DDoS attacks can vary widely in their scale, persistence, and goals. They can also vary in their intended target: sometimes it will be a server, while at other times it will be an intermediate device such as a router or firewall. Each attack depends on the attacker’s motivation, skillset, and available resources.
Common Attack Methods
Researchers and threat actors have discovered a wide variety of ways to carry out DDoS attacks. It can be helpful to organize them into these categories:
Malformed requests that are meant to crash or otherwise adversely affect the targeted system.
Legitimate requests that are sent for illegitimate purposes.
Volumetric attacks, designed to flood the target with an overwhelming volume of traffic, whether raw packets or (seemingly) legitimate requests, until bandwidth or processing capacity is exhausted. This is the most common, and usually the most dramatic, form of DDoS.
How Not to Mitigate a DDoS Attack
For many victims, being on the receiving end of a DDoS is bewildering. Many security solutions do not provide full visibility into incoming traffic, so when a DDoS occurs, often the only thing the victim knows for sure is that its web applications have stopped responding to customers.
The problem is exacerbated when the targeted network relies on an on-premises security appliance. These devices require continual maintenance, patching, and updating to stay current. When a new attack technique is seen in the wild, it often takes time for the vendor to issue a patch, and for busy staff members to install it. Meanwhile, the organization's web applications remain exposed.
A worse problem is that on-premises security solutions are, by their nature, unable to fully mitigate a modern DDoS. A volumetric attack can saturate the incoming internet pipe before the attack traffic ever reaches the on-premises appliance for filtering. The upstream ISP, to protect its own network, may then blackhole (null-route) all traffic destined for the target, which cuts the targeted network off from the Internet entirely. (Which is exactly the result that the attacker was hoping to achieve.)
Successful DDoS Mitigation
An effective defense against DDoS attacks requires multiple things:
Traffic scrubbing that occurs upstream of the targeted network's internet pipe (at the ISP or in the cloud), so that attack traffic is removed before it can saturate the link.
Dynamic processing (going beyond packet inspection to maintain session context and analyze resource usage over time).
Comprehensive protection (against all known forms of DoS and DDoS).
Immediate and automated updates as new forms of attack arise.
Autoscaling of bandwidth and other resources to absorb even massive volumetric attacks.
Full visibility into incoming traffic (showing all details for all requests).
The ability to accurately identify and track individual requestors even as they attempt to evade rate limiting (for example, by switching IP addresses).
A single-tenant environment, so that each protected network is not affected by DDoS attacks aimed at others.
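The points above about dynamic processing (maintaining session context and analyzing resource usage over time) and about tracking requestors who rotate IP addresses can be made concrete with a small sliding-window detector. The following is an added example written for this page, not code from the original article or from any vendor product. It assumes a constructed access-log format with five whitespace-separated fields (timestamp, client IP, a stable client fingerprint such as a TLS fingerprint or session cookie, request path, and server CPU milliseconds spent on the request); the log lines, field names, and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log (not from any real system). One attacker walks
# through six source IPs but keeps the same client fingerprint ("fp-abc"),
# issuing expensive search requests one second apart. One legitimate client
# ("fp-xyz") makes two cheap requests thirty seconds apart.
# Fields: timestamp ip fingerprint path cpu_ms
SAMPLE_LOG = """\
2024-01-01T00:00:00 203.0.113.10 fp-abc /search?q=a 40
2024-01-01T00:00:00 198.51.100.7 fp-xyz /index.html 2
2024-01-01T00:00:01 203.0.113.11 fp-abc /search?q=b 45
2024-01-01T00:00:02 203.0.113.12 fp-abc /search?q=c 50
2024-01-01T00:00:03 203.0.113.13 fp-abc /search?q=d 55
2024-01-01T00:00:04 203.0.113.14 fp-abc /search?q=e 60
2024-01-01T00:00:05 203.0.113.15 fp-abc /search?q=f 65
2024-01-01T00:00:30 198.51.100.7 fp-xyz /about.html 2
"""


def parse(log_text: str) -> List[dict]:
    """Parse the assumed five-field log format into records sorted by time."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, fingerprint, path, cpu_ms = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "fingerprint": fingerprint,
            "path": path,
            "cpu_ms": int(cpu_ms),
        })
    records.sort(key=lambda r: r["ts"])
    return records


def detect(log_text: str,
           key_field: str = "fingerprint",
           window_s: int = 10,
           max_requests: int = 5,
           max_cpu_ms: int = 200) -> Dict[str, Dict[str, int]]:
    """Sliding-window detector keyed on an arbitrary requestor attribute.

    For each requestor (identified by key_field) keep the requests seen in
    the last window_s seconds and flag the requestor when either the request
    count or the summed server CPU time in that window exceeds its threshold.
    Returns {requestor_key: {"requests": peak_count, "cpu_ms": peak_cpu}}
    for every requestor that was flagged at least once.
    """
    window = timedelta(seconds=window_s)
    history: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    flagged: Dict[str, Dict[str, int]] = {}

    for rec in parse(log_text):
        key = rec[key_field]
        recent = history[key]
        recent.append((rec["ts"], rec["cpu_ms"]))
        # Evict entries that have fallen out of the window.
        while recent and rec["ts"] - recent[0][0] > window:
            recent.popleft()

        count = len(recent)
        cpu = sum(c for _, c in recent)
        if count > max_requests or cpu > max_cpu_ms:
            peak = flagged.setdefault(key, {"requests": 0, "cpu_ms": 0})
            peak["requests"] = max(peak["requests"], count)
            peak["cpu_ms"] = max(peak["cpu_ms"], cpu)

    return flagged


if __name__ == "__main__":
    # Keyed on IP alone, every attacking address looks like a single cheap
    # visitor and nothing is flagged; keyed on the fingerprint, the rotating
    # attacker is caught on both the request-count and CPU-usage criteria.
    print("by ip:         ", detect(SAMPLE_LOG, "ip"))
    print("by fingerprint:", detect(SAMPLE_LOG, "fingerprint"))
```

The design point is that the identity used for rate limiting is a parameter, not hard-wired to the source address, and that the per-requestor state carries resource cost (here CPU milliseconds) as well as a plain request count. A requestor who stays under the count threshold but issues expensive requests is still caught on the CPU criterion.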