The term “best current practice” is commonly used in security to describe the most proven and effective techniques and practices for protecting against a type of cyber threat at that time. I stress the ‘at that time’ because cyber threats are continuously evolving, so what works well today may not be completely effective in the future. It’s critical that you constantly evaluate the threat landscape and your security controls to ensure that no new attack methods would evade your defenses.
The DDoS threat landscape has undergone some changes over the last few years that are worth considering. The sheer number of attacks seen and the diversity of customers being attacked have been steadily rising, with Ransom DDoS (RDDoS) in particular driving this to new levels. You have inevitably read in multiple industry and vendor reports that attacks have increased in size and complexity. The size can be attributed to larger botnets enabled by IoT and mobile exploits, along with the popularity and availability of reflection/amplification vectors. The complexity comes from strong technological advances in the tools available to attackers, which allow them to control larger botnets, conduct surveillance on the victim to customize attacks, vary and combine attack techniques, and vary attack times and durations. SSL-based attacks have also grown in frequency, making it harder for defenders to analyze the traffic.
There have also been expansive changes to the attack surface for most companies. Over the past 2 years, most companies have had to accommodate a larger remote workforce, and many have accelerated plans to move some or all of their workloads to the cloud. This has increased the number of applications that corporate users access regularly and has broadened the number of places from which these apps are accessed. Productivity now largely depends on this larger, more fragile ecosystem remaining operational, so tolerance for any disruption of services is at an all-time low, and demand for greater interoperability with existing customer processes and tools is at an all-time high.
This combination of factors has led to some changes in the best practices for protecting internet-facing assets against DDoS attacks. The basics remain the same: network-level controls that only allow traffic for legitimate ports/protocols, enterprise-level traffic visibility, control plane isolation, and intelligent DDoS mitigation both on-premises and upstream. The best current practice has been a hybrid approach to intelligent DDoS mitigation consisting of an in-line solution on premises, an on-demand DDoS service from an upstream provider, and some form of orchestration between the two. The on-premises component remains very valuable as the first and last line of defense for surgical mitigation, but it has now become a better practice to combine it with an always-on cloud-based mitigation solution.
Always-on means that your traffic will always be running through the mitigation infrastructure and will have some protections always enabled. When an attack is detected, more stringent protections can be instantly applied to just the victim’s traffic. This has several benefits over on-demand that lower the risk of disruption:
Zero-second protection against many common attacks.
Speed of reaction to other attacks. Traffic is already going through the mitigation environment, so switching between levels of surgical protection can happen in seconds rather than minutes.
Avoidance of any potential disruptions from network convergence during diversion and re-injection of traffic from the cloud mitigation service.
Always-on protection, particularly through a proxy, also gives the opportunity to decrypt the traffic and apply stateful defenses that catch more subtle application-layer attacks. Through a combination of stateless defenses against layer 3, layer 4 and some layer 7 attacks, and stateful defenses against the remaining layer 7 attacks, the risk of a DDoS attack affecting you goes down significantly.
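To make the tiered model concrete, here is an added illustration (not code from the original post or from any vendor) of an always-on mitigator: stateless port and rate checks applied to every packet, stricter limits escalated only for the destination under attack, and a stateful request-per-connection check that is only possible on traffic the proxy has decrypted. All thresholds, addresses and the sample traffic are constructed for the example.

```python
from collections import defaultdict

# Constructed policy values for illustration; not from the original post or any product.
ALLOWED_PORTS = {80, 443}   # network-level control: only legitimate service ports reach the app
BASELINE_PPS = 100          # always-on per-source ceiling applied to every destination
ESCALATED_PPS = 10          # stricter per-source ceiling applied only to a destination under attack
ATTACK_TRIGGER_PPS = 500    # aggregate packets per window to one destination that flags an attack
L7_MAX_REQS = 20            # stateful layer-7 check: HTTP requests per connection per window

class AlwaysOnMitigator:
    """Stateless L3/L4 checks on every packet, escalation scoped to the victim,
    and a stateful L7 check that only works on traffic the proxy has decrypted.
    All counters cover one window (e.g. one second) of traffic."""

    def __init__(self):
        self.escalated = set()                   # destinations under stricter protection
        self.per_dst = defaultdict(int)          # dst -> packets seen
        self.per_src_dst = defaultdict(int)      # (src, dst) -> packets seen
        self.per_conn_reqs = defaultdict(int)    # (src, dst) -> HTTP requests seen

    def handle(self, src, dst, dport, http_req=False):
        """Return 'allow' or 'drop:<reason>' for one packet."""
        if dport not in ALLOWED_PORTS:                 # stateless: unwanted port
            return "drop:port"
        self.per_dst[dst] += 1
        if self.per_dst[dst] > ATTACK_TRIGGER_PPS:     # detection: escalate this victim only
            self.escalated.add(dst)
        limit = ESCALATED_PPS if dst in self.escalated else BASELINE_PPS
        self.per_src_dst[(src, dst)] += 1
        if self.per_src_dst[(src, dst)] > limit:       # stateless: per-source rate ceiling
            return "drop:rate"
        if http_req:                                   # stateful: per-connection request budget
            self.per_conn_reqs[(src, dst)] += 1
            if self.per_conn_reqs[(src, dst)] > L7_MAX_REQS:
                return "drop:l7"
        return "allow"

def simulate(packets):
    """Run packets through a fresh mitigator; return (verdict counts, escalated destinations)."""
    m, counts = AlwaysOnMitigator(), defaultdict(int)
    for pkt in packets:
        counts[m.handle(*pkt)] += 1
    return dict(counts), m.escalated

def sample_traffic():
    """Constructed one-window sample: 20 bots flooding one host, a legitimate client of that
    host, a request-heavy client of a second host, and a few packets to a blocked port."""
    flood = [(f"10.0.0.{i % 20}", "203.0.113.10", 443) for i in range(600)]
    legit = [("198.51.100.7", "203.0.113.10", 443, True)] * 5
    busy = [("198.51.100.9", "203.0.113.11", 443, True)] * 25
    stray = [("198.51.100.8", "203.0.113.20", 23)] * 3
    return flood + legit + busy + stray

if __name__ == "__main__":
    print(simulate(sample_traffic()))   # 525 allow, 100 drop:rate, 5 drop:l7, 3 drop:port
```

Note that the second host keeps its baseline limit while the flooded host is escalated, which is the "just the victim's traffic" property described above.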
It is important to constantly evaluate your cyber defenses to make sure that they still provide the level of protection you need given the changing environment and threat landscape. What was effective a few years ago may no longer protect you as well as you think. DDoS has certainly evolved, and so have its best practices. In 2021, when applications are your company’s lifeblood, your leaders and customers expect 100% uptime, and everything is done over encrypted channels, you should really look into always-on DDoS protection, services that can analyze SSL, and a combination of stateless and stateful defenses.