DDoS has become an ever-increasing problem and buzzword over the last couple of years. Although the term gets tossed around a lot, few people truly have a good understanding of the scope of the situation or of what the legitimate mitigation options are.
For those of you who are not familiar with the term or what it stands for: a Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. This occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic.
These attacks are most often carried out by infected PCs that are unknowingly participating in attacks against other devices on the Internet. We have seen attacks with participants in the hundreds of thousands on numerous occasions on our network. With today's high-speed Internet and readily available bandwidth, attacks have become larger in both scale and duration.
Who is at risk of becoming a target of DDoS attacks? Anyone connected to the Internet is a potential participant in, or target of, a DDoS attack. Typically, though, your average end users aren't high-probability targets. Adhering to good online practices can help ensure that they don't become an unwilling participant or a potential target.
Gamers are the most frequently attacked users we see on our network, particularly Xbox Live users; Xbox Live traffic is a common conversation to see right before a DDoS attack. Gaming is the number one cause of and target for DDoS attacks, accounting for more than 45% of all attacks, according to one online source. Most of the time the attacks are provoked by trash talk, or by motivated players seeking a competitive edge by rendering the targeted player helpless for the duration of the attack.
Financial services are another common target for DDoS attacks, but for a different reason. The attackers are usually seeking financial gain through cyber-extortion, which aims to blackmail banks into paying high ransoms either to avoid having their sites and services taken down or to have them brought back online after an extensive attack.
Although ISPs (Internet Service Providers) are rarely the intended target of these attacks, unfortunately for us and our users, we feel the brunt of them when the target is on our network, as shared network resources are consumed and exhausted. Mitigation has proved to be a challenge due to the distributed nature of the attacks: you cannot simply write an access list to block one source address out on the network. Bots are distributed across multiple networks, making it almost impossible to stop the source traffic.
The second problem we face is that even if we could drop all source addresses with access lists, we would have to do it after the traffic had already entered our network, by which point it has already saturated our uplink.

About the best and only true way to deal with a DDoS attack, other than to grin and bear it, is to have strategically placed software probes in your network that sniff traffic and, in the event of an attack, steer all affected traffic to a third-party datacenter that has the capacity to swallow the entirety of the attack, scrub the affected traffic and send only the clean bandwidth on to your network. This gives you dynamic and automated protection from DDoS. Solutions that rely on human identification and intervention, such as provider Remotely Triggered Black Holes (RTBH), can be somewhat effective but are slow and reactive. Fully automated solutions have proven to be extremely cost prohibitive and are usually marketed to premier customers with deep pockets.

In most cases, we have seen that purchasing extra bandwidth to absorb DDoS is cheaper per megabit per second than buying DDoS mitigation. The typical per-megabit cost of buying bandwidth from an uplink provider has a broad range, depending greatly on your location and transport cost, but it has proven to be much cheaper than DDoS mitigation, which we have seen priced around $7 per meg. Given this extremely high cost of mitigation, and the fact that other mitigation techniques are for the most part ineffective and purely reactive for the time being, it looks like this will be a problem where we just have to buy the bandwidth and live with it, unless you deem your traffic important enough to buy a hosted solution.
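As an added illustration of the decision a probe in the architecture above has to make (example code written for this page, not the ISP's own tooling), the snippet below aggregates flow records per destination and separates three cases: traffic below a volume threshold, a flood from a handful of sources where a per-source access list is still viable, and a flood from thousands of sources where only diverting the destination's traffic to a scrubbing centre helps. The flow records, addresses, 10 Mbit/s threshold and 100-source cutoff are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a probe might export it: source, destination, bytes seen in the window."""
    src: str
    dst: str
    nbytes: int


def classify_destinations(flows, window_s, mbps_threshold, min_sources):
    """Aggregate flows per destination and decide how each one should be handled.

    Returns {dst: (verdict, mbit_per_s, distinct_sources)} where verdict is
    'normal' (below the volume threshold), 'acl' (volumetric but from fewer
    than min_sources addresses, so blocking individual sources is feasible) or
    'divert' (volumetric from many sources: the distributed case where only
    steering the destination's traffic to a scrubbing centre helps).
    """
    agg = defaultdict(lambda: [0, set()])  # dst -> [total bytes, set of sources]
    for f in flows:
        agg[f.dst][0] += f.nbytes
        agg[f.dst][1].add(f.src)
    result = {}
    for dst, (total, srcs) in agg.items():
        mbps = total * 8 / window_s / 1e6
        if mbps < mbps_threshold:
            verdict = "normal"
        elif len(srcs) < min_sources:
            verdict = "acl"
        else:
            verdict = "divert"
        result[dst] = (verdict, mbps, len(srcs))
    return result


def constructed_flows():
    """Constructed sample records for a one-second window (not real traffic); TEST-NET/RFC1918 addresses."""
    flows = []
    # Ordinary web traffic: 10 clients, 20 flows each, 1500 bytes per flow (2.4 Mbit/s).
    for c in range(10):
        flows += [Flow(f"198.51.100.{c}", "203.0.113.20", 1500) for _ in range(20)]
    # One noisy host hammering a second server: 1000 flows of 1500 bytes (12 Mbit/s, one source).
    flows += [Flow("198.51.100.77", "203.0.113.30", 1500) for _ in range(1000)]
    # A distributed flood: 5000 bot sources, one 1500-byte flow each, one target (60 Mbit/s).
    flows += [Flow(f"10.0.{i >> 8}.{i & 255}", "203.0.113.10", 1500) for i in range(5000)]
    return flows


if __name__ == "__main__":
    for dst, (v, mbps, n) in classify_destinations(constructed_flows(), 1, 10.0, 100).items():
        print(f"{dst}: {v:7s} {mbps:6.1f} Mbit/s from {n} sources")
```

In a real deployment the threshold would come from a per-destination baseline rather than a constant, but the source-diversity test is what tells the access-list case apart from the one that needs diversion.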