The best way to stop DDoS attacks

For the fastest response, you can't beat in-path deployment of a high-performance DDoS mitigation device that is able to detect and mitigate immediately

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Experiencing a distributed denial-of-service (DDoS) attack is like having your home flood. Without warning, attackers can upend your enterprise. Every moment counts, but unfortunately by the time some DDoS solutions identify and report the attack, the damage is already done. You need a faster, more immediate means of threat detection to prevent severe damage.

When a DDoS attack hits your network, a long time can pass before the security/network staff fully realizes it is actually a DDoS attack that is affecting the services, and not a failing server or application. Even more time may pass before the actual mitigation of the threat starts to take effect.

Volumetric attacks, though devastating, take a while before users and internal service monitoring systems notice their effects. Application layer attacks are much harder to detect, as they tend to fly under the detection radar because of their low-volume profile.

When mitigation starts too late, the damage may already be done: the firewall state table may be overwhelmed, causing reboots, or worse, it locks up, making the DDoS attack effective from the attacker's perspective. The service is no longer available to legitimate users.

Deployment Methods and Detection

A variety of methods allow security teams to gain insight into what's going on in a network. One of the more popular approaches is flow sampling as virtually all routers support some form of Flow technology, such as NetFlow, IPFIX, or sFlow. In this process, the router samples packets and exports a datagram containing information about that packet. This is commonly available technology, scales well, and is quite adequate to indicate trends in network traffic.

For in-depth security analysis purposes, however, relying on samples is a serious concession; you miss a large piece of information as you only receive one packet out of a thousand, or worse. A flow analytics device has to evaluate the behavior of a traffic stream over a longer time period to be sure something is wrong, and to avoid false positives.

Common DDoS protection deployments use a flow analytics device, which reacts to the discovered incident by redirecting the victim's traffic to a mitigation device and telling it what action to take. This method scales well for gathering traffic to be analyzed, and the reactive model only redirects potentially bad traffic, which allows for some bandwidth oversubscription. But this is risky business as the mean time to mitigate can run into minutes.

For the most insightful detection and fastest mitigation, you can't beat in-path deployment of a high-performance DDoS mitigation device that is able to detect and mitigate immediately. In-path deployment allows for continuous processing of all incoming traffic (asymmetric) and possibly also the outgoing traffic (symmetric). This means the mitigation device can take immediate action, providing sub-second mitigation times. Care should be taken that the mitigation solution is able to scale with the uplink capacity, and the real-world performance during multi-vector attacks.

As an alternative to in-path detection and sampling, mirrored data packets provide the full detail for analysis, while not necessarily in the path of traffic. This allows for fast detection of anomalies in traffic, which may have entered from other entry points in the network. While setting up a scalable mirroring solution in a large network can be a challenge, it can also be an excellent method for a centralized analysis and mitigation center.

Watch your performance metrics

Bandwidth is an important metric for most people. When shopping for home Internet connection, people most often compare the bandwidth metric. While it is important, as with many things, the devil is in the details. Networking devices ultimately process network packets, which typically vary in size. Small packets use less bandwidth, while large packets amount to larger bandwidths. The main limitation of the networking node is set by the amount of packets a device can process within a second. By sending many small packets at a high rate, an attacker can stress out the infrastructure quite quickly especially traditional security infrastructure such as firewalls, or Intrusion Detection Systems. These systems are also more vulnerable to stateless, high-rate assaults such as many flooding attacks, due to their stateful security approach.

Verizon's 2014 Data Breach Investigations Report notes that the mean packet-per-second (pps) attack rate is on the rise, increasing 4.5 times compared to 2013. If we carefully extrapolate these numbers, we can expect 37 Mpps in 2014 and 175 Mpps in 2015. These are the mean values to show the trend, but we have seen many higher pps rates. While the mean value demonstrate the trend, to properly prepare your network, you should focus on worst-case values.

Assure your Scalability

As DDoS attacks, and especially volumetric attacks, enter the network with extreme packet-per-second rates, you need a mitigation solution with adequate packet processing power

Scaling the analytics infrastructure is also an important consideration. Flow technology scales rather well, but at a massive cost: it compromises granularity and time-to-mitigate.

If your vendor provides performance numbers that match your network size, be aware that the real-world performance may be lower. The current trend is that attacks use multiple attack vectors; multiple attacks methods are launched simultaneously. Datasheet performance figures provide a good indicator to match the product to your needs, but it is advisable to test your prospect mitigation solution, and validate it through a series of tests to see how it holds up against a set of attack scenarios in your environment.

The multi-vector attack trend illustrates the importance of validating performance. Running a basic attack such as a SYN flood puts a base stress level onto the CPUs - unless, of course, the attack is mitigated in hardware. Making the system simultaneously fight a more complex application-layer attack such as an HTTP GET flood attack could push a system over its limit.

Periodic validation of your network's security performance is critical to ensure that your security solutions will hold up during various simultaneous attacks, and to ensure that your network investments are up to the task in a growing, secured network.

Network flooding does indeed have a lot in common with a home flooding. The sooner you know it is happening, the sooner you can take action. Just make sure your sandbags are up to the task!

A10 Networks is a leader in application delivery networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, Calif., and serves customers globally with offices worldwide.


Join the CSO newsletter!

Error: Please check your email address.

Tags network securityddossecurity

More about A10 NetworksindeedIntrusionVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Rene Paap, product marketing manager, A10 Networks

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts