Behind DDoS attacks lie complex economic interests in the underground industry. Effective governance therefore has to start from multiple dimensions, including policy, industry, resource, and technical dimensions. This chapter discusses how to mitigate DDoS attacks from the following perspectives.
4.1 Upgrading the Network Architecture and Technology
During the development of computer technology and the Internet, inherent and accumulated weaknesses in the architecture and technology have provided a hotbed for DDoS attacks.
For example, the lack of effective methods for IP address identification and traceability has resulted in the widespread use of attack methods built around address spoofing. In the existing network architecture, spoofed IP addresses hide the identity of attackers, and reflection attacks are launched by sending requests whose source IP address is spoofed.
In addition, the lack of unified network traffic control has delayed DDoS attack detection, alerting, and response, broadening the impact of attacks. Today's large-scale, distributed DDoS attacks make it difficult for existing heterogeneous and complex network architectures to detect their early signs in time. Once a DDoS attack is launched at full scale, it is difficult to quickly isolate the malicious traffic and the targeted devices.
Fortunately, with the development of DDoS mitigation technology and computing technology, and the establishment of related standards, the preceding problems have been greatly mitigated. For example, the separation of the network data plane from the management plane, represented by software-defined networking (SDN), lays a critical foundation for global and intelligent management of network traffic and network nodes; the core capabilities of cloud computing (such as resource virtualization) support the isolation, fault tolerance, and restoration of cloud-based network resources; and the emergence of various algorithms and standards for packet labelling and filtering helps limit how far packets with a spoofed source IP address can travel before they are dropped.
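The source-address filtering described above, as it would be applied at a customer-facing edge (BCP 38 style), shown as an added example that is not part of the original report. The interface table, prefixes and drop-reason names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed interface table (assumption: a provider edge router). Each customer-facing
# interface lists the prefixes that may legitimately appear as the source of packets on it.
INTERFACE_PREFIXES = {
    "cust-A": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/25")],
}
# Source ranges that should never enter from a customer interface (private and reserved space).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

@dataclass
class Packet:
    ingress: str  # interface the packet arrived on
    src: str
    dst: str

def ingress_verdict(pkt):
    """Return 'forward' or a drop reason, applying BCP 38-style source validation:
    a packet may only carry a source address that belongs behind its ingress interface."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in b for b in BOGONS):
        return "drop:bogon-source"
    allowed = INTERFACE_PREFIXES.get(pkt.ingress)
    if allowed is None:
        return "drop:unknown-interface"
    if not any(src in p for p in allowed):
        return "drop:spoofed-source"
    return "forward"

def apply_policy(packets):
    """Filter a batch; return the packets to forward and per-reason drop counts
    (the counts are what a controller would export for alerting on spoofing attempts)."""
    forwarded, drops = [], {}
    for p in packets:
        v = ingress_verdict(p)
        if v == "forward":
            forwarded.append(p)
        else:
            drops[v] = drops.get(v, 0) + 1
    return forwarded, drops
```

A rise in the spoofed-source counter on one interface is itself a useful early signal that hosts behind it are being used to launch spoofed traffic.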
4.2 Managing Exposed Services
Launching DDoS attacks requires large-scale attack resources, and the many open services on the Internet are potential resources available to attackers. For example, reflective DDoS attacks are usually launched by exploiting open public services on the Internet or accidentally exposed intranet services. The number of potentially exploitable service resources exposed to the Internet is enormous.
For open services such as DNS and NTP, the relevant departments and asset owners need to assess how the services can be abused, tighten their response policies, and deploy effective detection mechanisms to prevent malicious use. For accidentally exposed intranet services and protocols, such as SSDP, Memcached, and intranet DNS, the enterprises concerned should strengthen network isolation measures and improve their personnel's security awareness to prevent accidental exposure of intranet services.
4.3 Dismantling Botnets
Botnets remain the main force for launching DDoS attacks in the underground industry. By releasing various worms, viruses, and other malware, attackers can infect and control a large number of zombies. To dismantle botnets, two mitigation strategies need to be implemented:
(1) start with malicious samples, analyze the attack methods, and strengthen protection measures at each stage of the kill chain;
(2) improve proactive protection policies, monitor botnet trends, and provide early detection, alerting, and traceback of DDoS attacks.
For example, through honeypot and honeynet technology, we can proactively obtain malicious samples and capture malicious traffic behaviors. Using correlation analysis, we can identify the attacker's purpose, dissect their attack methods, and break the kill chain.
4.4 Analyzing Traffic
Analysis capability is of great importance to DDoS attack protection and governance.
With the growing demands placed on networks and the rapid development of IPv6 and 5G technologies, network bandwidth is increasing rapidly. In this context, traditional traffic analysis technologies and methodologies can no longer keep up with networks carrying huge amounts of incoming and outgoing traffic. For example, deep packet inspection (DPI) incurs high capital expenditure (CAPEX), while the analysis capability of traditional deep flow inspection (DFI) is far from adequate. This poses a great challenge to the return on investment (ROI) of traffic analysis.
For today's network traffic, tracking hotspot traffic (whether malicious or not), malware type, traffic direction, geolocation, country, company name, device type, application name, and CDN identification are all vital data for traffic analysis. Only by acquiring, processing, and understanding all of the above data can managers rapidly detect and handle abnormal events. In other words, traffic analysis capability is an important indicator of an organization's ability to protect against and cope with current and future DDoS attacks.
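An added example, not from the original report, that ties the flow-level analysis described in 4.4 (traffic direction, hotspot destinations) to the exposed-service problem of 4.2: it scans NetFlow-style records for outbound UDP flows leaving known reflector ports with an unusually large average packet size, the signature of one of our own exposed services reflecting traffic at a victim. The address space, the flow records and the 400-byte threshold are all constructed assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: our own address space
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "Memcached"}
AMP_BYTES_PER_PKT = 400  # assumed threshold; genuine reflection requests are far smaller
FIELDS = ["ts", "src", "sport", "dst", "dport", "proto", "packets", "bytes"]

# Constructed NetFlow-style records (not real data), one flow per line in FIELDS order
SAMPLE_FLOWS = """\
1,203.0.113.10,11211,198.51.100.5,40000,udp,20,28000
2,203.0.113.10,11211,198.51.100.5,40001,udp,25,35000
3,203.0.113.22,53,192.0.2.77,53,udp,10,1200
4,203.0.113.30,443,192.0.2.9,51000,tcp,50,60000
5,192.0.2.9,51000,203.0.113.30,443,tcp,40,4000
6,203.0.113.40,123,198.51.100.5,40002,udp,30,14400
"""
def parse_flows(text):
    """Parse CSV flow records into dicts with integer ports and counters."""
    rows = []
    for r in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        for k in ("sport", "dport", "packets", "bytes"):
            r[k] = int(r[k])
        rows.append(r)
    return rows

def direction(src, dst):
    """Classify a flow relative to our address space (traffic direction)."""
    s, d = (any(ipaddress.ip_address(ip) in p for p in OUR_PREFIXES) for ip in (src, dst))
    return "internal" if s and d else "outbound" if s else "inbound" if d else "transit"

def find_amplification(flows):
    """Flag outbound UDP flows leaving a known reflector port with a large average
    packet size: a sign that one of our exposed services is reflecting traffic at a victim."""
    hits = []
    for f in flows:
        service = REFLECTOR_PORTS.get(f["sport"])
        bpp = f["bytes"] / f["packets"]
        if (f["proto"] == "udp" and service and bpp > AMP_BYTES_PER_PKT
                and direction(f["src"], f["dst"]) == "outbound"):
            hits.append({"src": f["src"], "service": service, "dst": f["dst"], "bytes_per_pkt": bpp})
    return hits

def top_destinations(flows, n=3):
    """Hotspot view: external hosts receiving the most bytes from our network."""
    totals = defaultdict(int)
    for f in flows:
        if direction(f["src"], f["dst"]) == "outbound":
            totals[f["dst"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]
```

On the sample data the Memcached and NTP hosts are flagged while the DNS flow (120 bytes per packet) is not, and the hotspot view shows the same external host absorbing most of the outbound bytes, which is the correlation an analyst would use to confirm abuse of an exposed service.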
Profit continues to be the main motivation of attackers, who always use DDoS as a handy weapon.
Since DDoS attacks are easy to launch and bring quick returns, they will always be favored by attackers. Industrial and technological changes indicate that DDoS attacks will take more forms on the battlefield between the offensive and defensive sides.
Therefore, DDoS protection cannot continue to rely on conventional mitigation strategies. Instead, we should
• make greater use of big data and artificial intelligence (AI) technology,
• remediate medium- and high-severity vulnerabilities faster, especially in IoT devices,
• implement more effective early warning and detection solutions,
• take advantage of cloud scrubbing services and threat intelligence,
• regularly share threat information with regulatory bodies and security vendors, thereby achieving a more coordinated defense which is a win-win scenario for all.
Only by learning to change and adapt DDoS strategies and defenses over time will organizations be able to survive the next generation of DDoS attacks. Sticking with conventional defensive strategies and failing to understand the rapid changes in attacker groups and their techniques and patterns could put an organization out of business. Remember, 60% of all small and medium companies that suffer a successful cyber-attack are out of business within 6 months.[14]