The world continues to ramp up its technological footprint, which in turn creates more ways to access the Internet of Things (IoT) from home and work.
More technology inevitably leads to more technological threats looking to take advantage of holes in network infrastructure.
“Globally, there was a 776% growth in attacks between 100 Gbps and 400 Gbps Y/Y from 2018 to 2019, and the total number of DDoS attacks will double from 7.9 million in 2018 to 15.4 million by 2023,” according to Cisco’s Annual Internet Report (2018-2023).
For a bad actor with a vengeful motive, a DDoS attack can be very attractive because it is very inexpensive.
It’s as simple as searching Reddit for instructions to access the Dark Web, use Bitcoin to spend $5.00-$20.00 on a DDoS attack with a 4-hour to 8-hour duration. This type of attack can easily take a cable modem offline.
Despite the low barrier of entry, a DDoS attack of this size lacks scale, and it will not be strong enough to take down a larger target, like a service provider or operator.
As a business leader, you’re probably wondering how you can mitigate this situation from happening at your company.
As a solution provider, preparing and protecting companies from cyber threats is something CCI Systems does every week.
We regularly perform network assessments to find weaknesses and areas where networks could be exploited. Plus, we can assist in any mitigation technique.
Understanding what a DDoS attack is, how mitigate it, and how to protect against it are all pieces of knowledge you will want to have as a service provider.
What Is a DDoS Attack?
A distributed denial of service (DDoS) attack is a flood of malicious internet traffic aimed at a specific website, service, server or IoT device to take it offline. This attack is the equivalent of a clogged drain where nothing can get through the blockage.
There are two main types of attacks:
A volumetric-based attack is the most common, essentially pushing more volume down your pipes than the network can handle. Think small devices sending small amounts of data, but those devices are sending hundreds of thousands.
Say you’re an avid gamer, you love playing online, and you livestream on Twitch. One night, another user gets upset and wants revenge after a loss. They quickly launch a volumetric attack at your router to kick you off stream.
This attack knocks out your internet feed until your provider takes measures to block the traffic and restore service.
An application-based attack is meant to target specific service-based applications, oftentimes servers. The bad actor may attack the DNS server with too many requests (or queries) to make it unreachable and affect the service.
The goal is to take out a very specific service, not a link or network.
Either attack can be detrimental to a network, so it’s important to understand why you should prepare to defend against both.
Why Would You Want to Avoid a DDoS Attack?
Internet usage and connectivity are affected by either type of DDoS attack, whether you’re a consumer streaming Netflix at home or a service provider serving thousands of end users with internet connected devices.
The business implications can become serious if a service provider is hosting services.
When attacked, the end users will not be able to get online if they’re forced to shut down their server. If they do not have to fully shut down the service, in any event, the internet usage will be severely degraded.
Consider the implications of a 10-gigabyte attack, which although it is uncommon, an attack of this size going into a small city or municipality could take out an entire town.
An attack of this magnitude can have a huge financial impact on a company.
The fallout consists of a failed customer experience. The loss of reputation from the end users posting negative reviews on Google, Facebook, Reddit, or Twitter can happen at a rapid pace.
Abruptly going offline can have a big impact on income and customer satisfaction.
Protecting your reputation and customer experience as a service provider should be the #1 priority.
For service providers, it is easiest to mitigate a DDoS attack with a phased approach. Mitigation can be as simple as identify, react, and scrub.
1. Attack Identification
The first way to mitigate a DDoS attack is knowing what your traffic is.
Buying a service or software that monitors and does automated configuration and DDoS mitigation without scrubbing the network is going to be the cheapest route. However, this is not always the most efficient.
Monitoring software catches the majority of attacks, but your employees or technicians will be required to sit and monitor the monitoring software.
Do you know what is on your network? Can you identify patterns or characteristics your technicians deem as normal? What is the typical volume on a Tuesday evening?
Determining and documenting volumes will help mitigate an attack before it takes down your network or before an end user even knows anything has happened.
By monitoring these trends, if there is an unusual push of traffic, it will be easy to identify and mitigate. Having full visibility of your network and what’s on your network will keep it safe and less prone to attacks exploiting vulnerabilities.
Simply, you need to analyze the traffic to know your network is being attacked.
2. Remote Triggered Black Hole (RTBH)
When using a remote triggered black hole, any traffic coming into an attacked device from outside the network will be dropped.
This isn’t to say everything on the inside of the network is going to be offline, but everything on the outside of the network will be cut off.
This black hole is called a “null route” on the router syntax. The technician will be routing to null-zero. Null-zero is a logical interface on the device(s) that goes nowhere.
One way to implement a RTBH is with BGP Flowspec. This allows a technician to deploy filtering functionality quickly over a large number of BGP (border gateway protocol) peer routers.
Companies frequently use this software solution manually because of the impact created across the network, if you are not selective.
Identifying what is being affected and knowing what those devices or network components are will be important to some companies, dependent their business models and service to their end users.
3. Scrubbing Services
If your company is offering a service utilizing scrubbing, it's called a clean pipe service. The scrubbing ensures the bad traffic goes away, and the good traffic is still there.
To keep your end users happy, the services will still be available, the host being attacked will remain online, until you hit a certain volume threshold. If the threshold is reached, you throw the flag and fall back to the remotely triggered black hole.
In the case of a failure, the primary purpose becomes protecting the network. It's not about the host anymore, and you wait for the attack to subside.
Let’s say a fast-food restaurant is waylaid with a volumetric DDoS attack over lunch.
The restaurant uses a third-party credit card processing service for online orders, and they do have DDoS detection software in place without a scrubber.
The attack creates a flood of credit card purchases but blocking this attack with the software causes the network to be shut down temporarily.
This protects the rest of the network from corruption, but it also inhibits the function of your restaurant during its busiest time of day.
Scrubbing Your Network Will Pay Off
The payout between scrubbing and not scrubbing and understanding the inherent risks involved will be crucial in the decision-making process.
Bigger companies will have contracts where they do not have the option of network outages or attacks that compromise their reliability or take them offline.
These larger organizations tend to be more proactive in their approach, rather than reacting to attack after attack and deciding reactivity may not be the best solution.
By getting a piece of software in place to trigger the automation, the customer will be better protected from a DDoS attack without having to purchase a scrubber or high-end solution.
Keeping your network up and running, as well as keeping your customers happy can make all the difference.
Define the Path of DDoS Mitigation
After finding a solution to fit your company’s initiatives against DDoS attacks, it will be time to decide what the plan is, i.e., where to go or who to go with.
Some companies want to go the route of running an open-source tool that determines the bandwidth is spiking. A technician receives a text alert (or notification) and they manually shut down the attack.
A manual override can work well for many companies, but each company is different, and networks vary.
If your company needs scrubbing services, a great fit may be Arbor DDoS.
If protecting your network is the primary goal, Kentik has an outstanding traffic analysis platform.
Whatever you choose, teaming up with a solution provider, like CCI Systems, can be a great place to start.
CCI can temporarily point cloud-based applications toward a customer’s network, so they can get a view of what the software looks like with their traffic. CCI also offers options where messages can be automatically sent upstream to block the traffic during an attack, like BGP Flowspec.