DDoS is the new spam… here’s how to mitigate it


Always-on, always-connected apps can help power and transform your business – but for threat actors, they can also act as gateways to data beyond the protections of your firewalls. With most attacks happening at the application level, protecting the capabilities that drive your business means protecting the apps that make them happen.

This is according to an F5 white paper, ‘DDoS is the new spam: 3 Strategies to turn catastrophe into annoyance’, which points out that distributed denial of service (DDoS) attacks affect all layers of the application stack, including the network, DNS, TLS/SSL (encryption and decryption), access/identity, and application services. The paper says, ‘As DDoS attacks grow larger, more complex, and more pervasive, it can feel like we face a future of inevitable service outages and anxiety.’

Simon McCullough, major channel account manager at F5, says, “The white paper points out that 10 years ago, spam e-mails with fake offers that clogged up our mailboxes were a major inconvenience, with almost half of spam e-mails making it into our inboxes. Today, we have spam under control with improvements in our defences against unsolicited mails, but DDoS threats have now become the new unsolicited e-mails that we can’t ignore or laugh off, but must take seriously.”

During 2018, the white paper notes, DDoS attackers targeted political parties and even sovereign governments, disrupted both Bitcoin and traditional financial trading, and made ransom demands of businesses that cannot defend themselves against massive volumetric attacks that disrupt online operations. DDoS is also used as a diversion to facilitate other attacks: while your network security team is fighting the flood of traffic to keep your company’s services online, the attacker tries to slip past your defences to steal valued information such as corporate data and your customers’ personal information.

McCullough says, “As F5 notes, dealing with DDoS is challenging because it is unpredictable, and it is difficult to distinguish legitimate requests from malicious traffic. Networks have multiple areas of vulnerability and today’s increasingly sophisticated attacks are multi-vector, employing a variety of tactics.

“These include: volumetric attacks, which flood a network with the aim of overpowering your upstream links to the internet and making services unavailable for the intended userbase; low-and-slow attacks on application-layer resources, which can be challenging to detect and defeat; resource bottleneck attacks, which overwhelm your network’s decryption capabilities and cause services to become unavailable over the necessary secure channels; business logic attacks, in which bots are used to commit fraud on e-commerce sites, thereby denying service to legitimate customers and driving up costs; and finally combination attacks, which blend different attack vectors that run simultaneously in order to find the weakest link in your infrastructure and then exploit this.”

So how do we defend against DDoS attacks? F5 outlines three main strategies, namely behavioural analysis and learning, cloud scrubbing, and signalling and on-demand hybrid protection.

Behavioural analysis and learning can help to mitigate DDoS attacks

Smart solutions today mean that our systems analyse traffic behaviour, recognise DDoS attacks and stop them automatically. By establishing traffic baselines and setting parameters to manage that traffic, controls can be applied when pre-defined conditions are met. Behaviour analytics and fingerprinting let you identify any given remote endpoint and assign its traffic the appropriate classification.

Cloud scrubbing keeps your business online during an attack

Cloud scrubbing is the process of inspecting and analysing traffic, requests and input data, to ensure that malicious requests are being filtered. At the end of the process, all the clean traffic is shipped back to your network, so that it can service legitimate requests and continue operating normally. Cloud scrubbing generally operates in one of two modes: on-demand and always-on.

The on-demand model routes traffic through the scrubbing centre only when you are receiving more traffic than you can handle. An always-on cloud scrubbing service handles this for you at all times and can reduce or eliminate your time to remediation. Thus, a cloud-based scrubbing service allows any organisation that delivers content or applications over the internet to keep its business online during an attack, with minimal impact to users.

Signalling and on-demand hybrid protection could be the future of DDoS protection

Signalling integrates on-premises equipment with cloud-scrubbing services, allowing them to communicate with each other in the event of an attack. This technology enables the fast activation of on-demand cloud-based scrubbing, seamlessly re-directing attack traffic through the scrubbing service in order to mitigate large volumetric DDoS attacks. You can trigger a switch to your cloud scrubbing service, or set your system to do it automatically. Implementing the automatic method will require preparation and testing, but if you should become an active target, it could save you significant time and effort.
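The two ideas above, a learned traffic baseline (behavioural analysis) and an automatic signal that diverts traffic to cloud scrubbing when that baseline is exceeded (signalling), can be sketched in a few lines. This is an added illustration, not F5's or Networks Unlimited's code: the detector, its parameters and the per-second request counts are all constructed here, and the "divert"/"restore" events stand in for whatever signalling mechanism a real deployment uses.

```python
"""Baseline-driven DDoS detection with an on-demand scrubbing trigger (added example)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class BaselineDetector:
    window: int = 60          # seconds of clean history kept for the baseline
    factor: float = 4.0       # alert when the rate exceeds factor * baseline
    min_rate: float = 100.0   # absolute floor so a tiny baseline cannot trigger on noise
    clear_after: int = 3      # consecutive calm seconds before traffic is restored (hysteresis)
    history: deque = field(default_factory=deque)
    scrubbing: bool = False   # True while traffic is diverted to the scrubbing service
    calm: int = 0
    events: list = field(default_factory=list)

    def baseline(self) -> float:
        return sum(self.history) / len(self.history) if self.history else 0.0

    def observe(self, t: int, rps: float) -> bool:
        """Feed one second of request counts; return whether scrubbing is active."""
        threshold = max(self.min_rate, self.factor * self.baseline())
        attack = len(self.history) > 0 and rps > threshold
        if attack:
            self.calm = 0
            if not self.scrubbing:          # signal the scrubbing service once, not every second
                self.scrubbing = True
                self.events.append(("divert", t, rps))
        else:
            # Only clean samples update the baseline, so an attack cannot "teach"
            # the detector that flood-level traffic is normal.
            self.history.append(rps)
            if len(self.history) > self.window:
                self.history.popleft()
            if self.scrubbing:
                self.calm += 1
                if self.calm >= self.clear_after:
                    self.scrubbing = False
                    self.events.append(("restore", t, rps))
        return self.scrubbing


def run_demo():
    """Constructed sample: quiet traffic, a 10-second volumetric burst, then quiet again."""
    d = BaselineDetector(window=60, factor=4.0, min_rate=100.0, clear_after=3)
    traffic = [100.0 + (i % 5) * 5 for i in range(20)] + [5000.0] * 10 + [105.0] * 10
    states = [d.observe(t, r) for t, r in enumerate(traffic)]
    return d, states


if __name__ == "__main__":
    detector, _ = run_demo()
    print(detector.events)   # [('divert', 20, 5000.0), ('restore', 32, 105.0)]
```

The `clear_after` hysteresis is what keeps the on-premises device from flapping traffic back and forth during a bursty attack; tuning it, along with `factor` and `window`, is the "preparation and testing" the paragraph refers to.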

Anton Jacobsz, managing director at Networks Unlimited, a value-added distributor of F5 in Africa, concludes, “The best lesson for all DDoS protection strategies is to plan and prepare your network security in advance, before the worst happens. Together with F5, we look forward to a time when, thanks to the evolution of signalling and scrubbing technology, DDoS attacks will become less effective and therefore less attractive to would-be attackers – in much the same way that the pesky spam emails of the past are no longer a significant threat source today.”

Staff Writer