DDoS attacks grow bigger, but so do responses

Fighting distributed denial-of-service (DDoS) attacks today is very different than it was several years ago. Even though attacks are bigger than they have ever been, attack sizes have not grown faster than the rate of available bandwidth and resources to address them — so organizations are actually in a better situation than ever to prevent service-impacting DDoS attacks.

While average attack sizes have gone up, the sophistication around high-bandwidth attacks remains low. In most cases, the larger the attack, the less sophisticated the attack vector in use. Hence, there has been a branding of “advanced” or “multi-vector” DDoS attacks.  This means a victim has to fight against several vectors that are often changing. 

However, the industry is doing a lot to answer this challenge, and you can do more to protect your applications with best practices we discussed in a previous article, and by seeking out a CDN with a modern approach to security, which we will discuss in this article.

The industry’s maturing approach to DDoS attacks

When an attacker launches a DDoS attack, they often traverse several networks to reach their victim. As the impact of these attacks has increased, network providers no longer allow themselves to be willing participants in relaying these types of attacks. 

For example, in the largest known attack — a 2 Tbps one reported by Amazon earlier this year — the attackers targeted traffic using the Connectionless Lightweight Directory Access Protocol (CLDAP). The industry quickly responded by controlling the amount of traffic running on that protocol across the internet as a whole. 

However, that wasn’t the first protocol attack that triggered an industry-wide response. It’s also been seen with NTP, SSDP, and other amplification/reflection vectors. Organizations have also taken more proactive steps by scanning for “at-risk” devices on their network, or partnering with organizations such as Shadowserver Foundation, which provides timely threat data to help secure and protect organizations.

Collaboration across organizations involved in identifying, preparing, and defending against DDoS attacks and threat actors have become more commonplace, too. Several industry groups — including NANOG, MAAWG, and industry-specific Industry Sharing and Analysis Centers (ISACs) — have working groups focused on the tactics, techniques and procedures (TTPs) of DDoS, in which best practices and experiences are shared. These all contribute to organizational readiness and adoption of strategies. 

A modern CDN’s approach to DDoS attacks

Similar to the industry’s response, some CDNs are taking a more modern approach to protecting against DDoS attacks as well. Secure DevOps and security tooling have driven overall improvement around DDoS-specific KPIs with regard to time to detect (TTD) and time to mitigate (TTM), which can improve business uptime and customer experience. But by using a CDN with real-time visibility and security that’s baked in across the network, you can secure — and optimize — the delivery and performance of websites and mobile applications.

Intelligent network: As the size of DDoS attacks grow, so should your available bandwidth, enabling your CDN to “absorb” DDoS attacks. For example, our network’s more than 100 Tbps of capacity well exceeds the capacity of that biggest attack mentioned earlier. Many attacks evolve in real time to avoid blocking, so intelligent architecture that allows you to see and adapt in real time is hugely valuable. For example, with a mean global deploy time of about 13 seconds (as of March 31, 2019), policy can be applied to our 72 POPs in under a minute. 

Safer traffic: Blocking at IP and Port levels runs the risk of overblocking and can lack the level of granularity needed for effective mitigations for high-profile sites during key business events. A more modern CDN allows you to block with a higher degree of sophistication. For example, we only pass HTTP and HTTPS traffic back to sites, which provides an advanced degree of protection since many of the big attacks out there are unsophisticated and do not leverage HTTP and HTTPS.

Visibility: You can’t stop what you can’t see. HTTP(S) traffic can be hard to see at scale, especially when under attack, and there can be a fine line between the thundering heard of a viral campaign and a DDoS attack or abusive bot behavior. What’s needed is real-time and flexible logging capabilities to provide operators with excellent visibility for attack mitigation and minimize the impact of the event, keep your business running, and protect the experience of legitimate users that need to access your site.

Smarter logic: With an API-first platform that fits into your existing CI/CD cycle, you can automate manual processes that occur today within your security or application organizations. Such integrations drive successful outcomes such as minimizing time to detect and time to respond, and greatly reduces the risk of a DDoS attack negatively impacting your business.

Interested in learning about the other security benefits the next generation of CDNs can bring? Check out our Guide to the Modern CDN: security and performance for today’s developer.

Michael Sabbota
Sr. Security Solutions Architect

4 min read

Want to continue the conversation?
Schedule time with an expert
Share this post
Michael Sabbota
Sr. Security Solutions Architect

As a senior solutions security architect at Fastly, Mike focuses on customer security strategies to reduce risk while delivering performant applications. He brings more than 20 years experience in information security to his role and has held security architecture, engineering, and leadership roles for Arbor Networks, Liberty Mutual, and ADP. In his spare time, you can find Mike on the ice playing hockey — unless it's September when you will find him in Munich for his annual pilgrimage to Oktoberfest.

Ready to get started?

Get in touch or create an account.