Distributed Denial of Service (DDoS) attacks are a growing problem that cybercrooks wage against websites with the aim of bringing them down. The cost of protecting against DDoS attacks has grown into large sums for companies and businesses trying to better safeguard their servers from aggressive attacks. As many organizations struggle to avoid succumbing to DDoS attacks, cybercrooks are ramping up their use of application-layer DDoS attacks, which are defeating many of the new DDoS defenses that Web application operators have put in place.
DDoS attacks are commonly aimed at either the network layer or the application layer. In a network-layer attack, floods of malicious packets are sent to the server, typically over a network protocol unrelated to the application's normal traffic, until all available bandwidth is used up and the server can no longer operate normally. Application-layer attacks, which some call HTTP floods, instead aim to exhaust the server's CPU and RAM so that it can no longer process requests and is brought down.
Through application-layer DDoS attacks, cybercrooks are making major headway in bringing down servers. Because HTTP floods do not rely on the size of the data packets sent, it is the sheer number of requests that brings a server to its knees. An attack that generates hundreds of thousands of requests per second can therefore consume relatively little bandwidth.
Most companies have a server and network setup sized to handle up to 100 requests per second. The protection agents in such setups will automatically filter bogus requests, but the difficulty lies in telling the requests of an HTTP flood or application-layer DDoS attack apart from legitimate ones. Fundamentally, such attacks easily defeat this protection, which is how cybercrooks are successfully attacking companies that have multiple levels of server security in place.
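As an added example (not code from the original article), a small Python detector that applies the 100-requests-per-second figure above to a constructed access-log sample and reports how little bandwidth a flood second actually consumes. The log format, the IP addresses and the sample traffic are assumptions made for illustration.

```python
"""Per-second request-rate detector for spotting application-layer (HTTP flood)
traffic in a web server access log.  Log format and sample lines are constructed."""
from collections import defaultdict

# Figure from the article: a typical setup copes with about 100 requests per second.
RPS_THRESHOLD = 100

def parse_line(line):
    """Parse a constructed line: 'epoch_second client_ip method path status bytes'."""
    ts, ip, method, path, status, nbytes = line.split()
    return int(ts), ip, method, path, int(status), int(nbytes)

def bucket_by_second(lines):
    """Aggregate request count, bytes served and distinct clients for each second."""
    buckets = defaultdict(lambda: {"requests": 0, "bytes": 0, "clients": set()})
    for line in lines:
        ts, ip, _, _, _, nbytes = parse_line(line)
        b = buckets[ts]
        b["requests"] += 1
        b["bytes"] += nbytes
        b["clients"].add(ip)
    return buckets

def flag_http_flood(lines, rps_threshold=RPS_THRESHOLD):
    """Return {second: summary} for every second whose request rate exceeds the
    threshold.  The summary includes bytes per second so the reader can see why a
    bandwidth-only monitor never notices this kind of flood."""
    flagged = {}
    for ts, b in sorted(bucket_by_second(lines).items()):
        if b["requests"] > rps_threshold:
            flagged[ts] = {
                "requests": b["requests"],
                "bytes_per_sec": b["bytes"],
                "distinct_clients": len(b["clients"]),
                "req_per_client": round(b["requests"] / len(b["clients"]), 1),
            }
    return flagged

def constructed_log():
    """Constructed sample: second 1000 is ordinary traffic, second 1001 is a small flood."""
    lines = []
    for i in range(40):   # 40 ordinary visitors, one page each, 5 KB responses
        lines.append(f"1000 198.51.100.{i} GET /index.html 200 5120")
    for i in range(300):  # 300 requests from only 10 clients, each a cheap 400-byte reply
        lines.append(f"1001 203.0.113.{i % 10} GET /search?q=x 200 400")
    return lines

if __name__ == "__main__":
    for ts, summary in flag_http_flood(constructed_log()).items():
        print(ts, summary)
```

The flagged second moves only 120 KB of response data, which is noise on any modern link, yet it triples the 100 requests per second the setup was built for.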
Warding off network-layer attacks commonly involves routing traffic headed for a protected network through the infrastructure of a DDoS mitigation provider. Such a service automatically scrubs traffic that is detected as malicious or as carrying malicious packets, and then forwards only legitimate traffic and packets on to the destination network. Unfortunately, a DDoS mitigation service may be a local, on-site solution that can be defeated by a targeted application-layer attack.
The only way a DDoS mitigation has a chance of stopping an application-layer attack is if the mitigation runs off-site, in a setup that does not allow the malicious requests to pass through your network at all. An on-site network-layer mitigation appliance can only inspect packets after they have already arrived. Packets that turn out to be malicious need to be stopped in their tracks before they ever reach the appliance, because a flood of that size generates so much traffic that the network pipes cannot carry it.
Possibly the best solution for DDoS protection is a hybrid setup that detects and limits both network-layer attacks and application-layer DDoS attacks. A cloud-based component is the most effective answer to massive HTTP floods, which have proven to be a highly effective method for bringing down many companies and their servers in the past.
There is no easy way to fight off DDoS attacks. With cybercrooks conjuring up new and sophisticated DDoS attack methods, organizations need to work out what best protects their own infrastructure, including against increasingly sophisticated application-layer attacks. The opposition is busy, and our defense must be just as busy to ward off new DDoS attacks.