A Distributed Denial-of-Service (DDoS) attack is one of the most pernicious threats in the cyber threat landscape. Governments, multinational corporations, and private networks have all succumbed to DDoS attacks. There are countless ways the attacks can be carried out. Worst of all, these attacks do not necessarily require expert hacking ability to pull off.
The goal of any organization, no matter its size, should be to curtail the threat of these attacks. Just how can this be accomplished?
DDoS mitigation strategies.
To understand DDoS mitigation, one must first understand the DDoS attack and its variants. Put simply, a DDoS attack seeks to disable a network by overloading it with traffic. This can take many forms, from flooding a service with malformed UDP packets to sending partial HTTP requests until legitimate traffic can no longer get through.
What makes DDoS mitigation so difficult nowadays is the attacks' complexity. There was a time when DDoS attacks targeted only the network and transport layers of the Open Systems Interconnection (OSI) model. Now, however, DDoS attacks have evolved so that they can target other layers as well, especially the application layer. This gives SysAdmins and cybersecurity blue teams (defense-oriented experts) much more to consider in their DDoS mitigation strategies.
There are four basic components to any good DDoS mitigation strategy: detection, reaction, routing, and adapting. Let us go into each of these components in more depth.
The first stage of the mitigation strategy seeks to discern which traffic is legitimate and, conversely, which traffic is malicious. One cannot have a situation in which innocuous users are accidentally blocked from a website.
This can be avoided by keeping a steady log of blacklisted IP addresses. While this can still harm innocent users, such as those who use proxy IPs or Tor for safety, it is still a decent first step. Blocking IP addresses is simple enough, but it is only one part of the detection strategy.
Next, in detecting a DDoS attack, your organization must know its typical daily traffic flow. It also helps to have metrics for high-traffic days, so that there is a baseline measurement for those as well. This helps distinguish an abnormally high influx of traffic from past experience with “legitimately” high traffic.
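The two-baseline idea above, worked through as an added example (not code from the original article): one baseline from ordinary days, one from known legitimately busy days, and an alert only when the current rate exceeds both for several consecutive minutes. The request counts, the k=3 sigma margin and the three-minute persistence rule are constructed and illustrative.

```python
"""Baseline-based traffic check for the detection stage.

Added example, not code from the original article. All figures are constructed
and illustrative: per-minute request totals for an ordinary day, for a known
legitimately busy day (e.g. a past launch), and the k=3 sigma margin.
"""
import statistics

# Constructed histories of requests per minute.
NORMAL_DAY = [1000, 1100, 950, 1050, 1000, 980, 1020, 1090, 1010, 1000]
PEAK_DAY = [3000, 3200, 2900, 3100, 3000, 3050, 2950, 3150, 3000, 3050]
# Constructed live series: one isolated spike (minute 2), then a sustained flood.
LIVE_SERIES = [1000, 1050, 20000, 1000, 1000, 15000, 18000, 22000, 25000]

def build_baseline(samples):
    """Mean and population standard deviation of past per-minute counts."""
    return statistics.fmean(samples), statistics.pstdev(samples)

def classify(rate, normal_baseline, peak_baseline, k=3.0):
    """'normal' within k sigma of an ordinary day; 'legit-high' above that but
    within k sigma of known busy days; 'suspected-ddos' above both."""
    n_mean, n_sd = normal_baseline
    p_mean, p_sd = peak_baseline
    if rate <= n_mean + k * n_sd:
        return "normal"
    if rate <= p_mean + k * p_sd:
        return "legit-high"
    return "suspected-ddos"

def first_sustained_alert(series, normal_baseline, peak_baseline, sustain=3):
    """Start index of the first run of `sustain` consecutive 'suspected-ddos'
    minutes, or None. A single-minute spike alone does not raise an alert."""
    run_start = None
    for i, rate in enumerate(series):
        if classify(rate, normal_baseline, peak_baseline) == "suspected-ddos":
            run_start = i if run_start is None else run_start
            if i - run_start + 1 >= sustain:
                return run_start
        else:
            run_start = None
    return None

if __name__ == "__main__":
    normal, peak = build_baseline(NORMAL_DAY), build_baseline(PEAK_DAY)
    print(first_sustained_alert(LIVE_SERIES, normal, peak))  # 5
```

The peak-day baseline is what keeps a genuine busy day from being labelled an attack; without it, anything above the ordinary-day threshold would trip the alert.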
If your detection is solid, the reaction to an in-progress DDoS attack should be automatic. This will most likely require a third-party service that specializes in DDoS prevention. Manually configuring DDoS reactions is no longer recommended, because cybercriminals have gotten wise to many of the techniques.
In a strong DDoS defense, the reaction step will immediately start blocking malicious traffic. It will recognize that the high traffic flow is being generated by zombie devices on a botnet, and this filtering should begin to weaken the attack. The response depends on the provider’s capabilities. Ideally, the protection service will use a combination of techniques: in addition to the previously mentioned IP blacklisting, it should be able to inspect packets and apply rate limiting.
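Two of the reaction techniques named above, an IP blocklist and per-source rate limiting, combined in one filter as an added example (not the article's or any provider's code). The blocklisted network, the limits (5 requests per second with a burst of 10) and the request log are constructed, using documentation-only address ranges.

```python
"""Reaction stage: IP blocklist check followed by per-source rate limiting.

Added example, not code from the original article. The blocklisted network,
the limits (5 requests/second, burst of 10) and the request log are constructed
using documentation-only address ranges.
"""
import ipaddress
from collections import defaultdict

BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]  # constructed entry

class TokenBucket:
    """Classic token bucket: `rate` tokens/second refill, `burst` capacity."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

# Constructed request log: (timestamp_seconds, source_ip).
CONSTRUCTED_LOG = (
    [(float(t), "198.51.100.7") for t in range(5)]  # real user, 1 req/s
    + [(0.0, "192.0.2.9")] * 30                    # bot: 30 requests at once
    + [(0.5, "203.0.113.5")] * 3                   # source on the blocklist
)

def run_filter(log, rate=5.0, burst=10):
    """Blocklisted sources are dropped outright; everyone else is rate-limited
    per source IP. Returns a tally of decisions."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    tally = defaultdict(int)
    for ts, src in sorted(log):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in BLOCKLIST):
            tally["blocklisted"] += 1
        elif buckets[src].allow(ts):
            tally["allow"] += 1
        else:
            tally["rate-limited"] += 1
    return dict(tally)
```

On the constructed log the real user's five requests all pass, the bot gets its burst of ten and then 20 refusals, and the blocklisted source never reaches the bucket at all.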
Routing takes on the remaining traffic that could not be handled in the automatic reaction stage. The goal is to break up the traffic and keep it away from the servers being targeted. There are two primary routing strategies.
The first of these is DNS routing. This is truly only effective against DDoS attacks that target the application layer of the OSI model: an attack aimed directly at your server’s IP address will still succeed, even if DNS masks that address. DNS routing forces the malicious traffic to be re-routed to your “always-on” DDoS protection service, which takes on the load of the attack and allows only legitimate traffic to reach the server. This is done by changing the CNAME and A records. The A record points to a specific IP address, whereas the CNAME creates an alias for the same IP address.
The second routing strategy is Border Gateway Protocol (BGP) routing. This is a manual configuration that forces all malicious traffic targeting the network layer to your mitigation provider, which eliminates the DDoS traffic, at least for the most part. As mentioned before, a manual configuration has its issues: it is slower, and as a result it may allow some malicious traffic to reach the target server.
Adapting is more or less a post-mortem analysis of a DDoS attack. It is the part of the mitigation strategy that seeks to learn what was done both correctly and incorrectly. This means analyzing the source of the attack, seeing what was allowed through, ascertaining how quickly defenses deployed, and, most importantly, working out how to prevent this attack with 100 percent effectiveness in the future.
DDoS mitigation is complicated. As attacks continue to evolve, cybersecurity will, unfortunately, always be one step behind. One cannot fight an enemy one does not yet understand; only after a new attack vector surfaces can defenses be built. Still, implementing strong DDoS mitigation techniques can save your organization a great deal of potential lost time and money.