
Page 1


Approaches To Detect & Mitigate DDoS Attacks

Ready To Tackle Today’s DDoS Threats?

White paper

CONNECT WITH US:

Haltdos.com

Page 2

Approaches To Detect & Mitigate DDoS Attacks | White Paper

ABOUT THIS WHITE PAPER

This white paper is written to help organizations understand the current threat landscape, review their current security infrastructure, and assess the need for, and the kind of, DDoS mitigation solution required to guarantee the availability of their online services. The white paper explains why traditional network security solutions such as firewalls, Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF) cannot stop DDoS attacks, and how HaltDos solutions can help mitigate the risk from DDoS attacks. It then reviews and compares the three main approaches for deploying dedicated DDoS solutions.

Connect with us on Facebook, Twitter, LinkedIn or through email ([email protected]) to learn more about how HaltDos can protect your infrastructure.

Page 3


Overview

DDoS, or Distributed Denial of Service, is a type of cyber attack targeting the availability of a service to its legitimate users. DDoS attacks are among the oldest Internet threats and continue to be one of the most impactful around the world. As protections against DDoS evolved, so have the attackers. As a consequence, DDoS attacks have become sophisticated and often involve a combination of multiple simultaneous attack vectors, making them difficult to detect.

What is a DDoS attack? Common DDoS attack types

Volumetric Attack: In a volumetric attack, the attacker sends so much traffic to the server that its network bandwidth is saturated or the server crashes. This does damage in two ways: first, legitimate traffic can't reach your site, and the company loses customers, potentially damaging your brand forever. Second, it costs your company thousands in revenue.

Protocol Attack: This type of attack consumes actual server resources and those of intermediate communication systems such as firewalls and load balancers. The requests are generated with spoofed (fake) source IP addresses, so the server gets busy answering bogus requests, thereby diminishing its capability to respond to legitimate users.

Application Layer Attack: Application layer attacks use far more sophisticated mechanisms to attack your network and services. Rather than simply flooding a network with traffic or sessions, these attacks target specific applications and services to slowly exhaust resources at the application level (layer 7).

Why Do People Perform DDoS Attacks?

DDoS attacks are generally launched for:

- Anti-competitive business practices
- Extortion
- Hacktivism
- Security feints
- Political motivation
- Social or religious beliefs
- Just for fun

Page 4


Current Threat Landscape

Attacks have evolved from relatively simple flooding attacks to sophisticated and complex events. Any organization with exposure to the Internet is vulnerable to a cyber-attack. Along with traditional high-volume attacks that leverage massive amounts of traffic to overwhelm a data center, businesses now face targeted low-bandwidth attacks on data-heavy applications that go undetected by traditional DDoS mitigation solutions. The disruption caused by a DDoS attack can have an enormous impact, regardless of the size of the company or institution that is hit. Because the new wave of sophisticated DDoS attacks cannot be detected and mitigated by traditional methods, enterprises need a new, more effective DDoS detection and mitigation strategy that ensures continuous availability of their critical business resources.

DDoS statistics (Q1-2016):

- 21,851: total number of DDoS attacks
- 289 Gbps: largest DDoS attack by volume
- 55%: increase in attacks as compared to Q1-2015
- 74: countries targeted

DDoS attacks have not been around with any significance for very long in the history of IT. But in little more than a decade, they have become a worldwide threat that shows no sign of abating, or even diminishing, anytime soon. In fact, the problem of DoS/DDoS attacks is increasing rather than declining, both in incidence and in virulence. With frequency growing at 200% year over year, and a week-long DDoS attack platform costing $150 - $250 in the underground market, these attacks can cause real damage to financial systems and enterprises. It is estimated that banks can lose up to $400,000 per hour and enterprises about $5,000 - $19,999 per hour.

Page 5


Figure 1: DDoS attacks in each sector (Q4-2015 vs Q1-2016)

Limitations of Traditional Security Controls

Many believe that traditional security tools such as firewalls and Intrusion Prevention Systems (IPS) can help them deal with the DDoS threat. However, more and more organizations are realizing that DDoS threats should receive higher priority in their security planning and require a specialized solution.

Why can’t firewalls and IPS handle DDoS attacks? The simple answer is that they were not designed to do so. As stateful devices, firewalls and IPS track all connections for inspection and store them in a connection table. Every packet is matched against the connection table to verify that it was transmitted over an established, legitimate connection. The typical connection table can store tens of thousands of active connections, which is sufficient for normal network activity. However, a DDoS attack may include thousands of packets per second, each of which can demand a new entry in that table.

Moreover, firewalls and IPS only examine individual sessions. DDoS attacks such as HTTP floods are composed of millions of legitimate sessions. Each session on its own is legitimate and cannot be marked as a threat by firewalls and IPS.
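The following Python, added here as an illustration and not part of the white paper, shows the point in code: every request in a constructed HTTP GET flood passes a per-session check, while a window-based aggregate count over the same requests flags the flood and its sources. The addresses, thresholds and traffic are constructed.

```python
from collections import Counter

ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def per_session_verdict(request_line: str) -> str:
    """The view a stateful firewall/IPS has: one request, judged in isolation.
    A well-formed request on an established connection is 'allow'; nothing in
    a single session marks it as part of a flood."""
    parts = request_line.split()
    if (len(parts) == 3 and parts[0] in ALLOWED_METHODS
            and parts[2].startswith("HTTP/1.")):
        return "allow"
    return "block"


def aggregate_view(requests, window_s, per_source_limit, total_limit):
    """Rate analysis across all sessions in fixed time windows.

    requests: iterable of (timestamp_s, source_ip, request_line)
    Returns (flood_detected, offending_sources): flood_detected is True if any
    window's total exceeds total_limit; offending_sources are addresses that
    exceed per_source_limit within a single window."""
    totals = Counter()
    per_source = Counter()
    for ts, src, _ in requests:
        window = int(ts // window_s)
        totals[window] += 1
        per_source[(window, src)] += 1
    flood_detected = any(n > total_limit for n in totals.values())
    offenders = {src for (_, src), n in per_source.items() if n > per_source_limit}
    return flood_detected, offenders


def constructed_traffic():
    """Constructed sample (not a real capture): three ordinary browser requests
    from one client plus an HTTP GET flood from 12 bot addresses, each sending
    five requests within the first second."""
    legit = [
        (0.5, "198.51.100.7", "GET /index.html HTTP/1.1"),
        (1.2, "198.51.100.7", "GET /css/site.css HTTP/1.1"),
        (1.9, "198.51.100.7", "POST /login HTTP/1.1"),
    ]
    flood = [
        (0.1 * i + 0.02 * j, f"203.0.113.{10 + j}", f"GET /search?q={i}{j} HTTP/1.1")
        for j in range(12)
        for i in range(5)
    ]
    return legit + flood


if __name__ == "__main__":
    traffic = constructed_traffic()
    allowed = sum(per_session_verdict(line) == "allow" for _, _, line in traffic)
    print(f"per-session inspection allowed {allowed}/{len(traffic)} requests")
    flood, offenders = aggregate_view(traffic, window_s=1.0, per_source_limit=3, total_limit=30)
    print(f"aggregate view: flood={flood}, offending sources={sorted(offenders)}")
```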


Page 6


Figure 2: Network elements bottleneck during a DDoS attack

It is estimated that almost one out of three times, firewalls and IPS fail to perform and suffer downtime during a DDoS attack.

Myths and Realities About DDoS Attacks

Many organizations think that they are safe from DDoS attacks either because of protections in their current firewall, switches and other network elements, or because they mistakenly believe their ISPs are able to provide 100% protection against DDoS attacks. The following are a few common myths and truths about DDoS attacks:

Myth-1: I am not at risk; a DDoS attack would never happen to me.
The reality is that if you make transactions, collect information, have enough customers or have competition in the marketplace, then you are at risk of facing a DDoS attack.

Myth-2: My ISP or hosting provider will take care of DDoS attacks, so I don’t have to worry.
ISPs can assist in arresting a high-volume packet flood to your network; however, data centers need additional layer-7 protections to fight highly targeted DDoS attacks.

Myth-3: DDoS attacks come from masterminds or kids.
The truth is that there are many types of cyber criminals out there. There’s the “Hacktivist,” who pushes a political agenda, the “Harasser,” who bullies online users, and the “Extortionist,” who threatens sites with ransom notes. And, alarmingly, many attacks come from employees and contract workers with direct access to the site.

Myth-4: My routers and switches protect me from DDoS attacks.
Even though your networking hardware may have Access Control Lists (ACLs) that can block DDoS threats, attackers can adapt quickly. With a little determination, the average attacker can work out your ACLs within minutes.

Page 7


Choosing DDoS Mitigation Solutions

With the rise of DDoS attacks, enterprises and organizations that want to guarantee the confidentiality, integrity and availability of their services should consider a dedicated DDoS detection and mitigation solution that can protect against today’s emerging DDoS attack threats. There are three approaches to DDoS attack detection and mitigation solutions: on-premise, cloud and hybrid.

On-Premise

An on-premise DDoS mitigation solution is a dedicated hardware device deployed as a perimeter security device to protect the entire data center of an organization. It can efficiently detect and mitigate high-volume DDoS attacks.

Pros:
- Protects against sophisticated application layer attacks
- Can be fine-tuned
- Gives early indication of volumetric attacks
- Immediate and automatic protection
- Minimum response time
- Predictable cost

Cons:
- Can only protect against volumetric attacks up to the available bandwidth
- May require regular updates
- Management of an additional appliance

Cloud

Many Internet Service Providers (ISPs) and Managed Security Service Providers (MSSPs) offer cloud-based DDoS mitigation services that can be activated without any additional hardware, software or other integration requirements. These mitigation services block volumetric attacks from ever reaching your organization, as attacks are detected and mitigated before they reach your organization's network elements. However, these services are not designed to handle complex application layer attacks.

Pros:
- Easy deployment
- Protection from volumetric attacks

Cons:
- Inability to protect against sophisticated application layer attacks
- Compliance and regulatory concerns, for many organizations, in using a cloud-based solution
- Regular signature updates
- Management of an additional appliance
- Cost may vary

Page 8


TIPS TO PROTECT YOUR NETWORK AGAINST DDoS ATTACKS

- Call your ISP or hosting provider for assistance.
- Know all the signs of a DDoS attack. Not all disruptions to service are the result of a DDoS.
- Understand the type and volume of traffic coming to your network.
- Consider hiring a DDoS mitigation service if the attack is severe.

Hybrid

Hybrid DDoS mitigation combines on-premise and cloud mitigation into an integrated and comprehensive DDoS protection. This unique architecture provides full protection from multi-vector DDoS attacks directed at any layer: the network layer (volumetric flood attacks), the server (low-and-slow attack tools) or the application layer (SSL attacks, GET or POST attacks). A hybrid solution detects and mitigates the attack immediately using the on-premise hardware DDoS mitigation device, unless the attack is targeting the organization's Internet pipe. In the case of an Internet pipe saturation threat, the hybrid DDoS mitigation solution initiates cloud mitigation and traffic is diverted to the cloud, where it is scrubbed before being sent back to the organization.
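As an added illustration (not HaltDos's code or architecture), the following Python models the decision described above: mitigation stays on-premise until offered traffic approaches Internet pipe capacity for several consecutive samples, then diverts to cloud scrubbing, and returns to on-premise only after load falls well below capacity. The thresholds, hysteresis and traffic series are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class HybridPolicy:
    """Constructed thresholds for the pipe-saturation decision."""
    pipe_capacity_mbps: float
    divert_ratio: float = 0.8    # start cloud scrubbing at 80% of pipe capacity
    restore_ratio: float = 0.5   # hand back to on-premise once load is <= 50%
    sustain_samples: int = 3     # consecutive samples required, to avoid flapping


class HybridController:
    """Decides where mitigation happens. The on-premise appliance is always
    active; this only decides whether traffic is additionally diverted to the
    cloud scrubbing centre because the Internet pipe itself is at risk."""

    def __init__(self, policy: HybridPolicy):
        self.policy = policy
        self.mode = "on-premise"
        self._streak = 0

    def observe(self, offered_mbps: float) -> str:
        """Feed one sample of traffic offered to the organization and return
        the mitigation mode after it. Caveat: once in cloud-divert mode the
        local pipe carries only scrubbed traffic, so offered_mbps must come
        from the scrubbing provider's telemetry, not the now-clean link."""
        p = self.policy
        utilisation = offered_mbps / p.pipe_capacity_mbps
        if self.mode == "on-premise":
            self._streak = self._streak + 1 if utilisation >= p.divert_ratio else 0
            if self._streak >= p.sustain_samples:
                self.mode, self._streak = "cloud-divert", 0
        else:
            self._streak = self._streak + 1 if utilisation <= p.restore_ratio else 0
            if self._streak >= p.sustain_samples:
                self.mode, self._streak = "on-premise", 0
        return self.mode


def run(samples, policy: HybridPolicy):
    """Return the mode chosen after each sample in a series."""
    controller = HybridController(policy)
    return [controller.observe(s) for s in samples]


if __name__ == "__main__":
    # Constructed series: a 1 Gbps pipe, a volumetric flood building up, then subsiding.
    policy = HybridPolicy(pipe_capacity_mbps=1000.0)
    series = [200, 300, 850, 900, 950, 980, 400, 300, 200, 150]
    for mbps, mode in zip(series, run(series, policy)):
        print(f"{mbps:5} Mbps -> {mode}")
```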

Page 9


HaltDos - A Better Approach

Unlike other solutions that use ASIC processors, HaltDos is a 100% software-based network appliance. It relies on Intel’s DPDK platform to accelerate packet processing and throughput. This gives it the following advantages over other solutions:

Ruling the Dynamics

The Internet is evolving, and so is the landscape of attack vectors. With the increasing proliferation of IoT devices, we are witnessing a plethora of new protocols (such as MQTT and CoAP) frequently being used in communication. ASIC-based solutions have the limitation that they are programmed to handle a pre-defined set of protocols and require a hardware upgrade to process new protocols. Being 100% software, HaltDos can stay up to date with evolving technology without requiring hardware upgrades.

Configurability

Hardware-based DDoS mitigation solutions have limited configurability in deciding how to handle incoming packets. HaltDos provides a framework over which you can customize how the appliance processes packets, giving you complete control over network traffic.

Performance

HaltDos has challenged the notion that software is slower than hardware. While the industry standard for latency introduced by a DDoS appliance is around 200 microseconds, HaltDos provides under 60 microseconds of latency, making it 3x faster than traditional hardware-based solutions.

KEY BENEFITS

- Ensures continuity of business with automated bypass mode.
- Low TCO with zero management.
- Protects against evolving DDoS attacks.
- Future-proof solution that is 100% customizable and adaptable to future technologies.
- Adaptive learning providing accurate detection, minimum collateral damage and effective attack detection.
- Multi-layered and multi-vector protection.
- Turn-key appliance that works right out of the box.
- Solution that fits your business.

Page 10


HaltDos DDoS Mitigation Appliance

The HaltDos DDoS attack mitigation appliance is a dedicated, specially designed device to detect and mitigate DDoS attacks. The device is usually deployed as the first device in the organization’s network, even before the access router. Such a device provides protection to the entire data center and especially to online services.

Multi-layered and multi-vector protection.

The HaltDos DDoS mitigation appliance provides protection from:

- SNMP Flood
- NTP Flood
- SYN Flood
- ACK Flood
- PSH+ACK Flood
- Zombie Connection Flood
- IP Fragmentation Flood
- HTTP GET Flood
- HTTP POST Flood
- Slowloris
- TCP Flood
- UDP Flood
- ICMP Flood
- DNS Flood
- DNS Query Flood
- R.U.D.Y.
- Apache Killer
- SSL based Attacks
- Zero Day
- Many more...

360° Security | Always Learning | Real-Time Metrics | Customizable | Audit & Notifications

Conclusion

DDoS attacks are on the rise for almost any organization, large or small. The potential threats and volumes are increasing as more devices, including mobile handsets, join the Internet. If you have a web property, the likelihood of getting attacked has never been higher. The evolving nature of DDoS attack technologies requires organizations to make shifts that need greater foresight and more proactive defenses for network and application-level services. ISP DDoS protections aren’t enough against the latest attacks, requiring an additional level of DDoS security in your data center to defend against layer 7 threats. There are many different types of DDoS defense solutions on the market today. You should choose one that can defend against both basic attack types and advanced layer 7 DDoS threats.

Copyright © 2016 HaltDos.com Pvt. Ltd. All rights reserved. HaltDos® and certain other marks are registered trademarks of HaltDos.com Pvt. Ltd., and other HaltDos names herein may also be registered and/or common law trademarks of HaltDos. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments, and other conditions may affect performance results. Nothing herein represents any binding commitment by HaltDos, and HaltDos disclaims all warranties, whether express or implied, except to the extent HaltDos enters a binding written contract, signed by HaltDos’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on HaltDos. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in HaltDos’s internal lab tests. HaltDos disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. HaltDos reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

E-mail : [email protected]