- A DDoS attack involves the use of multiple connected online devices, collectively called a botnet, that overwhelm a target website with fake traffic. It does not attempt to breach the security perimeter; instead, it focuses on making websites and servers unavailable to authorized, legitimate users.
- DDoS mitigation is the process of successfully protecting a target server or network against a DDoS attack, whereby the target victim can mitigate the incoming threat using specially designed network appliances or cloud-based protection services.
- DDoS mitigation encompasses four crucial phases: absorption to shield against downtime, testing to identify and verify attack patterns, prevention to block malicious traffic, and retaliation to effectively manage and reduce false positives, ultimately safeguarding against disruptive cyber threats.
DDoS attacks, also known as distributed denial-of-service attacks, are a form of cyber assault aimed at particular applications or websites. In 2023, application layer attacks have surged by 165%, with the technology sector being the primary target among all industries. Therefore, it is imperative to implement a robust DDoS mitigation strategy to ensure consistent uptime and resilience.
Process of DDoS attack
A DDoS attack (distributed denial-of-service attack) begins with the attacker exploiting vulnerabilities in machines and systems already on the Internet in order to capture a large number of networked hosts and turn them into agents of the attacker.
When the number of controlled attack proxy machines reaches a level the attacker is satisfied with, the attacker can issue strike commands at any time through the attack master.
The attack master is very hard to locate because its location is flexible and the command takes only a short time to issue. Once the attack command has been transmitted to the attack manipulator, the master can shut down or disconnect from the network to avoid being tracked, and the attack manipulator relays the command to each attack agent.
After an attack agent receives the attack command, it begins to send many service request packets to the target host. These packets are camouflaged so that the target cannot identify their true source, and the services they request tend to consume large amounts of system resources, such as CPU or network bandwidth.
If hundreds or even thousands of attack proxies attack a target at the same time, it can lead to the exhaustion of the target host’s network and system resources, thus stopping the service. Sometimes, this can even lead to a system crash.
This can also block network devices such as firewalls and routers on the target network, further aggravating the congestion. As a result, the target host is unable to provide any service at all to normal users. The protocols used by the attackers are very common protocols and services, which makes it difficult for system administrators to distinguish malicious requests from normal connection requests; attack packets cannot be effectively separated out, and defence becomes harder.
Concept of DDoS mitigation
DDoS mitigation is the practice of protecting a server or network from a DDoS attack by successfully blocking and absorbing malicious spikes in network traffic and application usage. A cloud-based protection service or special network equipment is used to mitigate the incoming threat. Doing so does not impede the legitimate traffic flow.
DDoS mitigation counteracts the business risks that are a result of DDoS attacks against an organization. These mitigation techniques are designed specifically to prioritize the preservation of the availability of resources that attackers aim to disrupt.
DDoS mitigation also aims to shorten the response time to DDoS attacks, since the attacks are often a diversionary tactic meant to distract from other, more serious attacks elsewhere on the network.
Why is DDoS mitigation needed?
The basic structure of networks gives online disruptors an advantage in denial-of-service tactics: they can achieve their aims simply by taking your business offline for minutes, hours or weeks.
According to Kaspersky, an internationally known antivirus vendor, DDoS attacks cost businesses more than $2 million on average.
4 phases of DDoS mitigation work
DDoS mitigation works by identifying and blocking the source of the attack traffic, for example, using firewall rules or rate limiting. In addition, DDoS protection solutions absorb and filter attack traffic before it reaches the protected network or website.
These solutions typically use traffic shaping, filtering and redirecting traffic to a clean-up centre where attack traffic is analysed and filtered.
1. Absorption
The first step in defending against a DDoS attack is to absorb the attack, which protects the system from downtime. Knowing how many requests and concurrent IPs the application is getting per minute and performing multiple tests is critical.
Typically, cloud-based DDoS protection solutions are better because they have auto-scaling capabilities. On-premise (local) solutions are outmatched by comparison because of the limited number of servers available to them.
2. Testing
The next step is to determine whether the traffic is a genuine DDoS attack. The solution should be able to report:
- How many requests are arriving at the URI (uniform resource identifier) level?
- How many requests are coming from each IP?
- How many requests are arriving at the session/host level?
- How many requests are hitting the entire domain?
3. Prevention
The third step is to prevent the attack from being delivered to the application. The DDoS protection solution identifies the attack vectors and blocks requests made using those attack vectors. Then the solution detects various multi-vector attacks.
Artificial intelligence plays an important role in DDoS attack prevention. Ideally, the mitigation solution should be able to use past data and predict live behaviour.
At any point in time, the solution should be able to suggest and apply “rate limits” in as much detail as possible. These include URI, session/host, IP and domain rate limits.
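As an added illustration of the per-URI, per-IP, per-session/host and per-domain counts that the Testing step collects and the rate limits the Prevention step applies (example code written for this article, not any vendor's product; the limits, window and sample traffic are constructed):

```python
# Added example: a sliding-window counter that tracks requests per URI, per
# client IP, per session/host and per domain, and flags a request when any
# dimension exceeds its configured per-window limit.
from collections import defaultdict, deque

# Hypothetical per-minute limits for the four dimensions the article names.
LIMITS = {"uri": 300, "ip": 60, "session": 120, "domain": 5000}
WINDOW = 60.0  # seconds

class RateLimiter:
    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits = limits
        self.window = window
        self.events = defaultdict(deque)  # (dimension, key) -> timestamps

    def _count(self, dim, key, now):
        """Record one hit and return the hit count inside the window."""
        q = self.events[(dim, key)]
        q.append(now)
        while q and now - q[0] > self.window:  # evict expired timestamps
            q.popleft()
        return len(q)

    def check(self, req, now):
        """Return the dimensions whose limit is exceeded ([] means allow)."""
        keys = {"uri": req["uri"], "ip": req["ip"],
                "session": req["session"], "domain": req["domain"]}
        return [d for d, k in keys.items()
                if self._count(d, k, now) > self.limits[d]]

def replay(requests):
    """Replay (timestamp, request) pairs; map each IP to the limits it tripped."""
    rl, tripped = RateLimiter(), defaultdict(set)
    for ts, req in requests:
        for d in rl.check(req, ts):
            tripped[req["ip"]].add(d)
    return dict(tripped)

def sample_traffic():
    """Constructed sample: one source hammering /login, plus normal users."""
    reqs = []
    for i in range(200):  # 200 requests in 30 s from one IP and session
        reqs.append((i * 0.15, {"uri": "/login", "ip": "203.0.113.7",
                                "session": "s-attacker", "domain": "shop.example"}))
    for i in range(40):   # 40 legitimate requests over a minute, distinct IPs
        reqs.append((i * 1.5, {"uri": "/product/%d" % i, "ip": "198.51.100.%d" % i,
                               "session": "s-%d" % i, "domain": "shop.example"}))
    return sorted(reqs, key=lambda r: r[0])
```

In the constructed sample only the IP and session/host limits trip; the URI and domain counters stay under their limits, which is why a real solution needs all four views before deciding to block.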
4. Retaliation
Retaliation is a big part of the “managed services” or DDoS protection services offered by WAF (web application firewall) vendors. While AI can suggest rate limits and even apply “blocking rules,” having a DDoS mitigation solution in place will go a long way toward reducing false positives. After all, fundamentally, DDoS attacks look like legitimate requests.