This article was originally featured on the NETSCOUT blog, which is available HERE.
Even before the current pandemic, the types and velocity of distributed denial of service (DDoS) attacks were on the rise. And with the architectural changes brought about by COVID-19—such as greater reliance on VPN gateways as more employees work from home—organizations are at increased risk of disruption.
In fact, according to NETSCOUT’s most recent Threat Intelligence Report, we have seen a 15 percent increase in DDoS attacks in 2020 compared to the same period in 2019—and a 25 percent increase over the height of the pandemic lockdown. At present, we are on track to experience more than 9 million attacks this year.
As organizations consider the steps needed to mitigate the risk from DDoS attacks and maintain resilience and availability, they should keep the following five areas in mind:
1) Be mindful of stateful attacks. When most people think about DDoS attacks, they think first of volumetric attacks. But state-exhaustion DDoS attacks that block stateful devices such as firewalls, load balancers, and VPN concentrators from serving incoming connections from legitimate clients can also negatively impact vital applications, services, infrastructure, and data. This problem is particularly acute now when we are increasingly reliant on remote connections through VPN concentrators. To protect against state-exhaustion attacks, it is important to design network infrastructure, including applications and service delivery stacks, to minimize state wherever possible.
There is a common misconception that firewalls are sufficient to protect against DDoS attacks. This is simply not true, as they are vulnerable to state-exhaustion attacks. This is why best practices (including from firewall vendors) recommend that companies deploy stateless DDoS protection in front of firewalls to protect them from state-exhaustion DDoS attacks.
2) Cloud-based protection is not enough. The most common form of DDoS attack protection is a cloud-based mitigation service, often from ISPs or independent providers. And while such services are indeed vital to stop large, volumetric DDoS attacks that outstrip the volume of internet circuits, that is only one part of a comprehensive protection strategy. For state-exhaustion and application-layer attacks, which are just as common, the industry best practice is a stateless, on-premises solution that can automatically detect and stop such attacks.
3) Be aware of shifting tactics. Many savvy DDoS attackers use attack performance management tools to monitor the effectiveness of their attacks in real-time. These tools help determine whether defenses are deployed when attack vectors are altered. This can lead to the launch of multivector attacks, which are far more challenging to mitigate without the right solution in place.
4) Size doesn’t always matter. The vast majority of DDoS attacks today are not massive in scale, but rather are smaller-sized and short-lived. It’s important to keep in mind that a DDoS attack does not need to be big and last a long time to have a negative impact. In fact, the overwhelming majority of DDoS attacks last one hour or less, and nearly a quarter of them last less than five minutes. This means organizations need DDoS attack protection that can instantaneously detect and mitigate attacks before the damage is done.
5) Consider a hybrid approach to DDoS protection. At NETSCOUT, we recommend a hybrid approach to DDoS protection. The cloud-based model, which relies on a service provider to deliver DDoS mitigation services against volumetric DDoS attacks, can be highly effective. However, to adequately protect the dynamic nature of most organizations from smaller application-layer DDoS attacks, we recommend augmenting with on-premises DDoS protection. This allows organizations to rapidly deploy customized DDoS protection as new applications or services are rolled out.
The fact is, DDoS attacks can be mitigated—if you are prepared. A key part of that preparation lies in a regular reassessment of your DDoS attack protection strategy. After all, today’s DDoS attacks are ever-changing, and traditional methods of protection may not be enough. Organizations should keep up with the latest trends in DDoS attacks, know what the current best practices are for defense, and test those defenses on a regular basis.