How Blocking and Controlling Traffic Can Stop DDoS Attacks

Enterprises can prevent the vast majority of DDoS attacks by blocking IP address spoofing and controlling inbound traffic.

NETSCOUT

You only need to consider that more than 4.4 million distributed denial-of-service (DDoS) attacks occurred in the second half of 2021, to know with certainty that such attacks are always happening. It’s not a matter of if a company will be impacted by a DDoS attack, it’s a matter of when.

But enterprises don’t have to cower and wait for the inevitable to occur. In fact, enterprises and service providers can block 90% of DDoS attacks with two simple steps: blocking IP address spoofing and controlling inbound traffic.

Blocking spoofed traffic

IP address spoofing occurs when a device forges the source address of the packets it sends in order to impersonate another device. It is the attacker's preferred move in reflection/amplification attacks: by putting the victim's address in the source field of its requests, the attacker makes an unwitting service send its (typically much larger) replies to the victim.

There is no legitimate reason for spoofed traffic to cross the internet. A network operator that drops packets whose source address cannot belong to the interface they arrive on has no impact on legitimate traffic, provided the filter is built from the prefixes actually assigned (a multihomed customer with asymmetric routing needs its full prefix set permitted on every ingress, or its return traffic gets dropped).

In fact, if all network operators (enterprises, service providers, and so forth) universally blocked IP address spoofing, attackers would be unable to launch spoofed DDoS attacks at all, which would in turn eliminate every reflection/amplification DDoS attack. This matters to enterprises directly: attackers are constantly looking for vulnerable devices inside corporate networks from which to send spoofed traffic, and an enterprise that filters its own outbound sources denies them that capability even after a host is compromised.

Blocking IP address spoofing is easy at the enterprise's internet edge with a simple access control list (ACL): drop outbound packets whose source address is not one of the enterprise's own prefixes, and drop inbound packets whose source claims one of those prefixes or an address that is never routable on the internet (private, loopback, link-local and similar ranges). This costs negligible router resources, and it ensures that only plausibly legitimate traffic is allowed to reach the company network.

Likewise, internet service providers (ISPs) should implement ACLs at their subscriber edges, so that traffic entering from a customer port is accepted only if its source address lies within the subnets allocated to that customer. The same control can be applied at the boundary between local and regional ISPs, where the regional ISP accepts from a local ISP only traffic sourced from the prefixes that ISP is responsible for.

Controlling traffic toward services

Enterprises use the internet primarily for two purposes: accessing services/information and providing services/information to others. But regardless of the company’s scope or scale, no organization provides all services to every user.

As such, inbound traffic should be limited to the services actually offered. A default-deny ACL that permits only the protocols and ports each public host exposes is easy to build from the list of deployed services, and it blocks the majority of DDoS attack vectors with minimal effort. In a multivector attack, every vector aimed at a port or protocol the target does not serve is dropped at the edge, leaving only traffic toward published services to be handled by other means.
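To make both controls concrete, the following is an added example (written for this page, not NETSCOUT's code and not any router's ACL syntax) of a small stateless packet filter that applies the anti-spoofing ACLs described above (enterprise internet edge in both directions, and an ISP subscriber edge) followed by a default-deny service ACL. The address plan uses documentation prefixes, the published-service table and the sample packets are constructed, and the bogon list is a subset of the usual one.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: int = 0         # 0 for protocols without ports
    direction: str = "in"  # "in": arriving from the internet; "out": leaving toward it


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Assumed address plan: documentation ranges, not real networks.
ENTERPRISE_PREFIXES = nets("203.0.113.0/24")

# Sources that should never arrive from the internet (constructed subset of the
# usual bogon list: unspecified, RFC 1918, shared address space, loopback,
# link-local, multicast, reserved).
BOGON_SOURCES = nets("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
                     "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
                     "224.0.0.0/4", "240.0.0.0/4")

# Services this enterprise actually exposes: public host -> allowed (proto, port).
# Anything not listed is denied by default (constructed example).
PUBLISHED_SERVICES = {
    "203.0.113.80": {("tcp", 80), ("tcp", 443)},  # web front end
    "203.0.113.53": {("udp", 53), ("tcp", 53)},   # authoritative DNS
}


def in_any(addr: str, prefixes) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)


def antispoof_edge(pkt: Packet) -> str:
    """Anti-spoofing ACL on the enterprise's internet edge (BCP 38 style).

    Inbound: a packet claiming one of our own addresses, or an address that is
    never routable on the internet, cannot be legitimate.
    Outbound: a packet leaving with a source we do not own is a spoof, e.g. a
    compromised internal host sending reflection requests in a victim's name."""
    if pkt.direction == "in":
        if in_any(pkt.src, ENTERPRISE_PREFIXES) or in_any(pkt.src, BOGON_SOURCES):
            return "drop"
        return "accept"
    return "accept" if in_any(pkt.src, ENTERPRISE_PREFIXES) else "drop"


def subscriber_edge(pkt: Packet, allocated) -> str:
    """ISP subscriber-edge ACL: traffic entering from a customer port must carry
    a source address inside the prefixes allocated to that customer."""
    return "accept" if in_any(pkt.src, allocated) else "drop"


def service_acl(pkt: Packet) -> str:
    """Default-deny ACL toward published services: only the (proto, port) pairs a
    host actually offers are reachable from the internet."""
    allowed = PUBLISHED_SERVICES.get(pkt.dst, set())
    return "accept" if (pkt.proto, pkt.dport) in allowed else "drop"


def inbound_verdict(pkt: Packet) -> str:
    """Order used at the internet edge: spoof check first, then service ACL."""
    if antispoof_edge(pkt) == "drop":
        return "drop"
    return service_acl(pkt)


# Constructed sample traffic, not captured data.
SAMPLE = [
    Packet("192.0.2.7", "198.51.100.53", "udp", 53, "out"),       # internal bot forging a victim's source
    Packet("203.0.113.20", "198.51.100.53", "udp", 53, "out"),    # outbound from our own space
    Packet("203.0.113.10", "203.0.113.80", "tcp", 443, "in"),     # inbound claiming to be us
    Packet("10.1.1.1", "203.0.113.80", "tcp", 443, "in"),         # inbound from RFC 1918 source
    Packet("198.51.100.9", "203.0.113.80", "tcp", 443, "in"),     # legitimate web request
    Packet("198.51.100.9", "203.0.113.80", "udp", 11211, "in"),   # memcached toward web host: not published
]


def run_sample():
    """Apply the edge filters to SAMPLE and return one verdict per packet."""
    return [antispoof_edge(p) if p.direction == "out" else inbound_verdict(p)
            for p in SAMPLE]


if __name__ == "__main__":
    for p, v in zip(SAMPLE, run_sample()):
        print(f"{p.direction:>3} {p.src:>14} -> {p.dst}:{p.dport}/{p.proto}  {v}")
```

The filter is deliberately stateless, like a router ACL: on a real edge the service rules are complemented by a stateful device (or an "established" match) so that replies to connections the enterprise initiated are not caught by the default deny, and the published-services table is regenerated from inventory rather than edited by hand.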
 
These strategies have proven effective for many enterprises around the world. For example, a large service provider was hit with a massive reflected DDoS attack in 2021. The attack was mitigated by predeployed ACL filters without any additional input from IT or security.
 
We discuss more about how network operators can successfully thwart cyberattacks by blocking spoofed IP addresses and controlling access to services in our 2H 2021 Threat Report. Read it to better understand how to fully block or dramatically reduce the impact of DDoS attacks by using these strategies.

Access the full interactive 2H 2021 Threat Report to learn more about how attackers are changing strategies to bring down VoIP providers.

Copyright © 2022 IDG Communications, Inc.