The impact of DDoS attacks on the enterprise [Q&A]
With the UK and US being amongst the top four most targeted nations for network DDoS attacks during the first half of 2021, this is clearly a problem that hasn't gone away amid all the pandemic-related news.
We spoke to David Elmaleh, senior product manager, Edge Services at Imperva, to discuss the impact DDoS attacks can have and why it's essential for organizations to monitor for anomalies relating to unexplained traffic spikes.
BN: What level of potential damage can a DDoS attack entail?
DE: Unlike other kinds of cyberattacks, distributed denial of service (DDoS) assaults don’t attempt to breach your security perimeter. Rather, a DDoS attack aims to make your website and servers unavailable to legitimate users. A successful attack is a highly noticeable event impacting an entire online user base. DDoS attacks can create downtime which leads to revenue loss, erodes consumer trust and can damage the brand’s long-term reputation. DDoS attacks are a popular weapon of choice for hacktivists, cyber vandals, extortionists and anyone else looking to cause disruption.
Imperva Research Labs found an ongoing trend of short, sharp, persistent attacks during the first half of 2021. These typically overwhelm hybrid cloud and on-premises solutions, causing maximum damage before backup cloud mitigation can start. They can also act as a distraction tactic and part of a wider multi-vector attack.
BN: What are the symptoms of a DDoS attack?
DE: DDoS attacks can come in short traffic bursts, repeated and varying assaults (i.e. multi-vector attacks), or low-and-slow approaches which can be less visible to the organization or end-user. Whichever form the attack takes, the impact on a website or business can last for days, weeks and even months.
We found that the median duration of a DDoS attack in the first half of 2021 was 6.1 minutes. These shorter attacks often remain under the radar because organizations using unsophisticated DDoS mitigation technology configure detection thresholds that ignore lower levels of activity. Yet, short and sharp attacks can still cause damage. In the first half of 2021, over a third of application layer DDoS attacks lasted more than 12 hours, while a separate third of attacks lasted less than 15 minutes. For this reason, DDoS attacks can be unpredictable and an extremely destructive threat for any organization with an online presence.
Symptoms of a DDoS attack include: slowness, unresponsive assets, unavailability or total outage leading to business downtime -- depending on the scale of the attack and the targeted assets (e.g. websites, DNS, entire network infrastructure, VPNs, routers etc.).
BN: What sort of monitoring/alerting do you recommend to detect DDoS attacks?
DE: It's critical to look for abnormalities, including unexplained traffic spikes, traffic types and visits from suspect IP addresses and geolocations. All of these could be signs of attackers performing 'dry runs' to test your defenses before committing to a full-fledged attack. Recognizing these proactively will help you prepare your defenses before the situation becomes more grim.
If you're running a commercial website or online application (e.g. SaaS applications, online banking, e-commerce), 24x7, always-on monitoring and protection is needed. If you’re in need of always-on DDoS protection for web applications, use DNS redirection to reroute all website traffic (HTTP/HTTPS) through the DDoS protection provider’s network (usually integrated with a content delivery network). The advantage to this approach is that a CDN can offer on-call scalability to absorb volumetric attacks, while minimizing latency and accelerating content delivery.
Medium to large-sized businesses may be more interested in protecting their infrastructure -- including email servers, FTP servers and back office platforms. This type of business may opt for an 'on-demand' solution, based on their operational and time-to-mitigation requirements.
When it comes to DDoS mitigation, the rule of thumb is: 'moments to go down, hours to recover'. When defending against these types of attacks, every second counts. That's why your DDoS protection solution should move quickly to mitigate downtime, ensure business continuity and have no performance impact.
BN: What's considered a safe threshold to identify DDoS activity as opposed to normal traffic or false positives?
DE: Volumetric and protocol DDoS attacks are usually high-traffic events, commonly measured in gigabits per second (Gbps) or packets per second (Pps). The largest network layer assaults can exceed hundreds of Gbps; however, 20 to 40 Gbps are enough to completely shut down most network infrastructures.
Applicative DDoS attacks show lower traffic volumes and won’t be identified accurately by a traffic threshold rule. In both cases (Layer 3/4 or Layer 7), a layered mitigation approach should be applied, combined with advanced traffic classification techniques and machine learning to ensure optimal accuracy and no false positives/negatives. This will ensure optimal availability and operation for critical business assets.
BN: How can companies prevent or reduce the risk of DDoS attacks?
DE: To truly protect against DDoS attacks, companies should use a dedicated, always-on mitigation solution. Traditional intrusion detection systems (IDS) and intrusion prevention systems (IPS) are not effective. Solutions can be deployed on-premises, but are more commonly provided as-a-service by third-party providers due to the operational ease and protection they offer against very large attacks.
Outside of that, there are a few preventive measures a company can take:
- Monitor for traffic abnormalities
- Keep an eye on social media (particularly Twitter) and public paste bins (e.g. Pastebin.com) for threats, conversations and boasts that may hint at an incoming attack.
- Consider using third-party DDoS testing (i.e. pen testing) to simulate an attack against your IT infrastructure so you can be prepared if and when an attack strikes. When you do this, test against a wide variety of attacks, not just those you're familiar with.
- Create a response plan and a rapid response team -- a designated group of people whose job is to minimize the impact of an assault. When you plan, put in place procedures for your customer support and communication teams, not just for the IT team.
BN: How can companies reduce the impact of active DDoS attacks if they occur?
DE: Given the speed at which a DDoS attack comes on, preparation is essential. It's why creating a response plan and a rapid response team is a fundamental priority as it will help streamline response efforts and minimize the impact of the attack.
If a company doesn't have always-on DDoS protection in place, they'll need emergency onboarding with a DDoS protection provider when the attack strikes. In these cases, the speed at which the provider is brought on -- along with the vendor's mitigation efficiency -- will be critical for resolving an active DDoS attack before it causes too much damage.
The mitigation process is typically defined in four stages:
- Detection: identify traffic flow deviations that may signal the buildup of a DDoS assault.
- Diversion: traffic is rerouted away from the target via DNS (Domain Name System) or BGP (Border Gateway Protocol) routing, and a decision is made whether to filter it or discard it altogether.
- Filtering: DDoS traffic is weeded out, usually by identifying patterns that instantly distinguish between legitimate traffic (i.e., humans, API calls and search engine bots) and malicious visitors.
- Analysis: system logs and analytics are used to help gather information about the attack, both to identify the offender(s) and to improve future resilience.
BN: Are some geographical regions more likely to be associated with DDoS attacks?
DE: As monitored by Imperva Research Labs, Taiwan, the US, UK and Germany were the most targeted nations for network DDoS attacks in the first half of 2021 accounting for 86 percent of the total monitored attacks. When it comes to application layer DDoS attacks (Layer 7), the US is by far the most targeted country, accounting for 60 percent of the total monitored attacks. Brazil, the UK and Australia are also targeted frequently by these types of DDoS threats.
BN: How should companies defend against systems being compromised by malicious actors then used for DDoS attacks?
DE: When a group of connected devices becomes infected by malware, such as Mirai, and controlled by a malicious actor for the purpose of executing an attack, it's known as a DDoS botnet or 'zombie devices'. In this particular case, the attacks are externally distributed and large scale, which requires a global DDoS Protection solution to match the distribution and capacity requirements for protecting the company efficiently.
For situations where a company gets infiltrated and their assets become controlled by a remote command and control center to participate in DDoS attacks, the recommended approach is to apply security policies with continuous outgoing traffic analysis to prevent communication with command and control centers or traffic bursts to identified targets.
BN: What sort of penalties might companies unknowingly involved in DDoS attacks suffer?
DE: When a company is unknowingly involved in a DDoS attack -- because its systems were infiltrated and became controlled by a malicious actor -- there is greater potential that their assets will be categorized as malicious traffic, which could impair their IP reputation.
Additionally, these victims might see bandwidth costs grow because their computing systems are being weaponized to enable a volumetric attack.
BN: What about companies or individuals knowingly involved?