Combating DDoS attacks: Hardware and software solutions

Distributed denial of service (DDoS) attacks are not a new threat in the realm of cybersecurity. In fact, the threat of DDoS goes back decades. However, these days DDoS attacks are more common and more sophisticated. 

As more businesses establish strong online presences, or operate fully as an online business, the threat is that much more relevant. The primary goal of a DDoS attack is to exhaust the available resources for a network, web application, or service so legitimate users are denied access. The result could be a slow-performing website or unavailability of a service or site for a period of time (anywhere from a few hours to a few days).

A recent study found 38 percent of businesses that provide online public-facing services (e.g. IT/technology, ecommerce, media, and finance) suffered a DDoS attack in the previous year.

Moreover, the same study found the business impact is sizeable: a single DDoS attack costs a company between $52,000 and $444,000 (depending on the company's size) in lost revenue and IT spending. That’s a huge hit to any budget.

Luckily, DDoS mitigation methods and technologies have changed to keep up with the threat. DDoS has evolved from affecting Layer 3 (network) and Layer 4 (transport) functions to targeting Layer 7, the application layer. Volumetric attacks have also increased in size.

Let’s take a look at how DDoS mitigation technologies have evolved, where they fell short and what’s needed now to protect a network and website from DDoS attacks.

Firewall/IPS

Firewalls were the first solutions developed to combat DDoS attacks, followed by intrusion detection systems (IDS) and intrusion protection systems (IPS). These devices were able to separate trusted networks from untrusted networks, and as an integrated protection they worked well for basic denial-of-service threats.

The challenge for a single-device solution is two-fold. First, a firewall or IPS can only track so many connections at a time: the device keeps state for every connection from start to finish, and its state table has a fixed capacity. Once that capacity is reached, additional connections cannot be added, creating a bottleneck.

Some Unified Threat Management (UTM) devices and Next Generation Firewalls (NGFW) offer some level of anti-DDoS service and in all likelihood can mitigate many DDoS attacks. There are advantages to having a single device for firewall, IPS and DDoS mitigation: ease of management and simplicity of deployment. However, a volumetric DDoS attack could easily overwhelm the device, and the increasingly common Layer 7 attacks require resource-intensive inspection to detect.

Another factor to consider is overall device performance, which may be affected with anti-DDoS protections enabled. The result could be reduced throughputs and increased latency for end users.

Software-based platforms

With the shortcomings of firewall/IPS device solutions realized, a string of software-based products was introduced to the market. This in-line program intelligence was based on “signatures”: patterns identified from how malicious traffic behaved. Researchers would examine a new attack, develop a signature, and deploy it to the software. When the characteristics of the attack were detected, the software reacted and stopped the traffic.

However, DDoS attacks change all the time, and this type of software could not detect or mitigate zero-day attacks. Further, signature-based defenses could not distinguish legitimate traffic from legitimate-looking traffic being used for malicious purposes, and could become overwhelmed by high traffic volumes, leading to false positives.

Hardware-based solutions

This leads us to the most recent evolution of DDoS mitigation – a dedicated hardware-based solution. It solves three problems that plagued the traditional solutions:

  1. High Performance at an affordable cost: DDoS mitigation requires a significant amount of computing power and resources. To fully defend against DDoS, every packet must be examined and analyzed without causing significant latency.
  2. Deep behavioral analysis: Complexity comes with the territory in modern-day DDoS attacks. A single attack can come from thousands of connections, or from a small number of seemingly valid protocol sessions that are behaving oddly (e.g. trying to read the same image file several times).
  3. Impenetrable fortress: An anti-DDoS solution should be invisible to the protected network and be able to handle high volumes of traffic to the point where it cannot be overwhelmed.

Using adaptive behavioral analysis, a hardware solution can detect known DDoS attacks, but also recognize new types of DDoS attacks (zero-day attacks). Network virtualization allows a hardware solution to scale quickly and seamlessly in the event of defense escalation, while maintaining connections for legitimate traffic.
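The contrast drawn above between signature matching and behavioral analysis, and the earlier point that signatures miss zero-day traffic, can be shown in a few lines of code. The following is an added example, not code from the article or from any vendor product: it runs a signature check and a repeated-resource behavioral check over constructed access-log lines. The log format, the `badbot/` and `python-requests/` signature patterns, the client addresses and the window/threshold values are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque

# Constructed access-log lines (not real traffic), one request per line:
#   ip unix_timestamp "METHOD path" status "user-agent"
# 10.0.0.5 browses normally, 10.0.0.6 uses a user-agent a signature already
# covers, and 10.0.0.7 looks like a browser but hammers one image file.
SAMPLE_LOG = """\
10.0.0.5 100 "GET /index.html" 200 "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 103 "GET /img/logo.png" 200 "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 110 "GET /about.html" 200 "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.6 100 "GET /index.html" 200 "badbot/1.0"
10.0.0.6 101 "GET /index.html" 200 "badbot/1.0"
10.0.0.6 102 "GET /index.html" 200 "badbot/1.0"
10.0.0.7 100 "GET /img/logo.png" 200 "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 100 "GET /img/logo.png" 200 "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 101 "GET /img/logo.png" 200 "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 101 "GET /img/logo.png" 200 "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 102 "GET /img/logo.png" 200 "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 102 "GET /img/logo.png" 200 "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 103 "GET /img/logo.png" 200 "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 103 "GET /img/logo.png" 200 "Mozilla/5.0 (Windows NT 10.0)"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\d+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = int(ev["ts"])
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


# Hypothetical signature list: user-agent patterns a research team has already
# catalogued. Anything not on this list is invisible to signature_detect().
SIGNATURES = [re.compile(r"^badbot/"), re.compile(r"^python-requests/")]


def signature_detect(events):
    """Flag a client only when its traffic matches a known pattern."""
    return {ev["ip"] for ev in events if any(s.search(ev["ua"]) for s in SIGNATURES)}


class RepeatedResourceDetector:
    """Flag a client that fetches the same resource `threshold` times within `window` seconds."""

    def __init__(self, window=10, threshold=5):
        self.window = window
        self.threshold = threshold
        self._hits = defaultdict(deque)  # (ip, path) -> recent request timestamps

    def observe(self, ev):
        key = (ev["ip"], ev["path"])
        q = self._hits[key]
        q.append(ev["ts"])
        # Drop timestamps that have fallen out of the sliding window.
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold


def behavioral_detect(events, window=10, threshold=5):
    """Flag clients by how they behave, with no prior knowledge of the attacker."""
    det = RepeatedResourceDetector(window, threshold)
    return {ev["ip"] for ev in events if det.observe(ev)}


def run_comparison(text=SAMPLE_LOG):
    events = parse_log(text)
    sig = signature_detect(events)
    beh = behavioral_detect(events)
    return {"signature": sig, "behavioral": beh, "either": sig | beh}


if __name__ == "__main__":
    for name, ips in run_comparison().items():
        print(f"{name:>10}: {sorted(ips)}")
```

On the constructed log, the signature check flags only 10.0.0.6 and says nothing about 10.0.0.7, whose user-agent matches nothing known; the behavioral check flags 10.0.0.7 on its fifth request for the same image inside the window and ignores 10.0.0.6, whose three requests stay under the threshold. The same counter would also flag a legitimate client that retries a failing download five times in ten seconds, which is the false-positive trade-off the article describes: the window and threshold have to be tuned per site, and a production system would rate-limit rather than hard-block on a single signal.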

Final thoughts

Businesses of all sizes from enterprise to small ecommerce shops are susceptible to DDoS attacks. Unprepared businesses could suffer site outages anywhere from a few minutes to several days, which could be catastrophic to both the bottom line and overall brand reputation. Minimize your vulnerability by taking steps to integrate DDoS protection into your greater cybersecurity plan. The latest DDoS mitigation solutions – a dedicated hardware-based approach – can keep businesses up and running in spite of malicious attacks.

Aamir Lakhani is a senior security strategist at Fortinet’s FortiGuard Labs. Follow him on Twitter @aamirlakhani.