DDoS attacks: know your enemy

Published: Friday, 22 April 2016 07:29

Andreas Åsander looks at how knowing your attacker’s location is the latest weapon in the fight against DDoS attacks.

Distributed-denial-of-service (DDoS) attacks are more frequent today than they’ve ever been, according to the latest report by Verisign.  In the final quarter of 2015, DDoS attacks globally rose by 85 percent compared with the previous year – and 15 percent on the previous quarter alone.  Not only that – they’re also getting more dangerous, deploying higher volumes of packets than ever before.

DDoS attacks aren’t just an annoyance; they can be extremely damaging.  Offline websites and networks are non-trading websites and non-operating networks, which can lead to substantial revenue losses. And they’re a more insidious form of cyberattack than you might think; research by Kaspersky has suggested that around a third of all DDoS attacks coincide with a network intrusion, which can lead to loss of sensitive data.

Fortunately, there are some simple defensive tactics available, all of which make your network less vulnerable to DDoS disruption. These include:

These are all well-established defensive measures, which many organizations may already have in place as part of the overall information security posture. After all, network segmentation isn’t just good practice from a DDoS defense / defence point of view; it also protects the network against damaging APT attacks, for example. However, as DDoS attacks continue to proliferate, it’s clear that we need additional defensive measures against them.

Knowing your enemy

We’ve all heard the old adage ‘know thy enemy’ – and this is particularly relevant to DDoS attacks.  Most botnets, which are the originating point for DDoS attempts, are centered / centred in a particular geographic location or group of IP addresses, and the majority of botnet command and control centers worldwide are actually located in a small list of countries, which includes China, Ukraine, Russia, Pakistan, and Turkey.  By establishing the locations – i.e. the unique IP addresses – from which the attacks originate, it’s possible to dramatically reduce the impact of an attack, in real time, by blocking those IP addresses.

This can be done by advanced next-generation firewalls, using a feature called geographic IP (GeoIP) blocking.  It works by generating an ongoing ‘heat map’ of where traffic arriving at the firewall or gateway originates from.  Using GeoIP, organizations’ IT and security teams can use the security gateway’s management console to get a real-time, highly visual overview of the traffic volumes hitting their network – and are able to quickly identify any unnatural traffic patterns that could signal the start of a denial-of-service attack. 

If a DDoS attack is detected, the organization’s IT team can simply use the GeoIP feature to configure the security gateway to block the originating IP addresses in real time.  This way, the malicious traffic is rejected and simply bounces off the gateway, nullifying the impact of the attack and enabling the organization’s website and services to continue working, without significant interruption.

Closing your network’s borders

The great advantage of this approach is that it is flexible, enabling organizations to dynamically respond to what is actually happening on their networks.  GeoIP can also be used pre-emptively, as there are huge numbers of websites and domains that shouldn’t be connected to, because they are known to host or control botnets, or distribute malware. These IP addresses can be blocked in the gateway, to reduce exposure to potential attacks. 

There are also countries or geographic regions globally where your organization does not currently do business – and so it’s likely that traffic from hosts in these regions may be suspicious.  For example, if an organization that has no trading relationships in North Korea suddenly receives volumes of traffic originating from the country, it’s likely to be malicious activity.  So IP addresses from this and similar countries can be blocked, using GeoIP capability to act as a ‘border control,’ stopping undesirable traffic from reaching networks.

So when it comes to defending against DDoS attacks, establishing where the attack is being launched from is critical to being able to defend against it.  When you know this about your enemy, you can stop an attack in its tracks.

The author

Andreas Åsander is product manager for Clavister.