Quick Guide: Keysight’s Four-Step DDoS Mitigation Process

White Paper

First Step: Pick Your Weapon

Here’s what you should look at when choosing your distributed denial of service (DDoS) mitigation technology:

  • On-premises / in the cloud – With attacks growing larger and becoming more complex, the dilemma facing many organizations is whether to deploy on-premises DDoS protection or subscribe to a cloud-based provider. Purpose-built defense solutions are deployed on premises, between the Internet and your network core. Deployed at the edge of your network, these tools offer real-time defense with complete and sophisticated visibility into DDoS security events. Cloud-based DDoS mitigation service, on the other hand, is most often utilized as an on-demand option for large-scale attacks. A recent report by SANS Institute stated: “DDoS mitigation solutions integrating on-premises equipment and ISP and/or mitigation architectures are nearly four times more prevalent than on-premises or services-only solutions.”
  • Attack volume – What scale of attack is the tool or service capable of stopping? These days, the measure is in tens or hundreds of gigabytes per second of malicious traffic. Look into cloud-based tools that operate at large scale, so they can route even a massive amount of DDoS traffic to a network of cloud-based machines.
  • Impact on legitimate transactions – While the DDoS attack is going on, what will happen to your site’s visitors? The best result is for users to continue working as usual without even noticing that an attack is going on. For larger-scale attacks this will not be possible—users will be affected. But knowing what level of service you will be able to provide to your users and to how many users while under attack is critical.
  • Cost model – Many DDoS services are priced based on bandwidth protection. If you are paying for 100 Gbps protection, and the attack scales up to 300 Gbps, you must decide if and how much you are willing to pay for the extra coverage. Try to anticipate your cost structure based on realistic assumptions of attack size.
  • False positives – One of the most significant issues related to DDoS mitigation is the false positive. This is something every DDoS protection cloud service and vendor has to pay close attention to. A false positive is when a legitimate user triggers the protection system, and in response, that user is flagged as an attacker. False positives appear during DDoS mitigation and are often a consequence of complex Layer 7 application DDoS attacks. Detecting and eliminating false positives through continuous testing, behavior analysis, and rate limiting techniques is highly important in implementing a successful DDoS mitigation practice.
Second Step: Know Your Enemy

Just like an elite squad training for a mission, you need a clear idea what you’re up against. “DDoS attack” is a general term that includes several different types of attacks.

Volumetric attacks — network layers 3/4

  • ACK attack/SYN flood – Attackers send large volumes of SYN packets to servers, using spoofed source IP addresses. The SYN flood creates embryonic (half-open) connections, which consume all of the server’s resources and shut down the legitimate services running on it.
  • DNS reflection attack – Attackers contact a large number of open DNS servers, requesting a large DNS zone file and spoofing the source IP address as that of the attack target. The DNS servers respond by sending the large DNS zone answer to the attacked server. The server is effectively taken offline, because it is unable to respond to new DNS requests from real visitors.
  • Smurf/ping attack – Attackers send ICMP ping requests to a network’s broadcast address, which is known to relay ICMP to all devices behind the router. The attacker spoofs the source IP to be the same as the router’s. So, devices behind the router respond with a ping, overwhelming the router with ping traffic and making it unable to respond to real requests.
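As an added illustration (not from the Keysight paper), the following Python sketch shows how an edge sensor could label the three volumetric patterns above from per-packet flow records in one observation window, while tracking completed handshakes so an ordinary client is not counted as a SYN-flood source (the false-positive concern raised in the first step). The flow records, addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed packet records for one 1-second window at the network edge."""
    flows = [
        # Legitimate client: SYN followed by ACK (completed handshake), small DNS answer.
        dict(proto="TCP", src="192.0.2.10", dst="10.0.0.5", flags="S", bytes=60),
        dict(proto="TCP", src="192.0.2.10", dst="10.0.0.5", flags="A", bytes=52),
        dict(proto="UDP", src="192.0.2.53", dst="10.0.0.5", sport=53, bytes=120),
    ]
    # SYN flood: 120 spoofed sources, one SYN each, never completing the handshake.
    flows += [dict(proto="TCP", src=f"203.0.113.{i + 1}", dst="10.0.0.5", flags="S", bytes=60)
              for i in range(120)]
    # DNS reflection: 60 open resolvers returning large zone answers to the victim.
    flows += [dict(proto="UDP", src=f"198.51.100.{i + 1}", dst="10.0.0.6", sport=53, bytes=3000)
              for i in range(60)]
    # Smurf: 80 hosts on a broadcast segment replying to spoofed echo requests.
    flows += [dict(proto="ICMP", src=f"198.18.0.{i + 1}", dst="10.0.0.7", type="echo-reply", bytes=84)
              for i in range(80)]
    return flows


def classify_window(flows, syn_min=100, dns_min=50, dns_bytes_min=1000, icmp_min=50):
    """Return {destination: [attack classes]} for one window. Thresholds are
    illustrative (assumed); tune them from your own baseline traffic."""
    syn_srcs, ack_srcs = defaultdict(set), defaultdict(set)
    dns_srcs, dns_bytes, dns_pkts = defaultdict(set), defaultdict(int), defaultdict(int)
    icmp_srcs = defaultdict(set)
    for f in flows:
        if f["proto"] == "TCP" and f["flags"] == "S":
            syn_srcs[f["dst"]].add(f["src"])
        elif f["proto"] == "TCP" and "A" in f["flags"]:
            ack_srcs[f["dst"]].add(f["src"])
        elif f["proto"] == "UDP" and f.get("sport") == 53:
            dns_srcs[f["dst"]].add(f["src"])
            dns_bytes[f["dst"]] += f["bytes"]
            dns_pkts[f["dst"]] += 1
        elif f["proto"] == "ICMP" and f.get("type") == "echo-reply":
            icmp_srcs[f["dst"]].add(f["src"])
    verdicts = defaultdict(list)
    for dst, srcs in syn_srcs.items():
        # Half-open sources: sent a SYN but never followed with an ACK.
        if len(srcs - ack_srcs[dst]) >= syn_min:
            verdicts[dst].append("syn-flood")
    for dst, srcs in dns_srcs.items():
        # Many distinct resolvers all delivering oversized answers to one host.
        if len(srcs) >= dns_min and dns_bytes[dst] / dns_pkts[dst] >= dns_bytes_min:
            verdicts[dst].append("dns-reflection")
    for dst, srcs in icmp_srcs.items():
        # Many hosts replying to pings the destination never sent.
        if len(srcs) >= icmp_min:
            verdicts[dst].append("smurf")
    return dict(verdicts)
```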