0

Distributed Denial of Service Attacks: Picking your Mitigation strategies

DDoS Attacks: What is it in a nut shell?

A distributed denial of service (DDoS) attack targets available services for legitimate users by flooding the
target with data connections from multiple sources. The attacker’s intentions are various and the attacks can
be either intermittent or continuous. Common targets are online businesses, e-Gaming operators,
government, retailers and financial websites. DDoS attacks are one of the major threats that have the
potential to impact a company’s revenue and brand reputation.

What types of DDoS Attacks are out there?

There are a number of DDoS attacks, but generally they all fit into one of two categories;

  1. Bandwidth Depletion Attacks (BDA): A bandwidth depletion attack floods a target network with
    unwanted traffic and prevents legitimate traffic from reaching the target system. Think of it as a
    Big Army Tank and its goal is to saturate the bandwidth link between the ISP and the customer.
  2. Resource Depletion Attacks (RDA): A resource depletion attack, on the other hand, reaches the target host and consumes all system resources so that the system cannot process legitimate
    network requests. Think of it as a Sniper and its goal is to target a specific resource with a ‘low n
    slow, under the radar’ attack methodology that takes out the server’s CPU and prevents that
    server from accepting any new requests.

ddos

BDA (Bandwidth Depletion Attack)
Red: Attackers
Green: Legitimate Users

ddos2

 

RDA (Resource Depletion Attack)
Red: Attackers – Low and Slow, under the radar
Green: Legitimate Users

What type of Protection & Mitigation strategies are out there for DDoS attacks?

There are three main types of Protection & Mitigation strategies;

  1. In-House DDoS Protection & Mitigation
  2. ISP DDoS Protection and Mitigation offering
  3. In-The-Cloud DDoS Protection & Mitigation

In-House-DDoS Protection & Mitigation

Overview: These are appliance based solutions that sit within the customer premises and is typically managed by the customer. This could be an IPS appliance, an NBA (Network Behaviour Analysis) appliance or a router / firewall that incorporate some IPS / NBA functionality. Typical players in this space include Top Layer, Tipping Point, Source fire (IPS), Arbour (NBA), Palo (Firewall with IPS functionality)…

Verdict: This strategy is only effective against RDA type of attacks. It offers no protection and
mitigation against BDA attacks as these attacks saturate the link between the ISP and the Customer.
BDA attacks are the most common type of attacks and thus, this strategy offers no real benefit for that particular environment.

ISP-DDoS Protection & Mitigation Offering

Overview: ISP can offer their customers a protection and mitigation services for both RDA and BDA based attacks, however there are limitations with this service for e-Gaming operators.

Verdict: This strategy is ideal for Small Medium Businesses. All operators are multi-homed. This means they have more than one ISP for network traffic entry and exit points. The customer would have to subscribe to both ISPs service which is costly. If cost is not an issue, this strategy is still not effective as each ISP is its own entity and as such, they do not have an overall picture of an attack.

In-The-Cloud DDoS Protection & Mitigation Offering

Overview: This is Computrad’s VeriSign offering and has strong merits within e-Gaming. In essence, VeriSign can protect and mitigate before the attack reaches the ISP. The diagram below illustrates how the solution works, but essentially;

  1. VeriSign will take ‘network’ feeds from all the customers entry and exit points (complete picture)
  2. They will baseline the customer network, so they understand what type of traffic is expected on
    Wednesday at 11am and so on
  3. Anything they start to see which does not conform to these baselines will be discussed with the
    customer
  4. More often than not, VeriSign can mitigate an attack closer to the source or advise the customer
    how best to leverage their existing infrastructure to mitigate the attack
  5. If the attack is more sophisticated than what can be achieved in the above point, VeriSign can
    then swing the traffic to their data centre and then return the good traffic back to the customer

Verdict: This clearly fits within an e-Gaming operator’s environment and does not inherit the same draw backs as identified with the other solutions. VeriSign data centres are over-provisioned so they can absorb multi-gig attacks, in essence your Big Tank / Bandwidth Depletion Attacks. The only point to make is that they do not see application or more sophisticated RDA attacks until the traffic is swung. However, these type of attacks are more often mitigated by the customer’s own in-house appliances, if they have an Arbour solution VeriSign can tie into this to provide a complete layer 7 monitoring and mitigation solution. It’s also worth emphasising that once an attack is swung to VeriSign both BDA and RDA attacks can be mitigated.

Computrad

Leave a Reply

Your email address will not be published. Required fields are marked *