How to Prevent DDoS Attacks: Tools and Best Practices

A distributed denial-of-service (DDoS) attack aims to disrupt the day-to-day functioning of a victim’s server, service, or network by inundating it with excessive traffic. By overwhelming the target with a flood of requests, the attack can render the server or network inoperable – resulting in significant financial losses, or even inoperable security tools.

Protección DDoS Download DDoS Ebook

Tipos de ataques DDoS

We can split the DDoS attacks field into three core attack types, depending on the methods used.

Volume-Based Attacks

A server, whether virtual or physically-hosted, demands power to identify, retrieve, and send the requested file(s) back to the requesting device. The amount of data that can flow to and from a server at once is called bandwidth – think of it like a pipe through which data can move.

Volumetric attacks explicitly take advantage of this inherent resource limitation, blocking up the pipe with huge quantities of bogus traffic. The size of a volume-based attack is measured in bits per second (bps), and this volume is the foundational difference between Denial of Service and DDoS attacks.

In almost all DDoS attacks, this distribution comes from many different, attacker-controlled devices (botnets).

ICMP and UDP attacks are some examples of volumetric attack vectors.

  • When a server receives a UDP packet, it first needs to check whether there are any programs listening on the specified port.
  • If no program is available, the server sends back an error, notifying the sender that the destination is unreachable.

Note the fair amount of work demanded from the server: UDP floods take advantage of this and send large amounts of illegitimate UDP packets that force the server to check corresponding ports for services that aren’t running there: with enough packets, this cuts the server’s ability to handle genuine traffic.

Protocol or Network-Layer Attacks

These take advantage of the underlying processes that dictate how servers handle and respond to requests. For instance, the TCP/IP protocol demands the TCP three-way handshake. Before any data can be transferred, a SYN packet is sent to request a connection; the server then responds with a SYN/ACK packet, confirming it received it.

Finally, the client replies with an ACK packet – and then data can begin to be exchanged. Every TCP connection must adhere to this process.

A protocol-level attack takes advantage of these set, structured protocols:

  • SYN floods explicitly do this by flooding a target server with SYN packets from fake IP addresses.
  • The server responds to each SYN packet with SYN-ACK, and waits for the final ACK.
  • But, this never comes, leaving the server with numerous half-open connections that quickly fill up its resources.

This is why it’s common to see overlap between specific DDoS types in real-world attacks: a single handshake denial doesn’t bring a server down, but instead it relies on a large volume of handshakes being struck up.

Application-Layer Attacks

Application-Layer Attacks focus on the gap between web pages and their underlying server.

As an example, let’s explore SSL renegotiation.

  • When you browse a site, your browser and the server establish a secure connection through an SSL handshake – in which they exchange encryption keys and verify a device’s identity.
  • Keep browsing, and eventually the session times out, and SSL renegotiation occurs.
  • This updates encryption keys or re-authenticates as needed without starting a new session, appearing seamless.

In an SSL renegotiation attack, the attacker intercepts the client’s initial SYN message and repeatedly sends it to the server, making the server believe it’s continuously renegotiating with the original client.

A more famous application-layer attack is SlowLoris: this targets the HTTPS protocol, and the fact that a server can simultaneously maintain multiple HTTPS connections with one device. Each connection is then kept open for as long as possible. This, slowly but surely, reduces the free resources left available for the server.

Techniques Used in DDoS Attacks

Here are the most common techniques used with all common types of DDoS attacks:

Spoofing

This involves falsifying the source IP address in data packets. By altering or obscuring the packet’s header, attackers make it appear as though the traffic originates from a different location.

This prevents the victim from identifying and blocking the attack source, as IP addresses can be cycled out rapidly.

Reflection

Another obfuscation method, this sees attackers exploit third-party systems to direct malicious traffic to the victim.

By using the victim’s IP address as the source for requests, the attackers trick these external servers into responding directly to the victim.

Amplification

This takes reflection a step further by dramatically increasing the volume of traffic directed at the victim.

The attackers send small, spoofed requests to vulnerable servers, which then respond with significantly larger packets to the victim. Protocols like DNS, NTP, SSDP, and memcached are often platforms for amplification attacks, as they allow attackers to use open servers on the internet to drastically multiply their volumetric attacks.

How to Prevent DDoS Attacks with Protective Tools

DDoS attack prevention tools work by distributing the load of attacks, while filtering malicious requests. This means that attacks fail – even if they slip past defenses.

DNS Load Balancer

In DNS resolution, a user’s browser communicates with a DNS server to obtain the correct IP address for a desired website. This process of retrieving an IP address from a domain is known as a DNS query.

DNS-based load balancing leverages DNS to distribute traffic across multiple servers by returning different IP addresses in response to DNS queries. The selection of which IP address to provide is guided by specific rules or methods defined by the load balancer. A widely used technique for DNS load balancing is round-robin DNS, which systematically rotates through available IP addresses to distribute traffic evenly.

Anycast

Like DNS load balancing, anycast is a networking protocol that routes incoming traffic to multiple data centers or servers, based on proximity and availability. When under attack, this approach disperses the traffic across a broad network of servers – making it far harder for the attacker to overwhelm a single target server.

The sheer quantity of backup servers means they are highly unlikely to be overwhelmed.

Caching

Caching helps reduce server load by storing and serving frequently requested content from intermediary storage locations, such as content delivery networks (CDNs). Instead of repeatedly fetching the same data from the origin server, caching allows responses to be served quickly from these intermediate points.

This minimizes the impact of high traffic volumes on the primary server and ensures faster responses for legitimate users, even during a DDoS attack.

WAF

A Web Application Firewall (WAF) sits between internal networking devices, and the public internet.

This allows it to monitor and cut off attacks before they reach your own servers. A WAF helps prevent DDoS attacks by filtering and monitoring incoming traffic to block malicious requests. It identifies and blocks abnormal traffic patterns, such as those from bots or traffic floods, while ensuring legitimate users can still access the application.

3 Best Practices to Prevent DDoS Attacks

A DDoS-protected network responds to an incoming identified threat by dropping malicious bot traffic, and absorbing the rest of the traffic. This is supported by a number of core best practices.

#1: Set Intelligent Rate Limits

Intelligent rate limits are vital to mitigating DDoS attacks. Bare-bones rate limits risk damaging the organization’s ability to respond to large spikes in genuine traffic. Instead, limits should take into account the type and context of traffic.

UDP floods can be countered by allowing UDP traffic only when the application behind the server actively requires it. Blocking all unnecessary UDP traffic drastically reduces the risk of attack.

Similarly, ICMP traffic, like UDP, is highly spoofable and can be exploited in ICMP flood attacks.

A Web Application Firewall (WAF) can build a profile of normal ICMP traffic patterns and thereby enforce strict rate limits on ICMP traffic. These tailored restrictions balance the demands between legitimate and malicious traffic.

#2: Implement the Correct WAF Rules

Since it’s such a critical piece of security architecture, and usually closest to the public Internet,  your firewall can offer solid security against DDoS attacks. However, It similarly needs to be protected, too.

Rate-based rules allow your WAF to place maximum request rates, blocking any traffic that exceeds that threshold – this forms the foundation of the intelligent rate limiting above. Collecting and reviewing the firewall logs it generates is vital to identifying unauthorized network behavior.

This in turn lets you fine-tune these thresholds.

There’s a great deal of request hygiene that can be implemented through your WAF, as well: geographic-match rules allow your WAF to block requests from countries that are unlikely to generate legitimate traffic for your business. IP-match rules deny access to known malicious IP addresses, while string-match rules identify and block requests containing harmful patterns or keywords.

More advanced WAF tools can use behavioral analytics to assess your networks’ usual traffic, and take automated action when there are suspicious deviations from this.

#3: Build a DDoS Resiliency Plan

Critical to achieving DDoS resiliency is the ability for teams to track and understand their own progress. This is where a full-scale plan is needed.

Inventory Your Network Assets

Start by cataloging all web assets that need protection against DDoS attacks. Include details, such as:

  • Network configurations
  • Protocols in use
  • Domain names
  • Aplicaciones
  • Specific functions
  • The dates of the latest updates.

This inventory forms the foundation for identifying vulnerabilities and planning defenses.

Assess Your Attack Surface

Conduct a detailed analysis of your network’s attack surface, including hardware, software, and the overall topology. This assessment identifies potential points of entry and highlights components most at risk of being overwhelmed in an attack.

Identify Potential Attackers

Understand who might target your assets and why. Potential attackers could range from hacktivists and disgruntled individuals to competitors or nation-state actors. Third-party threat intelligence can bolster this. Analyzing the motives and resources of these groups will help in tailoring a threat model that reflects your organization’s specific risks.

Determine Likely Attack Vectors

Pinpoint the methods attackers could potentially use to disrupt your systems.

Evaluate the Risk Level

For each identified attack vector, evaluate its risk level by considering the likelihood of attack, the quantitative impact a successful attack could have, and how effectively an attack can be identified and neutralized. Use this evaluation to prioritize best practice implementation.

By systematically addressing these steps, your organization can significantly enhance its ability to withstand and recover from DDoS attacks.

Prevent DDoS Attacks with Quantum DDoS Protector

Check Point’s DDoS Protector is a powerful real-time defense solution designed to safeguard your application infrastructure from network outages, application downtime, vulnerability exploits, and abnormal traffic. It delivers scalable attack mitigation with protection capacities of up to 800 Gbps.

This cuts off the risk of Ransom DDoS attacks, while providing multi-environment, flexible network connectivity options. The intuitive dashboard enables administrators to efficiently monitor events, implement policies, and fine-tune configurations—all within a single interface.

Request a demo to discover how Quantum DDoS Protector handles the ever-scaling threat of DDoS attacks.

Combining DDoS protection with Web Application Firewall tooling is Check Point’s CloudGuard WAF. Alongside full-stack API and application protection, CloudGuard employs advanced bot detection that differentiates between legitimate users and malicious traffic. Blocking common avenues of DDoS attack isn’t the only form of protection: CloudGuard routes all traffic through Check Point’s secure servers, completely mitigating high-volume attacks. For wider DDoS protection, it can integrate with other cloud-based mitigation platforms.

Comenzar

Protección DDoS

Solicitud de escaneo DDoS Bot

Ficha técnica de Quantum DDoS Protector serie X

Elegir la solución DDoS adecuada

Temas relacionados

What is Denial-of-Service (DoS)

Ataque DDoS

DoS frente a DDoS

¿Qué es la seguridad de IoT?

¿Qué es una Botnet?

x
  Comentarios
Este sitio web utiliza cookies para optimizar su funcionalidad y para fines de análisis y marketing. Al seguir usando este sitio web, usted acepta el uso de cookies. Para obtener más información, lea nuestro Aviso de cookies.
Aceptar