The sophistication, size, and frequency of Distributed Denial of Service (DDoS) attacks continue to increase, with no apparent end in sight. Where 2 Gbps attacks were once the norm, organizations now routinely take steps to mitigate 200+ Gbps attacks aimed not only at the network (Layers 3 and 4) but also at the application (Layer 7).
SYN, UDP and TCP flood attacks, DNS amplification, NTP reflection/amplification, and attacks against SSL/TLS handshakes have become topics of conversation well outside IT and infrastructure organizations (as has SQL injection, which is an application intrusion technique rather than a flood, but often comes up in the same discussions).
As these threats continue to permeate mainstream business conversations, we’ve identified five key questions to ask your organization and your service provider about their DDoS mitigation strategy.
1. Do regulations in your industry or organization require a DDoS mitigation strategy?
Some industries, most notably the financial sector, have already established formal requirements for DDoS mitigation. The Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Handbook on Business Continuity Planning outlines six steps it expects member institutions to take to proactively address DDoS risk.
Even if your industry or organization doesn’t require a DDoS mitigation plan, it certainly won’t be long before requirements are defined. It can’t hurt to investigate these burgeoning requirements in advance, as compliance regulations are both time-consuming and technically dense.
2. How are DDoS attacks mitigated?
The delay before mitigation starts depends on the type of attack and the solution in place. A "known" attack is one the mitigation platform already has a fingerprint (signature) for; an "unknown" attack must first be characterized from the live traffic before it can be filtered.
| Type of DDoS solution | What causes the delay to mitigation | Known attack | Unknown attack |
|---|---|---|---|
| In-line with the network (the technology is in place and continuously scanning for attacks) | Fingerprinting and addressing the attack | Mitigation begins in <5 sec. | Mitigation begins in <30 sec. |
| Not in-line with your network, also referred to as on-demand mitigation (traffic is routed off-network to a third-party scrubbing center) | Time for rerouting rules to engage via BGP route diversion and DNS redirection, packet transmission to and from the scrubbing center, and any queue awaiting your traffic when it arrives at the scrubbing center | 15-90 min. | 15-90 min. |
Each solution has its merits. In-line mitigation engages within seconds but carries the cost of deploying and operating equipment on your network at all times; on-demand mitigation is cheaper to keep on standby, but you absorb the attack for the minutes it takes to divert traffic. As you consider your options, it's important to understand both your organization's expectations and how much downtime it can actually tolerate.
3. Is the support team onsite?
This is a very simple question, and it should have a very simple answer. The benefit of having support staff onsite is knowing that a network engineering and security team is immediately involved in the event of an attack. The minutes and seconds saved by having these resources at the ready can mean the difference between a small hiccup for your end users and a full-scale takedown of your network and/or applications.
4. Is Layer 7 (application) DoS protection really necessary?
The short answer is yes. The long answer is that a rapidly increasing number of DoS attacks are aimed directly at Layer 7 (the application). These attacks are painstakingly designed to look like legitimate traffic, and they are often used to exhaust a target where Layer 3 and Layer 4 floods failed. Layer 7 DoS attacks are frequently structured to overload specific elements of the application server infrastructure. Even simple ones, for example repeated login attempts with random user IDs and passwords, or repetitive random searches against a dynamic web site, bypass caches and can critically overload CPUs and databases because every request must be processed in full. Be sure to ask your provider whether they include Layer 7 protection as part of their solution to address these risks.
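The two simple Layer 7 attacks mentioned above, random searches and random login attempts, both look like ordinary requests one at a time and only stand out in aggregate: many requests from one client in a short window, almost none of which can be served from cache. The following detector is an added example written for this article, not code from the original post or from ServerCentral. It parses Common Log Format access-log lines, keeps a sliding window per client and endpoint, and alerts when a client exceeds a request threshold with a high share of uncacheable (distinct-query) searches or failed logins. The endpoint names, thresholds, IP addresses and log lines are all assumed or constructed for illustration.

```python
"""Layer 7 DoS detection over web-server access logs.

Added example, not code from the original post or from ServerCentral.
It flags clients that hit expensive dynamic endpoints with a high volume of
requests that cannot be served from cache: random search strings or repeated
failed logins.  Endpoint names, thresholds, IPs and log lines are all assumed
or constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Common Log Format: ip ident user [timestamp] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints whose cost is dominated by backend CPU/database work (assumed).
EXPENSIVE = {("GET", "/search"), ("POST", "/login")}

WINDOW = timedelta(seconds=60)   # sliding window per client and endpoint
MAX_REQUESTS = 20                # requests in WINDOW before we look closer
SUSPECT_RATIO = 0.8              # share of uncacheable/failed requests to alert


def parse_line(line):
    """Parse one CLF line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": parts.path,
        "query": parts.query,
        "status": int(m["status"]),
    }


def detect(lines):
    """Return {(ip, path): (reason, requests_in_window, ratio)} for offenders."""
    events = [e for e in map(parse_line, lines)
              if e and (e["method"], e["path"]) in EXPENSIVE]
    events.sort(key=lambda e: e["ts"])
    windows = defaultdict(deque)
    alerts = {}
    for e in events:
        key = (e["ip"], e["path"])
        bucket = windows[key]
        bucket.append(e)
        # Drop requests that have fallen out of the sliding window.
        while e["ts"] - bucket[0]["ts"] > WINDOW:
            bucket.popleft()
        if len(bucket) < MAX_REQUESTS:
            continue
        if e["method"] == "GET":
            # Random query strings defeat caching and hit the database every time.
            ratio = len({x["query"] for x in bucket}) / len(bucket)
            reason = "cache-busting search flood"
        else:
            # A login flood with random credentials shows up as a wall of 4xx.
            ratio = sum(400 <= x["status"] < 500 for x in bucket) / len(bucket)
            reason = "failed-login flood"
        if ratio >= SUSPECT_RATIO:
            alerts[key] = (reason, len(bucket), round(ratio, 2))
    return alerts


def make_line(ip, ts, method, target, status):
    """Build a constructed CLF line for the sample data below."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {target} HTTP/1.1" {status} 512')


def sample_log():
    """Constructed traffic: two attackers and two legitimate heavy users."""
    t0 = datetime(2014, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        t = t0 + timedelta(seconds=i)
        # Attacker 1: a new random search string every second.
        lines.append(make_line("203.0.113.7", t, "GET", f"/search?q=zq{i:04x}", 200))
        # Attacker 2: credential guessing against the login form.
        lines.append(make_line("198.51.100.9", t, "POST", "/login", 401))
        # Legitimate client: a page that polls the same (cacheable) search.
        lines.append(make_line("192.0.2.10", t, "GET", "/search?q=status", 200))
    # Legitimate user: a handful of searches spread over the window.
    for i in range(5):
        t = t0 + timedelta(seconds=10 * i)
        lines.append(make_line("192.0.2.11", t, "GET", f"/search?q=term{i}", 200))
    return lines


if __name__ == "__main__":
    for (ip, path), (reason, n, ratio) in sorted(detect(sample_log()).items()):
        print(f"{ip} {path}: {reason} ({n} requests, ratio {ratio})")
```

Note the two legitimate clients: one polls the same search 30 times in the window and is not flagged because the request is cacheable, and the other never reaches the request threshold. Rate alone would misclassify the first one, which is why a provider's Layer 7 protection should look at what the requests do to the backend, not only how many there are.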
5. How are Secure Sockets Layer (SSL) attacks mitigated?
“They aren’t” is an acceptable answer for some. Not all organizations need it. However, if your organization relies on SSL-based traffic and transactions, it’s critical to understand if and how your service provider supports this capability.
Be certain that the provider's SSL attack mitigation solution supports in-line decryption and re-encryption of traffic, so that data stays on your network with your security policies intact. If SSL attack mitigation is offloaded to another network, the provider must hold your private keys (or a copy of them) to decrypt that traffic, so make sure the decryption and re-encryption process, including how your keys are stored and who can see decrypted traffic, meets your security and service level goals.
There are hundreds of questions that you can (and should) ask your organization or DDoS mitigation provider. We hope these five serve you well in beginning those conversations.
As always, if you’d like to speak with a ServerCentral expert about an appropriate DDoS mitigation solution for you, don’t hesitate to contact us.