DDoS attacks threat
DDoS attacks are a type of attack where an attacker attempts to make a computer or network resource unavailable to its intended users. This is usually done by flooding the target with traffic from multiple computers, or by sending malicious requests that overload the system.
Botnets are often used to launch DDoS attacks, as they can generate a large amount of traffic. However, DDoS attacks can also be launched without using botnets. For example, an attacker could use a single computer to send malicious requests to a vulnerable server.
DDoS attacks can be difficult to defend against, as they can come from anywhere in the world and can be hard to trace. However, there are some things that you can do to protect yourself, such as keeping your software up-to-date, using a firewall and most importantly - having a resilient architecture.
Application layer micro floods
Online businesses are migrating to public clouds, therefore the attackers are changing their approach and techniques. We are observing DDoS attacks on a huge scale - Microsoft has reported an attack of 3.47Tbps scale.
Yet, the attacks that are huge in volume are not the ones that are the most deadly. The most concerning is the trend of application-level attacks and micro floods. Radware has reported an almost 80% increase in attacks smaller than 1Gbps. These slower attacks can go undetected, are hard to mitigate and can consume a lot of resources such as bandwidth, CPU and memory usage, allowing an attacker to stealthily cause denial-of-service.
Not volumetric in nature, such attacks can often be launched with only a single machine; additionally, because these attacks occur on the application layer, a TCP handshake is already established, successfully making the malicious traffic look like normal traffic traveling over a legitimate connection.
Application layer DDoS attacks are more complex than lower layer attacks because they contain valid components like TCP connections, IPs, and requests. They are hidden under the protection of TLS encryption. Most WAFs are good at identifying L7 attacks, but they can't catch everything.
Nowadays, the most popular application DDoS attack vectors are Slow HTTP GET and Slow HTTP POST requests. The goal of these attacks is to use up all of the application's resources by opening many connections. The attacker would send an incomplete HTTP request.
The remaining parts are sent in long intervals, to make sure that the connection does not time out and that the server keeps the thread open. It is hard to spot while monitoring the traffic, as it is very similar to the behavior of users with slow Internet connection. The difference though, is in fact that the attacker scripts the requests and repeats them multiple times. This situation causes a denial of service for legitimate users, as the connection table in the server's memory is full, busy handling the illegitimate slow requests.
Build infrastructure that is DDoS resilient
DDoS attacks are on the rise, and they can be very costly for businesses. In a recent study, it was found that DDoS attacks cost businesses an average of $2.5 million per incident. So, how can we build infrastructure that is DDoS resilient?
There are a few things businesses can do to make their infrastructure more DDoS resilient:
Disperse your assets
Make sure that your architecture is decentralized. This includes dispersing assets, locating servers in different data centers, and having diverse paths. It is also advised to separate monitoring, data storage, and app logic to their own dedicated machines.
Utilize load balancers
Best practice is to use load balancers in front of application servers. That will increase availability and limit attack effectiveness.
Use multiple layers of security
In addition to using a DDoS mitigation service, it is important to use multiple layers of security to protect your infrastructure from DDoS attacks. This includes using firewalls, intrusion detection/prevention systems, and anti-virus software.
Harden your systems
Take note of your application server settings such as the connection timeout, maximum memory pool, available CPU time, possible HTTP parameters length etc. Consider installing additional security plugins if applicable.
Stay up to date
Make sure you keep your systems up to date with the latest security patches. Many DDoS attacks take advantage of known vulnerabilities in systems and applications.
Analyze your app bottlenecks
Application functions that require multiple memory or computing resources should be limited and protected. Make sure that a user cannot make multiple function calls. Consider using CAPTCHA or other challenges on your website.
Make sure that you have a disaster recovery plan.
A disaster recovery plan is an important part of any business. Without a plan in place, your business could be crippled in the event of an attack or other emergency. The plan should include steps to take, as well as contact information for employees and vendors on your escalation path.
Cloud Infrastructure Design
Public cloud providers such as Azure and AWS put a great emphasis on availability and resiliency. The publicly available documentation shows multiple design examples for reference. You can utilize these examples to ensure resiliency agains web application DDoS attacks. Make sure that you remember about implementing limits, so that the resources do not scale over your budget.
AWS reference architecture:
The great benefit of the above architecture is the fact that it uses AWS CloudFront - CloudFront offers a feature of automatic application layer DDoS mitigation. When an attack event is detected, there is an automatic implementation of mitigation rules in the associated AWS WAF instances.
Additionally, the design recommends having Elastic Load Balancing in front of your EC2 instances. This will guarantee that your web application is available to legitimate users, even when the application is under heavy load.
Read more: AWS Documentation
Azure reference architecture
Azure recommends to have their Application Gateway WAF deployed in front of the resources and configure the apps to accept only traffic from the Application Gateway IP address. Read more: Azure Documentation.
Market DDoS protection solutions
There are a number of commercial DDoS protection solutions on the market. These solutions vary in terms of features, pricing, and performance. Some of the more popular DDoS protection solutions include Akamai, CloudFlare, and Arbor Networks.
You can tailor your DDoS protection to your needs and in order to help you do so, there are reports published by companies such as Forrester Research and Gartner, that analyze and compare the available solutions. You can find the latest "Forrester Wave" under the following link: DDoS Mitigation Solutions Q1 2021.
Building infrastructure that is DDoS resilient can be difficult, but it is important for businesses to take steps to protect themselves from these types of attacks. By using a DDoS mitigation service, using a cloud-based infrastructure, and using multiple layers of security, businesses can make their infrastructure much more resilient to DDoS attacks.