle (MiTM), and malicious Wi-Fi hotspots are all indicative of DDoS attacks. In addition to being an identity-aware, multi-layer tunnel with continuous authentication and authorization, a proper ZTNA solution for DDoS also facilitates the implementation of segmented network access control, which together prevent ARP spoofing. ARP spoofing is a common segue to MiTM, so that is also prevented. Lastly, layer-3 communication should be fully encrypted, which decreases the possibility of a successful tunneled malicious intrusion attempt such as SQL injection, malicious Wi-Fi hotspots, etc.
Learn more about CylanceGATEWAY: CylanceGATEWAY documentation
2. Blackhole Routing
While sometimes considered redundant if you use an advanced ZTNA solution, depending on budget constraints, an alternative to consider is blackhole routing. With this tactic, network traffic is funneled into a “blackhole,” and is lost. The drawback of this method is that without proper restriction criteria, both legitimate and illegitimate traffic is dropped from the network. This effectively makes the DDoS attack successful, as the network is now inaccessible.
3. Social Media Intelligence
Monitor social media, particularly Twitter, for threats, conversations, and boasts that may indicate that you have been targeted.
Here is a free resource you may find useful: Twitter-built v2 tools and libraries
4. Rate Limiting
Limit the number of requests a server will accept over a certain time window. This alone is typically insufficient to defend against more complex attacks but is a good component to have in a multipronged mitigation strategy.
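The token bucket is the usual way to implement such a limit: each client gets a bucket of tokens that refills at a fixed rate, and a request is served only if a token is available. The code below is an added example, not code from the original article or from BlackBerry, and goes one step beyond a plain per-client limit to illustrate the caveat above: a second, shared bucket caps the aggregate, so that many distinct sources each staying under their own limit (the distributed case) still cannot together exceed what the server can serve. The clock is injectable so the constructed scenario in simulate() is deterministic; the limits used there are illustrative values.

```python
"""Token-bucket rate limiting, per client and in aggregate.

Added example, not code from the original article. A per-client bucket caps
what any single source may send; a second, global bucket caps the total the
server will accept, so that many sources each staying under their own limit
(the distributed case) still cannot exceed what the server can serve. The
clock is injectable so the simulation below is deterministic.
"""
import time


class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `refill_per_s`."""

    def __init__(self, capacity, refill_per_s, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_per_s = float(refill_per_s)
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.refill_per_s)
        self.last = now

    def allow(self, cost=1.0):
        """Consume `cost` tokens if available; True means the request may proceed."""
        self._refill()
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """Two-tier limiter: one bucket per client key plus one shared bucket."""

    def __init__(self, per_client=(10, 1.0), global_limit=(100, 20.0),
                 clock=time.monotonic):
        self.per_client = per_client
        self.clock = clock
        self.buckets = {}
        self.global_bucket = TokenBucket(*global_limit, clock=clock)

    def check(self, client):
        """Return (allowed, reason); reason is None, 'client' or 'global'."""
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(*self.per_client, clock=self.clock)
        if not bucket.allow():
            return False, "client"
        if not self.global_bucket.allow():
            return False, "global"
        return True, None

    def prune(self, idle_s):
        """Drop buckets idle longer than `idle_s` so the table cannot grow unbounded."""
        now = self.clock()
        stale = [k for k, b in self.buckets.items() if now - b.last > idle_s]
        for k in stale:
            del self.buckets[k]
        return len(stale)


class FakeClock:
    """Manually advanced clock for deterministic simulation."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Constructed scenario: one noisy client, then 60 low-rate clients."""
    clock = FakeClock()
    limiter = RateLimiter(per_client=(10, 1.0), global_limit=(50, 5.0), clock=clock)
    # One client fires 11 requests at once: 10 pass, the 11th hits its own cap.
    single = [limiter.check("10.0.0.5")[0] for _ in range(11)]
    clock.advance(2.0)  # two seconds of refill gives the client two more tokens
    after_wait = [limiter.check("10.0.0.5")[0] for _ in range(3)]
    # 60 distinct sources, one request each, all under their per-client cap.
    # The shared bucket holds 48 tokens at this point, so 48 pass and the
    # rest are refused with reason 'global'.
    distributed = [limiter.check(f"203.0.113.{i}") for i in range(60)]
    return single, after_wait, distributed


if __name__ == "__main__":
    single, after_wait, distributed = simulate()
    print("noisy client:", single.count(True), "allowed of", len(single))
    print("after 2 s:", after_wait)
    print("distributed:", sum(1 for ok, _ in distributed if ok), "allowed of", len(distributed))
```

Two design points matter in practice. The per-client table grows with every distinct source seen, so an attacker with a large botnet can also exhaust the limiter's memory; prune() is the minimal answer, and a fixed-size structure is the usual production one. And the shared bucket refuses legitimate users once the aggregate cap is hit, which is exactly why the article treats rate limiting as one component alongside filtering that can tell the two apart.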
5. Web Application Firewall (WAF)
Ensure that you understand your critical assets and services. Prioritize based on mission criticality and need for availability, and make sure that the WAF covers these critical elements.
A WAF can assist an organization’s efforts to mitigate application-layer attacks. A simplified way to think of a WAF is like a bouncer. It stands between internet users and the organization’s servers and polices requests for entrance.
In addition, organizations can create rules for their WAF which filter incoming requests. These rules can then be adapted to counter observed patterns of suspicious activity carried out by a DDoS.
6. Penetration Testing
Consider using a third-party penetration or pen testing service to simulate an attack against your IT infrastructure using real-world scenarios so you can be prepared for the real thing.
Regularly practicing your organization’s DDoS response plan with all internal and external stakeholders will help identify gaps and issues, ensure all participants understand their roles and responsibilities during a DDoS attack, and build confidence in the DDoS response plan.
Learn more about BlackBerry® Penetration Testing Service.
7. Anycast Network Diffusion Method
Anycast is a network routing method that spreads incoming requests across various servers. The idea is that in the event of a DDoS attack, the added traffic is distributed and absorbed by the network. The effectiveness of this approach depends on the size of the DDoS attack and the size and competency of the network.
8. Subscribe to a DDoS Protection Service
A joint guide by CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recommends that organizations enroll in a dedicated DDoS protection service. While many Internet service providers (ISPs) have DDoS protections, they may be insufficient to withstand large-scale or advanced DDoS attacks. A DDoS protection service, such as AWS Shield, can monitor traffic, confirm an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network. CylanceGATEWAY incorporates AWS Shield as an additional layer of protection.
It’s also recommended that organizations speak with a managed service provider (MSP) about specific managed services that guard against DDoS attacks. MSPs offering different technologies on the “edge” can assist with a customization of edge defenses.
Edge defense services can reduce downtime caused by DDoS attacks. Edge defense, detection, and mitigation services reduce the risk of malicious traffic reaching its target, and greatly increase the chances of legitimate users reaching your websites and web applications.