Evaluating DDOS Mitigation Services: Strategies and Implementation

Added on 2024/05/29
Defending Against DDOS Attacks
Executive Summary
A Distributed Denial of Service (DDOS) attack is a serious threat to organisations everywhere today. A DDOS attack happens when many compromised resources, whether computer systems or other devices, act together and attack the target at once, using their full resources to flood the target system, much like a horde of zombies. This is what makes the attack "distributed".
The flood can take the form of malformed packets sent over the internet, a large number of connection requests towards the targeted system, or a large number of incoming messages towards the targeted system, with the aim of making it crash, stop functioning or shut down entirely.
DDOS attacks misuse a vulnerability within the system and then exploit it with flooding. Several types of DDOS attack are quite dangerous today: protocol-based attacks, network-based attacks and application-based attacks.
The report below discusses potential ways to mitigate these attacks.
Table of Contents
Executive Summary
Table of Contents
Introduction
Quantitative Approach and Mitigation Service Scripts opted by Mitigation Service Providers
Type of Services Offered
Protection Policies
OPERATIONALLY
SUMMARY
References
Introduction
A DDOS (Distributed Denial of Service) attack is one of the most dangerous and unfortunate events for any online service, and premeditated attacks against an organisation's assets or infrastructure follow an increasing pattern. The necessity, feasibility and pricing of countermeasures all bear on how the risk and damage arising from DDOS attacks can be mitigated. Because a large number of consumers now have high-speed internet connections, it has become easier to launch DDOS attacks. Simply stated, in a DDOS attack the target system is attacked by multiple compromised systems at once, each using its full resources to flood the target. The flooding can take the form of malformed packets sent over the internet, a large number of connection requests towards the targeted system, or a large number of incoming messages towards the targeted system, with the aim of making it crash, stop functioning or shut down entirely.
Several types of DDOS attack are quite dangerous today. The popular types are protocol-based attacks, network-based attacks and application-based attacks. Protocol-based attacks target the network layer or transport layer of TCP/IP by exploiting vulnerabilities within the protocol stack. Network-based attacks consume a network's bandwidth by flooding packets onto it. Application-based attacks target vulnerabilities within the attacked application and exploit them. In each case the attack misuses a weakness of the target system and then exploits it by flooding or abusing it, causing the target system to crash or shut down.
Generally, an attack uses multiple zombies (compromised external systems) to flood the target systems with a huge number of requests, with the intention of overwhelming the system with network traffic so that it crashes, reboots or halts for some time. These attacks succeed against an unprotected system because such a system finds it very difficult to differentiate between genuine traffic and DDOS traffic.
Quantitative Approach and Mitigation Service Scripts opted by Mitigation Service Providers
Mitigation Service Providers use a number of scripts and tools to mitigate DDOS attacks. Many popular, simple, efficient and effective DDOS prevention and protection utilities, tools and scripts exist in the market for safeguarding cloud services. They give most server administrators the ability to protect their servers against the risk of DDOS attacks (Specht, 2004).
DDOS Deflate: A very popular and lightweight open source shell script that is installed and configured on servers to mitigate most DDOS attacks. Its most useful configuration options are:
- Automatic detection of rules for an Advanced Policy Firewall.
- Ability to temporarily block detected IP addresses for 30 minutes, or longer if required.
- Whitelisting and blacklisting of connections to the server, for allowing and blocking them respectively.
Fail2Ban: Its most useful configuration options are:
- Easy and quick configuration.
- Good compatibility with existing firewalls such as iptables.
- Whitelisting and blacklisting of connections to the server, for allowing and blocking respectively, with easy customization.
- Ability to detect and block automated brute force attacks.
- Time-based IP blocking, an add-on feature that is also very effective.
Fail2Ban is the best option for any type of web server that has SSH and a few other services running (Santanna, 2014).
Apache mod_evasive module: The mod_evasive module is the best fit for protecting Apache web servers from DDOS attacks. It also offers notification via syslog and email. The module is a sturdy performer with the added benefit that it adapts to real-time conditions by generating rules based on the following detected patterns:
- Multiple requests for the same web page or web site within a short interval of time.
- 50 or more concurrent connections to the same child process, evaluated per second.
- Requests from blacklisted IP addresses.
The following actions are taken to avoid DDOS attacks:
- The server administrator can limit access to web pages based on the number of requests made in a short interval of time from a specific IP, using the DOSPageCount option.
- Access to the entire website can be limited based on the number of connections from a particular IP, using the DOSSiteCount option.
- The DOSHashTable feature monitors access to the web server based on earlier visits and can decide whether to permit or block the connections.
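As an added illustration (not code from the report or from the mod_evasive project), the Python model below reproduces the two counters behind DOSPageCount and DOSSiteCount and replays a constructed request log through them; the interval and blocking-period values, the Evasive class and the replay helper are assumptions for this model.

```python
from dataclasses import dataclass, field
# DOSPageCount / DOSSiteCount are the directives named on the page; the
# interval and blocking-period values are assumptions for this model.
PAGE_COUNT = 2          # hits to one URI allowed per PAGE_INTERVAL seconds
SITE_COUNT = 50         # hits to the whole site allowed per SITE_INTERVAL
PAGE_INTERVAL = 1.0
SITE_INTERVAL = 1.0
BLOCKING_PERIOD = 10.0  # seconds a flagged IP keeps receiving 403

@dataclass
class Evasive:
    page_hits: dict = field(default_factory=dict)   # (ip, uri) -> (last_ts, count)
    site_hits: dict = field(default_factory=dict)   # ip -> (last_ts, count)
    blocked_until: dict = field(default_factory=dict)

    @staticmethod
    def _bump(table, key, now, interval):
        # The count resets once the gap since the previous hit reaches the interval.
        last, count = table.get(key, (now, 0))
        if now - last >= interval:
            count = 0
        count += 1
        table[key] = (now, count)
        return count

    def check(self, ip, uri, now):
        """Return the HTTP status mod_evasive would give this request."""
        if self.blocked_until.get(ip, -1.0) > now:
            return 403
        page = self._bump(self.page_hits, (ip, uri), now, PAGE_INTERVAL)
        site = self._bump(self.site_hits, ip, now, SITE_INTERVAL)
        if page > PAGE_COUNT or site > SITE_COUNT:
            self.blocked_until[ip] = now + BLOCKING_PERIOD
            return 403
        return 200

# Constructed sample log: "ip timestamp uri", one request per line.
SAMPLE_LOG = """\
203.0.113.5 1000.0 /index.html
203.0.113.5 1000.2 /index.html
203.0.113.5 1000.4 /index.html
203.0.113.5 1000.5 /about.html
198.51.100.7 1000.6 /index.html
203.0.113.5 1012.0 /index.html
"""

def replay(log_text):
    ev = Evasive()
    return [ev.check(ip, uri, float(ts))
            for ip, ts, uri in (l.split() for l in log_text.splitlines())]
```

The third hit on /index.html trips DOSPageCount, the fourth request is refused during the blocking period, the other client is untouched, and the first client is admitted again once the period has elapsed.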
Service providers implement hybrid DDOS protection and use the above-discussed scripts within their software to mitigate DDOS attacks, combining:
- On-Network DDOS Mitigation Equipment (up to 50Gbps)
- Cloud DDOS Scrubbing Service (up to 1000Gbps)
Type of Services Offered
The Service Provider offers the following DDOS Protection Services.
Clean-Pipe: This service offers basic protection of up to 50Gbps using On-Network DDOS Mitigation Equipment.
Global Off-Loading: This service offers premium protection of up to 1000Gbps using the Cloud DDOS Scrubbing Service.
Protection Policies
The Service Provider applies the following policies:
For a customer who DOES NOT subscribe to any DDOS Protection Service:
If an attack is greater than 10Gbps, the victim's IP subnet will be black-holed.
For a customer who has subscribed to the Clean-Pipe service:
If an attack is less than 50Gbps, the victim's IP subnet will be diverted to the On-Network DDOS Mitigation Equipment for scrubbing.
If an attack is more than 50Gbps, the victim's IP subnet will be black-holed.
For a customer who has subscribed to the Global Off-Loading service:
If an attack is less than 50Gbps, the victim's IP subnet will be diverted to the On-Network DDOS Mitigation Equipment for scrubbing.
If an attack is more than 50Gbps, the victim's IP subnet will be diverted to Global Off-Loading for scrubbing (Levenson, 2016).
If an attack is more than 1000Gbps, the victim's IP subnet will be black-holed.
OPERATIONALLY
For Type 1 customers:
Customers of this type are normally multi-homed, so it is common to propose an On-Premise Network Analyzer Appliance to perform flow traffic monitoring, network traffic profiling, customized detection policies and automatic diversion during an attack (Guo, 2015).
Instead of subscribing to "Clean-Pipe" from each of their upstream service providers, customers of this type would simply subscribe to "Global Off-Loading" for full protection.
For diversion of attack traffic to Global Off-Loading, the diverted prefix has to be at least a /24 (a /23, /22, /21, ... /16 is also acceptable).
Some customers would even add "On-Premise Mitigation" to handle shorter and smaller network, session and protocol attacks, such as slowloris attacks.
For Type 2 customers:
Customers of this type have the choice of subscribing to "Clean-Pipe" and/or "Global Off-Loading".
Since this type of customer uses the Service Provider's range of IP addresses, during an attack the "Clean-Pipe" service is able to divert a subnet as small as a /32. However, if an attack is huge and warrants "Global Off-Loading", an entire /24 subnet will be diverted.
Latency is key once traffic is diverted, so the customer would want to scrub traffic using "Clean-Pipe" as much as possible instead of "Global Off-Loading". Therefore, when selecting an Internet Service Provider for "Clean-Pipe", it is important to understand its On-Network Mitigation Capacity (Levenson, 2016).
For Type 3 customers, let's use 103.23.121.0/24 as an example. This Class C subnet is shared by four customers:
Customer A is assigned the IP subnet 103.23.121.0/26
Customer B is assigned the IP subnet 103.23.121.64/26
Customer C is assigned the IP subnet 103.23.121.128/26
Customer D is assigned the IP subnet 103.23.121.192/26
Let's assume each customer has subscribed to the following DDOS Protection services:
Customer A has NOT subscribed to any DDOS Protection Service.
Customer B has subscribed to "Clean-Pipe".
Customers C and D have subscribed to "Global Off-Loading".
The diversion policy can then be configured as follows:
If Customer A is under an attack of more than 10Gbps, the victim IP addresses will be black-holed (null-routed).
If Customer B is under attack, the attack traffic will be diverted to On-Network protection if it is less than 50Gbps. If it is more than 50Gbps, the victim IP addresses will be black-holed (null-routed).
If Customer C or Customer D is under attack, the attack traffic will be diverted to On-Network protection if the attack is less than 50Gbps, and to Cloud protection if it is more than 50Gbps and less than 1000Gbps. Note that the Service Provider will divert the entire /24 to Cloud Scrubbing, so Customers A and B will be affected even though they are not under attack (Yau, 2005).
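The protection policies, the /32 versus /24 diversion granularity of the Type 2 discussion and the Type 3 scenario above can be expressed as one decision function. The Python below is an added example, not the Service Provider's configuration; the decide function, the customer table and the handling of attacks at exactly 50 or 1000 Gbps are assumptions.

```python
from ipaddress import ip_address, ip_network

# Capacity thresholds stated in the report, in Gbps.
BLACKHOLE_UNPROTECTED = 10   # unprotected customer: black-hole above this
ON_NETWORK_CAPACITY = 50     # Clean-Pipe (On-Network equipment) ceiling
CLOUD_CAPACITY = 1000        # Global Off-Loading (Cloud Scrubbing) ceiling
CLOUD_MIN_PREFIX = 24        # Global Off-Loading diverts at least a /24

# The report's Type 3 example: one /24 split among four customers.
CUSTOMERS = {
    "A": (ip_network("103.23.121.0/26"), None),
    "B": (ip_network("103.23.121.64/26"), "clean-pipe"),
    "C": (ip_network("103.23.121.128/26"), "global-off-loading"),
    "D": (ip_network("103.23.121.192/26"), "global-off-loading"),
}

def decide(victim_ip, attack_gbps, customers=CUSTOMERS):
    """Return (action, diverted_prefix, affected_customers) for one attack.

    Assumptions not fixed by the report: an attack of exactly 50 or 1000 Gbps
    counts as exceeding that tier, and black-holing acts on the victim /32.
    """
    victim = ip_address(victim_ip)
    owner = next(n for n, (net, _) in customers.items() if victim in net)
    service = customers[owner][1]
    host = ip_network(f"{victim}/32")
    if service is None:
        if attack_gbps > BLACKHOLE_UNPROTECTED:
            return ("black-hole", host, [owner])
        return ("none", None, [])
    if attack_gbps < ON_NETWORK_CAPACITY:
        # Both tiers scrub small attacks on-network; a /32 can be diverted.
        return ("on-network", host, [owner])
    if service == "clean-pipe" or attack_gbps >= CLOUD_CAPACITY:
        return ("black-hole", host, [owner])
    # Cloud scrubbing takes the whole /24, so neighbours are diverted too.
    prefix = ip_network(f"{victim}/{CLOUD_MIN_PREFIX}", strict=False)
    affected = [n for n, (net, _) in customers.items() if net.subnet_of(prefix)]
    return ("cloud", prefix, affected)
```

Running the Customer C case at 300 Gbps returns the whole 103.23.121.0/24 with all four customers affected, which is the side effect the scenario warns about.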
Three well-known DDOS attacks are:
1. DNS Root server attacks
2. Dyn DNS Outage
3. Ping of Death
Motives of Attackers
1. The simplest goal is money, especially money obtained through blackmail.
2. Attackers showcase their capacity to bring down a network or an application by damaging it.
3. A few attackers showcase their skills to cyber mafia groups in order to be hired (Rao, 2011).
4. A few attackers do it just for fun.
Three DDOS Mitigation Service Providers are:
1. Akamai
2. Voxility
3. Imperva (Encapsula)
Their similarities are:
1. Protecting private IP infrastructures and hosted IP applications in the cloud, preventing saturated uplinks and offline IP applications
2. IP protection through an SSP portal with fully managed, SLA-backed DDOS protection
3. Volumetric (layer) attack protection
4. Application layer protection for DNS, HTTP, HTTPS and VoIP
5. Maximum protection for IPv4 and IPv6 subnets
6. Incoming data traffic at no cost
7. Creation by the user of a personal security layer per IP, specific to the application (Paxson, 2001)
Their differences are:
1. A big difference in uptime and uptime guarantee between the service providers.
2. Services including personnel training for better IP protection.
Which one is the Best?
Looking at the technology used, types, features, applications, costs, market share and services, my analysis finds that Imperva (Encapsula) suits best, for the following reasons:
1. Proxy caching and its availability
2. Total real scrubbing capacity in Gbps
3. Rate limiting of IP subnets and Layer 7 protocols
4. Automatic botnet blocking
5. A "magic black box" service that needs no user control
6. Analytics (Santanna, 2014)
SUMMARY
On-Demand diversion offers a flexible approach to DDOS protection while keeping operating costs low and network latency optimized. However, On-Demand "Cloud Scrubbing" has some operational caveats, so Always-On "Cloud Scrubbing" should also be explored. The scenarios above are simplified; in reality, most Mitigation Service Providers' actual scenarios are much more complicated. Many Cloud Scrubbing service providers market their service as unlimited protection. It is not possible to have unlimited bandwidth and unlimited mitigation capacity, so protection cannot truly be unlimited; in practice, as long as the provider has more than 2 to 3 Tbps of capacity, it is termed unlimited protection.
The defence should be prepared according to the attacks and the methods adopted for them, and it should be changed and upgraded continually to meet new challenges, with mitigation services upgraded according to the severity and criticality of the attacks.