A DDoS or Distributed Denial-of-Service attack is a form of cybercrime where the attacker inundates a server or other Internet-based entity with excessive traffic. This has the intention of stopping the server under attack from functioning, obstructing users from online services and websites. DDoS attacks can come from various sources and essentially drown targeted resources by bombarding them with an overwhelming number of data requests, destabilizing them and disturbing regular data flow.
These cyberattacks have continuously been on the rise and become more and more advanced since their start as the end of the 90’s.
We often hear about Denial of Service (DoS) and DDoS attacks, so what is the difference? Both the attacks have the same purpose to disturb the regular data traffic, but the difference is that DoS uses one computer while DDoS uses multiple sources across the Internet – hence distributed.
It is not easy to differentiate between legitimate data traffic from an attack traffic and it can be difficult to determine whether you are under attack or simply just experiencing high traffic volumes. However, there are some telltale signs of a DDoS attack:
A DDoS attack will often try to make all targeted online services unavailable, and the quantity of traffic sent can impact other parts of the Internet. The Internet has become a vital part of our lives, so it is our responsibility to use it safely, and protect it from the malware and threats that could ultimately harm it, and put our important data at risk.
The main steps in the DDoS attack mitigation process are:
DDoS detection techniques can vary depending on the tools and technologies available to the network security providers or network administrators responsible for safeguarding the network. The detection phase involves identifying and recognizing potential Distributed Denial-of-Service attacks. This means examining incoming and outgoing traffic for unusual patterns or anomalies with network monitoring tools or intrusion detection systems.
A baseline must be established for typical network behavior, including traffic volumes, protocols, and patterns. By comparing real-time network traffic against an established baseline, anomalies can be detected, and any significant deviation used to flag a possible DDoS attack.
Continuous monitoring and analysis of network traffic is crucial to identify and respond to DDoS attacks quickly and effectively.
During a DDoS attack, the main priority is to redirect malicious traffic away from its intended target. This is often achieved by rerouting incoming traffic to a dedicated DDoS mitigation service. At Arelion, we divert all suspicioustraffic to one of our scrubbing centers, which are specially designed to filter and clean incoming traffic. The scrubbing center analyzes the traffic, identifies any malicious requests or patterns, and separates legitimate traffic fromattack traffic.
The DDoS mitigation diversion phase is an ongoing process, as attackers may modify their tactics at any time or launch subsequent waves of attacks. By effectively diverting and mitigating attack traffic, organizations can minimize the impact of DDoS attacks and maintain the availability and integrity of their online services.
The scrubbing center uses predefined filtering policies to identify and block traffic that matches known attack patterns or exhibits suspicious behavior. These policies are typically based on various criteria, including IP reputation lists, signatures of known attacks, behavioral analysis, or anomaly detection techniques. Advanced filtering techniques such as IP address blacklisting, traffic rate limiting, and protocol-specific filtering, are applied to mitigate the impact of an attack. As an attack continues, the mitigation criteria are adjusted on the fly to counter evolving attack vectors.
Once the malicious traffic has been filtered and the clean traffic identified, the legitimate traffic is re-routed back to its intended destination, i.e. after a DDoS attack subsides, our system ceases redirection and restores normal traffic flow. When an attack has ended, the mitigation measures are lifted, ensuring that all incoming traffic resumes its regular path without any intervention from our system. This normalizes the path traffic takes, removing any latency or delay. In general, end users should notice little or no impact on performance.
There are several different DDoS mitigation techniques and it is common for providers to use a combination of these. From a customer perspective, cooperation with a trusted and experienced provider is a valuable investment.
At Arelion, we have a layered defense structure, based on carrier-grade mitigation technology and equipment, and supported by built-in network features that eliminate suspicious traffic at source or upon entry to our network. One of the major tools we use is BGP Flowspec.
BGP Flowspec (Border Gateway Protocol Flowspec) is a granular mechanism used in network routing to provide fine control over traffic filtering and mitigation. It extends the capabilities of BGP, the main protocol used to exchange routing information between routers on the Internet.
BGP Flowspac is excellent for isolating and dropping bulk flow traffic - common denominator of of most large DDoS attacks.
Arelion’s DDoS mitigation service reacts quickly to various types of network attack, by specifying specific filtering rules at the edge of the network. This method enhances network security and allows for effective traffic engineering and resource allocation. Our experienced engineers tailor responses to ongoing attacks, preventing cybercriminals from outflanking established mitigation policies.
The four most common groups of DDoS attack:
Arelion offers multi-homed DDoS as a solution for customers who procure IP access from multiple providers. Traditionally, customers would purchase DDoS protection separately from each provider. However, our service streamlines the process by providing a comprehensive all-in-one DDoS solution.
The Multi-homing service is similar to our standard service but with one key enhancement –our DDoS service can be used with Internet Transit connections that are not provided by Arelion.
With the Netflow protocol enabled by customers towards our routers, we can effectively monitor traffic. When an attack is detected, we utilize a friendly BGP hijack leveraging our key position within the routing ecosystem of the Internet to push all traffic through our scrubbing centers and then onwards to acustomer's site. Once an attack subsides, we drop the BGP route hijack announcement and traffic flows normally from all IP Transit upstream providers again.
The multi-homing service is fully automated, ensuring efficient and reliable protection for customer network estate.
However, Arelion understands that this may not be suitable for every customer. Some may not wish to provide Netflow for security reasons or even because there is a lack of compatible devices. During normal operation, we recommend that our customers announce /23 or larger prefixes to the external network, as our more specific announcement will take precedence in BGP routing decisions and this requires morepreparation.
As route hijacks, even friendly ones, present risks within the wider routing environment of the Internet, we require that prefixes protected by us must be covered by RPKI ROA (Route Origin Authorization). This allows Arelion to be confident that the prefixes you are asking us to redirect actually belong to you!
Frequent DDoS attacks can lead to increased operational costs, damaged reputation, customer distrust, potential legal liabilities, and the need for continuous investment in advanced mitigation technologies.
Emerging trends include the use of artificial intelligence to enhance attack precision, multi-vector attacks that combine various techniques, and the exploitation of IoT devices due to their security vulnerabilities.
Organizations can prepare by conducting regular security assessments, implementing robust firewall and intrusion detection systems, utilizing traffic monitoring and anomaly detection tools, and developing a comprehensive incident response plan.