DDoS protection is a never-ending battle with cybercriminals: attackers try to bring your website down, while you strive to operate with zero downtime. To win this battle, you must not only choose the right technologies within your network but also implement the right solution for your requirements. This process will be different for each company; every network is different and thus has its own specific needs, and these differences in architecture shape the way you approach DDoS protection.
This article is a summary based on the author’s more than 7 years of experience in DDoS protection. The content presented here will be useful to anybody looking to upgrade the cybersecurity of their online resources and improve operational stability.
What are DDoS attacks?
A DDoS attack is a type of cyber attack in which the attacker generates a multitude of computer-generated requests to the server. Usually coming from a botnet — a network of devices infected with malware that grants the attacker control over them — the wave of requests overloads the network and renders the website unavailable to customers.
As a result, the company experiences downtime and is unable to serve customers for an unknown period of time. Worse yet, many attacks happen at peak hours, during the holidays or during events like Black Friday, causing e-commerce companies to lose millions of dollars while they are down.
Unfortunately, DDoS is a persistent phenomenon that we will have to learn to live with. Based on some sources, the number of DDoS attacks in the first half of 2020 increased 151% compared to the first half of 2019. The scale of attacks is also increasing.
One of the largest DDoS attacks in history, pushing 1.17 terabits of traffic per second, targeted an unknown victim in the first half of 2020. Further, in February of the same year, Amazon Web Services reportedly mitigated a 2.2 terabit attack that had the capability of rendering thousands of hosted clients unusable.
The total number of attacks in 2020 amounted to 10 million. This number is expected to rise to 12 million in 2021 and to roughly 14 million in 2022.
The DDoS Protectability Problem
Not every Internet service can be fully protected from DDoS attacks — some services are easier to defend than others. Furthermore, simply connecting an anti-DDoS filter or purchasing a subscription from an external service is usually not enough. In the real world, setting up effective DDoS protection is a nuanced process with many variables to consider before, during, and after connecting the protection.
We subdivide the parameters that determine how protectable a service is into 4 groups:
- Parameters that describe the ability to conceal information that may aid an attacker. This group includes a range of techniques for hiding the Internet service from unwelcome users, for checking its performance state, and for protecting it against hacking attacks aimed at discovering its internals.
- Parameters that define how well a DDoS defender can evaluate the effectiveness of the protection.
- Parameters showing how well a company can differentiate bots from legitimate users, as well as how easily it can communicate its defense protocols and mechanisms to its DDoS protection service.
- Parameters that define reliability under stress: redundancy at the application level, resistance to weak attacks, allocation of different functions to different IP addresses, how much the system’s components depend on each other, and whether they can work autonomously.
Now, let’s look at two examples of protected online services:
Let’s start with a “bad” example. Imagine an online game running over UDP. As is typical for this kind of application, the game has a website and a game server that are responsible for processing data, and both are running on the same IP address. After receiving a request, the website accesses the game’s database to calculate statistics. The game’s protocol allows a potential attacker to simulate a sequence of packets similar to legitimate ones and overload the application, drastically reducing its performance. Obviously, protecting a service like this is difficult. Firstly, the DDoS protection system must “learn” how to recognize real players and filter out bots. Secondly, even if a relatively weak attack reaches the website, the game will be unavailable for players, because the two share an address.
Now for the “good” example, let’s take a look at a hypothetical taxi ride-hailing service. This time, the website is located on a separate IP address from the mobile app’s backend. All services operate over the HTTPS protocol. The infrastructure is deployed on a pool of IP addresses that are randomly taken from different subnets. Each taxi driver, based on their login, is given a unique set of IP addresses to connect to. The application establishes TCP connections with several of those IP addresses at once; if some are unavailable, it quickly switches to a backup. Also, every time a client connects to the network, the authentication token as well as the client’s IP address are checked to filter out bot traffic. As you can imagine, this architecture is significantly more resistant to DDoS attacks. Attackers will really have to sweat to bring down this kind of service.
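To make the “good” design concrete, here is an added example (not code from the original article or from any real ride-hailing service) of the two admission checks it relies on: a stable per-login subset of the address pool, and a token that is bound to the client IP it was issued for and is verified on every connection. The key, the address pool and the token format are assumptions constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed sample values: a demo key and a pool of documentation-range addresses.
SERVER_KEY = b"constructed-demo-key"
ADDRESS_POOL = ["198.51.100.10", "203.0.113.7", "192.0.2.25", "198.51.100.44", "203.0.113.90"]
TOKEN_TTL = 3600  # seconds a token stays valid


def endpoints_for_login(login, pool=ADDRESS_POOL, count=3):
    """Stable per-login subset of the pool: rank addresses by a keyed hash of login and address.
    An attacker who does not hold the key cannot predict which addresses a given driver uses."""
    ranked = sorted(pool, key=lambda ip: hmac.new(SERVER_KEY, f"{login}|{ip}".encode(), hashlib.sha256).digest())
    return ranked[:count]


def issue_token(login, client_ip, now=None):
    """Token = login|client_ip|expiry|mac. The MAC binds the token to the IP it was issued for,
    so a token harvested by a bot elsewhere does not pass the check."""
    expiry = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = f"{login}|{client_ip}|{expiry}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def check_connection(token, client_ip, server_ip, now=None):
    """Admission check run on every connection; returns (accepted, reason).
    The reason string is what you would log to spot bot traffic in aggregate."""
    now = int(now if now is not None else time.time())
    parts = token.split("|")
    if len(parts) != 4:
        return False, "malformed"
    login, bound_ip, expiry, mac = parts
    expected = hmac.new(SERVER_KEY, f"{login}|{bound_ip}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare
        return False, "bad-mac"
    if int(expiry) < now:  # expiry is covered by the MAC, so it is a trusted integer here
        return False, "expired"
    if bound_ip != client_ip:  # token presented from an address it was not issued for
        return False, "ip-mismatch"
    if server_ip not in endpoints_for_login(login):  # login connecting to an address it was never given
        return False, "wrong-endpoint"
    return True, "ok"
```

Counting the rejection reasons per source address over time gives the DDoS protection service the bot-versus-user signal the architecture is designed to produce.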
The conclusion is simple: DDoS protection must be incorporated into the architecture at the design stage — a good system design increases uptime and reduces the cost of protection.
In the next article, we’re going to take a look at the types of DDoS protection available to companies today.