Mapping DDoS Attacks to Mitigation Mechanisms

Management will always push to minimize downtime, and will trust you to ensure that the DDoS mitigation solutions you have invested in actually deliver it.

With hundreds, if not thousands, of DDoS attack vector variants in the wild, testing your DDoS mitigation against each of them would require weeks of maintenance windows with your team "on deck". It is simply impractical.

So what do you do?

You flip the question!

Instead of trying to test hundreds of different DDoS attack vectors, you test the mitigation mechanisms that are widely used to stop them. That narrows the population under test to just six main mitigation mechanisms.

BaseLine Testing was designed on the basis of this insight and allows you to test your environment against 95% of the DDoS attack vectors in just three hours.

Here’s what these mitigation mechanisms are, and what they do:

Signature-based DDoS Mitigation

Signature-based mechanisms match packets at Layers 3, 4 and 7 against known patterns: specific strings in headers or payload, and the rate at which matching packets arrive from a given source IP. When a signature fires, mitigation is applied by blocking or temporarily suspending the offending SRC IPs. The specific signatures vary by vendor, but the approach is similar.

Behavioral-based DDoS Mitigation

Depending on the vendor, these mechanisms use various proprietary algorithms to identify malicious DDoS traffic, for example learning the normal baseline rate and flagging source IPs that deviate from it. Protection is then applied through a dynamically generated signature or a similar technique. Blocking is generally by SRC IP, but may be more complex and granular (protocol type, packet size, etc.); this differs from vendor to vendor.
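The two mechanisms above end in the same action, blocking a source IP, and differ only in how the decision is made: a fixed pattern plus rate, versus a threshold learned from observed traffic. The following is an added example written for this article, not any vendor's implementation. The DNS "ANY" signature, the k = 3 standard-deviation factor and all traffic records are constructed assumptions.

```python
# Added example: a toy signature-based and a toy behavioral-based filter,
# side by side. Illustrative code written for this article, not any vendor's
# implementation; the DNS ANY signature and all traffic below are constructed.
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Pkt:
    src: str        # source IP
    proto: str      # "udp" or "tcp"
    dport: int      # destination port
    payload: bytes
    t: float        # arrival time in seconds


# --- Signature-based: a static pattern plus a rate, keyed by SRC IP -----------
# Constructed signature: UDP/53 payload carrying QTYPE=ANY (0x00 0xff) more
# than SIG_RATE times within a one-second sliding window from one source.
SIG_PATTERN = b"\x00\xff"
SIG_RATE = 50


def signature_blocks(pkts, window=1.0):
    """Return the set of source IPs whose rate of signature hits exceeds SIG_RATE."""
    hits = defaultdict(list)
    for p in pkts:
        if p.proto == "udp" and p.dport == 53 and SIG_PATTERN in p.payload:
            hits[p.src].append(p.t)
    blocked = set()
    for src, times in hits.items():
        times.sort()
        lo = 0
        for hi, t_hi in enumerate(times):
            while t_hi - times[lo] > window:   # slide the window start forward
                lo += 1
            if hi - lo + 1 > SIG_RATE:
                blocked.add(src)
                break
    return blocked


# --- Behavioral: learn a per-source baseline rate, block deviating sources ----
def behavioral_blocks(baseline, current, k=3.0):
    """Block sources whose current packet count exceeds mean + k*stdev of the baseline.

    `baseline` and `current` map source IP -> packets seen in equal-length windows.
    The threshold is derived from observed traffic rather than fixed in advance,
    which is what distinguishes this from a static signature. k is an assumption.
    """
    rates = list(baseline.values())
    mean = statistics.fmean(rates)
    sd = statistics.pstdev(rates) or 1.0       # avoid a zero threshold on a flat baseline
    threshold = mean + k * sd
    return {src for src, n in current.items() if n > threshold}, threshold


# --- Constructed sample traffic ----------------------------------------------
# 60 DNS ANY queries in 0.3 s from one source, a handful of normal A queries,
# and 3 ANY queries from a legitimate resolver (below the rate, so not blocked).
SAMPLE_PKTS = (
    [Pkt("198.51.100.9", "udp", 53, b"\x07example\x03com\x00\x00\xff\x00\x01", i * 0.005)
     for i in range(60)]
    + [Pkt("10.0.0.5", "udp", 53, b"\x07example\x03com\x00\x00\x01\x00\x01", i * 0.1)
       for i in range(5)]
    + [Pkt("10.0.0.6", "udp", 53, b"\x07example\x03com\x00\x00\xff\x00\x01", i * 0.1)
       for i in range(3)]
)

# Learned baseline: 20 sources at 10-12 packets per window. The current window
# adds one source at 500 packets and one legitimate source slightly above the rest.
BASELINE = {f"10.0.0.{i}": 10 + i % 3 for i in range(1, 21)}
CURRENT = {**BASELINE, "203.0.113.7": 500, "10.0.0.21": 13}
```

Running `signature_blocks(SAMPLE_PKTS)` blocks only 198.51.100.9; `behavioral_blocks(BASELINE, CURRENT)` derives a threshold of roughly 13.5 packets per window and blocks only 203.0.113.7, while the source at 13 packets stays within the learned tolerance. Both decisions are per source IP, which is exactly why a test of the mechanism (does it block the deviating source, does it spare the borderline one) tells you more than a test of any single attack vector.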

Challenge-based DDoS Mitigation

When an anomaly has been detected, this defense issues a challenge to specific or all newly connecting IPs to determine whether the traffic comes from a real client. The challenge may be at Layer 4 (a SYN cookie) or Layer 7 (a DNS challenge, a JavaScript or HTTP 302 redirect challenge, etc.): a spoofed source or a simple flooding tool will not complete it, whereas a real TCP stack or browser does. Again, each vendor offers different mitigation variants and different types of challenge.
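The Layer 4 case is worth seeing in code, because it shows why a challenge costs the defender nothing under a spoofed flood. Below is an added example written for this article, not any vendor's implementation: the server answers every SYN with an ISN that is a MAC over the 4-tuple and a coarse time counter, keeps no state, and only allocates a connection when an ACK comes back carrying that ISN + 1. The secret, the 8-bit counter, the 64-second tick and the addresses are constructed assumptions (MSS encoding, which real SYN cookies also carry, is left out).

```python
# Added example: a Layer 4 SYN-cookie challenge, written for this article
# (not any vendor's implementation). The secret, tick size and counter width
# are assumptions chosen for illustration.
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: a per-device secret, rotated in practice
COUNTER_BITS = 8                      # high 8 bits of the ISN carry a coarse time counter
MAC_BITS = 32 - COUNTER_BITS          # remaining 24 bits carry a truncated MAC
TICK_SECONDS = 64                     # counter advances every 64 s


def _counter(now):
    return int(now // TICK_SECONDS) & ((1 << COUNTER_BITS) - 1)


def _mac(saddr, daddr, sport, dport, counter):
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


def make_cookie(saddr, daddr, sport, dport, now):
    """ISN to place in the SYN-ACK. Nothing about the SYN is stored."""
    c = _counter(now)
    return (c << MAC_BITS) | _mac(saddr, daddr, sport, dport, c)


def check_cookie(saddr, daddr, sport, dport, ack, now, max_age_ticks=1):
    """True if `ack` completes a handshake whose SYN-ACK we issued for this 4-tuple
    within the last `max_age_ticks` ticks. Recomputation replaces stored state."""
    isn = (ack - 1) & 0xFFFFFFFF
    c = isn >> MAC_BITS
    age = (_counter(now) - c) & ((1 << COUNTER_BITS) - 1)
    if age > max_age_ticks:
        return False
    expected = _mac(saddr, daddr, sport, dport, c).to_bytes(4, "big")
    got = (isn & ((1 << MAC_BITS) - 1)).to_bytes(4, "big")
    return hmac.compare_digest(expected, got)


class SynCookieServer:
    """Listener that allocates state only once a client proves it can complete the handshake."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = set()

    def on_syn(self, saddr, sport, now):
        return make_cookie(saddr, self.addr, sport, self.port, now)   # stateless reply

    def on_ack(self, saddr, sport, ack, now):
        if check_cookie(saddr, self.addr, sport, self.port, ack, now):
            self.established.add((saddr, sport))
            return True
        return False


def simulate(now=1_700_000_000.0):
    """Constructed scenario: 10,000 spoofed SYNs, one real client, one forged ACK."""
    srv = SynCookieServer("203.0.113.10", 443)
    for i in range(10_000):                         # flood: SYNs that are never ACKed
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i, now)
    isn = srv.on_syn("192.0.2.44", 51515, now)      # real client receives a cookie ISN
    legit_ok = srv.on_ack("192.0.2.44", 51515, (isn + 1) & 0xFFFFFFFF, now + 0.2)
    forged_ok = srv.on_ack("192.0.2.45", 51516, 0x12345678, now)   # no handshake behind it
    return {"established": len(srv.established), "legit_ok": legit_ok, "forged_ok": forged_ok}
```

After the flood the server holds exactly one established entry, the real client's; the 10,000 spoofed SYNs left nothing behind, and the forged ACK fails because its counter bits are stale and its MAC does not verify. When testing this mechanism, the checks that matter are that a legitimate handshake still completes across a tick boundary and that a cookie older than the accepted window is refused.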

Out-of-state Packet DDoS Mitigation

Some DDoS mitigation devices, in certain deployments, track TCP sessions and drop packets that do not belong to a tracked connection, for example ACK, RST or FIN floods with no preceding handshake. Depending on the deployment, this may be full stateful enforcement or only partial enforcement of TCP traffic.
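The difference between full and partial enforcement is the interesting part to test, so here is an added example written for this article, not a vendor's implementation: a reduced TCP connection tracker that forwards only packets fitting the state of a known flow, with a `strict` switch. In strict mode a flow must begin with a client SYN; in partial mode a plain ACK for an unknown flow is picked up as an existing connection (useful when a device is inserted mid-stream, but it lets ACK floods through). Addresses, ports and the traffic mix are constructed; real devices also age out flows and handle many more cases.

```python
# Added example: out-of-state TCP enforcement by a connection tracker, written
# for this article (not a vendor's implementation). The state machine is
# deliberately reduced; real devices also age out flows and handle more cases.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters, e.g. "S", "SA", "A", "PA", "FA", "R"


class StateTable:
    """Forward only packets that fit the TCP state machine of a tracked flow.

    strict=True  : full enforcement, a flow must start with a client SYN.
    strict=False : partial enforcement, a plain ACK for an unknown flow is
                   assumed to be an existing connection and is picked up.
    """

    def __init__(self, strict=True):
        self.strict = strict
        self.flows = {}          # (client, cport, server, sport) -> state
        self.dropped = 0

    def inspect(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":                       # client SYN opens (or retransmits) a flow
            self.flows[fwd] = "SYN_SENT"
            return True
        if fwd in self.flows:
            key, from_client = fwd, True
        elif rev in self.flows:
            key, from_client = rev, False
        elif not self.strict and p.flags in ("A", "PA"):
            self.flows[fwd] = "ESTABLISHED"      # mid-stream pickup: the partial-enforcement gap
            return True
        else:
            return self._drop()                  # no flow this packet could belong to
        state = self.flows[key]
        if state == "SYN_SENT" and not from_client and p.flags == "SA":
            self.flows[key] = "SYN_RECV"
            return True
        if state == "SYN_RECV" and from_client and p.flags in ("A", "PA"):
            self.flows[key] = "ESTABLISHED"
            return True
        if state == "ESTABLISHED" and "S" not in p.flags:
            if "R" in p.flags:
                del self.flows[key]              # a reset tears the flow down
            return True
        return self._drop()                      # e.g. SYN-ACK from the client, ACK before SYN-ACK

    def _drop(self):
        self.dropped += 1
        return False


def run(strict):
    """Constructed traffic: one legitimate session, then a 1,000-packet ACK flood."""
    st = StateTable(strict)
    C, S = ("192.0.2.10", 50000), ("203.0.113.10", 80)
    session = [Tcp(*C, *S, "S"), Tcp(*S, *C, "SA"), Tcp(*C, *S, "A"),
               Tcp(*C, *S, "PA"), Tcp(*S, *C, "A"), Tcp(*C, *S, "FA")]
    session_fwd = sum(st.inspect(p) for p in session)
    flood = [Tcp(f"198.51.100.{i % 250}", 1024 + i, *S, "A") for i in range(1000)]
    flood_fwd = sum(st.inspect(p) for p in flood)
    stray_rst = st.inspect(Tcp("198.51.100.1", 2000, *S, "R"))   # RST with no flow behind it
    return {"session_fwd": session_fwd, "flood_fwd": flood_fwd, "stray_rst_fwd": stray_rst}
```

`run(True)` forwards all six packets of the legitimate session and none of the 1,000 flood ACKs; `run(False)` forwards the same session but also every flood ACK, because each one is "picked up" as a supposed existing connection. A stray RST is dropped in both modes. That is the caveat to carry into testing: a device running partial enforcement will look fully stateful against a SYN flood and yet pass an ACK flood untouched.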

Rate-based/Geo-blocking DDoS Mitigation

These are the primitive fallback methods used when nothing else is available: rate limiting caps how much traffic a source (or the whole site) may send, and geo-blocking drops traffic from entire regions. Both are false-positive prone and may cause more problems than they solve; most vendors nevertheless offer rate limiting options. When you have no other option, some false positives may be better than a complete site outage.
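The false-positive problem is easy to quantify. The following is an added example written for this article, not a vendor's implementation: a per-source token-bucket limiter run over ten seconds of constructed traffic from an attacker sending a steady 400 packets per second and from a corporate NAT gateway whose users produce a burst of 60 packets at the start of every second. The rate, bucket size and addresses are assumptions.

```python
# Added example: per-source rate limiting with a token bucket and the false
# positives it produces. Written for this article, not a vendor's implementation;
# the rates, bucket size and traffic mix are constructed.
class TokenBucket:
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst     # refill in tokens/s, bucket capacity
        self.tokens, self.last = burst, now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per source IP: the 'block by SRC IP' fallback in its simplest form."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def allow(self, src, now):
        if src not in self.buckets:
            self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        return self.buckets[src].allow(now)


def simulate(rate=100.0, burst=40):
    """Ten seconds of constructed traffic through one limiter: an attacker at a
    steady 400 pps and a NAT gateway emitting 60 packets in the first 50 ms of
    every second. Returns how much of each source got through."""
    lim = PerSourceLimiter(rate, burst)
    attacker = [("198.51.100.9", i / 400) for i in range(4000)]
    nat_gw = [("192.0.2.1", s + j * (0.05 / 60)) for s in range(10) for j in range(60)]
    passed = {"198.51.100.9": 0, "192.0.2.1": 0}
    for src, t in sorted(attacker + nat_gw, key=lambda x: x[1]):
        if lim.allow(src, t):
            passed[src] += 1
    return {"attacker_passed": passed["198.51.100.9"], "attacker_sent": 4000,
            "nat_passed": passed["192.0.2.1"], "nat_sent": 600}
```

With a 100 pps rate and a 40-packet bucket the attacker is cut to roughly a quarter of its traffic (about 1,040 of 4,000 packets), which is useful. The same setting drops about a quarter of the NAT gateway's packets as well (roughly 440 of 600 get through), because from the limiter's point of view a busy office behind one IP is indistinguishable from a modest flood. Tightening the limit to stop the attacker completely would hit the gateway harder still. Geo-blocking has the same shape of problem with coarser granularity.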

Botnet-detection DDoS Mitigation

Botnet-detection DDoS mitigation generally involves applying a known list of attacking IPs to perimeter defenses. It is only one part of a wider toolbox for mitigating attacks because it is only as good as the quality of the list: it may introduce some level of false positives, and it will never catch a zero-day attack from sources that are not yet listed. The lists also vary by vendor, so an IP on one list may be absent from another.

Appropriate mitigation will protect you against most types of DDoS attacks, if you have stress-tested it well enough. BaseLine mitigation testing is key.


About Yotam Alon

Yotam is the Dev Lead at MazeBolt and is in charge of all R&D activities, infrastructure and security. With five years in the security industry, Yotam brings fresh perspectives and insights into current technologies and development flows. He holds a BSc. in mathematics and philosophy and enjoys hitting the archery range in his spare time.