Pankaj Gupta, Senior Director at Citrix, outlines how distributed denial of service attacks have become increasingly sophisticated, bigger and economically motivated.
Distributed denial of service (DDoS) attacks have become increasingly sophisticated, bigger, and economically motivated. Even after 25 years, they still pose a huge security risk for every business. This is in large part because DDoS attacks are relatively easy and cheap to launch. A case in point: Bad actors launched the largest DDoS attack of all time in September 2021, demonstrating the continued viability of DDoS attacks for unscrupulous parties who have something to gain from them.
DDoS attacks are at the forefront of the war on digital businesses, and no company or industry is safe. DDoS attacks aim to overload (or exhaust) a business's digital resources so they can no longer serve legitimate users. At worst, the influx of traffic takes web servers, or the network links in front of them, offline entirely. DDoS attacks can also be a smokescreen for data breaches, drawing the security team's attention to the flood while data is being exfiltrated elsewhere. Ransom DDoS attacks, where bad actors demand payment to prevent or cease a DDoS attack, are also on the rise.
So how can DDoS attacks be mitigated? The key is to block as much bad traffic as possible while keeping the application or service running optimally for legitimate users. There are four key considerations each business must assess to select the right DDoS protection solution.
1. Comprehensive Protection Against DDoS Attacks
DDoS attacks come in many forms, but the primary types are connection-protocol attacks, volumetric attacks and application-layer attacks:
- Connection-protocol (state-exhaustion) attacks aim to fill the connection tables of edge devices like routers, firewalls, and load balancers; once those tables are full, legitimate connections are refused and the network behind the device is effectively down. The classic example is the SYN flood, in which the attacker sends a stream of TCP SYNs (often from spoofed sources) and never completes the handshakes, leaving half-open connections to pile up.
- Volumetric attacks target the network directly and fill the pipe so that legitimate requests cannot get through. Common examples include UDP floods, ICMP floods, IP/ICMP fragmentation, IPSec floods, and reflection/amplification attacks such as DNS amplification, where small spoofed queries elicit much larger responses aimed at the victim.
- Application-layer attacks are the most disruptive type of DDoS attack because they target an aspect of your application or service that can directly affect your customers or workforce. Additionally, they often have low traffic throughput rates (a few hundred requests per second can exhaust a database-backed endpoint), which makes them difficult to distinguish from a busy day. Application-layer attacks such as HTTP GET floods and DNS query floods against authoritative name servers have been growing in popularity over the past few years.
A truly effective DDoS protection solution must be comprehensive enough to mitigate all these attack vectors.
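To make the three categories concrete, here is an added example (not Citrix's code and not from the original article) that runs simple per-destination detection heuristics over a constructed one-second traffic sample. Each flow record, the RFC 5737 test addresses, and the thresholds are assumptions chosen for the sample, not production values: a SYN flood shows up as a high SYN rate with almost no handshake-completing ACKs, a UDP flood as raw bits per second over the pipe threshold, and an HTTP GET flood as a high request rate at low bandwidth, which is exactly why it slips past volumetric-only defenses.

```python
"""Toy DDoS traffic classifier over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_S = 1.0  # the constructed sample covers one second of traffic

# Illustrative thresholds (assumptions for this example, not production values).
SYN_RATE_THRESHOLD = 1000       # SYN/s toward one destination
SYN_PER_ACK_MIN = 10.0          # SYNs per handshake-completing ACK: half-open signature
BPS_THRESHOLD = 100_000_000     # 100 Mbit/s, deliberately low so the sample stays small
APP_RPS_THRESHOLD = 500         # application requests/s toward one destination


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" | "udp" | "icmp"
    flags: str    # TCP flags: "S" = SYN, "A" = ACK; "" for non-TCP
    nbytes: int
    app: str      # parsed application request ("http_get", "dns_query") or ""


def classify(flows, window_s=WINDOW_S):
    """Return {dst: {"labels": [...], "metrics": {...}}} for every destination seen."""
    syns, acks, nbytes, app_reqs = (defaultdict(int) for _ in range(4))
    srcs = defaultdict(set)
    for f in flows:
        nbytes[f.dst] += f.nbytes
        srcs[f.dst].add(f.src)
        if f.proto == "tcp" and f.flags == "S":
            syns[f.dst] += 1
        elif f.proto == "tcp" and f.flags == "A":
            acks[f.dst] += 1
        if f.app:
            app_reqs[f.dst] += 1

    result = {}
    for dst in nbytes:
        syn_rate = syns[dst] / window_s
        syn_per_ack = syns[dst] / max(acks[dst], 1)   # avoid divide-by-zero
        bps = nbytes[dst] * 8 / window_s
        app_rps = app_reqs[dst] / window_s
        labels = []
        # Connection-protocol: many SYNs, very few completed handshakes.
        if syn_rate >= SYN_RATE_THRESHOLD and syn_per_ack >= SYN_PER_ACK_MIN:
            labels.append("connection-protocol")
        # Volumetric: judged purely on bandwidth, regardless of protocol.
        if bps >= BPS_THRESHOLD:
            labels.append("volumetric")
        # Application-layer: judged on request rate, independent of bandwidth.
        if app_rps >= APP_RPS_THRESHOLD:
            labels.append("application-layer")
        result[dst] = {
            "labels": labels,
            "metrics": {"syn_rate": syn_rate, "syn_per_ack": syn_per_ack,
                        "bps": bps, "app_rps": app_rps, "sources": len(srcs[dst])},
        }
    return result


def spoofed(i):
    """Rotating source address from a documentation range (constructed)."""
    return f"203.0.113.{i % 254 + 1}"


def build_sample():
    """Constructed one-second sample: three attacked hosts and one normal host."""
    flows = []
    # SYN flood on 10.0.0.1: 5000 half-open SYNs, only 20 handshakes complete (~2.4 Mbit/s)
    flows += [Flow(spoofed(i), "10.0.0.1", "tcp", "S", 60, "") for i in range(5000)]
    flows += [Flow(spoofed(i), "10.0.0.1", "tcp", "A", 60, "") for i in range(20)]
    # UDP flood on 10.0.0.2: 10000 x 1400-byte datagrams = 112 Mbit/s, fills the pipe
    flows += [Flow(spoofed(i), "10.0.0.2", "udp", "", 1400, "") for i in range(10000)]
    # HTTP GET flood on 10.0.0.3: 800 requests/s from 40 clients, under 2 Mbit/s
    flows += [Flow(f"198.51.100.{i % 40 + 1}", "10.0.0.3", "tcp", "A", 300, "http_get")
              for i in range(800)]
    # Normal traffic on 10.0.0.4: 50 handshakes and 50 GETs from 50 clients
    flows += [Flow(f"192.0.2.{i % 50 + 1}", "10.0.0.4", "tcp", "S", 60, "") for i in range(50)]
    flows += [Flow(f"192.0.2.{i % 50 + 1}", "10.0.0.4", "tcp", "A", 300, "http_get")
              for i in range(50)]
    return flows


if __name__ == "__main__":
    for dst, r in sorted(classify(build_sample()).items()):
        print(dst, r["labels"], {k: round(v, 1) for k, v in r["metrics"].items()})
```

Note that the HTTP GET flood host moves less than 2 Mbit/s, well under the volumetric threshold, yet is flagged on request rate alone; a defense that only watches bandwidth would report it as healthy. Real deployments replace these fixed thresholds with per-service baselines and add per-client rate limits, but the three signals (half-open ratio, bits per second, requests per second) are the ones each attack class leaves behind.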
2. Scalable to Mitigate the Biggest DDoS Attacks
A key question to ask is "How scalable does my DDoS protection solution need to be?" The answer is "very", because peak attack sizes keep growing year over year, and a solution sized for last year's record attack may be undersized for next year's.
Another question to ask is: “Should I use cloud-based DDoS protection or defend my systems with an on-prem solution?” On-prem devices have a limited ability to scale on demand, so you must prepare for the lead times associated with increasing your capacity. Moreover, on-prem DDoS protection solutions can be complex to install and maintain, so a dedicated IT team would be necessary.
Cloud-delivered solutions provide a simple service with nothing to install or maintain and they can auto-scale with the size of a DDoS attack. They offer centralized mitigation to provide consistent protection across all applications and sites. The global presence of an established mitigation service can offer high-throughput scrubbing capacity, protecting you from massive DDoS attacks. When it comes to DDoS defense, cloud-based solutions have much to offer.
3. Always-On vs. On-Demand DDoS Protection: Find the Right Balance of Investment and Protection
Do you prefer to have all traffic always routed through the scrubbing service, or do you prefer to redirect traffic for scrubbing only during an attack? Always-on DDoS protection provides constant protection, but it will also add a small amount of latency to normal operations, since every packet takes the detour through the scrubbing centers.
On the other hand, on-demand DDoS protection keeps day-to-day application latency lower, but you are exposed for the window between the start of an attack and the moment traffic is actually redirected: the attack must first be detected, and the BGP or DNS cut-over to the scrubbing service must then propagate. Always-on solutions are more expensive than on-demand solutions, so it is a question of balancing protection against cost to meet your business requirements.
4. Integrated vs. Stand-alone DDoS Protection: Choose Between Simplicity or Complexity
The stand-alone approach to DDoS protection will only protect against DDoS attacks. You will require additional application protection services that must be deployed and managed individually, and that can add significant complexity. With an integrated solution, DDoS protection comes with web application firewalls, bot management, and API protection, offering both comprehensive protection and simplicity. You only need to manage a single solution rather than multiple products from multiple vendors.
It’s Time to Re-Evaluate Your DDoS Protection Solution
Citrix offers a comprehensive, cloud-delivered DDoS protection solution with always-on and on-demand options. It has one of the largest scrubbing capacities to protect against large-scale DDoS attacks. The Citrix DDoS protection solution is available as a stand-alone service and also as an integrated solution that includes a web application firewall and bot management and API protection.
With a 25-year track record, it’s clear that DDoS attacks are here to stay. And they will only become much larger and more pervasive with the advent of 5G and the proliferation of poorly secured IoT devices.
So ask yourself now: Do I have the right DDoS protection to thwart them and keep my business safe?