How do you Mitigate a Denial-of-Service Attack?

You won't have time to think about and make a decision on your mitigation options if a denial-of-service incident occurs. It's critical to think about them before an incident occurs and to ensure that your controls are set up to automatically mitigate the attack and that your team knows how and where to respond.

To ensure that mitigations kick in before your system is knocked offline, all mitigations must be tuned to your systems. Without proper tuning, a small number of requests to computationally expensive resources could bring a service down while the protection service sees nothing "wrong."

What is a DDoS Attack?

A Denial of Service (DoS) attack is a malicious attempt to disrupt the availability of a targeted system to legitimate end users, such as a website or application. Attackers typically generate large volumes of packets or requests, eventually overwhelming the target system. In the case of a Distributed Denial of Service (DDoS) attack, the attacker generates the attack from multiple compromised or controlled sources.

DDoS attacks can be classified based on which layer of the Open Systems Interconnection (OSI) model they target. They are most commonly found in the Network (Layer 3), Transport (Layer 4), Presentation (Layer 6), and Application (Layer 7) Layers.

How to Mitigate a DDoS Attack?

Now that you understand what DoS attacks are and the reasons attackers use them, let's talk about how you can safeguard yourself and your services from them. Most common mitigation techniques work by detecting unauthorized traffic and blocking it at the routing level, managing and analyzing service bandwidth, and also being mindful when designing and implementing APIs to handle large amounts of traffic.

Understanding when you are the target of a DoS attack is the first step in any mitigation strategy. The first step in keeping your service available and responsive is to analyze incoming traffic and determine whether or not it is legitimate. Scalable cloud service providers are fantastic (and may even "absorb" a DoS attack invisibly), which is great until you receive a massive bill for bandwidth or resource overuse. Making sure that your cloud provider bases scaling decisions solely on legitimate traffic is the best way to ensure that your company does not waste elasticity dollars due to an attack. Early detection of an attack greatly improves the effectiveness of any mitigation strategy.

One of the first techniques for mitigating DDoS attacks is to reduce the surface area that can be attacked, limiting attackers' options and allowing you to build protections in a single location. We want to make sure that we don't expose our applications or resources to ports, protocols, or applications that aren't expecting any communication from them. As a result, the potential points of attack are reduced, allowing us to focus our mitigation efforts. You can do this in some cases by placing your computation resources behind Content Distribution Networks (CDNs) or Load Balancers and restricting direct Internet traffic to specific parts of your infrastructure, such as your database servers. In other cases, firewalls or Access Control Lists (ACLs) can be used to control what traffic reaches your applications.

Bandwidth (or transit) capacity and server capacity to absorb and mitigate attacks are the two most important considerations for mitigating large-scale volumetric DDoS attacks.

Capacity for public transportation. When designing your applications, ensure that your hosting provider provides ample redundant Internet connectivity that allows you to handle high traffic volumes. Because the ultimate goal of DDoS attacks is to disrupt the availability of your resources/applications, you should locate them not only near your end users but also near large Internet exchanges, allowing your users easy access to your application even during high volumes of traffic. Web applications can also go a step further by utilizing Content Distribution Networks (CDNs) and smart DNS resolution services, which provide an additional layer of network infrastructure for serving content and resolving DNS queries from locations that are frequently closer to your end users.

The capacity of the server Most DDoS attacks are volumetric, consuming a large number of resources; therefore, it is critical that you can quickly scale up or down your computation resources. This can be accomplished by running on larger computation resources or features such as more extensive network interfaces or enhanced networking that support higher volumes. Furthermore, load balancers are commonly used to continuously monitor and shift loads between resources to avoid overloading any one resource.

When we detect high traffic levels hitting a host, our baseline is to accept only as much traffic as our host can handle without affecting availability. This is known as rate limiting. More advanced protection techniques can go a step further and intelligently accept only legitimate traffic by analyzing individual packets. To do so, you must first understand the characteristics of good traffic that the target typically receives and then compare each packet to this baseline.

Filtering requests upstream, long before they reach the target network, is one of the most effective mitigation strategies. When done correctly, your API never sees this traffic, so any rate-limiting policies are bypassed. There are numerous "Mitigation Center" providers who will filter incoming network traffic. Amazon Shield (opens new window) and Cloudflare (opens new window), for example, both provide products that protect against DoS and DDoS attacks by comparing incoming packet IPs to known attackers and BotNets and attempting to only forward legitimate traffic. API gateways have similar capabilities, but they can also filter based on the requested endpoint, allowed HTTP verbs, or a combination of verbs and endpoints.

Passing responsibility for DoS mitigation to upstream providers can be a great way to reduce liability and risk, as mitigation can be extremely complex and is a never-ending cat-and-mouse game between service providers and attackers.

Using a Web Application Firewall (WAF) to protect against attacks such as SQL injection or cross-site request forgery that attempt to exploit a vulnerability in your application is a good practice. Furthermore, due to the unique nature of these attacks, you should be able to easily create customized mitigations against illegitimate requests that may disguise as good traffic or originate from bad IPs, unexpected geographies, and so on. It may also help mitigate attacks because they have experienced support to study traffic patterns and create customized protections.

Conclusion

DDoS risks are becoming much more dangerous, and the number of attacks is also increasing. Experts predict that the average number of DDoS attempts per year will rise to 15.4 million by 2023. That figure suggests that nearly every business will face a DDoS attack at some point, so preparing for this type of attack should be at the top of your security priority list.

As they are becoming more common by the day, organizations must be ready for any type of attack. If the organization does not plan ahead of time and an attack occurs, damage control could indeed take months and can severely harm the organization's reputation.