DDoS Attacks: How Imperva Mitigates Increasingly Powerful and Sophisticated Attacks

By Muqeet Khan posted 07-14-2020 09:51

Distributed Denial-of-Service attacks remain one of the most dangerous and expensive threats in the global cybersecurity landscape, and DDoS attacks are making headlines again thanks to reports of the largest-ever recorded attack in June 2020. The attack in question is remarkable for its volumetric capacity and sophistication, peaking at 1.44 terabits per second and 385 million packets per second. This record-breaking DDoS attack was carried out over nine different types of traffic, rather than the usual two or three that security providers are used to seeing.

Unfortunately, this attack is part of a troubling trend. Distributed Denial-of-Service attacks are growing in frequency, size, and scope. Experts estimate that the number of attacks experienced worldwide is likely to swell to 14.5 million by 2022.

Quick Stats and Insights about DDoS Attacks

  • 90% of organizations experience a DDoS attack at least once a year.
  • 25% of DDoS victims get hit ten times or more.
  • 91% of organizations suffer downtime as a result of successful DDoS attacks.
  • One hour of downtime can cost approximately $300,000, according to Gartner.
  • A 24-hour DDoS attack costs cybercriminals only $540 to execute.

The low cost and high payoff of a DDoS attack make it a highly effective threat. But since cybercriminals don’t often directly benefit from carrying out the attacks, security professionals have to keep cybercriminals’ motivations in mind when establishing their defenses.

In this webinar Imperva experts talk about some DDoS risks and some case studies. 

The Anatomy of a DDoS Attack

Before going deeper into how Imperva thwarts these kinds of attacks, it’s important to cover what a DDoS attack is, how the attack works, and the kinds of motivations cybercriminals have for carrying out these attacks.

A DDoS attack is a malicious attempt to force victims to temporarily shut down services by flooding their network infrastructure with internet traffic. Cybercriminals will typically command an army of compromised computer systems to carry out these kinds of attacks – that’s why the denial-of-service attack is distributed.

A network connection is composed of different layers, and these attacks can happen over multiple layers according to the OSI model. Categorizing attacks by their OSI layer helps to distinguish between types of DDoS attacks and their goals. For instance:

  • Application Layer DDoS attacks exhaust the target’s bandwidth and computing resources by impersonating human behavior on an enormous scale. They are cheap to execute and very difficult to reliably identify and defend against.
  • Protocol attacks disrupt services by consuming all of the available capacity of the target’s web application servers, or their security resources like firewalls and load balancers. They require a high-capacity automated network to carry out.
  • Slowloris attacks force victims to commit to extremely slow requests, disrupting genuine services while utilizing very little bandwidth. These attacks attempt to disrupt regular service by keeping victim resources occupied as long as possible without triggering DDoS defenses.
  • UDP Flood attacks force victims’ servers to repeatedly check random ports, sapping their resources until the servers no longer respond to legitimate requests. The victims’ servers must send back a “destination unreachable” packet to every single request, making it easy for an attacker to overwhelm the system.
  • Ping of Death attacks send malicious pings to victims’ servers. Attackers manipulate IP packets in a way that causes victims’ systems to assemble IP pings much larger than their normal size, causing memory buffer overflows and disrupting service.
  • SYN floods exploit a weakness in the three-way handshake process used in TCP connections. This attack causes the victim’s system to wait for TCP handshake responses that will never come, eventually making it impossible for the server to form new connections, resulting in disruption.
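As an added defender-side illustration (not code from the original post or from Imperva), the following Python heuristics flag two of the patterns listed above over constructed connection records: a backlog dominated by half-open TCP handshakes (SYN flood) and sources holding many long-lived, nearly idle connections (Slowloris-style). The record format, thresholds and sample addresses are assumptions chosen for the example.

```python
"""Simple detection heuristics for two DDoS patterns: SYN floods (many
half-open handshakes) and Slowloris-style slow requests (long-lived
connections carrying almost no data). Input records are constructed
here for illustration, not taken from real captures."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str        # client address
    state: str      # "SYN_RECV" (half-open) or "ESTABLISHED"
    age_s: float    # seconds since the connection was opened
    bytes_in: int   # bytes received from the client so far


def syn_flood_score(conns, min_half_open=100, min_ratio=0.7):
    """Flag when half-open connections dominate the backlog.
    Returns (flagged, half_open_count, half_open_ratio)."""
    half_open = sum(c.state == "SYN_RECV" for c in conns)
    ratio = half_open / len(conns) if conns else 0.0
    return half_open >= min_half_open and ratio >= min_ratio, half_open, ratio


def slowloris_sources(conns, min_age_s=60.0, max_rate_bps=10.0, min_conns=20):
    """Return sources that hold many old, almost idle established connections
    (the low-bandwidth, resource-holding behaviour of a Slowloris attack)."""
    per_src = defaultdict(list)
    for c in conns:
        if (c.state == "ESTABLISHED" and c.age_s >= min_age_s
                and c.bytes_in / c.age_s <= max_rate_bps):
            per_src[c.src].append(c)
    return sorted(s for s, cs in per_src.items() if len(cs) >= min_conns)


# Constructed sample (assumed values): 120 half-open handshakes from many
# addresses, 25 slow idle connections from one host, and normal traffic.
SAMPLE = (
    [Conn(f"203.0.113.{i % 250 + 1}", "SYN_RECV", 3.0, 0) for i in range(120)]
    + [Conn("198.51.100.7", "ESTABLISHED", 300.0, 200) for _ in range(25)]
    + [Conn(f"192.0.2.{i}", "ESTABLISHED", 2.0, 4096) for i in range(1, 11)]
)

if __name__ == "__main__":
    print("SYN flood:", syn_flood_score(SAMPLE))
    print("Slowloris sources:", slowloris_sources(SAMPLE))
```

In practice the connection table would come from the server's own socket state (for example `ss -tan` output) or from flow telemetry at the scrubbing edge, and the thresholds would be tuned to the site's normal baseline.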

All of these attacks work by disrupting normal public-facing services, but they can have a wide range of motivations and end goals. Some cybercriminals try to extort victims into paying Bitcoin ransoms to stop attacks in progress. Others are motivated purely by ideology or personal revenge. Others are in the employ of hostile nation-states, looking to damage their opponents’ economies to gain political or military advantage.

All DDoS attacks follow a basic three-step process:

  1. Cybercriminals take control of network-attached computers called handlers, which will control the devices that ultimately carry out the attack. This is an automated process that can quickly yield a very large army of controlled devices.
  2. The army of compromised machines is then consolidated into a botnet. The commands and instructions for launching the attack are loaded into each device in the botnet.
  3. In the final stage, the cybercriminal executes the attack, launching millions of requests to the victim’s servers at once while using spoofed or fake IP addresses to hide their tracks.

This is the dominant threat that most service providers face. The entire cybersecurity industry is going to have to commit to constantly improving its defenses against these attacks, and Imperva technology is already playing a key role. 

How Imperva Mitigates DDoS Attacks

Imperva’s DDoS Mitigation platform protects against any type of DDoS attack, including both network (Layer 3 and 4) and application (Layer 7) attacks. At the core of Imperva’s Infrastructure Protection service is its proprietary DDoS scrubbing appliance named Behemoth. The Behemoth performs all Layer 3 and Layer 4 DDoS scrubbing and then tunnels clean traffic over a GRE tunnel to the origin network. Each of Imperva’s data centers is equipped with one or more Behemoth appliances. In addition to scrubbing any DDoS attack, Behemoth provides packet-level visibility and packet flow control to our 24x7 Operations Center teams. Imperva’s Threat Intelligence Team is constantly collecting data on the attacks it mitigates and analyzing that data to establish statistical correlations between attack vectors and sources. This approach has enabled our team to identify new, never-before-seen attacks solely using the information we’ve gathered from previous attack signatures.

Our Global DDoS Threat Landscape Report contains the insights we’ve gleaned over the last 12 months of attacks across our entire service. By comparing the data of over 1 trillion traffic requests, 3.5 million blocked requests, and 40,000 identified attacks, we are able to match user behaviors to our database of known attack signatures in real-time.

We then distribute this data to 44 DDoS-resilient global scrubbing centers where the millions of web applications and IP addresses protected by our global network are actively protected against bad traffic requests. These scrubbing centers are strategically located for optimal performance, giving Imperva less than 50-millisecond latency for 95% of the globe.

Our fully automated detection and mitigation services are empowered by advanced rules and self-adaptive policies that can respond to novel attacks with incredible speed. This enables Imperva to deliver a three-second mitigation service-level agreement to its customers.

Learn More with Imperva Community 

The Imperva Community is a great place to learn more about how to use Imperva cybersecurity technologies like On-Prem WAF, Cloud WAF, DDoS, Advanced Bot Protection and more to establish efficient, secure processes for enterprise networks. Rely on the expertise of Imperva partners, customers and technical experts. 
