infoTECH Feature

February 23, 2016

Scale Up Your Defenses Against DDoS Attacks

By Special Guest
Liu Lizhu, General Manager, Network Security, Switch and Enterprise Communications Product Line, Huawei

The January 2016 DDoS attack against the BBC may have set a new record. The group that launched the attack, New World Hacking, claims to have reached a top speed of 602Gbps during the attack. Even if the group is exaggerating, there is no doubt that the size, frequency, and severity of DDoS attacks are on the rise. As the attacks scale up, enterprises need mitigation systems that scale as well.

Take the example of a major European telecoms carrier. Realizing the threat DDoS posed to its own core network and to its customers, it wanted to be proactive in protecting itself. It installed DDoS protection calculated to protect against the most serious attack it had experienced in the past, and added on a significant multiplier. Still, this covered only a fraction of its total bandwidth. For two years, the protection held up, until a series of DDoS attacks occurred that just slightly exceeded the mitigation capacity. The system failed, taking down many customers’ sites, including banks and government sites. It turns out that during those two years, attackers had been testing and poking the telecom’s DDoS mitigation capacity, launching a series of incremental attacks. After the fact, the enterprise expanded its protection capacity to cover its full network bandwidth and augmented it with cloud-based protection even larger than its on-premises capacity.

Other Strategies Powerless Against DDoS

Firewalls and IPS (intrusion prevention systems) don’t provide any significant protection against DDoS attacks. Indeed, these session-based safeguards are often among the first victims of a DDoS attack. Routers, which use ACLs (access control lists) to filter out undesirable traffic, fall short in protecting against more sophisticated DDoS attacks.

Nor can you rely on a CDN (content delivery network) for DDoS protection. When a website is under DDoS attack, your CDN provider will interpret the botnet-generated traffic as regular user sessions. Then, one of two things will happen: Either the CDN will continue to cache these bogus requests, resulting in significantly higher CDN costs, or when traffic volume exceeds your contracted cache capacity, the CDN will just route the attack traffic back to your origin servers. While the second tactic may delay the site’s collapse, neither will stop the DDoS attack.

The question of how to protect against DDoS attacks is further complicated by the multiple environments in which enterprises work today: all cloud-based, a hybrid of cloud and on-premises, or fully on-premises. As the Internet of Things increases the number of devices people use to connect to your enterprise’s site, it also increases the avenues for DDoS attacks. Attacks are now being launched directly from mobile devices, and application-based attacks are on the rise.

The New Generation of DDoS Mitigation Solutions

As DDoS attacks expand in size and sophistication, enterprises must scale up their mitigation strategies and equipment. The latest generation of anti-DDoS solutions incorporates advanced features such as signature learning, behavior analysis, reputation mechanisms, and Big Data analytics. These solutions:

  • Protect enterprises from large-scale, fast-speed attacks in excess of several hundred gigabytes per second
  • Protect against application-layer attacks
  • Detect attacks launched from mobile devices and protect mobile Internet service
  • Prevent outbound DDoS from data centers

Enterprises that have deployed this type of new, more comprehensive DDoS mitigation solution are already reaping the benefits. Alibaba Group, for example, credits its stronger DDoS protection with deflecting more than 100 attacks a day, at a maximum traffic rate of 100Gbps.

Conclusion

The DDoS threat is real and so are the consequences. The scale of DDoS attacks can’t be measured just in downtime or dollars. They damage the trust between an enterprise and its customers. They tarnish corporate reputations.

But enterprises can protect themselves. DDoS mitigation is as real—and can be as effective—as the attacks themselves. Enterprises can safeguard their networks, their data, and their customers. By going on the defense with a plan, the right technology, and the right partner, enterprises can mitigate the likelihood of a DDoS attack.




Edited by Maurice Nagle