Nexusguard: DDoS Mitigation Begins With Effective DDoS Detection

DDoS detection is one of the most important elements in an effective DDoS mitigation strategy, as mitigation cannot begin without the detection of an attack. In a recent report, NXG Labs researcher Tony Miu analyzes the pros and cons of current DDoS detection methods.

While host-based authentication is the most effective defense against DDoS attacks, attackers are getting better at bypassing it. Increasingly sophisticated attacks require more comprehensive approaches to DDoS detection and mitigation.

(PRWEB) August 31, 2013

Too often a high-profile attack will generate buzz about the size of the attack traffic at its peak, but abnormally high peak traffic is rarely sustainable. The effectiveness of DDoS attacks is no longer measured by how much malicious bandwidth an attacker bombards a server with; today, the real question to ask is this: how much traffic actually reaches the backend servers? This simple shift in thinking has sparked the development of incredibly innovative, sophisticated and stealthy attacks.

In his recent report, “Are DDoS Mitigation Technologies Falling Behind,” NXG Labs researcher Tony Miu reiterates some key points on the pros and cons of current DDoS countermeasures, as well as how DDoS mitigation technologies can keep up with the rapid and continuous evolution of DDoS attacks. Since any DDoS mitigation strategy begins with detection, detection is naturally a critical aspect of mitigation. Miu categorizes current methods of detecting DDoS attacks as follows:

Rate-/Flow-based Detection:
Rate-/flow-based detection is especially effective for detecting volumetric attacks by monitoring source IP, destination IP, TCP flags, HTTP request rates, etc. However, while most volumetric attacks can be detected this way, today’s botnets are usually massive, globally distributed and highly customizable: an attacker can launch a low-bandwidth attack in which hundreds of thousands of bots each send a small amount of traffic, so that no single source exceeds a rate threshold and the attack flies under the radar.

Protocol-based Detection:
Protocol-based detection identifies signatures of a layer 7 attack and drops traffic that matches known anomalies in the network protocols. In the case of the Apache Killer, the length of the HTTP header field is usually abnormal, so the attack traffic can be dropped easily once the protocol pattern is detected. However, today’s clever attackers can mimic normal traffic so that the attack traffic is difficult to differentiate from legitimate traffic, effectively nullifying this line of defense.

Host-based Authentication:
Different approaches to host-based authentication have been developed to combat attack scripts: TCP SYN, HTTP redirect, HTTP cookie, JavaScript and CAPTCHA authentication are only a few of the many authentication procedures out there. These procedures aim to authenticate each attempted connection to online services. Though it is difficult, some attackers have found ways to bypass these authentication procedures, for example by simulating the traffic flow of an authenticated session.

Blanket DDoS Detection:
Since all methods are flawed to some extent, the most effective way to detect and mitigate DDoS attacks is to use a combination of multiple detection methods and to perform big data analysis on traffic statistics and behavior. By comparing current traffic against historic data, this method can prevent even the most clever attacks from sneaking by; it is also the most effective way to detect potential layer 7 attacks. However, real-time big data analysis is difficult because of the vast traffic volume incurred during a DDoS attack: collecting the data, analyzing it, creating the attack signature, and finally detecting and mitigating the attack must all happen in a very short time.
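The three detection families above, and the gaps each one leaves, can be seen side by side in a small detector. The following Python is an added example written for this page, not code from Nexusguard, NXG Labs or the report; it runs a per-source and aggregate rate check, a header-length protocol check in the spirit of the Apache Killer signature, and a behavioral comparison against a historic baseline over constructed request windows. All thresholds, the baseline figures and the sample traffic (including the `203.0.113.5` and `198.51.x.x` addresses) are assumptions chosen for illustration; the point it makes is that the distributed low-rate window evades both the rate and protocol checks and is only caught by the baseline deviation, and even then it yields no single source to block.

```python
"""Toy multi-method DDoS detection over constructed HTTP request windows.

Added example for illustration; thresholds and traffic are assumed, not from the report.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Request:
    src_ip: str
    path: str
    headers: dict = field(default_factory=dict)  # header name -> value


# Assumed thresholds for this example (a real deployment tunes these per service).
PER_SOURCE_RPS_LIMIT = 50       # rate-based: one source above this is flagged
AGGREGATE_RPS_LIMIT = 2000      # rate-based: total request rate above this is flagged
MAX_HEADER_VALUE_LEN = 1024     # protocol-based: a header value this long is anomalous
BASELINE_GROWTH_FACTOR = 5.0    # behavior-based: x5 over historic baseline is anomalous


def rate_based(requests, window_seconds):
    """Flag sources over the per-source rate, and whether the aggregate rate is over."""
    per_src = Counter(r.src_ip for r in requests)
    noisy = {ip for ip, n in per_src.items() if n / window_seconds > PER_SOURCE_RPS_LIMIT}
    aggregate_over = len(requests) / window_seconds > AGGREGATE_RPS_LIMIT
    return noisy, aggregate_over


def protocol_based(requests):
    """Flag sources whose requests carry an abnormally long header value."""
    return {r.src_ip for r in requests
            if any(len(v) > MAX_HEADER_VALUE_LEN for v in r.headers.values())}


def behaviour_based(requests, window_seconds, baseline):
    """Compare window statistics to a historic baseline; return the deviating metrics."""
    distinct = len({r.src_ip for r in requests})
    rps = len(requests) / window_seconds
    reasons = []
    if distinct > baseline["distinct_sources"] * BASELINE_GROWTH_FACTOR:
        reasons.append("distinct_sources")
    if rps > baseline["rps"] * BASELINE_GROWTH_FACTOR:
        reasons.append("rps")
    return reasons


def detect(requests, window_seconds, baseline):
    """Combine the three methods: any one firing raises an alert."""
    noisy, aggregate_over = rate_based(requests, window_seconds)
    proto = protocol_based(requests)
    behaviour = behaviour_based(requests, window_seconds, baseline)
    return {
        "rate": bool(noisy) or aggregate_over,
        "protocol": bool(proto),
        "behaviour": bool(behaviour),
        "alert": bool(noisy) or aggregate_over or bool(proto) or bool(behaviour),
        # Sources the per-source methods can name; the behavioral check names none.
        "block_sources": noisy | proto,
    }


# --- Constructed sample windows (10-second windows, baseline of 100 clients at 20 rps) ---
WINDOW = 10.0
BASELINE = {"distinct_sources": 100, "rps": 20.0}


def normal_window():
    # 100 clients, two requests each.
    return [Request(f"10.0.{i // 256}.{i % 256}", "/index.html", {"Host": "www.example.com"})
            for i in range(100) for _ in range(2)]


def header_abuse_window():
    # Normal traffic plus one client sending a few requests with a huge Range header.
    big_range = "bytes=" + ",".join(f"{i}-{i + 1}" for i in range(400))
    return normal_window() + [Request("203.0.113.5", "/index.html", {"Range": big_range})
                              for _ in range(5)]


def low_and_slow_window():
    # 5000 distinct clients, one well-formed request each: 500 rps, 0.1 rps per source.
    return [Request(f"198.51.{i // 256}.{i % 256}", "/index.html", {"Host": "www.example.com"})
            for i in range(5000)]


if __name__ == "__main__":
    for name, win in [("normal", normal_window()), ("header abuse", header_abuse_window()),
                      ("low and slow", low_and_slow_window())]:
        print(name, detect(win, WINDOW, BASELINE))
```

Run stand-alone, the normal window raises nothing, the header-abuse window is caught by the protocol check alone and yields one blockable source, and the low-and-slow window passes both the rate and protocol checks but deviates from baseline on distinct-source count and request rate, with an empty block list: exactly the case where detection succeeds but mitigation still needs a further signal, such as the host-based authentication the report discusses.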

In the report, Miu concludes that while host-based authentication is the most effective way to defend against DDoS attacks, attackers are getting better at designing attacks that bypass it. Increasingly sophisticated attacks will require a more comprehensive approach to DDoS detection and mitigation. More importantly, as attackers come up with more and more clever ways to sneak past defense mechanisms, effective DDoS detection becomes more critical than ever. For the complete report, please visit the NXG Labs Blog.

###
About Nexusguard
Nexusguard is an industry-leading Internet security service provider, proven by years of experience mitigating thousands of attacks per month. Established in 2008, Nexusguard continues to provide innovative end-to-end, cloud-based Internet security solutions. By protecting clients against the ever-increasing and evolving multitude of Internet threats, Nexusguard's cloud-based security solutions empower clients around the globe with uninterrupted services. For more information, please visit http://www.nexusguard.com.

