How Do You Protect Yourself Against a DDoS Attack?

The big problem with every DDoS attack is that it can cause major damage with relatively few resources. Not only because of the temporary unavailability of the attack itself, but also because of the costs of protection against DDoS attacks. That cost is quite high – think of several thousand euros per month – simply because it is technically not easy to protect against DDoS attacks.

Heuristic software

DDoS protection must be intelligent, because most DDoS traffic is barely distinguishable from legitimate traffic. It is therefore not a black and white choice, but a playing field with more than 50 shades of gray. To protect yourself against DDoS attacks, you need a heuristic approach, in which you work with pattern recognition.

For example, a certain number of ping requests to a server is normal, but from a higher level it is suspected. Because most of those borders are relative, it requires complicated software to make the right decisions. Moreover, that software must make these complicated decisions during a deluge of traffic.

Network capacity

At the same time, the network must also have been greatly expanded. After all, what is the benefit of having DDoS protection on your side of the line if your drums are ready to enter on your 1 Gbps 40 Gbps line? Our own figures at Nucleus show that about 80% of the attacks are less than 5 Gbps. But we do see a growth curve. Today, a 10 Gbps attack is no longer an exception. Worldwide, attacks of 400 Gbps have already been reported.

No conclusive solution?

The combination of complex heuristic software with a need for computing power and the development of a super network means that anti-DDoS tools are not cheap.

The question is therefore mainly how far you want to go in your protection against DDoS attacks. The characteristics of a DDoS attack ensure that there is no real solution. What is better? Protect you 95% of the time with a limited budget? Or spend a huge budget on safety during 99.99% of the time. An overview of some alternatives …

Blackholing

Blackholing is the most commonly used ‘protection’ against DDoS attacks. Blackholing is a technique where one decides to get the IP address of the victim from the internet by having all the traffic sent to it disappear into a ‘black hole’. Hence the name blackholing.

Blackholing means that we give the attacker his way and make his goal unattainable. This happens in the hope that he can put enough plumes on his hat and stops the attack. Since most DDoS attacks are the work of script kiddies , this is often effective. In addition, you try to hit the attacker in his purse via blackholing: after all, using a botnet costs money. The question is how much money the counterparty can and will continue to spend to attack you.

Blackholing is the weakest form of protection, because if the attacker is stubborn and has sufficient resources, you will stay offline for a long time.

Mitigation

A better form of DDoS protection is mitigation. Compare it to a car wash: all traffic goes into the car wash and all the dirt is washed away. Only the clean traffic comes from the car wash.

This is done by means of the heuristic software discussed earlier, which makes light-hearted decisions based on patterns on legitimate or unauthorized traffic. Today there are already specialized providers such as Incapsula, Akamai and DOSarrest who offer mitigation-as-a-service. They play as it were car wash before the ‘clean’ traffic is sent in your direction.

CDN versus DDoS?

It is also often suggested that Content Delivery Networks (CDN) are a solution against DDoS attacks. After all, CDN have been designed to manage a network of proxies around the world, so that very busy websites remain permanently online. Since CDN are designed to handle a great deal of traffic, they can therefore help in the fight against DDoS.

But CDN exist in many forms and some characteristics of CDNs ensure that they too remain vulnerable to DDoS attacks. For example, suppose you have a CDN that only caches the static content of your website and nevertheless takes the dynamic parts off your web server in real time. It then remains fairly simple to set up an attack that focuses on those items that are not handled by the CDN.

CDN can make it more difficult for attackers, but they are not anti-DDoS solutions.