If you’ve ever been to an airport, you can understand why a DDoS security strategy needs to be selective and flexible.
Just as airports screen passengers and baggage for suspicious items, DDoS mitigation devices screen networks for suspicious traffic.
But what would happen if an airport security department, after finding a series of suspicious objects, suddenly decided that everyone in the airport was a potential threat? The line-ups, bag searches, metal detectors, sniffing dogs and intensive questioning of passengers would quickly ground all the planes, and everyone would miss their flights.
This is analogous to what can happen when an improperly configured DDoS security system, looking for suspicious traffic, notices some and concludes that everything arriving is hostile. Instead of acting like a filter, it becomes a brick wall and your network availability plummets.
The other meaning of ‘stateless’
To understand how the problem can occur, it’s useful to distinguish between network devices that are either “stateful” or “stateless.”
A stateful device keeps track of the wider picture: every connection passing through it and the "state" each one is in. For example, says James McCloskey, an analyst at Info-Tech Research Group, a stateful device such as a firewall will check whether a connection is being negotiated, established and acknowledged, and then whether it is live and exchanging data.
By contrast, he says, a stateless device looks at every packet that comes in as an individual entity. When it comes to DDoS mitigation, that's a key distinction.
“In the DDoS protection world,” he says, “it’s actually fairly important to be stateless because you want to look at each packet as it’s coming in [and] determine whether or not it may in fact be part of a partial connection that someone is trying to establish.”
Partial connections look suspicious to your DDoS protection system simply because attackers aren't interested in actually connecting to your site. They're not there to find out about your products and services or to buy furniture. Their objective is to knock the site offline, and a flood of half-open connections that grinds your system to a halt, the classic SYN flood, is one of the oldest denial-of-service techniques there is.
“A lot of these DDoS attacks are in fact carried out by generating multiple connections and not completing the connection-negotiation process,” says McCloskey. “And so, resources are taken up on the target device waiting for the rest of the connection before it times out.”
This is why a traditional firewall, which allocates a state-table entry for every new connection it sees, can fail to stop such an attack (its own table fills up), and why a DDoS mitigation device that isn't properly tuned can seriously affect network availability by blocking too much. Either can be overwhelmed by a skilled hacker who sends out numerous initial connection attempts that back away at the last moment, he says.
DDoS mitigation is a personal issue—but you need help
As with firewalls, there is no one-size-fits-all DDoS mitigation product or service. A good network security device will be intelligent enough to distinguish legitimate traffic from bad traffic, but the people deploying it have to configure it properly and according to their organization's particular needs.
So, how do you ensure you’re protected from DDoS attacks yet avoid “throwing the baby out with the bathwater,” as McCloskey puts it?
First of all, recognize that no two organizations are the same. If you're deploying your own on-premises DDoS mitigation system, work closely with the vendor so you can fine-tune it to your specific needs, he says. Look at your applications and your infrastructure to determine what needs the most protection and what kind of protection. Certain applications, for example, can be protected in other ways.
This matters because in the middle of a DDoS attack you will face a choice: block everything, or block almost everything and accept that some malicious traffic gets through. Depending on the business, the second option may be better, says McCloskey. Your DDoS mitigation system blocks the most blatantly obvious threats "at the gates," and your other internal security controls take care of whatever slips in.
Leave it to the pros
While fine-tuning your own DDoS security tools with help from a vendor is sound in principle, it is also one more case where a cloud or managed services provider can be a better option than a do-it-yourself approach.
Dedicated DDoS mitigation products are relatively new and still maturing, which means there aren't many people with the requisite expertise. That's the first obvious reason why having a provider handle your DDoS security beats going it alone.
Another is simply that you can put more distance between your network and the malicious traffic. An on-premises device can only act on attack traffic after it has already crossed your Internet link, so even an unsuccessful attack consumes the bandwidth you pay for. According to McCloskey, his organization is seeing more and more customers move to a cloud-based solution for exactly this reason. Having a provider in the middle to absorb the impact before it reaches you will certainly lessen bandwidth costs.
Balancing costs is indeed at the core of any DDoS mitigation strategy, from weighing the cost of investing in DDoS protection against the cost of being offline for a few days, to deciding whether to rely on yourself or on a provider for that protection. But this balance is going to tilt in one direction: towards managed services.
That isn't only because prices will come down. Among hackers, the traditional high-bandwidth DDoS attack remains as popular as ever, and nobody wants that traffic on their doorstep. With few exceptions, having a cloud provider sitting between you and the attacker is the most logical way to keep it there.
Learn more by downloading ‘Planning Security Budgets: Quantifying the Financial Risk of DDoS,’ an Allstream white paper.