How to Choose a DDoS Protection Service for Your Websites


This article was sponsored by Incapsula. Thank you for supporting the partners who make SitePoint possible.

Unless you’ve taken the necessary steps to protect your websites, they’re highly vulnerable to DDoS attacks. You might think of a DDoS attack as the attack that knocked out French news sites after the country’s election in May. Or you may think of the attack in October 2016, when subscribers couldn’t access the New York Times or Wired because hackers used DDoS to attack the DNS provider. In those cases, the systems were hit with so many requests from bots around the globe that they couldn’t handle legitimate requests. And that, in a nutshell, is a DDoS attack: flooding the service with so many requests that the system grinds to a halt.

But today DDoS attacks come in many flavors. They have evolved from simply flooding the firewall or DNS servers with noise to targeting an enterprise’s infrastructure and web applications. The attack is effectively hitting you from inside your enterprise.

A Surge in Application DDoS Attacks

Unlike network layer DDoS attacks like the one on the New York Times, application layer DDoS attacks typically need less traffic to do their damage. Application layer campaigns repeatedly make calls to applications, such as websites, web apps, servers and plugins, slowing or stopping the applications altogether by taxing the resources of the server they reside on.

Internet-facing web applications are vulnerable to a myriad of attacks such as cross-site scripting (XSS) and SQL injection. An application attack also differs from a perimeter (or Layer 3) attack because a hacker uses targeted commands to take an application down and tie up the server’s resources.

On the whole, DDoS attacks are on the rise, and the kind that attacked French newspapers is not where the surge is coming from. The largest increase in DDoS attacks is hitting servers that host web applications.

For example, for four quarters in a row, Incapsula recorded a decrease in the number of network layer assaults, which it says fell to 269 per week compared to 568 in the second quarter 2015. In contrast, it saw yet another spike in the number of application layer assaults, which reached an all-time high of 1,099 per week.

Security experts predict that Internet-facing enterprises will experience DDoS attacks more than once a year. “It’s not a question of if, but rather when you will be attacked,” Tim Matthews, Imperva’s vice president of marketing, told Dark Reading.

The reason for the surge in DDoS attacks on applications is twofold.

First, the number of applications is on the rise. In 2016, half of the organizations surveyed indicated that they are looking to release and maintain custom applications.

The other reason for the rise in DDoS attacks is mainly the abundance of resources available to hackers and wannabe hackers. Not long ago it was quite difficult to build a force of bots to attack a given resource. Now, for little to no money, anyone can acquire the hacking software on the dark web, or for as little as $5 they can hire someone to do it for them. In 2015, a high school student paid for a DDoS attack on his school.

The Cost

Any DDoS attack costs a business its reputation and eventually its customers, because the customer really doesn’t care what kind of DDoS was invoked, whether it was a network layer or application layer attack; they only know they cannot complete a transaction. For example, a DDoS attack on an application brought down an undisclosed U.S. college in February. The attack created a network outage for more than two days, preventing students, parents and staff from logging in. The school was effectively shut down in that time.

In the case of a school, the monetary loss is difficult to quantify, but for a business that sells widgets, it gets expensive very fast. In terms of dollars, a single hour of downtime can cost a business as much as $20,000. And that doesn’t factor in the soft costs attributed to the loss of reputation and future sales. After all, users might wonder how well the business is protecting client data when it can’t even protect itself.

DevOps Needs a Secure Environment for Their Apps

Taken together, the spike in DDoS attacks on applications, the low cost and ease of creating an attack, and the results from a business impact analysis make it clear that developers need to prepare for an attack.

But like most of IT, DevOps teams have viewed security as an obstacle to delivery targets. According to Gartner, implementing information security policies and teams creates a perception that they prevent developers from delivering value. What’s worse, most developers didn’t learn secure coding in school, and if they’re not coding with security in mind, it leaves applications open to attacks.

Gartner also reports that developers need to change their practice. It says, “Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers, and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering ‘DevSecOps.’”

So while developers are improving their skills and are reminded nearly every day that they need to build security into their code, there are a lot of apps in the wild right now which are ripe for attack. The fastest way to mitigate this vulnerability is to buy a service that provides a web application firewall (WAF). A WAF is an appliance or cloud-based service, or a combination of both, that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules, many types of web attacks can be identified and blocked. It’s a matter of routing traffic through the WAF before it hits your application servers.


How to Choose a DDoS Protection Service for Your Website

It’s time to go shopping for a web application firewall, but there are far too many options. Not all WAFs and support staff are the same. Some make big claims but struggle with various attack complexities. Most are cloud based, and the better ones can be set up in just a few minutes.

Here is a set of questions that you should ask your WAF sales rep:

Does the DDoS Solution Use Crowdsourcing?

Using crowdsourcing techniques allows immediate protection to the entire customer base. Using the collective knowledge about the current threat landscape builds a database of threat information that can be aggregated across the community using big data analytics.

What is Their Market Share?

Biggest isn’t always best, but it is important when we’re valuing crowdsourcing. A small customer base won’t be much help in reducing the risk of attacks.

Is the Web Application Firewall certified by the PCI SSC?

The Payment Card Industry (PCI) Security Standards Council is a vendor-agnostic body that certifies vendors that demonstrate compliance with its twelve PCI Data Security Standards.

Is the DDoS Solution On Prem Only?

While dedicated DDoS security appliances prevent application DDoS attacks, they cannot handle massive volumetric attacks – attacks that top 200 Gbps of throughput and surpass customers’ Internet bandwidth limits. To eliminate downtime, organizations must block volumetric attacks before they reach the network. While it may be useful in some cases to have an on prem box, see if the provider has a cloud solution to complement it.

Does Your WAF perform Behavioral Anomaly Detection?

Anomaly detection is the science of using intelligence to detect items and events which do not conform to an expected pattern or other items in a dataset. In this case anomaly detection checks for behavioral patterns that don’t appear to be human.
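To make the idea concrete, here is an added example (not from the original article, and not how Incapsula or any particular WAF implements it) that scores clients in an access log on three behavioural signals: sustained request rate, metronomic timing between requests, and hammering a single endpoint. The log format, thresholds, IP addresses and function names are all assumptions constructed for the illustration.

```python
"""Added example: flag clients whose request behaviour does not look human."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed thresholds for illustration; tune against your own baseline traffic.
MAX_REQ_PER_SEC = 2.0      # sustained rate a person is unlikely to exceed
MIN_GAP_CV = 0.25          # humans click irregularly; bots fire on a timer
MIN_REQUESTS = 8           # need enough samples before judging a client

def parse(line):
    """Parse a constructed 'epoch_seconds client_ip path' log line."""
    ts, ip, path = line.split()
    return float(ts), ip, path

def score_clients(lines):
    """Return {ip: [reasons]} for clients that trip at least two checks."""
    hits = defaultdict(list)
    for line in lines:
        ts, ip, path = parse(line)
        hits[ip].append((ts, path))

    flagged = {}
    for ip, events in hits.items():
        if len(events) < MIN_REQUESTS:
            continue
        events.sort()
        times = [t for t, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        span = times[-1] - times[0]
        reasons = []
        if span > 0 and len(events) / span > MAX_REQ_PER_SEC:
            reasons.append("rate")
        # Coefficient of variation of inter-arrival gaps: near 0 is metronomic.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < MIN_GAP_CV:
            reasons.append("regular-timing")
        # Application-layer floods tend to hammer one expensive endpoint.
        if len({p for _, p in events}) == 1:
            reasons.append("single-endpoint")
        if len(reasons) >= 2:
            flagged[ip] = reasons
    return flagged

# Constructed sample traffic (documentation IP ranges, not real clients).
BOT = [f"{1000 + i * 0.2:.1f} 203.0.113.7 /search?q=a" for i in range(20)]
HUMAN_TIMES = [1000, 1003, 1011, 1012, 1030, 1034, 1051, 1060, 1062, 1090]
HUMAN_PATHS = ["/", "/products", "/products/1", "/cart", "/", "/about",
               "/products/2", "/cart", "/checkout", "/"]
HUMAN = [f"{t} 198.51.100.23 {p}" for t, p in zip(HUMAN_TIMES, HUMAN_PATHS)]
SAMPLE_LOG = BOT + HUMAN
```

Requiring two signals before flagging keeps a fast but genuine user, or a monitoring probe on a fixed schedule, from being blocked on a single heuristic.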

Is Your WAF Set and Forget?

That’s a trick question. Given enough time and persistence any attacker will find a way into a network. It takes people to recognize the shift in strategy and adjust accordingly. Artificial intelligence is good, but it’s better when backed by human intelligence.

Look for a provider that has all of the above. Incapsula, for example, has what the company calls a Five Ring Approach to Application Layer DDoS protection. In fact, Incapsula was the solution provider that helped the U.S. college mentioned above to quickly mitigate the attack. Engineers noticed that the attackers modified their attack once they detected the mitigation, and adjusted to quickly bring the attack under control while allowing legitimate traffic through.

The business of DDoS attacks is booming. DDoS is used for extortion, ransom, revenge, vigilantism, or just for kicks. Those site developers that choose not to protect themselves are sitting ducks for criminals with the tools and a desire. As Tim Matthews of Incapsula said, “It’s not a question of if, but rather when you will be attacked.”

Frequently Asked Questions about DDoS Protection Services

What is the importance of DDoS protection for my website?

DDoS (Distributed Denial of Service) attacks are a significant threat to any online business or website. These attacks can overwhelm your website’s server with traffic, causing it to slow down or even crash. This can lead to loss of revenue, damage to your brand’s reputation, and potential loss of valuable data. Therefore, having a DDoS protection service is crucial. It helps to ensure your website remains accessible to your customers and safe from malicious attacks.

How does a DDoS protection service work?

DDoS protection services work by filtering the traffic that reaches your website. They identify and block malicious traffic, allowing only legitimate traffic to reach your site. This is achieved through various methods such as rate limiting, IP reputation lists, anomaly detection, and more. Some services also offer additional features like load balancing and failover systems for enhanced protection.

What factors should I consider when choosing a DDoS protection service?

When choosing a DDoS protection service, consider factors such as the service’s effectiveness in blocking different types of DDoS attacks, its scalability to handle large traffic volumes, its response time, and its cost. Also, consider the service’s reputation and customer reviews. Some services offer additional features like SSL support, CDN services, and more, which can be beneficial depending on your needs.

Are there different types of DDoS attacks?

Yes, there are several types of DDoS attacks, including volumetric attacks, protocol attacks, and application layer attacks. Each type of attack has a different method and requires a different approach for mitigation. Therefore, it’s essential to choose a DDoS protection service that can effectively handle all types of DDoS attacks.

Can I protect my website from DDoS attacks without a protection service?

While there are measures you can take to reduce the risk of DDoS attacks, such as implementing rate limiting and IP blocking, these methods are often not enough to fully protect your website. DDoS attacks can be complex and overwhelming, and without a dedicated DDoS protection service, your website may still be vulnerable to attacks.

How quickly can a DDoS protection service respond to an attack?

The response time of a DDoS protection service can vary depending on the service. Some services offer immediate response, while others may take a few minutes. The faster the response time, the less impact the attack will have on your website’s performance and availability.

Does a DDoS protection service affect my website’s performance?

A good DDoS protection service should not negatively impact your website’s performance. In fact, some services can improve your website’s performance by providing features like load balancing and content delivery network (CDN) services.

Is DDoS protection service expensive?

The cost of DDoS protection services can vary widely depending on the features and level of protection offered. Some services offer affordable plans for small businesses, while others may be more expensive but offer more comprehensive protection. It’s important to consider the potential cost of a DDoS attack, including lost revenue and damage to your brand’s reputation, when deciding how much to spend on protection.

Can a DDoS protection service guarantee 100% protection against DDoS attacks?

While a DDoS protection service can significantly reduce the risk of DDoS attacks, no service can guarantee 100% protection. DDoS attacks are constantly evolving, and attackers are always finding new ways to bypass security measures. However, a good DDoS protection service will continually update its methods and technologies to provide the best possible protection.

How can I tell if my website is under a DDoS attack?

Signs of a DDoS attack can include a sudden slowdown in website performance, an unexplained increase in traffic, or a complete outage. If you suspect a DDoS attack, it’s important to contact your DDoS protection service immediately for assistance.

Dino Londis

Dino works for a multinational law firm as an information security engineer. He writes for Dice, and has written for Information Week and Dark Reading.
