

6 Types of DDoS Protection for Your Business

July 14, 2014 — by David Monahan

David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.

DDoS attacks have become commonplace these days.  The offending attackers may be hacktivists, cyber-criminals, nation states, or just about anyone else with an Internet grudge and a PayPal or Bitcoin account.  The attacks themselves often require no technical skill.  Someone with a bone to pick can simply purchase the use of any number of nodes on one or more botnets for an hourly fee (long-term rate discounts available), use a graphical user interface (GUI) to organize the attack, and then launch it.

The purpose of an attack can be to disrupt business for Internet bullying or extortion, or to distract an organization while other attacks are launched to attain a different target.  The latter is a bit scarier because the attacker has a plan to work their way into the victim’s network elsewhere, while the target’s resources are all focused on the DDoS.

Types of DDoS Attacks

There are three main types of DDoS attacks and multiple subtypes. It is important to note this because each solution handles the different types with various levels of efficacy.

Volumetric/Flood:  This straight-up bully attack hits a target with so much traffic that it is overwhelmed.  These attacks often saturate the Internet connection itself as much as they impact the end-target host.

Resource Starvation:  These attacks target the underlying operating system and network stack resources in an attempt to crash either or both.  They do not rely so much on the total volume of traffic as on the types and combinations of traffic that will best affect the application or application services.

Application:  This assaults the application at layer 7 of the OSI model and is an attempt to crash the application itself or the underlying application server.  Again, this does not rely on total traffic volume but the types and combinations of traffic that will best affect those subsystems.

What can you do?

Fortunately, there are options available to protect against DDoS attacks. Let’s take a look.


1: Nothing

Description

Go on with business as usual. Every day is a roll of the dice and for smaller companies without a significant web presence, this may work. For companies with a more significant web presence, each day is a roll of the dice with some probability that you will become a victim.

Cost

Short Term: Nothing to implement.

Long Term: May cost the business everything in the event of an attack.


2: A Disaster Recovery Site

Description

This involves having a back-up site in case the primary business site is attacked.  If by some odd chance the attacker is identifying you only by IP address, this will work. However, it is flawed at best. 

Since the vast majority of Internet traffic is identified by DNS name rather than IP address, as soon as you fail over and DNS is repointed, the DDoS traffic will simply follow you to the disaster recovery site.

Cost

This will vary by the size (floor space, CPUs, RAM, connection) and type (hot, warm, or cold) of the Disaster Recovery site.  However, since DR planning generally does not include provisions for DDoS, you will most likely not get much usefulness out of this.


3: Purchase an On-Premise DDoS Mitigation Appliance(s)

Description

These appliances are made by a number of reputable vendors but differ in their throughput and efficacy against the various types of attacks.  They use proprietary and patented engines to sort the bad traffic from the good, letting only the good traffic through.

As with any process of this sort, there will be some mislabeling.  Some good traffic will probably get filtered while some bad traffic will get through.  However, the losses are not enough to cause the servers and applications to see a significant change in performance.

The critical issue is that in a volumetric DDoS attack your Internet pipe fills up upstream of the appliance, so non-malicious traffic is still essentially stopped by the “traffic jam” on the access connection no matter how accurately the appliance filters.

Cost

The appliances supporting these solutions can be purchased through vendors and cost may vary by vendor, time of the month/quarter, amount purchased, and also the volume of attacks that you are trying to repel. 

Think about what you expect your Internet connection growth to be over the next 3-5 years and size your purchase based upon that number plus 25%.


4: Purchase a DDoS Mitigation Service From Your Hosting or Internet Provider

Description

Some hosting and cloud vendors offer DDoS mitigation as a premium service add-on.  Check your contract to see if this add-on is available.

Many of them only deal with volumetric attacks, taking advantage of their connections and resources to absorb the volume.  This option may not be wholly effective against resource and application attacks.  (In many cases they are reselling one of the specialized mitigation services and purchasing carrier-grade DDoS mitigation appliances.)

This type of service is generally better at fighting volumetric attacks because it keeps that bulk traffic away from your Internet connection, so the connection has less of a possibility of being affected.  Depending upon the technology or provider being used, effectiveness against resource or application attacks will vary.

Cost

The good news is these are generally operating expenses, not capital expense charges.  The bad news?  You have to be very watchful and deliberate about the service provider you choose. 

There are (generally) two charging models.  The 1st is a flat rate.  While more expensive up front, the advantage is cost awareness. 

The 2nd model charges per attack or by the volume of traffic to be absorbed/cleaned during attacks.  Lower up-front costs, but when attack(s) come, the costs cannot be foreseen.  It boils down to risk tolerance and luck. 

Note:  For large volumetric attacks against companies with large Internet connections and recurring attacks – the charge for the by-the-attack/by-volume services can get into the millions of dollars.


4a: On-Demand DDoS Mitigation

Description

This type of service is only activated when the customer identifies an issue and contacts its provider. The technologies are generally the same as the automatic services, but the provider has a little more setup to do to make it operable. This implementation is often done to reduce the provider’s cost of service or infrastructure, so they can purchase a lower-capacity system or service and only use it when a customer calls in to enable it.

Cost

This is generally a lower cost than an automatic solution. Providers can oversubscribe the service, assuming not all customers will be attacked simultaneously. The downside is activation speed and the pre-activation impact, since it may take some time to get the mitigation operational.


4b: Automatic DDoS Mitigation

Description

Automatic should respond faster, but that depends on whether it is “Always-on” or “Always Available.” “Always-on” generally means the service is integrated into the infrastructure and is always looking for trouble against subscribed customers. “Always Available” generally means that you are using an on-demand service; the primary difference is that the provider is performing internal monitoring and will activate the service for you without the need to call them.

Cost

This type of service is generally a little more costly than the on-demand service because it is “Always-on” or “Always Available,” so the provider has to purchase more solutions or service to support each active customer.


5: Purchase a DDoS Mitigation Service from a Specialized Mitigation Service

Description

This skips the middle man of the provider model above.

Customers who purchase this service either change their DNS or their Internet routing so all traffic, normal and attack, is redirected to the provider as a middle-man.  The mitigation services’ facility is purpose-built with specialized hardware and a “secret sauce” that the provider has created to identify and remove the bad traffic.

This type of service is generally better at dealing with the volumetric attacks because it keeps that bulk traffic away from your Internet connection so it has less of a possibility of being affected.  Depending upon the technology or provider that it is using, effectiveness against resource or application attacks will vary.

Cost

The good news is these are generally operating expenses, not capital expense charges.  The bad news?  You have to be very watchful and deliberate about the service provider you choose. 

There are (generally) two charging models.  The 1st is a flat rate.  While more expensive up front, the advantage is cost awareness. 

The 2nd model charges per attack or by the volume of traffic to be absorbed/cleaned during attacks.  Lower up-front costs, but when attack(s) come, the costs cannot be foreseen.  It boils down to risk tolerance and luck. 
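The flat-rate versus by-the-attack/by-volume trade-off described under the costs of options 4 and 5 can be worked through as a simple risk calculation. The Python below is an added example, not from the article or any provider; the year scenarios, their probabilities, the price points and the cost functions are all constructed assumptions, not a real tariff.

```python
from dataclasses import dataclass

# Constructed scenarios (not from the article): how one year might play out,
# with a probability for each outcome and the total gigabytes the provider
# would have to absorb/clean in that year.
@dataclass(frozen=True)
class YearScenario:
    label: str
    probability: float
    attacks: int
    scrubbed_gb: float

SCENARIOS = (
    YearScenario("quiet year", 0.60, 0, 0.0),
    YearScenario("a few attacks", 0.30, 3, 50_000.0),
    YearScenario("recurring large attacks", 0.10, 24, 2_000_000.0),
)

def flat_rate_cost(monthly_fee: float) -> float:
    """Flat rate: the same annual bill regardless of what happens."""
    return 12 * monthly_fee

def usage_cost(scenario: YearScenario, per_attack_fee: float, per_gb_fee: float) -> float:
    """By-the-attack / by-volume: nothing in a quiet year, unbounded in a bad one."""
    return scenario.attacks * per_attack_fee + scenario.scrubbed_gb * per_gb_fee

def compare_models(monthly_fee, per_attack_fee, per_gb_fee, scenarios=SCENARIOS):
    """Expected and worst-case annual cost of each charging model."""
    assert abs(sum(s.probability for s in scenarios) - 1.0) < 1e-9, "probabilities must sum to 1"
    usage = [usage_cost(s, per_attack_fee, per_gb_fee) for s in scenarios]
    flat = flat_rate_cost(monthly_fee)
    return {
        "flat": {"expected": flat, "worst": flat},
        "usage": {"expected": sum(s.probability * c for s, c in zip(scenarios, usage)),
                  "worst": max(usage)},
    }

def choose_model(monthly_fee, per_attack_fee, per_gb_fee, worst_case_budget, scenarios=SCENARIOS):
    """Take the cheaper expected model unless its worst case exceeds what the business
    could absorb in a bad year; worst_case_budget is the risk tolerance from the article."""
    c = compare_models(monthly_fee, per_attack_fee, per_gb_fee, scenarios)
    if c["usage"]["worst"] > worst_case_budget:
        return "flat"
    return "usage" if c["usage"]["expected"] < c["flat"]["expected"] else "flat"

if __name__ == "__main__":
    # Constructed price points, not vendor quotes.
    for name, v in compare_models(5_000, 10_000, 0.50).items():
        print(f"{name:5s} expected=${v['expected']:,.0f} worst=${v['worst']:,.0f}")
    print("choice:", choose_model(5_000, 10_000, 0.50, worst_case_budget=500_000))
```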


5a: On-Demand DDoS Mitigation

Description

This type of service is only activated when the customer identifies an issue and contacts its provider.  This approach is often used to remediate an attack in progress for organizations that do not currently have protection.  There is a significant delay in operationalizing these because all of the network/DNS changes have to be made and propagate across the Internet.

Cost

This has no cost until activated, but be forewarned that if you are suffering from an attack to the point where you call one of the providers, it is highly probable that the emergency-setup fees will be significant.


5b: Automatic DDoS Mitigation

Description

All of your traffic passes through the provider, making this always-on and ready to go.  For the major providers, it is very possible you will not know there is a DDoS attack until the provider notifies you.

That is just the way it should be, business as usual.

Cost

For the DDoS Mitigation service, the cost comes down to which charging model you choose:  by the number of attacks, by attack volume, or a fixed rate.  If you choose one of the former, the cost may be lower for the months or years that you do not get attacked, but can skyrocket when activated.


6: DDoS Hybrid System

Description

This approach uses a combination of an on-premise system and the specialized mitigation or provider-based solution.  The goal here is to gain the best of both worlds by having the external service clear out the bulk traffic and then use the on-premise system to surgically remove any other remnants of the resource or layer 7 attacks that are getting through.

Cost

Most effective but also most expensive as it uses both solutions.


There you have it.  Choose your solution based upon your risk tolerance and your budgetary constraints.  Options abound.


David Monahan

David is a senior information security executive with over 15 years of experience. He has organized and managed both physical and information security programs, including Security and Network Operations for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse Audit and Compliance and Risk and Privacy experience – providing strategic and tactical leadership, developing, architecting and deploying assurance controls, delivering process and policy documentation and training, as well as other aspects associated with educational and technical solutions. Aside from his full-time practice in the security field, David has been an adjunct faculty member for Capitol College in Laurel, Maryland since 2007, providing security instruction on both the undergraduate and graduate level. He has also presented briefings to numerous forums including SANSFire, Forrester and the Colorado Digital Government Conference.
