Distributed denial-of-service attacks are some of the most serious security attacks in modern computing, yet we tend to know very little about them. DDoS attacks are, in essence, launched by multiple systems -- often compromised by malware -- that target victim systems like servers and network infrastructure devices, as well as specific services such as web applications and domain name systems. Designed to prevent legitimate access to computing resources, DDoS attacks can start with something as seemingly benign as a handful of malformed packets and end up flooding their target systems with several hundred gigabytes -- or more -- of traffic per second that the system simply cannot handle.
As with all facets of IT and security, there is a variety of DDoS detection tools and technology available to minimize the impact of DDoS attacks on your organization, regardless of its size. But selecting the correct product requires an in-depth understanding of the various offerings, including knowledge of what each can and cannot do for your particular system and situation.
DDoS detection, protection tools explained
Professionals in the market for anti-DDoS tools can surf the web or walk expo floors of shows, such as the RSA Conference, and quickly seen that there are myriad security product and service vendors promising to protect your organization from DDoS attacks. Some DDoS prevention technologies are as simple as traditional load balancers and network firewalls; others are more modern, like next-gen firewalls that have a greater focus on the application layer. DDoS features built into these network security controls have been around for years and are very solid. They might be beneficial for warding off small to medium-sized DDoS attacks, but if the going gets really rough with a full-fledged attack that clogs the target with several hundred megabits -- or more -- of traffic per second, you're likely going to need a dedicated DDoS protection system. As with most security controls, the more granular you go with purpose-built tools, the better.
How DDoS tools work
DDoS detection and prevention products come in two main flavors: on-premises and cloud-based. Many DDoS vendors have the ability to provide hybrid failover features involving both the cloud and on-premises equipment. These tools work by detecting and rejecting, or simply absorbing, DDoS attacks, all in real time. The impact of the various DDoS exploits such as ping floods and fraggle attacks, slow HTTP attacks and the recently popular Mirai botnet can all be minimized by these tools.
On-premises DDoS detection and prevention tools are in-line appliances that monitor and respond to denial-of-service attacks. These products are great for internet service providers and managed security service providers. They also scale nicely for large data centers. Even small businesses with high visibility that are being targeted can benefit from this approach. On the other hand, cloud-based DDoS services are application and content delivery networks that use cloud technologies to spread access and resources to protected systems across the globe rather than the system being available in only one location, which makes it vulnerable.
Where cloud-based services really shine is their ability to scale to accept the impact of extremely large DDoS attacks, which can have a quick and tangible impact on the systems under attack. All that's typically required to set up cloud-based DDoS services are some simple domain name system record changes -- i.e., A, CNAME and nameservers. You could have this type of service up and running in mere minutes after detecting a DDoS attack. Purchasing and installing an in-house appliance takes a bit longer.
Features to look for
Cloud-based services tend to be very popular given their scalability and ease of setup. Products designed for on-premises DDoS detection and protection can work just as well, but they might be costlier up front. In order to implement the best features, you need to step back and think about how your organization is at risk. Simply going with a service or product because of a nice website or sales presentation is not the best approach. You have to understand your environment and the threats it faces, along with the business impact of DDoS attacks and how you might minimize the risks. You need to be able to answer the following questions about your own environment:
- What are our current denial-of-service risks? Are they tangible or just theoretical?
- Is there anything we can do with our current setup and tools to minimize those risks?
- How will DDoS protection tools integrate with our business continuity needs or with our incident response program?
- Will we have to give up doing something we're currently doing in order to take on yet another tool? What will that be? Will it require hiring new staff?
Once you have the necessary background information, you need to consider what, in an ideal world, your DDoS protection measures would consist of -- cloud-based, on-premises or maybe a hybrid of both?
In addition, you need to ask the following questions of prospective vendors:
- How do I know that your product or service will meet our needs? (This question ensures that they're asking you the proper questions and fully understand your priorities.)
- If we're ever caught up in the middle of a DDoS attack, will your support personnel, developers and consultants be available to help us work through it all?
Just be sure to vet these companies and choose a solution in advance. Even though cloud-based DDoS services are simple and quick to set up, you don't want to have to scramble and do that in the middle of an attack. If you think an on-premises product is better, then get a demo unit and try it out. Another thing to consider is contacting your internet and cloud service providers -- again, in advance -- and see how they can help with DDoS attacks as well.
How to approach DDoS tool selection
When weighing the merits of an anti-DDoS tool be sure to ask these questions:
- Does a cloud-based or on-premises tool make the most sense? Or should you consider a hybrid option?
- Will the new tool or service affect those you already have in place?
- Will you need more staff to manage this new tool or service?
- What does the vendor promise in terms of support in case of a DDoS attack?
- How will the tool or service fit into your existing incident response plan? (And while you're at it, make sure your incident response plan is up to date.)
There are many moving parts associated with DDoS detection and protection. Most people don't know their current level of resilience. Why? Lack of information and feedback. It just doesn't make good business sense to launch such an attack against yourself, nor would it be a simple task. You may never know just how things will go down. Still, by using DDoS protection tools and services, you put yourself in the catbird seat for when the going gets rough.
Just be careful. You cannot take a "buy, implement and forget it" approach to DDoS protection tools. Nor can you simply absolve yourself of this threat when your systems are hosted in the cloud or elsewhere outside of your environment. The most important aspect of DDoS protection goes back to what's stated above: Make the decision in advance. This means selecting a technology and vendor to call on once the attacks begin or to have in place so that your DDoS response will engage automatically as soon as you need it to, which will truly minimize the impact and risk.
DDoS attacks are no different than other security incidents. Make sure that you fully address DDoS in your incident response plan as well as any applicable security policies and standards. Prevention is key. There's no good excuse for having a vulnerability that facilitates a DDoS exploit in a web application, server or -- heaven forbid -- an internet of things device. This low-hanging fruit can be largely eliminated by proper and thorough vulnerability and penetration testing.
Beyond DDoS detection and prevention, you need to know your network and have good visibility into your environment -- two things that are missing in way too many organizations. Once your security program reaches a level of maturity where all of this is in place, you can rest better knowing you're prepared and that you'll just have to tweak things as needed moving forward. Anything less and, well, who knows what will happen?
Create a solid defense plan to thwart DDoS attacks
What to consider before you implement any cloud DDoS service
How the internet of things affects the DDoS threat