Enterprises and end users remain at risk of DDoS attacks, which have been named the #1 Internet threat.

Distributed denial of service is a type of DoS attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system, causing a denial of service. The DDoS attack itself may be a bit more sinister, according to NSFOCUS IB. A DDoS attack is an attempt to exhaust resources so that you deny access to resources for legitimate users.

“It has never been easier to launch a sustained attack designed to debilitate, humiliate or steal from any company or organization connected to the Internet. These attacks often threaten the availability of both network and application resources, and result in loss of revenue, loss of customers, damage to brand and theft of vital data,” NSFOCUS Global wrote in a business white paper.

In a question-and-answer session, Dave Martin, director of product marketing at NSFOCUS, IB, explained the different types of DDoS attacks and how to detect and respond to these attacks.

What are some of the most common types of DDoS attacks?

There are actually three styles of attacks that we see often: application order, volumetric, and hybrid.

Can you explain the differences in each method?

Application order is less volumetric but still tries to consume resources. An attacker connects to a website and asks for a password. They send data and get a response from the server. Rather than send all data at once, they send a character at a time. As an attacker, you can create hundreds of thousands of connections at a time. They are opening up a secure connection to a website that appears normal but is consuming memory.

Volumetric attempts to overwhelm the target with traffic.

The hybrid attack is often application order and volumetric used in combination. The consequence is loss of revenue, loss of customers, and damage to reputation. These are not even about denial of service. These are smoke screens for exfiltration of data.
Because of the distraction, attackers are able to plant back doors in other areas of the network.

How can security teams detect these attacks?

Detecting the DDoS attack itself really requires specialized hardware that will send alerts like emails or management tracks. The goal is to get these notifications before a resource becomes unavailable. If you don’t have anti-DDoS detection, you won’t know until the service goes down.

How do security teams respond once they identify these attacks?

It takes a while for service providers to identify and clean that traffic. A lot of service providers black hole the traffic so that all of your traffic is offline.

How can security professionals differentiate when an attack is DDoS?

These attacks are advanced persistent threats. Often the bad actors install a back door and sit on a network, making them difficult to detect.

Why are these attacks so persistent?

These DDoS attacks are very easy to pull off. There are botnets available that criminals can rent for as little as $10 a month, and they require no technical expertise. These can generate a very large attack. Also, a lot of folks think they can handle these attacks with a firewall, but many people are finding that those types of general purpose tools fall over in the face of an attack. People are starting to recognize that existing security equipment is not going to provide adequate protection. A firewall is great, you have to have it, but it’s not a panacea.

How do security teams determine what tools are best in mitigating the risks of these attacks?

They first have to ask, “Is it a good solution that fits in my budget?” Be sure that the technology has been battle tested. While enterprises like major banks have enormous budgets for their security strategy, small to midsize organizations are working with more limited resources.
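
The slow application-level pattern described in the interview (many connections from one source, each sending its request a character at a time) can be spotted in a snapshot of open connections. The sketch below is an added example, not code from the article or from NSFOCUS; the record layout, the sample data and the thresholds are all assumptions chosen for illustration.

```python
from collections import Counter

# Constructed connection snapshot (not real traffic). Fields per line:
# source_ip  seconds_open  request_bytes_received  request_complete(0/1)
SAMPLE = """\
203.0.113.7 95.0 41 0
203.0.113.7 110.5 52 0
203.0.113.7 120.0 60 0
203.0.113.7 90.2 38 0
198.51.100.20 45.0 200 0
192.0.2.15 0.2 512 1
192.0.2.15 0.3 498 1
192.0.2.15 60.0 6000000 0
"""

def parse(text):
    """Turn snapshot lines into (ip, seconds_open, bytes, complete) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, secs, nbytes, done = line.split()
        records.append((ip, float(secs), int(nbytes), done == "1"))
    return records

def find_slow_sources(records, min_open=30.0, max_rate=10.0, min_conns=3):
    """Count, per source, requests still incomplete after min_open seconds
    and arriving slower than max_rate bytes/second. Return only sources
    holding at least min_conns such connections (thresholds are assumed)."""
    slow = Counter()
    for ip, secs, nbytes, complete in records:
        # Finished or young connections are normal; skip them.
        if complete or secs <= 0 or secs < min_open:
            continue
        # A large upload is long-lived but fast, so rate separates it
        # from a request that is being dripped in to hold the slot open.
        if nbytes / secs < max_rate:
            slow[ip] += 1
    return {ip: n for ip, n in slow.items() if n >= min_conns}

if __name__ == "__main__":
    for ip, n in find_slow_sources(parse(SAMPLE)).items():
        print(f"{ip}: {n} slow, incomplete requests held open")
```

A single slow client on a poor link (198.51.100.20 in the sample) and a long but fast upload (192.0.2.15) are both left alone; only the source holding several dripping connections is reported.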