This article was originally published on the NETSCOUT blog.
Although distributed denial-of-service (DDoS) attacks have been around for more than 20 years, they remain something of a moving target as cybercriminals regularly discover and weaponize new attack vectors and techniques, such as the following:
- Combining volumetric, TCP state-exhaustion, and application-layer attacks into a single multivector attack, where each vector has a distinct signature and has to be mitigated separately.
- Rotating between botnets to change the attack sources and stay one step ahead of blocked IP addresses.
- Using a DDoS attack as a smokescreen to distract from the real intrusion underway.

DDoS traffic can consist of incoming messages, connection requests, or forged packets.
But here’s the catch: attack traffic is built from the same protocols and request types as legitimate traffic, so at the packet level it can be difficult to tell the “good” traffic from the “bad.” That is why you must continually test your web servers and services, cloud offerings, and network topology for their ability to let good traffic through while stopping the bad.
The reality is that a DDoS attack is a matter of “when,” not “if.” With that in mind, this is what we recommend for verifying your resiliency to DDoS attacks:
1. Test your solutions. Every DDoS mitigation solution gets tested eventually; the only question is whether the test is a proactive, controlled exercise or a real attack. Proactive testing is the far better plan, because it gives you a chance to fix issues outside the stress of a real attack in which services might be failing. All public-facing services are subject to attack and should be tested. In addition to web servers, this includes session border controllers (SBCs), unified communication and collaboration (UC&C) systems, edge routers, and others.
2. Test regularly, particularly after significant upgrades. For example, one U.S. service provider tests the resiliency of cloud-based virtual environments before providing them to its commercial accounts. A second company, a network equipment manufacturer, tests for DDoS resiliency during preproduction testing of the embedded mitigation software in a series of its hardware and software products. In one test, the company found that a product’s CPU (I/O card) was pegged at 99 percent after only 1 Gbps of TCP SYN traffic, so “good” traffic that was expected to pass was blocked along with the attack. The company was therefore able to fix the software before commercial launch.
3. Test by using customized attack simulations. One of the best ways to check how well your defenses differentiate between good and bad traffic is to launch attacks alongside good traffic and measure what happens to the good traffic. The pass/fail criterion should be the success rate and latency of legitimate requests while the attack is running, not merely whether the attack traffic was dropped. A good testing tool lets you easily create custom multivector attacks that integrate with the existing test and mitigation infrastructure. Launching simulated attacks allows companies to find and fix issues before they are discovered in the heat of a real attack.
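The three steps above, as an added example that is not code from the NETSCOUT article: a small harness that stands up a local HTTP target, runs an attack vector against it while sending legitimate requests through the same path, and reports the good-traffic success rate and latency as the pass/fail result. The article’s vector was a 1 Gbps TCP SYN flood; this harness uses a stalled-header (Slowloris-style) application-layer vector instead, because it runs unprivileged on a loopback address. The two target configurations (a single worker with no idle timeout, versus a worker per connection plus an idle-header timeout standing in for the mitigation), the 1 s SLO, the thresholds in `verdict`, and the request counts are all assumptions made for the example.

```python
"""Good-vs-bad traffic resiliency harness (added example, not NETSCOUT code).
Starts a local HTTP target as a stand-in for the service under test, runs an
application-layer attack (connections that send a partial request header and
then stall) alongside legitimate GET requests, and reports how many legitimate
requests still complete. An unprotected target is compared with a stand-in
mitigation: a worker per connection plus an idle-header timeout."""
import http.client
import http.server
import socket
import socketserver
import threading
import time
from concurrent.futures import ThreadPoolExecutor

GOOD_TIMEOUT_S = 1.0  # assumed SLO: a legitimate request must complete within 1 s


class Handler(http.server.BaseHTTPRequestHandler):
    timeout = None  # per-connection idle timeout, set per target config below

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the harness output quiet
        pass


def start_target(mitigated, idle_timeout=2.0):
    """mitigated=False: one worker, no idle timeout, so one stalled connection blocks
    everything queued behind it. mitigated=True: a worker per connection, and a
    connection whose headers stall for idle_timeout seconds is dropped."""
    base = http.server.ThreadingHTTPServer if mitigated else http.server.HTTPServer
    handler = type("CfgHandler", (Handler,), {"timeout": idle_timeout if mitigated else None})
    target = type("Target", (base,), {
        "request_queue_size": 128,  # let every connection complete its TCP handshake
        "server_bind": socketserver.TCPServer.server_bind,  # skip HTTPServer's reverse-DNS lookup
        "handle_error": lambda self, request, addr: None,  # peers that gave up are expected
    })
    server = target(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def slow_header_attack(port, connections, stop):
    """Attack vector: open connections, send a partial request, hold them open."""
    socks = []
    try:
        for _ in range(connections):
            s = socket.create_connection(("127.0.0.1", port), timeout=5)
            s.sendall(b"GET / HTTP/1.1\r\nHost: target\r\n")  # the blank line ending the headers never comes
            socks.append(s)
        stop.wait()
    finally:
        for s in socks:
            s.close()


def good_request(port):
    """One legitimate request. Returns (succeeded, latency_seconds)."""
    t0 = time.monotonic()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=GOOD_TIMEOUT_S)
        conn.request("GET", "/")
        ok = conn.getresponse().status == 200
        conn.close()
    except (OSError, http.client.HTTPException):  # refused, reset or timed out: the user lost
        ok = False
    return ok, time.monotonic() - t0


def run_test(mitigated, good_requests=10, attack_connections=10):
    """Start the attack, send good traffic through it, tear down, return metrics."""
    server, port = start_target(mitigated)
    stop = threading.Event()
    attacker = threading.Thread(target=slow_header_attack, args=(port, attack_connections, stop))
    attacker.start()
    time.sleep(0.3)  # the attack is already under way when the good users arrive
    with ThreadPoolExecutor(max_workers=good_requests) as pool:
        results = list(pool.map(good_request, [port] * good_requests))
    stop.set()
    attacker.join()
    server.shutdown()
    server.server_close()
    latencies = sorted(lat for ok, lat in results if ok)
    return {"mitigated": mitigated, "attempted": good_requests,
            "succeeded": sum(1 for ok, _ in results if ok),
            "p95_latency_s": latencies[int(0.95 * (len(latencies) - 1))] if latencies else None}


def verdict(metrics, min_success_rate=0.99, max_p95_s=0.5):
    """Pass only if good traffic kept flowing: enough requests completed, and fast enough."""
    if not metrics["succeeded"]:
        return False
    return (metrics["succeeded"] / metrics["attempted"] >= min_success_rate
            and metrics["p95_latency_s"] <= max_p95_s)
```

Call `run_test(False)` and `run_test(True)` and pass each result to `verdict`. Against the unprotected target no legitimate request completes while the attack is held open, the same symptom as the SYN-flood case above where good traffic stopped passing; against the mitigated target the legitimate requests all complete well inside the SLO. In a real exercise the target is the production mitigation path and the vectors are the ones your threat model calls for, but the measurement is the same: good-traffic success rate and latency during the attack, not the volume of attack traffic dropped.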
DDoS attacks are rising sharply, in both frequency and size (bandwidth consumed). The latest NETSCOUT Threat Intelligence Report highlighted record-breaking DDoS attack activity in 2020, with more than 10 million observed attacks.
Additionally, DDoS attack costs are increasing globally. According to a recent NETSCOUT Worldwide Infrastructure Security Report, the cost of downtime associated with internet service outages caused by DDoS attacks was $221,836.80, while a report from Allianz Global Corporate & Specialty found that the average cost of cybercrime to an organization increased by 70 percent over five years, to $13 million. Can your business really afford not to test your DDoS resiliency?