David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.
There are numerous types of DDoS protection for your business. I’d like to expand on that topic and discuss how organizations are affected by non-volumetric DDoS attacks and what they can do to recover.
Volumetric DDoS is the big boy on the field or, as I call it, the bully of Internet attacks. It gets the majority of the attention, and when aimed at someone's Internet presence it lumbers in and bludgeons the services and infrastructure into submission. Without proper preparation on the part of the target, the bullying and intimidation lasts until either the attacker runs out of money to pay for the attack service or the target company meets the demands.
However, volumetric DDoS is only one facet of DDoS, and the other types can be even more difficult to detect and to respond to. Volumetric attacks are often detected fairly rapidly because of their size and collateral damage, but resource-starvation and application-level attacks are normally lower key. They often start out well below the radar unless advanced DDoS technology is deployed or specific system and application monitoring is in place.
In a resource-starvation attack, the goal is usually to exhaust the hosting system through calls to its Internet Protocol (IP) stack, such as a flood of TCP SYN requests that leaves connections half-open. Calls to the underlying operating system or authentication system are also used to tie up processes, memory, and ports until the system cannot accept or respond to any more connection requests. To win at this game, the attacker must have done some basic reconnaissance to know what operating system is being run.
Application-level DDoS attacks perform a similar function but focus not on the network or operating system stack but on a specific target application. The attacker presents a wide variety of bogus inputs to forms, hits login screens with bogus credentials, and finds any other interface of the application to throw data at. The goal is to exhaust the application, the application server, and/or the back-end database. To do this well, the attacker must have done reconnaissance and know more about these components, making this more of a precision attack than the others.
Volumetric attacks, the bully, are designed to make a big show and get attention, but resource and application DDoS attacks are often much smaller because they are targeted. The goal of the latter two is often not to take the system out of commission at all, but to use the attack to compromise the system and create a foothold in the network for the attacker. Volumetric attacks are often run alongside resource and application attacks to draw attention away from the compromise or data extraction, but there is no requirement to do so.
Defending against resource and application-level attacks requires a significantly higher level of precision than volumetric filtering. Volumetric attacks are very often used as a front for the others because, to an untrained eye or a less effective defense system, resource and application attacks look like real traffic and are passed through to their target, which is exactly what the attacker wants.
To be successful, the DDoS filtering defense must be system- and application-aware and preferably integrated with the volumetric filtering so that the two stages can feed back to each other. Without that feedback the problem becomes almost a chicken-and-egg scenario: which comes first? If the volumetric stage comes first, it has to be configured very loosely to ensure that all of the good traffic gets through to the resource and application filters. That not only reduces the efficacy of the volumetric scrubbing but is still bound to drop some desired traffic while adding significant load on the other two scrubbers. Placing the resource and application scrubbers in front of the volumetric scrubbers is a non-starter, because their per-request inspection is far more expensive and the flood would saturate them before they could judge anything.
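As an added example (not code from the original post or its author) covering both the application-level attack described above and the feedback loop this paragraph calls for, the script below runs an application-aware detector over constructed web access-log lines and feeds its findings back to a coarse upstream filter. The `/login` and `/search` endpoints, the thresholds, the documentation-range IP addresses and the log lines themselves are all assumptions made for illustration.

```python
# Added example, not from the original post: a two-stage scrubber where the
# application-aware stage (2) tells the coarse volumetric-style stage (1)
# which sources to drop. Log format follows the common Apache/nginx style.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed endpoint names and thresholds; tune to the real application.
EXPENSIVE_PATHS = {"/login", "/search"}  # endpoints that hit auth or the database
MAX_FAILED_LOGINS = 10                    # failed POST /login per source in the sample
MAX_EXPENSIVE_HITS = 40                   # hits on expensive endpoints per source
COARSE_PER_IP_LIMIT = 500                 # stage-1 limit, loose so real users pass


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def build_sample_log():
    """Constructed sample: three real users plus one source that hammers the
    login form with bogus credentials and the search endpoint with junk. In
    bandwidth terms it is tiny; for the auth and database tiers it is not."""
    ts = "10/Oct/2023:13:55:36 +0000"
    lines = []
    for i, ip in enumerate(["198.51.100.7", "198.51.100.9", "198.51.100.12"]):
        lines.append(f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 5120')
        lines.append(f'{ip} - - [{ts}] "POST /login HTTP/1.1" {401 if i == 0 else 302} 312')
    for _ in range(60):
        lines.append(f'203.0.113.11 - - [{ts}] "POST /login HTTP/1.1" 401 312')
    for i in range(25):
        lines.append(f'203.0.113.11 - - [{ts}] "GET /search?q={"a" * (i + 1)} HTTP/1.1" 200 9000')
    return lines


def app_layer_offenders(records):
    """Stage 2: judge sources by what they do to the application, not by volume."""
    failed, expensive = Counter(), Counter()
    for r in records:
        base = r["path"].split("?", 1)[0]
        if base == "/login" and r["method"] == "POST" and r["status"] in (401, 403):
            failed[r["ip"]] += 1
        if base in EXPENSIVE_PATHS:
            expensive[r["ip"]] += 1
    return {ip for ip in set(failed) | set(expensive)
            if failed[ip] >= MAX_FAILED_LOGINS or expensive[ip] >= MAX_EXPENSIVE_HITS}


def coarse_filter(records, blocklist):
    """Stage 1: a volumetric-style filter. On its own it only has per-source
    volume to go on, so its limit must stay loose; the blocklist fed back
    from stage 2 is what lets it drop a low-volume attacker."""
    seen = Counter()
    passed, dropped = [], []
    for r in records:
        seen[r["ip"]] += 1
        if r["ip"] in blocklist or seen[r["ip"]] > COARSE_PER_IP_LIMIT:
            dropped.append(r)
        else:
            passed.append(r)
    return passed, dropped


def scrub(lines, blocklist=frozenset()):
    """Run both stages and return the blocklist to feed upstream next round."""
    records = [r for r in map(parse_line, lines) if r]
    passed, dropped = coarse_filter(records, blocklist)
    offenders = app_layer_offenders(passed)
    return {
        "stage1_dropped": len(dropped),
        "reached_app": len(passed),
        "offenders": offenders,
        "blocklist": set(blocklist) | offenders,
    }


if __name__ == "__main__":
    log = build_sample_log()
    first = scrub(log)                      # no feedback yet: everything reaches stage 2
    second = scrub(log, first["blocklist"])  # with feedback: stage 1 drops the offender
    print(first, second, sep="\n")
```

On the first pass the attacker's 85 requests sail through stage 1, because 85 is nowhere near a volumetric threshold, and only the application-aware stage notices 60 failed logins from one source. Once that source is fed back, the second pass drops it at stage 1 and the application tier sees only the six legitimate requests; without the feedback path, the loose stage-1 setting would keep forwarding the attack every round.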
DDoS is a technology problem and requires a strong technology solution. If you are going to come through a DDoS attack unscathed, you will need not only a strong technology partner but a strong incident response program. Choose wisely on both counts.
David is a senior information security executive with over 15 years of experience. He has organized and managed both physical and information security programs, including Security and Network Operations, for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse audit, compliance, risk and privacy experience, providing strategic and tactical leadership; developing, architecting and deploying assurance controls; delivering process and policy documentation and training; and handling other aspects of educational and technical solutions. Aside from his full-time practice in the security field, David has been an adjunct faculty member at Capitol College in Laurel, Maryland since 2007, providing security instruction at both the undergraduate and graduate level. He has also presented briefings to numerous forums including SANSFire, Forrester and the Colorado Digital Government Conference.