DDoS Mitigation

What is DDoS Mitigation?

The term ‘DDoS mitigation’ refers to the process of successfully protecting a target from a distributed denial of service (DDoS) attack.

A typical mitigation process can be broadly defined by these four stages:

DDoS Mitigation Stages
  1. Detection – The identification of traffic flow deviations that may signal the buildup of a DDoS assault. Effectiveness is measured by your ability to recognize an attack as early as possible, with instantaneous detection being the ultimate goal.
  2. Diversion – Traffic is rerouted away from its target, either to be filtered or completely discarded.
  3. Filtering – DDoS traffic is weeded out, usually by identifying patterns that instantly distinguish between legitimate traffic (i.e., humans, API calls and search engine bots) and malicious visitors. Responsiveness is a function of your being able to block an attack without interfering with your users’ experience. The aim is for your solution to be completely transparent to site visitors.
  4. Analysis – Security logs are reviewed to gather information about the attack, both to identify the offender(s) and to improve future resilience. The process's effectiveness relies on the existence of detailed security logs that can offer granular visibility into the attack traffic.

Diversion Techniques: DNS vs BGP Routing

The above described process relies on rerouting mechanisms that can divert attack traffic away from its target.

In most cases, a mitigation solution will use either DNS (Domain Name System) or BGP (Border Gateway Protocol) routing to divert attack traffic. This choice will define its functionality and the type of security features it can offer.

  • DNS routing (a.k.a., DNS redirection) is a method commonly used by always-on DDoS mitigation services.

    DNS routing is activated by changing your CNAME and A record, so as to point them to the IP(s) of your mitigation provider. Afterward, DNS initially routes all incoming HTTP/S requests to your provider’s scrubbing servers, where malicious requests are dropped and legitimate ones are forwarded.

    DNS redirection is only truly effective in the mitigation of application layer attacks. It does, however, have the side benefit of masking your domain’s IP address. This offers some measure of protection against direct-to-IP network layer attacks.

  • BGP routing is a manually activated solution. It mitigates network layer DDoS assaults directly targeting the IP addresses of your hosting server(s) and other network assets.

    Activated by way of a BGP announcement, it diverts all network layer packets from your IP address(es) to your mitigation provider’s scrubbing servers. There malicious packets are filtered out, with the remainder being forwarded to your systems via a secure GRE tunnel.

    BGP routing is the most comprehensive traffic diversion method. It’s effective across all protocols, offering protection from all types of network and application layer assaults.

    BGP routing benefits are offset by its having to be manually activated. This may slow response times and cause some attack traffic to leak through.

Deciding between DNS and BGP based solution usually boils down to the question of: what type of attacks am I more likely to face?

From a security point of view, however, it’s considered best practice to use DNS and BGP routing in conjunction, the former for protection against application layer assaults and the latter defending against direct-to-IP attacks and other network layer threats. This is why, today, it’s common to have both methods offered to you by the same mitigation provider.

Choosing a Mitigation Provider

Besides the method of traffic diversion, there are several other key aspects you must consider when choosing a mitigation provider. These include:

Network Capacity

Network capacity remains a great way of benchmarking a DDoS mitigation service. It’s measured in Gbps (gigabits per second) or Tbps (terabits per second) and reflects overall scalability available to you during an attack.

For example, a 1 Tbps network can theoretically block up to the same volume of attack traffic, minus the bandwidth required to maintain its regular operations.

Most cloud-based mitigation services offer multi-Tbps network capacity—well beyond what any individual customer might ever require. On-premise DDoS mitigation appliances, on the other hand, are capped by default—both by the size of an organization’s network pipe and the internal hardware capacity.

Processing Capabilities

In addition to throughput capacity, consideration should also be given to the processing capabilities of your mitigation solution. They’re represented by forwarding rates, measured in Mpps (millions of packets per second).

Today it’s not uncommon for attacks to peak above 50 Mpps, with some reaching as high as 200 – 300 Mpps and more. An assault exceeding your mitigation provider’s processing power will topple its defenses, which is why you should inquire about such a limitation upfront.

Time to Mitigation

Once an attack has been detected, time to mitigation is critical. Most assaults can take down a target in a matter of minutes and the recovery process can take hours. The negative impact of such downtime can potentially be felt by your organization for weeks and months ahead.

By providing preemptive detection, always-on solutions have a distinct advantage here. They offer near-instant mitigation—often protecting organizations from the first salvo during any assault.

But not all always-on solutions offer such a response level. This is why inquiring about time to mitigation should be on your checklist when evaluating a DDoS protection provider, in addition to testing it during a service trial.

Network Layer Mitigation Techniques

Various service providers have different methods of protecting from network layer (OSI layer 3-4) DDoS attacks, some of which are less preferable than others:

  • Null routing – Null routing (a.k.a., blackholing) directs all traffic to a non-existent IP address. Its downside is that it’s likely to cause a high ratio of false positives—the disposal of malicious and legitimate visitors alike.
  • Sinkholing – This method diverts malicious traffic away from its target, usually using a list of known malicious IP addresses to identify DDoS traffic. While not as indiscriminate as null routing, sinkholing is still prone to false positives since botnet IPs can be also used by legitimate users. Moreover, sinkholing is ineffective against IP spoofing — a common feature in network layer attacks.
  • Scrubbing – An improvement on arbitrary sinkholing, scrubbing routes all ingress traffic through a security service. Malicious network packets are identified based on their header content, size, type, point of origin, etc. The challenge is to perform scrubbing at an inline rate without causing lag or otherwise impacting legitimate users.

Application Layer Mitigation Techniques

Being much stealthier than their network layer counterparts, application layer (OSI layer 7) DDoS attacks typically mimic legitimate user traffic to evade security measures. To stop them, your solution should have the ability to profile incoming HTTP/S traffic, distinguishing between DDoS bots and legitimate visitors.

During mitigation service trials, testing its application layer defenses is essential. Effective filtering uses cross-inspection of HTTP/S header content and behavioral patterns, in addition to IP and Autonomous System Number (ASN) information. Many security services also use different types of challenges, such as testing each request for its ability to parse JavaScript and hold cookies.

It’s equally important to verify that the service doesn’t overuse CAPTCHAs, “delay pages” and other such filtering methods that only serve to annoy legitimate visitors.

Protection of Secondary Assets

Your network infrastructure likely comprises a number of servers and other IT assets. These may include web servers, DNS servers, email servers, FTP servers and backoffice CRM or ERP platforms. In a DDoS attack scenario, they might also be targeted by a perpetrator, causing downtime or otherwise paralyzing your business.

Assess your entire network infrastructure risk and determine which components need to be protected. At a minimum, bear in mind that your DNS service is one of the most common attack targets and your single point of failure.

Pricing and SLA

Pricing for DDoS mitigation services range from flat monthly fees to pay-as-you-go.

The latter is based on cumulative attack bandwidth (e.g., 50 Gbps/month) or cumulative number of hours under attack (e.g., 12 hours/month). Since a DDoS assault can last several hours or days (and sometimes weeks), such costs can quickly get out of hand. This is why a flat monthly fee is generally preferable for long-term agreements.

The mitigation provider’s service level agreement (SLA) is another important consideration—sometimes more so than the price. Here, be sure to check it for the following:

  • Uptime guarantee – Five nines (99.999%) represents the best case. Anything below three nines (99.9%) is unacceptable.
  • Protection levels – As described herein, the provider’s SLA should define attack types, size and duration that it covers.
  • Support service level – The SLA should spell out the provider’s response times for support issues. These are usually defined based on problem severity levels.

Generalist or Specialist

A diverse range of technologies, services and providers comprise the DDoS mitigation market.

Specialty companies having a security focus provide more advanced solutions—typically with experts dedicated to ongoing security research and round-the-clock monitoring of new attack vectors.

Generalists, such as ISPs and hosting providers, offer basic mitigation solutions as an “add-on” to their core services, with the aim of upselling them to existing customers.

Mitigation services offered by generalists may be adequate for small, simple attacks. But if your online applications are essential to day-to-day business operations, a specialist provider is the best and lowest risk choice for your organization.