Taking a Behavioral-based Approach to DDoS Security
As the proliferation of online data has grown, so too has the need for companies to develop massive and complex virtual infrastructures in order to support their online traffic. These systems offer users untold benefits in terms of front-end experience, web performance, and data storage. Yet one of the unfortunate consequences that has arisen from the development of these enormous infrastructures is their susceptibility to different forms of online attacks.
One such method of online incursions that’s being deployed more and more by attackers is through a distributed denial-of-service, or DDoS attack. Simply put, a DDoS attack involves hijacking a system’s performance capabilities by flooding it with ancillary requests and tasks. The end goal of such an attack is to tie up the system sufficiently enough to make it unable to support actual user traffic, or to slow its operations to the point of making it virtually inaccessible. Simple denial-of-service attacks involve only one attacker, while DDoS attacks typically involve multiple parties attacking a system at different access points.
Defining a DDoS Attack
The success of a DDoS attack depends largely upon the size of the system that’s being placed under siege. Given that the ultimate goal is to tie up a system’s performance, attackers tend to focus on high-profile, high-volume web servers such as those employed by financial institutions, or domain name systems servers and credit card payment processing systems. Based upon those detected as having launched such attacks, many industry insiders have come to view DDoS incursions as online protests meant to handicap organizations and destroy user confidence in their systems. Currently, it’s estimated that DDoS attacks happen at a rate of 28 attempts per hour.
RELATED: Moving Disaster Recovery to the Cloud
DDoS attacks can be carried out in a number of different ways. These include:
- Smurf attacks: In this attack, the attackers send out IP packets to all of the hosts on a network with a source address made to appear like that of the targeted system. This quickly eats up all of network’s available bandwidth.
- Teardrop attacks: With this method, attackers are able to crash systems by triggering bugs in their TCP/IP fragmentation reassembly codes. Mangled IP fragments are sent with overlapping payloads, and the system often can’t support the work needed to read them.
- Starvation attacks: Starvation attacks are considered to be asymmetrical, as an attacker uses either greater external resources (i.e., multiple attacking computers) or access to multiple properties and applications within the targeted system. Either way, the purpose is to consume the victim’s resources to the point of “starving” it out.
- SYN floods: In a SYN flood, the attacker floods his or her target with TCP/SYN packets with forged sender addresses. The targeted server recognizes these packets as connection requests, and thus creates a half-open connection to the sender via another packet. This connection is left open awaiting a response, which never comes. Thus, the number of connection requests available on the server is tied up.
- HTTP POST DDoS attacks: Here, an HTTP POST header is sent with a content message that specifies the size of the message that will follow. The attacker then sends the actual message at a very slow rate. Because the system recognizes the “Content-Length” field in the header, it will wait for the entire message to be received.
Other, less common attack methods have been given more ominous names like “Nuke” or “RUDY (R-U-Dead-Yet),” but the purpose of each attack method is the same:
- Consume system bandwidth, memory, and/or processing time
- Interrupt routing information, state information, and physical network components
- Impede communications between legitimate users and the targeted system
RELATED: How to Prevent Spam Attacks – Protecting Your Inbox
Some attackers also rely on malware to try and max out processor usage, exploit errors in an operating system, create errors in sequencing and the microcode of machines, or to actually crash the targeted system completely.
Common Security Protocols
Just as with other internet security concerns, developers have been hard at work in creating programs to try and block DDoS incursions. Firewalls can be set up to include simple rules that either allow or deny system access from different ports and IP addresses. Advanced switches and routers often include rate limiting, delayed binding, and traffic shaping capabilities that can help provide system wide protection. However, these security measures are typically only capable of defending a system against simple incursion attempts. More complex DDoS attacks require advanced security systems. Some systems are in place, such as scrubbing centers or DDS based defense systems, yet these programs are often specialized and not effective at providing comprehensive protection.
A Smarter (Better?) Alternative
Recently, some forward-thinking service providers have begun to employ a smarter, behavior-based security approach that’s already being employed by certain online retailing, finance, and credit card companies to help analyze consumer spending habits. Unlike other security measures, this method follows the full cycle of the packet that a system receives, specifically the system resource that the packet is intended for, that resource’s ability to process the packet’s request, and the content of that request being sent back to the source.
RELATED: Is the Next Cloud Storage Evolution Here?
This method monitors traffic by utilizing a unique algorithm which assigns a risk score to all two-way traffic being run through the system. Depending upon the resources of the targeted system application and the response time triggered by an incoming request, the algorithm can raise the risk score to the point of identifying an attack in progress and immediately trigger a drop of that high-risk traffic.
Perhaps the most attractive feature of this new behavior-based security method is that it is essentially self-learning. As new attacks are launched, the algorithm updates to include the characteristics of that attack, allowing it to recognize those features much faster in the future. This allows it to differentiate erratic from consistent traffic and recognize legitimate users from attacking programs intent on causing harm. The obvious drawback is that one is placing the security of business-critical data into the hands of a fluid, signatureless program as opposed to tuned, threshold-driven security protocols.
The threat of DDoS isn’t something that can completely be eliminated, especially given the rate at which attackers are developing new strategies such as multivector and application layer attacks designed to overcome current security protocols. Thus, the need for an intelligent “on-site” solution is needed in order to protect the performance capacity of those business applications that users consistently call upon, By employing smart, behavior-based methods of DDoS mitigation, organizations may be able to outthink their attackers, ensuring that they remain one-step ahead in the constant struggle to defend the performance capability of their systems.
Top image ©GL Stock Images