F5.5G Leap-forward Development of Broadband in Africa The Africa Broadband Forum 2024 (BBAF 2024) was successfully held in Cape Town, South Africa recently, under…
DDoS attacks: 5 strategies for defending your network
DoS attacks have evolved in strategy and tactics to become a resounding threat to businesses anywhere. Hackers design Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks to elude detection and it only takes a weak link or configuration to incapacitate a network, costing businesses thousands or even millions of dollars in lost revenue and productivity.
Respondents to a recent survey conducted by Incapusla report that on average a DoS attack that lasts 24 hours cost their company $500,000. This type of Internet security problem ranks among the most difficult cyber security problems to defend against, and represents a critical challenge to companies that depend on the Internet for their day-to-day operations.
Conventional network devices and standard perimeter technologies like firewalls and intrusion detection systems have their place in an IT security strategy, but often prove inadequate when it comes to defending against aggressive DoS assaults.
General types of DDoS attacks
Cyber criminals, “hacktivists”, cyber terrorists, and nation-state attacks have become sophisticated over the years. These attackers use a variety of evasion techniques designed to avoid detection and mitigation, including SSL-based attacks and “low-and-slow” attack techniques. DoS attack campaigns target every level of the infrastructure, including firewalls, servers, applications, network architecture and hardware. Most attacks fall under three categories:
- Volume-based DoS attacks — Also called a “volumetric” attack, volume-based DoS attacks represent the most common type of threats. The hacker floods the website or network with a high volume of packets or connections, which overwhelms the network equipment, servers or bandwidth resources. In the past, criminals would recruit volunteers to launch these attacks. Today, the most common technique uses “botnet,” the hacker commandeers a gang of “zombies” – Internet-compromised machines and sends span emails or performs other criminal acts.
- Application DoS attacks — This type of attack can target many different applications, but tend to target HTTP the most. Requiring fewer network connections to achieve its objective, application-focused DDoS attacks aim to exhaust web servers and services. Simply launching numerous HTTP POSTS or HTTP GETs could exhaust an application or web server. These attack also target application like DNS and Voice over IP (VoIP).
- Low-rate DoS (LDoS) attacks — This malicious code seeks out weaknesses and design flaws in your network.
Malicious programs like Slowloris allow the hacker to take down a web server with minimal bandwidth requirements and without the need to launch numerous attacks simultaneously. Here are some methods that have proven effective in combating DoS attacks.
1. Bandwidth oversubscription
One of the most common measures employed to alleviate DoS attacks may also be one of the most expensive. Bandwidth oversubscription may be one of the most effective ways to account for attacks that can be 10x or 100x greater than standard traffic levels. You should frequently review this component of your plan because as bandwidth becomes cheaper you should increase your capacity to build your buffer.
2. Internal system reinforcement
This method may be something as straightforward as implementation of additional layers of firewall protection or re-configuration of both the operating system and applications. For example, you can ensure that you have the correct number of nodes on your Linux server to configure the appropriate number of Apache worker threads, which makes it more difficult for a malicious attack to bring down your server.
3. Monitor network traffic
The most effective way to detect when a system comes under DoS attack is by monitoring applications and network traffic. Numerous threat detection tools have the ability to monitor netflow data from routers and other data sources to determine your traffic baseline. Monitoring traffic lets you determine poor application performance occurs due to attacks or it has its basis in service provider outages. You will also be able to identify legitimate traffic from attacks. Your security administrator should review the following information:
- Traffic levels
- Application performance
- Anomalous behavior
- Protocol violations
- Web server error codes
Typical monitoring tools employ BGP or other mechanisms that filter out noise and pass the clean traffic further into the network. These tools provide instant visibility into DoS attacks and can detect volumetric attacks and more subtle attacks such as Slowloris.
4. Upstream blackholing
Companies depend mostly on traffic of the TCP format as oppose to UDP traffic. Implement a solution that deflects UDP traffic by use router backholding to reroute traffic away from the intended target.
5. Third party provider
Many companies employ third-party service provides to provide the assistance when traffic becomes overwhelming. Through the implementation of a DNS-based redirect service or a BGP-based service, the contractor will provide the necessary protection if the network suffers a sustained attack. CDN providers also fit this bill because they can help organizations stay online during a DoS attack.
Employ proactive DoS attack security
These are just a few of the security solutions that can help you transform your DoS attack protection to a proactive component of your security infrastructure. Consult with an IT security service provider to find out how you can incorporate multiple layers and the latest security devices for optimal risk management and compliance.