When considering a DDoS mitigation strategy, whether it is entirely new or a re-evaluation of an existing practice, organizations should begin by determining their goals and objectives. Start by identifying the top 5 to 10 applications and APIs and why they are important to your business. Consider how to define the entire technical estate that supports these apps, whether on-premises or cloud, along with the traffic capacity of each point of presence. If applicable, determine your incumbent application delivery and application security methods, such as load balancers and web application firewalls, and solicit input from the responsible teams: many of these products have signaling and integrations available for cloud SaaS DDoS scrubbing vendors.

Armed with this information, you are better prepared to meaningfully evaluate the suitability of the best DDoS solutions available today. It is important, however, to understand where we have come from in the evolution of DDoS in order to properly consider modern threat vectors and how to defend against them effectively.

Well, how did I get here?

DDoS is a key business risk and cyber defense challenge.

From 2022 to 2023, FS-ISAC/Akamai reported that DDoS volume against financial services increased by 22% overall. In Europe, specifically, DDoS attacks against financial institutions increased by 73%, and financial institutions were the target of 50% of all DDoS attacks.

Historically, DDoS attacks are categorized into three main groups:

  1. The volumetric attack is the classic DDoS: overwhelm the infrastructure or saturate the bandwidth, and the application becomes unavailable to legitimate traffic. These are generally thought of as packet floods that consume your entire network pipe.
  2. Protocol attacks are sometimes smaller in volume but no less destructive. These attacks abuse networking protocols to burden or crash network infrastructure. These are your "packets per second" attacks, and your network may struggle to pass legitimate packets when all capacity is inundated by a huge packet rate.
  3. Application layer attacks seek to overwhelm the application or API rather than the supporting infrastructure. Older examples include Ping of Death, where a malformed packet stream could lead to memory exhaustion, and Slowloris and Low Orbit Ion Cannon, among others, where a socket connection is held open for an atypically long time, leaving that socket unavailable for other traffic. Thus, connection tables on firewalls, application delivery controllers or servers are exhausted long before the saturation point of available network throughput. Application attacks can also use slow request rates and slow reads, along with slow POST or large POST payloads.

Faster than the eyes can flick, the 4 big concerns

It's 2024. What's new to be concerned about these days? Everything in the previous section is still out there, and it's all evolving and adapting regularly.

1) AI/ML

The first area to think about is the rise of artificial intelligence (AI) and machine learning (ML). Attackers are increasingly leveraging these techniques to launch more sophisticated and evasive DDoS attacks. AI-powered attacks utilize algorithms to dynamically adapt attack patterns, identify vulnerabilities, and bypass traditional defense mechanisms, making them harder to detect and mitigate. These attacks may involve automated botnets with AI capabilities, allowing them to intelligently target specific weaknesses in a target's infrastructure or defenses.

Polymorphic malware and botnets - fewer breadcrumbs: AI techniques enable attackers to develop polymorphic malware and botnets that can continuously adapt and mutate to evade detection and mitigation. Polymorphic malware can alter its code structure and signatures, making it challenging for antivirus and intrusion detection systems to recognize and block the malicious code. AI-powered botnets can autonomously evolve their command and control (C&C) infrastructure, change communication protocols, and adopt decentralized architectures, making them resilient against traditional mitigation techniques.

Zero-day exploits - they don't stop coming: AI algorithms can analyze large volumes of data and identify previously unknown vulnerabilities or zero-day exploits. Therefore, attackers can leverage AI to discover and exploit these vulnerabilities, launching targeted DDoS attacks that specifically exploit weaknesses, for which there are no known patches or defenses.

Advanced evasion techniques - more specific than ever: By using AI algorithms to analyze network topologies, traffic patterns, and security configurations, attackers can identify gaps and weaknesses in defense systems and exploit them to avoid detection and mitigation.

2) Internet of Things (IoT) attacks

IoT-based attacks are nothing new and still consist of massive botnets bolstered by millions of devices with weak or non-existent security features and well-known default access credentials. Think cameras, routers, home automation devices: everybody has one (or several!). With so many devices participating in these botnets, attack scale and impact are greatly amplified, and such DDoS services are cheaply available for rent on the dark web, requiring no great technical expertise on the part of the attacker.

3) Current application layer attacks

Like IoT attacks, application attacks such as HTTP floods and SQL injection aren't new, but they are perhaps more formidable than ever. Bolstered by AI/ML, improved evasion of signature detection means attacks fly under the radar longer. Discriminating attacks from legitimate traffic is harder now: attacks more closely resemble normal behavior, attack vectors are significantly more dynamic, and risks like scraping and data exfiltration expand due to increased automation with AI/ML.

4) Encrypted traffic attacks

You can't secure against traffic you cannot see. Encryption means higher computational overhead, and SSL/TLS certificates used to require money and effort. Now, certificate issuance is largely automated and available for free. This has resulted in attackers increasingly using traffic encryption to conceal and amplify DDoS attacks. Such encrypted traffic may bypass traditional traffic inspection and mitigation techniques, which makes it difficult to detect and mitigate in real time. In fact, given sufficient volume, encrypted traffic attacks can exploit the aforementioned computational cost and themselves overwhelm decryption/inspection infrastructure.

Defending the past and the big 4

Modern DDoS defenders must prioritize an IoT security strategy, bolster application layer security and employ robust traffic decryption/inspection mechanisms.

Defenders must recognize and understand how AI/ML have evolved, and continue to evolve, current attack techniques. Put succinctly, to defend against such attacks you must do what the attackers do: analyze your network traffic, identify anomalous patterns, and quickly adapt defense mechanisms.

Examples of countermeasures and strategy include behavior-based anomaly detection, such as analyzing network traffic and identifying deviations from normal patterns of behavior. ML algorithms are employed to establish baselines of normal traffic behavior and detect anomalous activity that may indicate a DDoS attack. Given this deviation from baseline, a DDoS attack can be identified and mitigated in real time. Practically, this means actions like continuously looking for abnormal traffic spikes, high request volumes and other irregular patterns. Many security vendors provide current, actionable information about emerging DDoS threats, known botnets and C&C infrastructure; you should use these intelligence feeds!

It stands to reason that if attacks are now driven by machine learning, it should also be part of your defenses. ML-driven mitigation algorithms do the traffic analysis, identify malicious traffic, and dynamically adapt mitigation strategies, such as filtering rules, rate limits and traffic diversification techniques, at a much faster rate than a human security analyst ever could.
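As an added illustration of the baseline-and-deviation approach described in the two paragraphs above (example code written for this article, not WWT's or any vendor's product), the block below learns a per-second request-rate baseline from a quiet window of a constructed access log, flags seconds that exceed mean + 3 standard deviations, measures how concentrated the flagged traffic is, and derives an adaptive rate limit and block list from the result. The three-field log format (epoch second, client IP, path) and all traffic values are constructed for the example.

```python
import statistics
from collections import Counter, defaultdict

def build_sample_log():
    """Constructed access log (not real data): 20 quiet seconds of 4-6 req/s from
    varied clients, then 5 seconds of an 80 req/s HTTP flood from four hosts."""
    lines = []
    for t in range(20):
        for i in range(4 + t % 3):
            lines.append(f"{1700000000 + t} 10.0.{t % 7}.{i + 1} /api/quote")
    for t in range(20, 25):
        for i in range(80):
            lines.append(f"{1700000000 + t} 192.0.2.{i % 4 + 1} /api/quote")
    return lines

def parse_per_second(lines):
    """Bucket requests by second: {second: Counter(client_ip -> requests)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, ip, _path = line.split()
        buckets[int(ts)][ip] += 1
    return buckets

def learn_baseline(buckets, train_seconds, k=3.0):
    """Model normal as mean + k standard deviations of the per-second rate over a
    training window; that upper bound doubles as the adaptive rate limit."""
    rates = [sum(buckets[s].values()) for s in train_seconds]
    mean, sd = statistics.mean(rates), statistics.stdev(rates)
    return {"mean": mean, "stdev": sd, "limit": mean + k * sd}

def detect_anomalies(buckets, baseline):
    """Flag seconds whose rate exceeds the limit and record how concentrated the
    traffic is: a high rate with a low top-client share is a distributed flood
    that a per-IP limit alone would miss."""
    alerts = []
    for sec in sorted(buckets):
        total = sum(buckets[sec].values())
        if total > baseline["limit"]:
            top_ip, top_n = buckets[sec].most_common(1)[0]
            alerts.append({"second": sec, "rate": total,
                           "top_ip": top_ip, "top_share": top_n / total})
    return alerts

def mitigation_plan(buckets, alerts, baseline):
    """Adapt controls from alerts: apply the baseline bound as the global limit
    and block any client that alone exceeds it during a flagged second."""
    block = set()
    for a in alerts:
        block.update(ip for ip, n in buckets[a["second"]].items() if n > baseline["limit"])
    return {"global_rps_limit": round(baseline["limit"], 1), "block": sorted(block)}
```

Train on the quiet window (the first 20 seconds of the sample) and run detection over the whole log: the five flood seconds are flagged at 80 req/s with a top-client share of 0.25, i.e. a distributed source, and the plan blocks the four hosts that each exceed the learned limit on their own.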

In the realm of IoT attacks, the best controls and countermeasures start not with technology but with organizational policy. Your organization should have a security framework for IoT design, development, deployment and updates. Network segmentation, micro-segmentation and IoT isolation are a must, along with traffic monitoring and alerting.

Application attack DDoS defense should include the following list, as a starting point:

  • Web Application Firewall (WAF).
  • Secure coding practices.
  • Cloud DDoS scrubbing.
  • CDNs for traffic diversification.
  • Strong authentication and authorization.
  • Regular vulnerability scanning and penetration testing.
  • SIEM.

Defending against encrypted traffic attacks should include:

  • DPI of headers, metadata and signatures without needing full packet decryption.
  • Traffic analysis with machine learning: look at patterns, flows and packet sizes.
  • Analysis of decrypted traffic for IoCs, C&C traffic and malware activity.
  • Full decryption of SSL/TLS when appropriate.
  • Use of threat intelligence data.

Vendor Evaluations

Significant parity of features and capabilities exists across DDoS mitigation vendors; the most appropriate fit depends on the detail and nuance of the specific organization, their applications and technology ecosystems.

General considerations

  • Do you need cloud-based, on-premises or a hybrid combination of DDoS mitigation capabilities?
  • Always on versus on-demand mitigation?

Considerations regarding business applications

  • What is their supporting application delivery controller/load balancing architecture?
  • What is the approximate traffic throughput observed for each app you need to protect? This affects how many scrubbing centers a DDoS vendor may need to offer.
  • What SLAs are required of the application?
  • How does a customer collaborate with the scrubbing vendor during an active incident?

Recommendations

We recommend that customers employ a multi-phased approach to optimize technology investments such as DDoS and WAF:

Phase 1: Perform a detailed functional and non-functional requirements analysis to validate a proposed reference architecture. Score vendors against customer-specific details with the WWT vendor evaluation tool. This will also enable a rough order of magnitude (ROM) cost to be produced.

Phase 2: Perform a proof of concept of the proposed architecture against a set of specific use cases.

Phase 3: Develop a high-level design and low-level design that meets customer requirements.

Phase 4: Deploy the solution into production at the customer, moving through development, testing, pre-production and then into production.

WWT is committed to providing customers with the support necessary to accelerate the implementation of these recommendations. When fully realized, these measures will help organizations maintain their industry-leading commitment to providing their own customers with world-class service, in an era of proliferating cyber threats and evolving challenges.
