Less than a decade ago, DDoS was a fairly simple threat to understand: an attacker floods the target with more traffic than its link or server can absorb, and the website goes offline. This is what we know as a volumetric DDoS attack.
Over the years, however, the internet has evolved dramatically and so have DDoS attacks. Sophisticated attacks now target the top of the OSI model, the application layer, where each request is cheap for the attacker to send but expensive for the server to process, so far less traffic is needed to do damage and the attack is much harder to tell apart from legitimate use. This is known as a Layer 7, or application-layer, DDoS attack.
With that said, DDoS mitigation is now more important than ever, and here we will discuss three common DDoS mitigation techniques. Each has its own advantages and drawbacks, and each fits some use cases better than others.
‘Clean Pipe’ is one of the most common DDoS mitigation techniques. All incoming traffic is routed through a ‘clean pipe’, also known as a ‘scrubbing center’, which strips out attack traffic and forwards only the rest to your network.
In the past, setting up a clean pipe was complex; you needed to deploy:
- A BGP (Border Gateway Protocol) router, so that your prefixes could be announced through the scrubbing provider and traffic diverted to it
- Hardware capable of terminating a GRE tunnel, over which the scrubbed traffic is returned to you
- Your own routable IP address space (prefixes)
Nowadays, however, you can deploy a bot detection system in front of your network that inspects 100% of the incoming requests to your websites and applications and blocks the traffic it classifies as malicious.
It’s also important that the detection system can catch both known attacks (via checks such as HTTP fingerprinting, custom-rule pattern matching and client challenges/authentication) and brand new, unknown threats (identified via behavioural-statistical detection, i.e. deviations from the normal traffic profile). With cybercriminals more sophisticated than ever, predictive detection is very important.
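The two detection paths described above, as an added example that is not code from the original article or from any product it describes. It runs a toy layer-7 detector over constructed access-log lines: a handful of hypothetical signature rules for known-bad request fingerprints, and a behavioural check that flags a client whose request count in the trailing window is far above the population median. The log format, IP addresses, rule names and thresholds are all assumptions for the example.

```python
"""Toy application-layer (L7) DDoS detector over constructed access-log lines.

Two detection paths, mirroring the known/unknown split:
  * signature rules: request fingerprints that are known to be bad, and
  * behavioural-statistical detection: a client whose request rate in the
    trailing window is far above the population baseline.
All log lines below are constructed for this example; none are real traffic.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed log format: <client_ip> [<unix_ts>] "<request line>" <status> "<user-agent>"
SAMPLE_LOG = """\
10.0.0.1 [1700000000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
203.0.113.7 [1700000000] "GET /search?q=a1 HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.2 [1700000001] "GET /about HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
203.0.113.7 [1700000001] "GET /search?q=a2 HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.7 [1700000001] "GET /search?q=a3 HTTP/1.1" 200 "Mozilla/5.0"
198.51.100.9 [1700000002] "GET /login HTTP/1.1" 200 ""
10.0.0.3 [1700000002] "POST /login HTTP/1.1" 302 "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.7 [1700000002] "GET /search?q=a4 HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.7 [1700000003] "GET /search?q=a5 HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.1 [1700000003] "GET /static/app.js HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
203.0.113.7 [1700000003] "GET /search?q=a6 HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.4 [1700000004] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Linux; Android 13) Chrome/118.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Hypothetical custom rules (tune to your own traffic): rule name -> predicate on a parsed record.
SIGNATURES = {
    "empty_user_agent": lambda r: r["ua"] == "",
    # A bare "Mozilla/5.0" with no platform/browser tokens is typical of scripted clients.
    "generic_user_agent": lambda r: r["ua"] == "Mozilla/5.0",
    # Long random query strings are a common cache-busting pattern aimed at the origin.
    "cache_busting_query": lambda r: re.search(r"[?&][A-Za-z0-9]{24,}(=|$)", r["path"]) is not None,
}


def parse_log(text):
    """Parse log lines into records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = int(rec["ts"])
            records.append(rec)
    return records


def signature_alerts(records):
    """Known-bad detection: client IP -> set of rule names it triggered."""
    hits = defaultdict(set)
    for r in records:
        for name, pred in SIGNATURES.items():
            if pred(r):
                hits[r["ip"]].add(name)
    return dict(hits)


def behavioural_alerts(records, window=10, ratio=5.0, floor=5):
    """Unknown-threat detection: client IP -> request count, for clients whose count in the
    trailing `window` seconds is at least `floor` and at least `ratio` x the population median.
    The median (not the mean) is the baseline so one flooder cannot drag the baseline up."""
    if not records:
        return {}
    now = max(r["ts"] for r in records)
    per_ip = defaultdict(int)
    for r in records:
        if now - r["ts"] <= window:
            per_ip[r["ip"]] += 1
    threshold = max(floor, ratio * median(per_ip.values()))
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def detect(text):
    """Combine both paths: client IP -> sorted list of reasons it should be blocked."""
    records = parse_log(text)
    reasons = defaultdict(set)
    for ip, names in signature_alerts(records).items():
        reasons[ip] |= names
    for ip, n in behavioural_alerts(records).items():
        reasons[ip].add(f"rate:{n}_requests_in_window")
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in detect(SAMPLE_LOG).items():
        print(f"block {ip}: {', '.join(why)}")
```

In the sample, 203.0.113.7 is caught by both paths (a generic user agent and six requests against a population median of one), while 198.51.100.9 is caught only by a signature; the legitimate 10.0.0.x clients trigger nothing. In production the behavioural baseline would be learned over a longer history rather than computed from the same window being judged.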
So investing in a good DDoS detection and prevention system is arguably the most important step you can take.
Reducing Your Site’s “Attack Surface”
Simply put, your site’s attack surface is the set of resources (hosts, open ports, services and applications) that can be reached from the internet and therefore targeted with DDoS traffic. The fewer items you have here, the easier it is, in general, to protect your system and mitigate an incoming attack.
In the past, when everything in a system was physical and tangible, drawing a clear perimeter around this attack surface was much simpler. Software-defined networking, the Internet of Things and cloud storage/computing have blurred those lines and caused the attack surface to grow enormously.
The basic principle to remember is that every device connected to the internet is a potential DDoS target. Here are some ways to narrow the attack surface:
- Eliminate unnecessary elements: unnecessarily complex networks create openings through misconfiguration and other human error. Keep the system as simple as possible, and shut down services and ports you do not need.
- Scan for vulnerabilities: assess how a DDoS attack could reach the weak spots in your system, for example which services are exposed and how much load each of them can absorb. An up-to-date model of your exposed services and their dependencies helps here.
- Network segmentation: segmenting your network reduces the attack surface because traffic has to cross additional barriers (filters, rate limits) as it moves through the network, and an attack on one segment does not take down the rest. Ideally, each application or machine gets its own security controls.
CDN Dilution Approach
A CDN (Content Delivery Network) is a distributed network of servers that delivers web pages and content to users.
Because a CDN is distributed, the website is served from many servers rather than one, which makes it much harder to take down. CDNs also have very large aggregate bandwidth, so they can effectively absorb layer-3/layer-4 (network/transport) volumetric DDoS attacks.
In general, the CDN works as a reverse proxy for the web application: all incoming requests are handled by the CDN first, which detects and filters out malicious traffic, and only legitimate traffic is forwarded to the origin server.
CDN dilution is one of the most comprehensive DDoS mitigation techniques, for several reasons:
- It follows a well-defined, standard deployment model
- It is always on, 24/7, and fast at detecting malicious traffic
- CDN servers are application context-aware and good at mitigating layer-7 DDoS attacks
A key weakness of CDN dilution, however, is that it only applies to web (HTTP/HTTPS) applications; you cannot use it to protect arbitrary TCP/UDP services. If you run such services, you can use the next option, discussed right below.
TCP/UDP Anti-DDoS Proxy
If you expose TCP or UDP services on your network, such as web servers, email (SMTP) or SSH access, you will always have open ports. This is why TCP/UDP services are vulnerable to volumetric (layer-3/layer-4) DDoS attacks as well as other threats such as data theft.
To tackle this, we can put a reverse TCP/UDP proxy in front of the application to mitigate DDoS attacks against it. The basic principle is similar to CDN dilution, discussed above: all connections are sent to the reverse proxy, which filters out malicious traffic based on an existing profile and passes the rest on. However, TCP/UDP proxies are configured per application (per port/service) rather than per domain, as with the CDN technique.
A TCP/UDP anti-DDoS proxy is always on, 24/7, with no lead time, and can effectively mitigate low-and-slow DDoS attacks. A major drawback is that the backend sees the proxy’s address as the source IP, so the real visitor’s IP is lost unless the proxy and the backend both support a mechanism for passing it along, such as the PROXY protocol. For applications that need the client address (logging, geo-blocking, per-client rate limiting), this can be a very significant issue.
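The source-IP problem above, as an added example that is not code from the original article or from any proxy product: the PROXY protocol v1 text header that a TCP reverse proxy can prepend to each forwarded connection so the backend still learns the real client address. Both sides are shown (the proxy building the header, the backend parsing it), together with the check a practitioner cannot skip: the backend must accept the header only from trusted proxy addresses, otherwise anyone connecting directly can spoof a client IP. The addresses, ports and the `client_address` helper are assumptions for the example.

```python
"""PROXY protocol v1 (the human-readable variant): how a TCP reverse proxy can hand the
real client address to the backend it fronts.

The proxy prepends one ASCII line to every forwarded connection; the backend parses
that line first and treats the remaining bytes as the application stream. The
exchange for the constructed example addresses below is:

  client 203.0.113.7:51234 --> proxy              : plain TCP connect
  proxy  --> backend 10.0.0.5:443                 : "PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n" + payload
"""
import ipaddress

MAX_V1_HEADER = 107  # longest valid v1 line including CRLF (the IPv6 case), per the spec


def build_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Proxy side: build the header announcing the original client and destination."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must be the same address family")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"invalid port {port}")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")


def parse_v1_header(data):
    """Backend side: split `data` into (client_info, remaining_bytes).

    client_info is a dict with src_ip/dst_ip/src_port/dst_port, or None for
    'PROXY UNKNOWN' (the proxy could not determine the original addresses).
    Raises ValueError on anything malformed, so a bad header closes the connection
    instead of being handed to the application as data.
    """
    head = data[:MAX_V1_HEADER]
    end = head.find(b"\r\n")
    if end < 0:
        raise ValueError("no CRLF within the maximum v1 header length")
    line, rest = head[:end].decode("ascii"), data[end + 2:]
    parts = line.split(" ")
    if parts[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if len(parts) >= 2 and parts[1] == "UNKNOWN":
        return None, rest
    if len(parts) != 6:
        raise ValueError("wrong field count")
    family, src, dst, sport, dport = parts[1:]
    version = {"TCP4": 4, "TCP6": 6}.get(family)
    if version is None:
        raise ValueError(f"unsupported family {family}")
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != version or dst_ip.version != version:
        raise ValueError("address does not match the declared family")
    # Ports must be plain decimal digits; int() alone would also accept "+1" or " 1".
    if not (sport.isdigit() and dport.isdigit()):
        raise ValueError("ports must be decimal digits")
    src_port, dst_port = int(sport), int(dport)
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return {"src_ip": str(src_ip), "dst_ip": str(dst_ip),
            "src_port": src_port, "dst_port": dst_port}, rest


def client_address(peer_ip, data, trusted_proxies):
    """Decide which address the application should treat as the client (hypothetical helper).

    Only connections arriving from a trusted proxy may carry a PROXY header. Anyone else
    who connects directly and sends "PROXY ..." is trying to spoof a client IP, so their
    bytes are passed through untouched and their own peer address is used instead.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip, data
    info, rest = parse_v1_header(data)
    return (info["src_ip"] if info else peer_ip), rest
```

Enabling the header on both ends is a deployment decision, not a default: a backend configured to parse PROXY headers from any peer is worse off than one that ignores them, because it turns the lost-source-IP problem into a spoofable-source-IP problem.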
While DDoS attacks have grown in frequency and sophistication, there are many ways to implement DDoS mitigation according to your needs and specific use case.
DDoS mitigation is extremely important in today’s cybersecurity environment, and choosing the right method to secure your network from DDoS and other attacks is essential. Start by assessing the state of your network and the equipment you have available, then choose the technique that fits your use case.