Mitigating DDoS Attacks: Key Considerations for Effective Implementation
Before implementing a DDoS (Distributed Denial of Service) mitigation service, companies must consider several factors to ensure they receive the protection they need. According to expert Ed Moyle, understanding the steps needed to improve security is crucial in this process.
As Ed Moyle points out, there are two types of customers: those who use DDoS mitigation services and those who have never encountered DDoS attacks. The reason for this dichotomy is simple: even a single DDoS attack can cause significant losses to business operations, making DDoS mitigation a must-have service for many organizations.
A 2015 paper published by Leuven University and the State University of New York at Stony Brook, “Maneuvering Around Clouds: Bypassing Cloud-based Security Providers,” highlights the problems associated with popular cloud-based DDoS mitigation technology. The paper demonstrates how attackers can circumvent certain types of DDoS mitigation services, particularly those that rely on DNS rerouting, using a collection of origin-discovery vectors.
The Risks of DNS Rerouting
Many cloud-based DDoS mitigation services depend on DNS rerouting as their primary mechanism. This involves adjusting a customer’s DNS records to point to a traffic “scrubbing center,” which filters out malicious traffic and forwards only legitimate traffic to the protected website. However, this approach has a significant weakness: the original (origin) IP address of the protected site remains reachable, so an attacker who discovers it can send traffic to the origin directly and bypass the scrubbing center entirely.
The CloudPiercer tool, described in the paper, demonstrates this weakness by exposing the origin IP address of a protected site. Because such exposure lets attacks bypass the protection, organizations must understand the risks that come with DNS rerouting.
Implementation Considerations
To effectively mitigate DDoS attacks, organizations must consider several key factors during the implementation process:
- Source Address Discovery: Understanding whether the source (origin) address can be discovered is crucial when assessing and implementing cloud-based DDoS mitigation services. Large customers may need to choose between BGP-based and DNS-based redirection as their primary method of protection. While BGP introduces additional complexity, it is worth the effort in light of the source address discovery problem.
- Periodic Source Address Exposure Checks: Establishing a process to periodically check for source address exposure is vital. This can be done using vulnerability scanning tools, application testing tools, DLP tools, or custom rules to identify and address potential leaks. Self-examination and regular testing are also essential in maintaining a secure posture.
- Testing DDoS Attack Protection: Testing DDoS attack protection is crucial to ensuring that the service works as expected. This can be done as part of DR testing or other emergency-preparedness exercises. Reputable providers will not refuse such a request, and it gives them an opportunity to demonstrate their capabilities.
- Filtration and Detection Mechanisms: Companies should evaluate filtration and/or detection mechanisms to ensure they receive the protection they need. This may involve using an IDS or other detection control to alert the security team to suspicious connections initiated from the service provider.
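One way to implement the "custom rule" for periodic source address exposure checks described above, as an added example that is not part of the original article or of Ed Moyle's own guidance: audit the zone you publish and flag every address that falls outside the mitigation provider's prefixes. The provider prefixes, the zone records and the hostnames are all constructed placeholder values (RFC 5737/3849 documentation ranges), and the check reads a flattened record list rather than querying live DNS.

```python
import ipaddress

# Constructed placeholder prefixes announced by the scrubbing provider (not a real provider's ranges).
PROVIDER_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:100::/48")]

# Constructed example zone as (owner name, record type, value) tuples, documentation addresses only.
ZONE = [
    ("www.example.com", "A", "198.51.100.10"),       # fronted by the scrubbing center
    ("www.example.com", "AAAA", "2001:db8:100::10"),
    ("ftp.example.com", "A", "203.0.113.5"),         # forgotten host on the origin network
    ("example.com", "MX", "mail.example.com"),
    ("mail.example.com", "A", "203.0.113.5"),        # mail server shares the origin address
    ("example.com", "TXT", "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"),
]


def _covered(net, prefixes):
    """True when net lies entirely inside one of the provider's prefixes (same IP version)."""
    return any(net.version == p.version and net.subnet_of(p) for p in prefixes)


def _addresses_in_record(rtype, value, zone):
    """Yield (network, reason) pairs for every address a single record makes public."""
    if rtype in ("A", "AAAA"):
        yield ipaddress.ip_network(value), f"{rtype} record"
    elif rtype == "MX":
        # An MX target is a hostname; follow it to the in-zone A/AAAA records it points at.
        for name, t, v in zone:
            if name == value and t in ("A", "AAAA"):
                yield ipaddress.ip_network(v), f"MX target {value}"
    elif rtype == "TXT" and value.startswith("v=spf1"):
        # SPF ip4:/ip6: mechanisms publish whole ranges, often the origin's own network.
        for token in value.split():
            if token.startswith(("ip4:", "ip6:")):
                yield ipaddress.ip_network(token[4:], strict=False), "SPF mechanism"


def find_exposures(zone, prefixes):
    """Return [(owner, reason, network)] for each published address outside the provider's prefixes."""
    findings = []
    for name, rtype, value in zone:
        for net, reason in _addresses_in_record(rtype, value, zone):
            if not _covered(net, prefixes):
                findings.append((name, reason, str(net)))
    return findings


if __name__ == "__main__":
    for owner, reason, net in find_exposures(ZONE, PROVIDER_PREFIXES):
        print(f"{owner}: {net} exposed via {reason}")
```

Run against a real zone export on a schedule, any finding is a record to move behind the provider, renumber, or consciously accept.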
By understanding the risks associated with DNS rerouting, discovering the source address, testing DDoS attack protection, and evaluating filtration and detection mechanisms, organizations can stay ahead in the fight against DDoS attacks.