Distributed denial-of-service (DDoS) protection and mitigation is the use of cybersecurity tools and services to prevent or quickly resolve DDoS attacks, a type of cyberattack that shuts down data centers, apps, websites and other resources by flooding them with fraudulent traffic.
While the IBM® X-Force® Threat Intelligence Index reports that DDoS attacks account for 2% of the attacks that X-Force responds to, the disruptions that those attacks cause can be costly. In fact, the IBM Cost of a Data Breach Report notes that the cost of lost business due to a cyberattack averages USD 1.47 million.
Enabling strong DDoS protection measures helps ensure system uptime, prevent downtime and business disruptions and protect organizational reputation.
Prevention of DDoS attacks begins with understanding what they typically target. DDoS attack traffic tends to focus on one of three layers of the Open Systems Interconnection (OSI) network model:
Application layer attacks target layer 7 of the OSI model, the application layer. An example is an HTTP flood attack, in which an attacker sends an overwhelming number of HTTP requests from multiple devices to the same website to crash it. DNS query floods attack Domain Name System (DNS) servers, overloading them with requests for nonexistent domain names.
Protocol attacks target the network and transport layers. Examples include SYN flood attacks, which abuse the TCP handshake (the process by which two devices establish a connection with one another) to overwhelm servers with fraudulent packets. Smurf attacks take advantage of the Internet Control Message Protocol (ICMP), flooding a victim's device with hundreds or thousands of ICMP echo replies.
Volumetric attacks consume all available bandwidth within a target network or between a target service and the rest of the internet, preventing legitimate users from connecting to network resources.
Examples include UDP floods, which send fake User Datagram Protocol (UDP) packets to a target host’s ports. The host's resources are tied up in a vain effort to find an application to receive these fake packets. ICMP floods, also called “ping flood attacks,” bombard targets with ICMP echo requests from multiple spoofed IP addresses.
Multivector attacks exploit multiple attack vectors or nodes, rather than a single source, to maximize damage and frustrate DDoS mitigation efforts.
Attackers might use multiple vectors simultaneously or switch between vectors mid-attack when one vector is thwarted. For example, hackers might begin with a smurf attack, but when the reflected traffic from the abused network devices is shut down, they might launch a UDP flood from their botnet.
Yes, DDoS attacks are illegal. According to the US Federal Bureau of Investigation (FBI): “Participating in distributed denial-of-service attacks (DDoS) and DDoS-for-hire services is illegal. The FBI and other law enforcement agencies investigate DDoS attacks as cybercrimes.” Penalties can include:
DDoS security solutions and services are often built around automatic detection and response capabilities to help organizations identify and act on abnormal patterns or suspicious spikes in network traffic in real time. When unusual activity is detected, many DDoS protection solutions instantly block malicious traffic or close off vulnerabilities that attackers might try to exploit.
Common DDoS prevention and mitigation tools and techniques include:
A “black hole”, also known as a “null route”, is a part of a network where incoming traffic is dropped without being processed or stored. Blackhole routing is the act of diverting incoming traffic to a black hole when a DDoS attack is suspected.
The downside is that blackhole routing can discard the good with the bad. Valid and perhaps valuable traffic might also be thrown away, making blackhole routing a simple but blunt instrument in the face of an attack.
Bot identification and management tools help combat DDoS threats by identifying malicious traffic from bots.
Some bots—such as the bots Google uses to index pages in search results—are benign. But some are used for malicious ends. For example, many DDoS attacks are carried out by using botnets. Botnets are networks of bots that cybercriminals create by taking over laptop and desktop computers, mobile phones, Internet of Things (IoT) devices and other consumer or commercial endpoints.
Bot management software is often used to block undesired or malicious internet bot traffic while permitting useful bots to access web resources. Many of these tools use artificial intelligence (AI) and machine learning (ML) to distinguish bots from human visitors. Bot management software can block potentially malicious bots with CAPTCHA tests or other challenges and automatically rate-limit or deny bots that might overwhelm the system.
A content delivery network (CDN) is a network of distributed servers that can help users access online services more quickly and reliably. With a CDN in place, users’ requests don’t travel back to the service’s origin server. Instead, requests are routed to a geographically closer CDN server that delivers the content.
CDNs can help support DDoS mitigation efforts by increasing a service’s overall capacity for traffic. When a CDN server is taken offline by a DDoS attack, user traffic can be routed to other available server resources in the network.
Endpoint detection and response (EDR), network detection and response (NDR), user and entity behavior analytics (UEBA) and similar tools can monitor network infrastructure and traffic patterns for indicators of compromise. They often work by constructing baseline models of normal network behavior and identifying deviations from the model that might signify malicious traffic.
When these systems see possible DDoS signs—such as abnormal traffic patterns—they can trigger real-time incident responses, such as terminating suspicious network connections.
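The baseline-and-deviation approach described above, as an added example that is not part of the original article: request counts per second are learned from a quiet window, later seconds that exceed the mean by a configurable number of standard deviations are flagged, and the top sources in each flagged second are returned so a responder knows which connections to act on. The log lines and IP addresses are constructed for the demo.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<epoch_second> <client_ip> <method> <path>" per request.
# Seconds 0-9 carry normal traffic; seconds 10-11 carry a burst from four sources.
SAMPLE_LOG = []
for sec in range(10):
    for i in range(3):
        SAMPLE_LOG.append(f"{sec} 198.51.100.{i + 1} GET /index.html")
for sec in (10, 11):
    for i in range(40):
        SAMPLE_LOG.append(f"{sec} 203.0.113.{i % 4 + 1} GET /login")


def parse(lines):
    """Return {second: Counter(src_ip -> request count)} from the log lines."""
    per_sec = defaultdict(Counter)
    for line in lines:
        ts, src, _method, _path = line.split()
        per_sec[int(ts)][src] += 1
    return per_sec


def build_baseline(per_sec, train_seconds):
    """Mean and population stddev of requests/second over the training window."""
    counts = [sum(per_sec[s].values()) for s in train_seconds]
    return mean(counts), pstdev(counts)


def detect(per_sec, baseline, k=3.0):
    """Flag seconds whose request count exceeds mean + k * stddev.

    Returns {second: (total_requests, top_three_sources)}.
    """
    mu, sigma = baseline
    # Floor the spread at 1 so a perfectly flat baseline does not yield a zero threshold.
    threshold = mu + k * max(sigma, 1.0)
    alerts = {}
    for sec, sources in sorted(per_sec.items()):
        total = sum(sources.values())
        if total > threshold:
            alerts[sec] = (total, sources.most_common(3))
    return alerts


def run_demo():
    per_sec = parse(SAMPLE_LOG)
    baseline = build_baseline(per_sec, range(10))  # learn from the quiet seconds 0-9
    return detect(per_sec, baseline)
```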
Device fingerprints use information collected about software and hardware to determine the identity of specific computing devices. Some DDoS protection tools, such as bot management systems, use databases of fingerprints to identify known bots or screen out devices associated with proven or suspected malicious intent.
Load balancing is the process of distributing network traffic among multiple servers to optimize application availability. Load balancing can help defend against DDoS attacks by automatically routing traffic away from overwhelmed servers.
Organizations can install hardware- or software-based load balancers to process traffic. They can also use anycast networking, which enables a single IP address to be assigned to several servers or nodes across multiple locations so that traffic can be shared across those servers. Normally, a request is sent to the optimal server. As traffic increases, the load is spread out, meaning that the servers are less apt to be overwhelmed.
On-premises DDoS protection appliances can be physical devices or virtual machines installed on a company’s network. They monitor incoming traffic, detect suspicious patterns and block or limit potentially dangerous traffic.
Because these appliances are installed locally, they don't have to send traffic to a cloud-based service for inspection or scrubbing. On-premises DDoS protection appliances can be useful for organizations that require low levels of latency, such as conferencing and gaming platforms.
Protocol filtering analyzes network traffic against the normal behavior of common communication protocols, such as TCP, DNS and HTTPS. If traffic that uses a particular protocol deviates from that protocol's norm, protocol filtering tools can flag or block it.
For example, DNS amplification attacks use spoofed IP addresses and malicious DNS requests to flood victims’ devices with large amounts of data. Protocol filtering can help spot and drop these unusual DNS requests before they can cause damage.
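A protocol filter for the DNS amplification case above, written as an added example rather than code from the article. It assumes a filter sitting at the edge of the protected network that remembers the queries its own clients sent: a DNS response that matches no outstanding query is the signature of reflected traffic and is dropped, and a matching response that is far larger than its query is flagged as amplified. The traffic records, addresses and the 20x ratio are constructed for the demo.

```python
# Each constructed record: (direction, client_ip, txid, qname, byte_size).
# "out" is a query leaving the protected network, "in" is a response arriving for client_ip.
SAMPLE_TRAFFIC = [
    ("out", "192.0.2.10", 0x1A2B, "example.com", 45),
    ("in", "192.0.2.10", 0x1A2B, "example.com", 120),     # matches a query: allowed
    ("in", "192.0.2.20", 0x9999, "bigzone.test", 3100),   # no query seen: reflected, dropped
    ("out", "192.0.2.30", 0x0042, "anyzone.test", 60),
    ("in", "192.0.2.30", 0x0042, "anyzone.test", 3800),   # matches, but 63x larger: flagged
    ("in", "192.0.2.30", 0x0042, "anyzone.test", 3800),   # repeat: the query was already consumed
]


class DnsResponseFilter:
    """Stateful check that inbound DNS responses answer a query this network actually sent."""

    def __init__(self, max_amplification=20.0, max_pending=10000):
        self.max_amp = max_amplification
        self.max_pending = max_pending
        self.pending = {}  # (client_ip, txid, qname) -> query size in bytes

    def process(self, record):
        direction, client, txid, qname, size = record
        key = (client, txid, qname)
        if direction == "out":
            # Bound the table so unanswered queries cannot exhaust memory (dict keeps insertion order).
            if len(self.pending) >= self.max_pending:
                self.pending.pop(next(iter(self.pending)))
            self.pending[key] = size
            return "query"
        qsize = self.pending.pop(key, None)  # one response consumes the query
        if qsize is None:
            return "drop:unsolicited"
        if size / qsize > self.max_amp:
            return "flag:amplified"
        return "allow"


def run_demo(records=SAMPLE_TRAFFIC):
    """Run every record through one filter instance and return the verdict list."""
    flt = DnsResponseFilter()
    return [flt.process(r) for r in records]
```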
Rate limiting means placing limits on the number of incoming requests that a server is allowed to accept during a set time. Service might also slow for legitimate users, but the server is not overwhelmed.
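A per-client token-bucket rate limiter, added here as an example that is not from the article, to show the trade-off the paragraph describes: a legitimate client sending one request per second is served in full, while a flooding client is capped at the bucket's burst plus refill rate and the rest of its requests are rejected. The request stream, client names and the limits (5 requests/second sustained, burst of 10) are constructed for the demo.

```python
class TokenBucket:
    """One client's bucket: refills at `rate` tokens/second up to `capacity`."""

    def __init__(self, rate, capacity, now):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, now

    def allow(self, now):
        # Credit the time elapsed since the last decision, then spend one token if available.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """Keys buckets by client identifier (for example source IP)."""

    def __init__(self, rate=5.0, burst=10.0):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def check(self, client, now):
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def build_stream():
    """Constructed stream of (timestamp_seconds, client) sorted by time."""
    legit = [(float(t), "legit") for t in range(10)]          # 1 request/second for 10 s
    flood = [(3.0 + i / 100, "attacker") for i in range(300)]  # 100 requests/second for 3 s
    return sorted(legit + flood)


def run_demo(rate=5.0, burst=10.0):
    """Return {client: (allowed, total)} after running the stream through the limiter."""
    limiter = RateLimiter(rate, burst)
    stats = {}
    for now, client in build_stream():
        allowed, total = stats.get(client, (0, 0))
        stats[client] = (allowed + limiter.check(client, now), total + 1)
    return stats
```

The attacker gets the 10-token burst plus roughly 5 tokens/second of refill over its 3-second flood, so only about 24 of its 300 requests are accepted.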
Scrubbing centers are specialized networks or security services that can filter malicious traffic from legitimate traffic by using techniques such as traffic authentication and anomaly detection. Scrubbing centers block malicious traffic while allowing the legitimate traffic to reach its destination.
While standard firewalls protect networks at the port level, web application firewalls (WAFs) help ensure that requests are safe before forwarding them to web servers. A WAF can determine which types of requests are legitimate and which are not, enabling it to drop malicious traffic and prevent application-layer attacks.
AI and ML tools can enable adaptive DDoS mitigations, which help organizations combat DDoS attacks while minimizing disruptions for legitimate users. By analyzing and learning from traffic, AI and ML tools can fine-tune their detection systems to reduce false positives that would mistakenly block valid traffic and harm business opportunities.
Probably not: most DDoS attacks cannot be traced back to the person behind them. DDoS attacks are often launched from botnets built with hundreds or thousands of hijacked devices that belong to innocent users. The hacker commanding the botnet usually spoofs the devices' IP addresses, so tracking them all down can be time-consuming and most likely will not point to the real culprit.
That said, in certain circumstances, and with sufficient resources, some DDoS attacks can be traced. Using advanced forensic analysis in cooperation with internet service providers (ISPs) and law enforcement teams, organizations might be able to identify their attackers. This outcome is more likely in the case of repeat attackers, who might leave behind clues in the patterns of their attacks.
Most of the time a traditional firewall alone cannot stop a DDoS attack. If the attack is small or unsophisticated, a traditional network firewall might offer some protection, but a large-scale or sophisticated attack would slip through.
The problem is that most firewalls cannot recognize and stop malicious traffic that is disguised as normal traffic. For example, HTTP GET attacks send multiple requests for files from a targeted server, which are likely to appear normal to standard network security tools.
However, web application firewalls (WAFs) operate at a different network layer than traditional firewalls and have use cases for mitigating DDoS attacks, as mentioned previously.
DDoS attacks can take an organization’s applications, websites, servers and other resources offline, disrupting service for users and costing significant money in terms of lost business and damaged reputation.
DDoS attacks can also prevent organizations from meeting their service level agreements (SLAs), which can drive customers away. If an organization’s systems are not available on-demand, users might decide to take their business elsewhere.
These cyberthreats increasingly target critical infrastructure, such as financial services and public utilities. A recent study reported that DDoS attacks against critical infrastructure have increased by 55% in the last four years.
Moreover, DDoS attacks are often used as cover for even more damaging cyberattacks. For example, hackers sometimes launch a DDoS attack to distract the victim so they can deploy ransomware to a network while the cybersecurity team is occupied with the DDoS attack.
DDoS mitigation solutions and DDoS protection services can help organizations stop many of these attacks altogether, preventing outages in key sectors and services. If they cannot stop an attack, they can significantly reduce downtime to help ensure business continuity.
Modern DDoS protection solutions can help defend both on-premises and cloud-based assets, enabling organizations to protect resources regardless of where they are located.