You know there’s a risk of DDoS attacks targeting your organization. You know you have appropriate protection technology in place. But do you know if there are any holes in your defense that can be exploited by hackers? A recent survey pointed out that only 25% of respondents felt their organization is fully equipped to effectively respond to DDoS attacks. In large part, this uncertainty is likely due to a lack of clear, actionable data from DDoS testing.
Simply put, until you actually test, you won’t know. But to test effectively, you need to know what to look for. This may also require setting aside a few misconceptions.
Application-Layer Attacks
DDoS attacks are typically associated with large traffic volumes, and a popular notion is that the larger the attack, the more potent it is. But this is not always true. Application-layer (L7) attacks such as HTTP floods can be extremely effective at bringing down web and application servers while using far smaller traffic volumes, which makes them stealthy and difficult to detect.
Application-layer attacks are, in fact, the leading type of attack targeting financial services (41%). They pose a particular risk for such organizations due to the severe repercussions associated with downtime and regulatory penalties.
Another effective lower-traffic DDoS tactic is known as a Large File Download attack, which uses multiple continuous requests to download a large file found on the targeted website or server. The result is a network data pipeline clogged with outgoing traffic until it can no longer bear the load, leading to high latencies or even downtime.
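Both of the low-volume patterns described above (an HTTP flood and a Large File Download attack) leave a footprint in ordinary web-server access logs, even when they never trip a bandwidth threshold. The following Python script is an added example, not code from the original article: it parses Combined Log Format lines and flags clients that exceed a per-client request rate inside a short sliding window, or that pull an outsized number of bytes from the server. The log lines, IP addresses, paths and thresholds are all constructed for illustration and should be tuned to your own baseline.

```python
"""Detection heuristics for low-volume application-layer DDoS patterns.

Added example (not part of the original article). Parses web-server access
log lines in Combined Log Format and flags clients that
  1. issue an unusually high request rate within a short window (HTTP-flood
     style behaviour), or
  2. repeatedly download large responses (Large File Download pattern),
     measured as total bytes served to that client.
All log lines and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip - - [ts] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }


def flag_request_rate(events, window_s=10, max_requests=50):
    """Clients whose peak request count in any window_s-second window exceeds max_requests."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        left, peak = 0, 0
        for right, t in enumerate(stamps):
            # slide the left edge forward until the window is at most window_s wide
            while (t - stamps[left]).total_seconds() > window_s:
                left += 1
            peak = max(peak, right - left + 1)
        if peak > max_requests:
            flagged[ip] = peak
    return flagged


def flag_bytes_out(events, max_bytes):
    """Clients that have been served more than max_bytes in total (outbound pipe pressure)."""
    by_ip = defaultdict(int)
    for e in events:
        by_ip[e["ip"]] += e["bytes"]
    return {ip: b for ip, b in by_ip.items() if b > max_bytes}


def analyze(lines, window_s=10, max_requests=50, max_bytes=500_000_000):
    """Run both heuristics over raw log lines; unparseable lines are skipped."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "high_rate": flag_request_rate(events, window_s, max_requests),
        "heavy_download": flag_bytes_out(events, max_bytes),
    }


def build_sample_log():
    """Constructed sample log lines (not a real capture); documentation-range IPs."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path, size):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size} "-" "Mozilla/5.0"'

    lines = []
    # legitimate browsing: one small page every 10 seconds
    for i in range(6):
        lines.append(line("192.0.2.10", i * 10, f"/page{i}", 4_000))
    # low-bandwidth HTTP flood: 80 tiny requests inside 8 seconds (~96 KB total)
    for i in range(80):
        lines.append(line("198.51.100.7", i * 0.1, "/search?q=x", 1_200))
    # large file download pattern: the same 50 MB file fetched 20 times in a minute
    for i in range(20):
        lines.append(line("203.0.113.5", i * 3, "/downloads/catalog.pdf", 50_000_000))
    return lines


if __name__ == "__main__":
    for kind, hits in analyze(build_sample_log()).items():
        for ip, value in hits.items():
            print(f"{kind}: {ip} ({value})")
```

The two heuristics deliberately look at different things: the flood source is flagged purely on request count (its bytes are negligible), while the downloader is flagged purely on bytes served (its request rate looks like a patient user). A volume-based alarm on inbound traffic would see neither.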
Cloud DDoS Protection and Misconfigurations
If you are hosting your applications on a public cloud, then you probably have the basic DDoS protection package offered by your cloud provider. But cloud security is a shared responsibility.
The default DDoS protection settings included in cloud-based services are not appropriate for all cases. They must be adjusted, and often enhanced, to suit your particular network settings and components. For example, if you are hosted on AWS and your deployment includes CloudFront with an ALB and EC2 instances behind it, then your DDoS protection configuration will be different than if you have an API Gateway fronting AWS Lambda functions.
Team Skills
Experience shows that it takes more than technology to mitigate a DDoS attack.
Even with the best software, the human factor is still irreplaceable. Companies sometimes discover too late that their IT teams are woefully unprepared for an actual DDoS campaign. They need to be trained, and a DDoS response protocol should be written, followed and periodically updated. Otherwise, the ability to mitigate an attack of any sophistication will be severely compromised.
Do you know how quickly your NOC/SOC, security, network and management teams can identify an attack and take the correct mitigation measures?
How to Know – DDoS Testing
It is only through rigorous testing that you can accurately assess your DDoS security posture.
There are multiple options for running DDoS simulations to validate your protection measures. There are open-source attack tools, such as RUDY, MHDDoS, and many others. Or you can use commercial, self-service tools from different vendors, which allow you to independently exercise various DDoS attack vectors.
But here’s the catch. Your goal is not just to launch attacks and mark them with pass/fail. You want to ensure you run realistic DDoS simulation testing that will truly help you know more. This means challenging your defenses with sophisticated attacks that are as similar as possible to those that would be used by a real-world hacker. And more importantly, you need to be able to draw actionable conclusions from the results and improve your protection – with better attack identification, configuration tweaks, or changes to your core architecture.