How visibility can help detect and counter DDoS attacks

DDoS attack visibilityIt’s been proven that preventive medical strategies are more cost-effective for treatment and better solutions to support long-term health than reactive medical measures. Anticipating issues and preparing for and supporting healthy systems is simply more logical than troubleshooting and fixing things when they go wrong.

The same concept has been successfully used in IT security for years and it should be no different when planning for DDoS attacks. But despite their relatively predictable nature and deployment, too many IT execs seem to be caught by surprise when a DDoS attack hits home. Can we stop DDoS attacks from happening? Unlikely. Can we mitigate the impact or head it off in the pass? Absolutely.

The most expedient way to prepare for and quickly respond to an attack is to increase visibility into Internet assets, so DDoS attacks can be spotted as they’re gaining traction and mitigated in short order. Knowing what your network’s normal behaviour looks like via an internet performance management system means you will be able to more readily tell when an attack is underway so you can spring into action.

Of course there are times when your network is going to experience legitimately higher volumes of traffic. Whether or not it’s to mitigate DDoS attacks, businesses must provision for enough server capacity, tuned for best performance under high load. Build the biggest network you can with effective elements for advanced mitigation. Yes, this is adding expense, but given the well documented consequences of a DDoS attack – or indeed any downtime – it’s one that’s easily justifiable if you’re facing a battle with the procurement department.

The theory is great, but it’s probably useful to examine a real life instance of what best practice when a DDoS attack is underway looks like. The following example demonstrates best practice in taking steps once internet performance monitoring systems have warned that a DDoS attack is underway.

Newspaper under DDoS attack

Sözcü is a popular Turkish daily newspaper. Like so many print publications around the world, it is increasingly reliant on its online offering to drive revenue into the business. It serves its web content from a large number of endpoints behind different providers around the world. Regularly the target of DDoS attacks, Sözcü uses traffic management tools to manage its endpoints and ensure visitors only connect to healthy endpoints.

Unbeknown to site visitors, this happens all the time, without their service being interrupted. Recently though, the newspaper suffered an attack that was much larger than usual at 40Gbps, lasting several hours. During this period, the attackers targeted all of Sözcü’s endpoints at some point. As usual, their traffic management system’s load balancing capabilities had reacted by actively removing unhealthy endpoints from being served up to site visitors. But critically, it was then re-adding them as the attackers moved on to other endpoints.

In effect, the attackers were playing a game of whack-a-mole with Sözcü’s infrastructure. But despite the service being unavailable for some users – site visitors dropped from a ‘normal’ level of 37,000 down to 25,000 – during the attack, Sözcü was able to hobble through the attack and stay online for the majority of people. Critically, they stayed out of the headlines.

Improvements to the distribution of traffic across all of an organisation’s data centres and content delivery networks, as well as the visibility to plan for and monitor internet performance, is critical to an organisation’s ability to effectively respond to any DDoS attack. But it’s also being used to optimise performance when the network isn’t under attack, and enable migration and critical infrastructure planning to provide the best user experience possible.

Planning for DDoS attacks should be a major consideration of any effective internet performance management strategy, rather than a problem tackled in isolation.