Author: Mark Stone
In February 2020, Amazon's Amazon Web Services (AWS) Shield service mitigated the largest distributed denial of service (DDoS) attack in history. At its peak, the attack threw 2.3 terabytes of traffic at an undisclosed AWS customer's network every second, ZDNet reported. Just how much is that? According to Amazon's threat landscape report from the first quarter of 2020, the February attack was approximately 44% larger than any network volumetric event previously detected by AWS.
The who, what, how and why of a DDoS attack
A DDoS attack is an amplified version of a denial of service (DoS) attack. In a DoS attack, a single source, usually a computer, maliciously floods a targeted resource—a web server, a network server or a computer—with more traffic than it can handle. Verizon's 2020 DBIR showed that DOS attacks were the number one attack vector in the tens of thousands of security incidents analyzed; more than half of all incidents had a DoS component at the center.
In a DDoS attack, the attack is distributed—meaning the attackers have multiplied the malicious traffic by using multiple compromised systems—which could include computers, servers, smartphones and other networked resources, such as Internet of Things devices—as attack sources. DDoS attacks can generate tremendous amounts of traffic, snarling the targeted server, service or network until it chokes.
Most DDoS attacks come from cybercriminals, but they can also come from nation-states, business competitors or would-be hackers testing their skills. Usually, attackers are after one of three goals: shutting down enterprise networks, services or applications; extorting money; or winning bragging rights.
Most attacks are small: Amazon reported that in the first quarter of 2020, 99 percent of attacks were smaller than 43 gigabytes per second. But high-profile attacks are getting bigger and bolder. In 2016, the Mirai botnet nearly toppled the internet, crashing major websites and crippling services such as PayPal and Netflix. And in March 2020, the Paris hospital authority was able to fend off an attack that sought to disable hospital services.
Identifying a DDoS attack in network security
The problem is that DDoS attacks' most common symptoms—traffic spikes and interrupted service—don't immediately register as suspicious. But analyzing those traffic spikes uncovers telltale attack markers, such as unusual or unnatural traffic patterns and suspicious traffic from a single IP address or device type.
It's easier to identify a DoS attack than it is a DDoS attack. A DoS attack can be identified by most intrusion detection systems and can be stymied with a firewall. Detection systems and firewall rules can sniff out a DDoS attack, but detection must be part of a broader strategy that includes prevention and defense.
Preventing DDoS attacks
It is difficult, but certainly not impossible, to defend against a DDoS attack in network security. Perimeter security doesn't often provide sufficient protection. To prevent DDoS attacks on the cloud, IT and security teams must ensure that the perimeter is secure and that firewall rules regarding dropping packets are firmly established.
Focus on prevention and mitigation. Some of the most common tools and strategies include:
- Content delivery networks, which automatically spread out traffic across thousands of servers, thus minimizing the chances that a tidal wave of toxic traffic overwhelms the targeted organization.
- Advanced firewalls, which add intrusion prevention and application-specific functionality to traditional firewalls
- Traffic scrubbing, which redirects malicious traffic to data centers to scrub attack traffic
- Source-rate limiting, which blocks excess traffic from the source of an attack
If your systems are down, the consequences could be inconvenient—or a disaster. Even an hour of downtime can compromise your bottom line.
For the best protection, seek out a managed services provider that can reduce the burden on your in-house IT teams and provide the intelligence to analyze traffic and defend against high-volume attacks.
Learn how Verizon's DDoS Shield technology can mitigate the effects of unexpected and unpredictable DDoS attacks.
The author of this content is a paid contributor for Verizon.