When Distributed Denial of Service (DDoS) attacks are successful, their effect is always one and the same – knocking services offline and preventing enterprises from serving their customers, employees and supply chain stakeholders.
No one could have guessed!
While the effect is always the same (downtime), protecting a network from DDoS attacks is complicated. Not only must DDoS mitigation be precisely configured to protect against well over 100 different DDoS attack vectors spanning three OSI layers (3, 4 and 7), but there are also seven different points of failure that could be responsible for the denial of service, as the following example illustrates:
A leading global e-commerce company was neutralized by an attack that left them dumbfounded. They had an elaborate multi-tiered DDoS mitigation posture with a CDN, always-on scrubbing and cutting-edge on-premise CPE equipment with a total bandwidth of over 150Gb, and after 2 hours of downtime they still didn’t know what was keeping them down.
We helped them understand that their border router had an excessive number of Quality of Service (QoS) features enabled, which malfunctioned when it came under attack and were responsible for their downtime.
7 Shades of Downtime
The story above could be applied at any of the following DDoS Kill Chain points of failure:
- Limited Capacity: Limited capacity at the ISP, CDN or scrubbing center level could result in the respective service malfunctioning and lead to downtime.
- DDoS Mitigation: When DDoS mitigation policies are not precisely configured to reflect the underlying network, malicious DDoS traffic could leak through, expose downstream network components and lead to downtime.
- Saturated Pipe Bandwidth: High-bandwidth DDoS attacks (typically Layer 3 and Layer 4) could be large enough to completely saturate an enterprise’s network bandwidth and cause denial of service.
- Border Router: Enabling an excessive number of Quality of Service (QoS) features could result in border routers malfunctioning when under a DDoS attack.
- Stateful Devices: Devices like firewalls, Web Application Firewalls (WAFs) and load balancers are not designed to process the volume of traffic generated by DDoS attacks and could malfunction, leading to denial of service.
- Origin Server: The origin server could be overwhelmed by the volume of requests generated by the DDoS attack and fail to serve legitimate users – denial of service.
When services are taken down by a DDoS attack, understanding what needs to be fixed is anything but straightforward.
Pinpointing the Root Causes of Denial of Service
The key to breaking the DDoS Attack Kill Chain is being able to gain visibility into the performance of each point of failure and remove the root cause before the DDoS attack hits and causes downtime. Unfortunately, best-of-breed DDoS mitigation solutions don’t provide insight into the DDoS Attack Kill Chain.
Reactive solutions like ThousandEyes highlight points of failure, which helps expedite detection after things go south – but they do not help identify the root cause of a denial of service that could have been prevented in the first place.
One needs to take a proactive approach to understanding the root cause before an attack takes the network down: an approach that continuously (24/7) analyzes, discovers and strengthens the DDoS mitigation posture and is able to close the specific DDoS vulnerabilities responsible for the potential disruption. The DDoS Radar is a service based on a Proactive Feedback Module that does just that.