This Industry Perspective was written by Xuhua Bao, Hai Hong and Zhihua Cao of NSFOCUS.
Part two of this series concludes our discussion of the serious nature of DDoS attacks and the misconceptions that could leave networks vulnerable to attack. Part one of this series was published last week.
DDoS attacks are on the rise and so too are efforts to defeat them. Analysts forecast the global DDoS prevention market to grow at a rate of 19.6 percent from 2013-2018. This market growth suggests that DDoS attacks are more than just irritating. People in the know understand that these attacks not only cause disruption but can cause damage and tarnish reputations as well.
However, many still don’t understand how these attacks operate, and this ignorance can cost them. In the discussion that follows, we outline several erroneous beliefs about DDoS attacks that data centers, ISPs and enterprises should become familiar with.
Error #6: Chaos is the Only Goal of DDoS Attacks
People can’t quite figure out hackers. They seem to be computer whiz kids who act like bulls in a china shop for no apparent reason. DDoS attacks take some technical skill and directly result in the destruction of network service availability. This doesn’t seem to benefit hackers, suggesting that popular opinion holds true.
Well, things aren’t always as they seem. Hackers, like all humans, do things for a reason, and the reason is most often profit. The current generation of hackers is much more sensitive to cost-benefit calculations than the average person. They use destructive power in exchange for profit, they use destructive deterrents to avoid losses to themselves, and they use destruction as leverage to shift the playing field to their advantage. Destruction is only one part of DDoS attack motivation; the true goal is almost always profit of some sort.
Error #7: You Can Mitigate DDoS Attacks with Firewalls and IDS/IPS
It’s a nice idea, but firewalls were not designed with DDoS attack mitigation in mind.
With traditional firewalls, defense is carried out through intensive inspection of traffic to detect attacks. The greater the intensity of the inspection, the higher the computing cost per packet. Massive volumes of DDoS attack traffic therefore degrade a firewall’s performance significantly and leave it unable to keep up with its packet-forwarding task. At the same time, traditional firewalls are generally deployed at network entry points. Although they serve, in a sense, to protect internal network resources, they themselves commonly become DDoS attack targets.
Because they are the most widely deployed inspection tools, people assume that intrusion detection and prevention systems (IDS/IPS) can act as effective DDoS attack mitigators. However, when faced with a DDoS attack, these systems generally cannot meet user needs. IDS/IPS devices perform rule-based application layer attack detection: they were designed to recognize application layer attacks by matching specific attack signatures. The majority of current DDoS attacks, however, consist of legitimate, well-formed packets that match no signature, so IDS/IPS cannot effectively identify DDoS attack traffic by its content. At the same time, IDS/IPS devices suffer the same performance problems under load as firewalls.
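The following added example (not code from the original article or from NSFOCUS) illustrates the point above with constructed access-log lines: a signature-based check of the kind an IDS/IPS performs flags a single request with an attack pattern in it, but sees nothing wrong with a source that sends sixty perfectly legal requests in one second, whereas a simple per-source rate check does. The log format, the IP addresses (documentation ranges), the signature patterns and the threshold are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed access-log excerpt: "<epoch_seconds> <client_ip> <method> <path>".
# 203.0.113.5 (a documentation-range address, chosen for this example) sends
# 60 well-formed requests inside one second; the other clients behave normally,
# except for one request carrying a path-traversal pattern.
SAMPLE_LOG = "\n".join(
    ["1000 203.0.113.5 GET /index.html" for _ in range(60)]
    + [
        "1000 198.51.100.7 GET /index.html",
        "1001 198.51.100.7 GET /about.html",
        "1002 192.0.2.9 POST /login",
        "1003 192.0.2.9 GET /account",
        "1004 192.0.2.9 GET /download?file=../../secret",
    ]
)

# Illustrative signatures of the kind a rule-based IDS/IPS matches against
# request content. They describe application-layer attacks, not floods.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)union\s+select"),
    "script injection": re.compile(r"(?i)<script"),
}

LOG_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+)$")


def parse_log(text):
    """Turn the log text into (timestamp, ip, method, path) tuples."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return records


def signature_alerts(records, signatures=SIGNATURES):
    """Rule-based detection: flag a request only if its path matches a signature.
    A flood of legal GET requests produces no alert here at all."""
    alerts = []
    for _ts, ip, _method, path in records:
        for name, pattern in signatures.items():
            if pattern.search(path):
                alerts.append((ip, name, path))
    return alerts


def rate_alerts(records, window=1, threshold=20):
    """Volume-based detection: flag sources that exceed `threshold` requests
    within any sliding window of `window` seconds. Returns {ip: peak_count}."""
    per_ip = defaultdict(list)
    for ts, ip, _method, _path in records:
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak = 0
        start = 0
        for end, ts in enumerate(stamps):
            # Drop timestamps that have fallen out of the window ending at `ts`.
            while stamps[start] <= ts - window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Only the traversal request is caught by signatures; the flood is invisible.
    print("signature alerts:", signature_alerts(recs))
    # The rate check catches the flooding source: {'203.0.113.5': 60}
    print("rate alerts:", rate_alerts(recs))
```

The two detectors are complementary rather than interchangeable: the signature check is the right tool for the one malformed request and says nothing about volume, while the rate check knows nothing about content. A real deployment also has to cope with the load problem the article describes, since the rate check above still has to parse every request in the flood.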
Error #8: You Can Mitigate DDoS Attacks by Optimizing the System and Increasing Bandwidth
Increasing the size of the Transmission Control Protocol (TCP) connection table and reducing the timeout for establishing TCP connections are examples of tuning the core parameters of the system under attack. System optimization of this type can mitigate small-scale DDoS attacks to a certain extent. However, when hackers increase DDoS attack scale and traffic volume exponentially, the effect of system optimization becomes negligible.
Purchasing redundant hardware and adding servers with better performance is included in the retreat strategy of increasing bandwidth. As long as the resources consumed by a DDoS attack do not exceed the load-bearing capabilities of the current bandwidth, computing and other resources, the attack will be ineffective. However, once the resources consumed by the attack exceed the system’s capabilities, further retreat is needed to make the attack ineffective.
In theory, increasing bandwidth and other such retreat strategies should be able to completely resolve the problems posed by DDoS attacks. However, in reality, these measures do not make economic sense. In fact, the costs hackers incur by increasing the scale of DDoS attacks are minimal. However, the investment required to continually increase bandwidth, server quantity and other infrastructure enhancements to mitigate DDoS attacks cannot increase without limit. Therefore, retreat strategies are not effective DDoS attack mitigation methods.
Error #9: One DDoS Mitigation Device Fits All
Because not all DDoS attacks are the same, not all mitigation services or devices will work against every one of them. Cloud-based cleaning (scrubbing) services mainly rely on traffic dilution and diversion and are designed for volumetric, traffic-type DDoS attacks. Local mitigation devices can only handle a relatively small volume of traffic, but it is easier for them to apply multiple cleaning techniques in combination, which suits them to defending against DDoS attacks that exhaust system and application resources. Users should select mitigation solutions based on their own business characteristics and the particular dangers they face.
Know Thy Enemy
DDoS attacks have become so prevalent, disruptive and destructive that detecting and mitigating them has become a multi-billion dollar business. Organizations are doing their best to keep their assets safe, but erroneous beliefs can keep them from doing all they should.
It’s important to understand how DDoS attacks work; they’re not all launched from botnets anymore, they consume more than bandwidth resources, they don’t all move at the same speed, and some are more dangerous than others.
One of the most important errors to overcome is the idea that smaller websites aren’t worth a hacker’s time. Organizations of all sizes and across all industries must be vigilant to rid their ranks of these errors regarding DDoS attacks and create a comprehensive strategy for dealing with them. This will save them headaches as well as possible damage to their reputation.