How Do Companies Fight DDoS (Distributed Denial-of-Service) Attacks?
The threat of DDoS (Distributed Denial-of-Service) attacks, in which massive processing demands are sent from many Internet-connected devices (PCs, smartphones, tablets or IoT devices) to a target server until it can no longer respond, has grown tremendously in the past decade. With enough intensity, an attack can take down the network of an entire country, a city or a corporate installation. DDoS attacks are simple and cheap to launch, yet if one is sustained it causes great economic loss to the target firm, whether it is public or private.
The majority of DDoS attacks are "volume attacks", which target the network layer (layer 3) and generate enough traffic to congest the network. What counts as "a lot of traffic" varies greatly from person to person: some picture DDoS attacks whose traffic exceeds 100 Gbps, while others consider 1 Gbps large.
Here, we discuss what measures should be taken against DDoS attacks whose traffic exceeds the data transmission rate (hereinafter referred to as bandwidth) of the Internet connection lines the company has contracted, that is, traffic the company cannot absorb on its own. For example, if the bandwidth of the Internet connection line is 1 Gbps, what measures should be taken against attacks with traffic of 1 Gbps or more?
Take the "reflector attack" (also called an "amplifier attack") as an example of a volume attack. In reflector attacks such as the "DNS reflector attack" and the "NTP reflector attack", unmanaged DNS and NTP servers that exist on the Internet are used as a springboard. The attacker sends request packets to these servers with the source IP address forged to be the victim's IP address, so the servers return their response packets to the victim. Because each response packet is several tens of times the size of the request packet, the reflector attack is also called an "amp attack". The response packets are identical to the responses of a normal DNS or NTP server.
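The property that matters to a defender here is the one the paragraph ends on: the reflected packets are ordinary DNS or NTP responses, but the victim never sent the matching requests, because the attacker forged its address. The following detector, added here as an example and not part of the original article, uses that asymmetry over flow records. It assumes NetFlow-style records with source/destination address, port, protocol, byte and packet counts; the local prefix, the reflector ports (53 and 123, the two services the article names) and all sample flows are constructed, using documentation address ranges.

```python
"""Spot likely DNS/NTP reflection floods in flow records (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP service ports the article names as reflectors (assumption: only these two are watched).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


# Constructed sample flows (hypothetical addresses from documentation ranges).
# The local network is 203.0.113.0/24; 192.0.2.53 is its legitimate resolver.
SAMPLE_FLOWS = [
    # Normal DNS: the local host sent a query and got one small answer back.
    Flow("203.0.113.10", 51234, "192.0.2.53", 53, "UDP", 70, 1),
    Flow("192.0.2.53", 53, "203.0.113.10", 51234, "UDP", 140, 1),
    # Large DNS responses from several open resolvers the host never queried.
    Flow("198.51.100.1", 53, "203.0.113.10", 80, "UDP", 3_000_000, 1000),
    Flow("198.51.100.2", 53, "203.0.113.10", 80, "UDP", 2_800_000, 950),
    Flow("198.51.100.3", 53, "203.0.113.10", 80, "UDP", 3_100_000, 1020),
    Flow("198.51.100.4", 53, "203.0.113.10", 80, "UDP", 2_900_000, 980),
    # NTP responses from several servers the host never asked.
    Flow("198.51.100.20", 123, "203.0.113.10", 443, "UDP", 4_400_000, 10000),
    Flow("198.51.100.21", 123, "203.0.113.10", 443, "UDP", 4_200_000, 9600),
    Flow("198.51.100.22", 123, "203.0.113.10", 443, "UDP", 4_500_000, 10200),
    # Unrelated TCP traffic, ignored by the detector.
    Flow("192.0.2.77", 44321, "203.0.113.10", 443, "TCP", 50_000, 40),
]


def reflection_candidates(flows, local_prefix="203.0.113.", min_sources=3):
    """Return suspected reflection floods as a list of dicts.

    A flow is an "unsolicited response" when it comes from a reflector service
    port to a local host that sent no request to that server. Because a
    reflection attack spoofs the victim's address, the victim's own outbound
    flow records contain no such request, while genuine responses do have one.
    """
    # (local_ip, server_ip, service_port) of requests the local side really sent.
    requests = set()
    for f in flows:
        if f.proto == "UDP" and f.dst_port in REFLECTOR_PORTS and f.src_ip.startswith(local_prefix):
            requests.add((f.src_ip, f.dst_ip, f.dst_port))

    groups = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        if not f.dst_ip.startswith(local_prefix):
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in requests:
            continue  # answer to a real query; normal traffic
        g = groups[(f.dst_ip, REFLECTOR_PORTS[f.src_port])]
        g["reflectors"].add(f.src_ip)
        g["bytes"] += f.bytes
        g["packets"] += f.packets

    findings = []
    for (victim, service), g in sorted(groups.items()):
        if len(g["reflectors"]) < min_sources:
            continue  # a single stray response is not a flood
        findings.append({
            "victim": victim,
            "service": service,
            "reflectors": len(g["reflectors"]),
            "mbytes": round(g["bytes"] / 1e6, 1),
            "avg_pkt_bytes": g["bytes"] // g["packets"],
        })
    return findings


if __name__ == "__main__":
    for hit in reflection_candidates(SAMPLE_FLOWS):
        print(hit)
```

Run against the sample, the detector reports one DNS flood from four resolvers and one NTP flood from three servers, and ignores the resolver answer for which an outbound query exists. The per-packet size it reports is what makes the amplification visible: the legitimate DNS answer is 140 bytes, the unsolicited ones average close to 3 kB. A site would feed real flow export into `reflection_candidates` instead of `SAMPLE_FLOWS`; the three-source threshold is a starting point, not a tuned value.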
DDoS attacks are launched from the Internet side, so the attack traffic reaches the company through its Internet service provider (ISP). Once attack traffic exceeds the bandwidth of the Internet connection line, it is physically impossible for the company to defend itself, no matter how good its security products are. Stopping DDoS attacks at the ISP, before the Internet connection is exhausted, is therefore a very effective measure.
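Because the ISP has to be asked to act before the line is saturated, the practical question on the company side is when to make that call. The monitor below is an added example, not code from the original article: it turns cumulative interface byte counters into inbound bit rates and escalates only when traffic stays near the contracted bandwidth for several consecutive intervals, so a short burst does not trigger an upstream request. The 1 Gbps link matches the article's example; the sample counter readings, the 70 % and 90 % thresholds and the three-interval window are constructed assumptions.

```python
"""Decide when inbound traffic is close enough to the contracted link bandwidth
that upstream (ISP-side) DDoS mitigation should be requested. Added example;
all thresholds and sample readings are constructed."""
from dataclasses import dataclass

LINK_BPS = 1_000_000_000  # contracted 1 Gbps line, as in the article's example


@dataclass(frozen=True)
class Sample:
    t: float       # seconds since start of monitoring
    rx_bytes: int  # cumulative inbound byte counter of the Internet-facing interface


# Constructed readings every 10 s: 200 Mbps baseline, then a surge to 950 Mbps.
SAMPLE_READINGS = [
    Sample(0, 0),
    Sample(10, 250_000_000),     # 200 Mbps
    Sample(20, 500_000_000),     # 200 Mbps
    Sample(30, 1_500_000_000),   # 800 Mbps
    Sample(40, 2_687_500_000),   # 950 Mbps
    Sample(50, 3_875_000_000),   # 950 Mbps
    Sample(60, 5_062_500_000),   # 950 Mbps
]


def inbound_bps(samples):
    """Convert cumulative counter samples into per-interval bit rates."""
    rates = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        delta = cur.rx_bytes - prev.rx_bytes
        if delta < 0:
            continue  # counter wrapped or the interface was reset; skip this interval
        rates.append(delta * 8 / dt)
    return rates


def escalation_decision(rates, link_bps=LINK_BPS, warn=0.7, critical=0.9, sustained=3):
    """Return "ok", "warn" or "escalate".

    "escalate" means the line has been at or above the critical fraction of its
    bandwidth for `sustained` consecutive intervals, the point at which local
    equipment can no longer help and the ISP's countermeasure service is needed.
    """
    consecutive = 0
    worst = "ok"
    for bps in rates:
        if bps >= critical * link_bps:
            consecutive += 1
            if consecutive >= sustained:
                return "escalate"
            worst = "warn"
        else:
            consecutive = 0
            if bps >= warn * link_bps:
                worst = "warn"
    return worst


def link_utilisation(rates, link_bps=LINK_BPS):
    """Fraction of the contracted bandwidth used in the most recent interval."""
    return rates[-1] / link_bps if rates else 0.0


if __name__ == "__main__":
    r = inbound_bps(SAMPLE_READINGS)
    print([round(x / 1e6) for x in r], "Mbps")
    print("utilisation:", link_utilisation(r))
    print("decision:", escalation_decision(r))
```

With the sample readings the decision is "ok" during the baseline, "warn" once the 800 Mbps interval and the first 950 Mbps interval appear, and "escalate" after the third consecutive interval at 950 Mbps. The counter-wrap guard matters on real interfaces: a 32-bit byte counter wraps in under a minute at 1 Gbps, and without the check a wrap would produce a nonsensical negative rate.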
To meet this need, many ISPs offer a "DDoS attack countermeasure service" (the name differs from company to company). What the service covers differs by ISP; of particular importance is how much attack traffic the ISP side can absorb, and in some cases the service charge reflects that capacity. When selecting an ISP and its DDoS attack countermeasure service, however, weighing too many risks delays the decision and the service takes too long to introduce. Worrying, for example, about what to do if a 1 Tbps attack, which has not occurred yet, arrives will stall the discussion.
For smaller networks, the common procedure system administrators follow is simply to take the system offline until the DDoS campaign ends. Packets are then dropped, and normal operations can resume as soon as the campaign is over. Of course, this is not acceptable for multinational companies such as Google, Facebook, Twitter, Intel, Microsoft, Apple or Oracle. These huge companies simply have more bandwidth than the theoretical DDoS attacks, so the attacks do not affect the services they provide on their sites and systems.