Denial of Service

A Denial of Service (DoS) attack aims at the availability of a service, website or network. By disrupting or suspending normal data flow, the system is rendered unavailable. Amplifying this tactic, distributed DoS (DDoS) attacks target systems well-orchestrated from different locations at the same time.

According to Link11 DDos attacks increased over 33% in the first six months of 2021 alone [1] and VERIZONs DBIR states that it is the most common pattern in data breaches since 2019 [2]. Even if this threat is likely to increase in the future as cloud servers will become affordable and effective weapons for threat actors, there are several proactive and reactive measures organizations can implement to lower the risk of (D)Dos attacks:

Establish a Baseline and monitor network traffic for unusual Activity

Organizations should monitor network traffic to understand normal traffic patterns and establish a baseline. From this, symptoms (e.g. traffic slow down) of (D)Dos can be identified in an early stage of the attack.

Apply Rate Limits to Servers

Rate limits restrict the number of requests, the bandwidth and packet rate, or the number of concurrent connections a server will handle in a given period of time. These limits can help to stop certain types of malicious bot activity used in (D)Dos attacks. However, it is not a complete solution for dealing with (D)DoS attacks.

Deploy a Web Application Firewall

Web Application Firewalls (WAF) filter traffic based on defined rules. They can protect web applications by controlling input, output, and access to and from the application. WAFs can be deployed as separate appliance or server, as a plug-in, or even be bought as service.

A WAF inspects every data packet to prevent common attacks like Cross Site Scripting or SQL injection known from the OWASP Top 10 [3]. It can also detect and defend against new, unknown attacks by looking for unusual and unknown patterns in data traffic.

Diffuse the attack with an anycast service

Studies show that organizations could make use of third party services to place large, distributed cloud networks between critical, internet facing servers and incoming traffic. This provides additional computing resources that can be used to respond to requests and mitigate an ongoing DDoS attack. [4,5,6]

Recommendation

Check if your organization is well prepared for (D)Dos attacks:

  • Is your network and internet bandwidth able to handle spikes in traffic that may be caused by malicious activity like a (D)DoS attack?
  • Is your critical infrastructure built redundant between different data centers to balance load and distribute traffic?
  • Are your firewalls hardened to withstand certain (D)Dos attacks (e.g. DNS- or Ping-based attacks)?

Need help mitigating the risk of (D)DoS attacks for your organization? Contact us for more information.

Sources

  • [1] Link11 DDoS Report for the First Half of 2021
  • [2] Verizon DBIR
  • [3] OWASP Top Ten
  • [4] Wouter Vries, Ricardo Schmidt, Aiko Pras. Anycast and Its Potential for DDoS Mitigation. 10th IFIP International Conference on Autonomous Infrastructure, Management and Security (AIMS), Jun 2016, Munich, Germany. pp.147-151, ff10.1007/978-3-319-39814-3_16ff. ffhal-01632736Q
  • [5] G. C. Moura, R. d. O. Schmidt, J. Heidemann, W. B. de Vries, M. Muller, L. Wei, and C. Hesselman, “Anycast vs. ddos: Evaluating the november 2015 root dns event,” in Proceedings of the 2016 Internet Measurement Conference, 2016, pp. 255–270
  • [6] L. M. Bertholdo et al., “TANGLED: A Cooperative Anycast Testbed,” 2021 IFIP/IEEE International Symposium on Integrated Network Management (IM), 2021, pp. 766-771.