June 14, 2017
Contributor: Kasey Panetta
Three techniques for responding to distributed denial of service attacks.
In 2012, a series of large banks in the U.S. began experiencing distributed denial of service (DDoS) attacks. What was particularly unusual about these attacks, later attributed to Iran, was that the attackers posted online which banks they would target and when. Despite knowing when the attacks were coming, the banks were largely defenseless against the large, sophisticated attacks, which went on for a period of six to nine months.
In 2012, most DDoS attacks targeted the financial industry, but the attacks have since become widespread across most industries, from government agencies to local schools. A large attack on Dyn took down sites including Amazon and Netflix, and a French hosting vendor also saw a large attack.
While these large attacks may dominate the headlines, they’re not what dominates the DDoS landscape.
“This is not the mainstream stuff, most of you won’t deal with an attack this size,” says Lawrence Orans, research vice president, at the Gartner Security & Risk Summit 2017. Most attacks are in the 20 to 30 Gbps or less range, while the largest attacks have been reported at 1.2 terabits per second. There are really two types of attacks occurring, volumetric and application-based. While enterprises should be protected against both, volumetric is the simpler and more common attack.
However, DDoS attacks have evolved almost yearly, most recently centering on IoT devices. Enterprises should look into mitigation options as a way to protect and defend against these attacks.
The most common DDoS mitigation option is a scrubbing center. When an enterprise with a scrubbing center detects DDoS traffic, it can choose to divert all of its traffic, good and bad, to the nearest scrubbing center. There, the bad traffic is scrubbed out, and the good traffic is sent on to the site. This option is good for multi-ISP environments and can be used to mitigate both volumetric and application-based attacks.
For those who have scrubbing centers but would like more protection, some vendors will actually place a device in your data center, but the cloud-based option is more cost-effective.
The second option is to buy DDoS mitigation as a feature from your ISP. The ISPs have their own scrubbing centers internally and, for a premium, will monitor your site and mitigate attacks. In this circumstance, the ISP operates as a one-stop shop for bandwidth, hosting, DNS, and DDoS protection.
Quality will depend on the experience level of the ISP: some have been offering this for a while, and others are just getting into the game. Some ISPs won’t offer this option at all.
The third option is a content delivery network (CDN). Big CDNs have over 200,000 servers caching content globally, so pieces of the website are distributed or cached all over the world. This creates a better experience with less latency for users. It can also be a good mitigation technique: a website served from many servers around the world, rather than from a single origin server, is much more challenging to take down.
This is a good option for enterprises that are already CDN customers, as there is preparation that needs to be done ahead of time before a CDN can be used at all.