DDoS Attacks:  Know Your Enemy

Distributed-denial-of-service (DDoS) attacks are more frequent today than they’ve ever been, according to the latest report by Verisign.  In the final quarter of 2015, DDoS attacks globally rose by 85% compared with the previous year – and 15% on the previous quarter alone.  Not only that – they’re also getting more dangerous, deploying higher volumes of packets than ever before.

DDoS attacks aren’t just an annoyance;  they can be extremely damaging.  Offline websites and networks are non-trading websites and non-operating networks, which can lead to substantial revenue losses. And they’re a more insidious form of cyberattack than you might think; research by Kaspersky has suggested that around a third of all DDoS attacks coincide with a network intrusion, which can lead to loss of sensitive data.

Fortunately, there are some simple defensive tactics available, all of which make your network less vulnerable to DDoS disruption. These include:

• Network segmentation. By dividing your network into discrete segments, and separating public and internal systems from each other, each protected by a separate firewall, you can maintain internal services even during a full-blown attack targeted at public systems.
• Limiting the number of new connections being set up. By setting parameters for the number of new connections set up during a specific time period or in total from a single user or network, you can make it far harder for criminals to overload the protected systems.
• Managing load balancing and bandwidth. Bandwidth shaping is most often used to manage legitimate traffic volumes during busy periods, for example Black Friday. However, if configured intelligently, it can also be a powerful weapon against DDoS attacks.
• Considering the use of packet scrubbing services. Packet scrubbing reduces traffic volumes by diverting traffic via an ISP.

These are all well-established defensive measures, which many organisations may already have in place as part of your overall information security posture.  After all, network segmentation isn’t just good practice from a DDoS defense point of view; it also protects the network against damaging APT attacks, for example.  However, as DDoS attacks continue to proliferate, it’s clear that we need additional defensive measures against them.

Knowing your enemy

We’ve all heard the old adage ‘know thy enemy’ – and this is particularly relevant to DDoS attacks.  Most botnets, which are the originating point for DDoS attempts, are centered in a particular geographic location or group of IP addresses, and the majority of botnet command and control centers worldwide are actually located in a small list of countries, which includes China, Ukraine, Russia, Pakistan, and Turkey.  By establishing the locations – i.e. the unique IP addresses – from which the attacks originate, it’s possible to dramatically reduce the impact of an attack, in real time, by blocking those IP addresses.

This can be done by advanced next-generation firewalls, using a feature called geographic IP (GeoIP) blocking.  It works by generating an ongoing ‘heat map’ of where traffic arriving at the firewall or gateway originates from.  Using GeoIP, organizations’ IT and security teams can use the security gateway’s management console to get a real-time, highly visual overview of the traffic volumes hitting their network – and are able to quickly identify any unnatural traffic patterns that could signal the start of a denial-of-service attack.

If a DDoS attack is detected, the organization’s IT team can simply use the GeoIP feature to configure the security gateway to block the originating IP addresses in real time.  This way, the malicious traffic is rejected and simply bounces off the gateway, nullifying the impact of the attack and enabling the organization’s website and services to continue working, without significant interruption.

Closing your network’s borders

The great advantage of this approach is that it is flexible,  enabling organizations to dynamically respond to what is actually happening on their networks.  GeoIP can also be used pre-emptively, as there are huge numbers of websites and domains that shouldn’t be connected to, because they are known to host or control botnets, or distribute malware.  These IP addresses can be blocked in the gateway, to reduce exposure to potential attacks.

There are also countries or geographic regions globally where your organisation does not currently do business – and so it’s likely that traffic from hosts in these regions may be suspicious.  For example, if an organization that has no trading relationships in North Korea suddenly receives volumes of traffic originating from the country, it’s likely to be malicious activity.  So IP addresses from this and similar countries can be blocked, using GeoIP capability to act as a ‘border control,’ stopping undesirable traffic from reaching networks.

So when it comes to defending against DDoS attacks, establishing where the attack is being launched from is critical to being able to defend against it.  When you know this about your enemy, you can stop an attack in its tracks.