Line of defense against DDoS attacks

Governments, public authorities, online store providers, banks and many other companies have already been victims of DDoS attacks. Many have had to pay a high price, for example with the crash of their website or the interruption of data center operations; some even ransom because they were blackmailed by the attackers, such as NTT Com Security writes. An improvement is not to be expected, as the scope and type of DDoS attacks will increase.

Three types of attacks, three levels of protection

Overall, NTT Com Security distinguishes between three basic types of DDoS attacks. These include, first, the classic high-volume attacks that flood victims' Internet lines; second, the increasing attacks on infrastructure components, such as the overloading of firewalls or servers; and third, application-focused attacks that can take place within an encrypted connection and disconnect application servers.

According to these attacks, the types of defense are also different. The security company recommends three-tier protection:

1. defense against high-volume attacks: In this case, protection is only possible via providers that can provide extensive bandwidth or scrubbing centers. CDNs (Content Delivery Networks) are often no longer sufficient in view of the high volume of DDoS attacks; scrubbing centers, which NTT also offers, represent an additional layer of protection and are placed upstream of companies' systems. They are a kind of cleaning center that is set up for extreme data volumes, analyzes the traffic and filters out the different types of attacks.

2. defense against infrastructure attacks: In principle, this type of attack can also be intercepted with scrubbing centers. However, if the number of connections below which a scrubbing center becomes active is not reached, DDoS-aware firewalls are more suitable. They can process significantly more connections than classic firewalls and thus intercept the corresponding attacks.

3. defense against application-focused attacks: The tool of choice in this case is called a WAF, or Web Application Firewall. In contrast to classic firewalls, WAFs examine application-specific communication and are thus able to detect attacks that target the application.

Step by step procedure

If a company is dealing with the defense against possible DDoS attacks, it should proceed in several steps:

1. inventory analysis: The first measure is to check whether systems already exist that can be used for protection and how they should best be supplemented to ensure the best possible DDoS defense. WAFs, for example, are not very common in companies, and very rare is the protection provided by scrubbing centers.

2. monitoring: Companies are often unaware that they are under attack. The firewall logs all connections, but the high number of entries makes monitoring at this point almost impossible, at least manually. Performance monitoring tools are better suited, but they are usually queried too infrequently to get an idea of the actual state of the infrastructure. Extensive DDoS attacks are also regularly carried out to distract attention from the actual intrusion with a few packets, for example on a server. A well-developed SIEM system is needed to detect such attacks.

3. response process: What should be done when an attack occurs? A company must prepare the respective measures in order to be able to react quickly and adequately. Even at the first test of DDoS attackers, a company should be able to switch to emergency mode and immediately activate a scrubbing service, for example.

Focus shifts

"DDoS is usually associated with web server attacks, but web server operators are now very well equipped to deal with them," explains Tom Hager of NTT Com Security. "Much more serious, however, are attacks on corporate infrastructure, which are likely to increase in the future because companies are much less protected there. If logistics or the ordering system collapses and there is no longer any communication or partner connection, the company could come to a standstill. So appropriate preparation is essential."