In our previous post in this series, we discussed how automation can save you invaluable time during a DDoS attack.
While it’s crucial to have an automated system in place that can quickly respond to attacks, it’s equally important to implement strategies that help achieve your goal of ensuring service availability to legitimate users.
After all, DDoS attacks are asynchronous in nature: You can’t prevent the attacker from launching an attack, but with the right strategies in place, you can be resilient to the attack.
Here, we’ll reveal three critical ways DDoS defense systems can stop the impact of attacks in their tracks while protecting your users:
Three Strategies for Blocking DDoS Attacks
Each of these three methods is known as a source-based DDoS mitigation strategy. Source-based strategies use the cause of the attack traffic as the basis for choosing what to block. The alternative, destination-based mitigation, relies on traffic shaping to keep the system from falling over.
While destination traffic shaping is effective at keeping a system from being overwhelmed during an attack, it is equally fraught with indiscriminate collateral damage to legitimate users.
Let’s take a closer look at each one:
1. Tracking deviation: A tracking deviation strategy works by observing traffic on an ongoing basis to learn what qualifies as normal and what represents a threat.
Specifically, a defense system can analyze data rates or query rates across multiple characteristics (e.g., BPS, PPS, SYN-FIN ratio, session rate) to determine which traffic is legitimate and which is malicious, or it may identify bots or spoofed traffic by their inability to answer challenge questions.
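The baseline-and-deviation idea above, as an added example that is not part of the original post or any vendor product: it learns a per-metric baseline (mean and standard deviation) from constructed "normal" samples of BPS, PPS, session rate and SYN:FIN ratio, then reports which metrics of a new sample deviate by more than k standard deviations. The metric names, the k=3 threshold, the two-metric rule in `should_mitigate` and all sample values are assumptions chosen for illustration.

```python
"""Baseline-and-deviation detector for DDoS rate indicators (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Assumed metric set; real systems track many more characteristics.
METRICS = ("bps", "pps", "sessions_per_s", "syn_fin_ratio")


@dataclass
class Sample:
    """One measurement window of traffic toward the protected destination."""
    bps: float
    pps: float
    sessions_per_s: float
    syn: int
    fin: int

    @property
    def syn_fin_ratio(self) -> float:
        # A window with many SYNs and no FINs is itself a SYN-flood signal,
        # so treat "no FINs" as a very large ratio instead of dividing by zero.
        return self.syn / self.fin if self.fin else float(self.syn)


class DeviationTracker:
    def __init__(self, k: float = 3.0):
        self.k = k  # number of standard deviations that counts as abnormal
        self.baseline: Dict[str, Tuple[float, float]] = {}

    def learn(self, samples: List[Sample]) -> None:
        """Learn mean and population std-dev per metric from normal traffic."""
        for m in METRICS:
            vals = [getattr(s, m) for s in samples]
            self.baseline[m] = (mean(vals), pstdev(vals))

    def deviations(self, s: Sample) -> Dict[str, float]:
        """Return {metric: z-score} for metrics above k; empty if normal."""
        out: Dict[str, float] = {}
        for m in METRICS:
            mu, sigma = self.baseline[m]
            sigma = sigma or 1e-9  # constant baseline: avoid division by zero
            z = (getattr(s, m) - mu) / sigma
            if z > self.k:
                out[m] = round(z, 1)
        return out

    def should_mitigate(self, s: Sample, min_metrics: int = 2) -> bool:
        """Require several metrics to deviate at once to limit false positives."""
        return len(self.deviations(s)) >= min_metrics


# Constructed "normal" windows: ~1 Mbps, ~10 kpps, ~50 sessions/s, SYN:FIN ~1.05
NORMAL = [
    Sample(1.00e6, 10000, 50, 100, 95),
    Sample(1.10e6, 11000, 55, 110, 100),
    Sample(0.90e6, 9000, 45, 90, 88),
    Sample(1.05e6, 10500, 52, 105, 100),
    Sample(0.95e6, 9500, 48, 95, 92),
]
# Constructed SYN-flood window: bytes, packets and SYNs spike, sessions do not.
FLOOD = Sample(50e6, 2_000_000, 52, 50000, 90)
# Constructed ordinary window slightly above average.
QUIET = Sample(1.02e6, 10200, 51, 102, 97)


def build_tracker() -> DeviationTracker:
    t = DeviationTracker(k=3.0)
    t.learn(NORMAL)
    return t


if __name__ == "__main__":
    t = build_tracker()
    print("flood:", t.deviations(FLOOD), "mitigate:", t.should_mitigate(FLOOD))
    print("quiet:", t.deviations(QUIET), "mitigate:", t.should_mitigate(QUIET))
```

Note that the session rate in the flood window stays inside the baseline while bytes, packets and the SYN:FIN ratio do not; requiring more than one metric to deviate before acting is what keeps a single noisy counter from triggering mitigation against legitimate bursts.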
2. Pattern recognition: A pattern recognition strategy uses machine learning to parse unusual patterns of behavior commonly exhibited by DDoS botnets and reflected amplification attacks in real time.
For example, DDoS attacks are initiated by a motivated attacker who leverages an orchestration platform that provides the distributed weapons with instructions on how to flood the victim with unwanted traffic. The common command and control (C&C) and distributed attack exhibit patterns that can be leveraged as a causal blocking strategy.
3. Reputation: To utilize reputation as a source-based blocking strategy, a DDoS defense system will use threat intelligence provided by researchers of DDoS botnet IP addresses, in addition to tens of millions of exposed servers used in reflected amplification attacks.
The system will then use that intelligence to block any matching IP addresses during an attack.
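The reputation lookup described above, as an added example that is not part of the original post or any vendor product: sources are matched by longest prefix against a constructed threat-intelligence feed of blocklisted addresses and ranges, and the match is only enforced while the system is in an attack state, as the post describes. The feed entries use documentation address ranges and the `decide` policy is an assumption for illustration.

```python
"""Reputation-based source blocking gated on attack state (added example)."""
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ReputationList:
    """Longest-prefix match of a source address against a threat-intel feed."""

    def __init__(self, entries: Iterable[str]):
        nets: List[Network] = []
        for e in entries:
            # strict=False lets feed lines like 198.51.100.5/24 parse as the /24.
            nets.append(ipaddress.ip_network(e.strip(), strict=False))
        # Most-specific prefixes first so the first hit is the longest match.
        self.nets = sorted(nets, key=lambda n: n.prefixlen, reverse=True)

    def match(self, ip: str) -> Optional[str]:
        """Return the matching feed prefix as a string, or None."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None  # malformed source strings never match
        for n in self.nets:
            if addr.version == n.version and addr in n:
                return str(n)
        return None


def decide(rep: ReputationList, src_ip: str, under_attack: bool) -> str:
    """Block reputation hits only while an attack is in progress."""
    if not under_attack:
        return "allow"
    return "block" if rep.match(src_ip) else "allow"


# Constructed feed: a botnet /24, one exposed reflector host and an IPv6 range.
FEED = [
    "198.51.100.0/24",
    "203.0.113.7",
    "2001:db8:bad::/48",
]
REP = ReputationList(FEED)

if __name__ == "__main__":
    for ip in ("198.51.100.200", "203.0.113.7", "203.0.113.8", "2001:db8:bad::1"):
        print(ip, REP.match(ip), decide(REP, ip, under_attack=True))
```

Gating on attack state matters because reputation feeds are coarse and age quickly: an address that hosted an open reflector last month may carry ordinary users today, so enforcing the list only while the deviation or pattern detectors report an attack limits the collateral damage.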
Source-based strategies do, however, have the significant advantage of keeping legitimate users from being blocked, thereby reducing downtime and preventing unnecessary lost profits.
Knowing that, it’s safe to say that these three mitigation strategies are all well worth the investment.