DDoS Blog Series 1: Four Approaches to DDoS Protection

Sean Leach | Jun 12, 2013

I speak about DDoS quite often these days - it's a topic everyone wants to know about, and yet so few people know much about it.  It's one of those topics where good information is not readily available, and I would like to fix some of that with a few upcoming blog posts.  This post (the first in a series) covers the four types of protection against a DDoS attack.  The next one will cover the six things an enterprise can do to be prepared for an attack, and the final post will cover some of the tools and technologies we use here at Verisign to protect our customers and ourselves from DDoS attacks.

A quick refresher - a DDoS attack is a method an attacker uses to deny access for legitimate users of an online service.  This service could be a bank website, e-commerce site, SaaS application, or any other type of network service (some attacks even target the VoIP infrastructure).  An attacker uses a non-trivial amount of computing resources (either resources they have built themselves or, more commonly, compromised vulnerable PCs around the world) to send "bogus" traffic to a site.  If the attacker sends enough traffic, legitimate users of a site can't be serviced (e.g. if a bank website can handle 10 people a second clicking the "Login" button, an attacker only has to send 10 fake requests per second to make it so no legitimate users can log in).  There are a multitude of reasons someone might want to shut a site down: extortion, activism, competitive brand damage, and just plain old boredom (trust me, we have seen attacks due to that).

DDoS attacks vary in both sophistication and size.  An attacker can make a "fake" request look like random garbage on the network, or more troublesome, make the attack traffic look EXACTLY like a real user of the site.  In addition, if the attacker has enough computing resources at their disposal, they can direct enough traffic to overwhelm the target’s bandwidth. (We have seen large attacks against our own infrastructure and towards our customers.)  The simplest types of attacks are Layer 3 and 4 attacks (IP and UDP/TCP in the OSI stack).  These simply flood the network and servers such that they can no longer process legitimate network traffic because the attacks have saturated the network connectivity of the target.  A more complex Layer 7 attack “simulates” a real user trying to use a web application (searching for content on the site, or clicking the “add to cart” button, etc.).

Enterprises and providers of Web applications naturally want to protect themselves and their customers from these types of attacks (who wants their site to be inaccessible?).  Currently, there are four main types of "protection" from DDoS attacks we’ll cover in this blog post:

  • Do It Yourself
  • Specialized on-premises equipment
  • Using your Internet Service Provider (ISP)
  • Using a specialized cloud DDoS mitigation provider

Do It Yourself

This is the simplest and least effective method.  Generally someone writes some Python scripts that try to filter out the bad traffic or an enterprise will try and use their existing firewall (firewalls are NOT built to withstand a DDoS attack).  This will protect you from only the smallest and most trivial attack.  Back in the early 2000s, when attacks were pretty simple, this could work. But these days, attacks are far too large and complex for this type of protection.  A firewall will melt quite quickly under the load of even a trivial attack. 
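An added illustration (not code from the original post or from Verisign) of why a per-source script stops only the simplest floods: it runs a sliding-window rate limiter over one second of constructed traffic against the 10-logins-per-second site from the refresher above. The per-source threshold, the first-come-first-served server model and all addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict, deque

CAPACITY_RPS = 10   # from the post: the site can serve 10 logins per second
PER_IP_LIMIT = 5    # assumed DIY threshold: requests allowed per source per second

def per_ip_filter(requests, limit=PER_IP_LIMIT, window=1.0):
    """Sliding-window limiter over time-sorted (timestamp, src_ip) pairs."""
    recent = defaultdict(deque)          # src_ip -> timestamps of accepted requests
    accepted = []
    for ts, ip in requests:
        q = recent[ip]
        while q and ts - q[0] >= window: # forget requests older than the window
            q.popleft()
        if len(q) < limit:
            q.append(ts)
            accepted.append((ts, ip))
    return accepted

def legit_served(accepted, legit_ips, capacity=CAPACITY_RPS):
    """Simplified server: handles the first `capacity` requests in each second."""
    used = defaultdict(int)
    served = 0
    for ts, ip in accepted:
        if used[int(ts)] < capacity:
            used[int(ts)] += 1
            served += ip in legit_ips
    return served

def simulate(bot_count, total_attack_requests=200):
    """One second of constructed traffic: 5 real users plus an attack spread
    evenly over `bot_count` sources (documentation-range addresses)."""
    legit = [(0.1 + 0.2 * i, f"198.51.100.{i + 1}") for i in range(5)]
    attack = [(i / total_attack_requests, f"203.0.113.{i % bot_count}")
              for i in range(total_attack_requests)]
    accepted = per_ip_filter(sorted(legit + attack))
    return len(accepted), legit_served(accepted, {ip for _, ip in legit})

if __name__ == "__main__":
    for bots in (1, 200):
        passed, served = simulate(bots)
        print(f"{bots:>3} source(s): {passed} requests pass the filter, "
              f"{served}/5 real users served")
```

With one source the filter admits 10 requests and all 5 real users are served; with the same 200 requests spread over 200 sources, every request passes the filter and no real user is served.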

Specialized On-Premises Equipment

This is similar to “Do It Yourself” in that an enterprise is doing all the work to stop the attack, but instead of the enterprise relying on some scripts or an existing firewall (which are quickly proven not to work), they will purchase and deploy dedicated DDoS mitigation appliances in their data center.  These are specialized hardware that sit in an enterprise’s data center in front of their normal servers and routers and are specifically built to detect and filter the malicious traffic.  There are some fundamental problems with these devices:

  1. These are very expensive CAPEX purchases that may sit around and do nothing until you get attacked.  Not only that, they are expensive to operate.  You need very skilled network and security engineers to work these devices (there is no magic “mitigate DDoS” button).
  2. They must be constantly updated by your operations team to keep up to date with the latest threats.  DDoS tactics change almost daily – it’s amazing how skilled the attackers we see on a regular basis are.  Your team must be prepared to be constantly updating these devices to the latest threats (IF the vendor has been patching/updating the system to keep up).
  3. They can’t handle volumetric attacks.  Remember those large attacks I mentioned?  Do you have that much bandwidth coming into your data center?  Didn’t think so – so these hardware appliances don’t do any good when the attack exceeds your network capacity.

Internet Service Provider (ISP)

Some enterprises use their ISP (the same network provider they get their bandwidth from) to provide DDoS mitigation.  These ISPs definitely have more bandwidth than an enterprise would have, which can help with the large volumetric attacks, but there are three key problems with these services as well:

  1. Lack of core competency: ISPs are in the business of selling bandwidth; they don’t always invest the required capital and resources to stay ahead of the latest DDoS threats.  It can become a cost center to them - something they have to provide, so they do it as cheaply as possible.  In the DDoS mitigation game though, you have to constantly be on your toes, researching the latest threats, developing countermeasures, etc.  This is NOT a service to do on the cheap, which unfortunately a lot of ISPs do.
  2. Single provider protection:  Most enterprises today are multi-homed across two or more network providers to remove the single point of failure of a provider going down and taking your site with it.  Having two providers is a best practice to maximize uptime.  ISP DDoS mitigation solutions only protect their network links, not the other link you might also have, so now you need two DDoS mitigation services, from two different providers, doubling your cost.
  3. No cloud protection:  Similar to #2, a lot of Web applications these days are split between enterprise-owned data centers, and cloud services like Amazon AWS, GoGrid, Rackspace, etc.  ISPs can’t protect your traffic on these cloud services.

Cloud Mitigation Provider

Cloud mitigation providers are experts at providing DDoS mitigation from “the cloud.”  This means they have built out massive amounts of network bandwidth and DDoS mitigation capacity at multiple sites around the Internet that can take in any type of network traffic (whether you use multiple ISPs, your own data center, any number of cloud providers, etc.), scrub the traffic for you, and only send “clean” traffic towards your data center.

Cloud mitigation providers have the following benefits:

  1. Expertise:  Generally, these providers have any number of network and security engineers and researchers who are constantly monitoring for the latest DDoS tactics to better protect their customers.
  2. Lots of bandwidth: These providers have much more bandwidth than an enterprise could provision on their own to stop the biggest volumetric attacks.
  3. Multiple types of DDoS mitigation hardware:  DDoS attacks are extremely complex. There is a need for multiple layers of filtering to be able to keep up with the latest threats.  Cloud providers should take advantage of multiple technologies, both commercial off the shelf (COTS) and their own proprietary technology to defend against attacks.

As an example, here at Verisign, we have DDoS scrubbing centers around the world that protect enterprises in all verticals from DDoS attacks.  We can take the attack traffic destined for a customer’s website either via the Border Gateway Protocol (BGP – the protocol that manages all of the “routing” on the Internet) or by the customer simply making a DNS change to point to our network.  Once the traffic hits one of our scrubbing centers, we filter out the bad DDoS traffic and pass on the good traffic to our customers (no matter where their site is hosted).  The diagram below is a good visual of how the process works.


Hopefully this post has been educational on the various types of DDoS mitigation.  I may be biased, but in my view, cloud mitigation providers are the logical choice for enterprises for their DDoS protection needs.  They are the most cost-effective and scalable solution to keep up with the rapid advances in DDoS attacker tools and techniques.

What type of DDoS mitigation techniques, if any, does your company use?

Very well written Sean.