This article was sponsored by Incapsula. Thank you for supporting the partners who make SitePoint possible.
Unless you’ve taken the necessary steps to protect your websites, they’re highly vulnerable to DDoS attacks. You might think of a DDoS attack as the one that knocked out French news sites after the country’s election in May, or the attack in October 2016 when subscribers couldn’t reach the New York Times or Wired because attackers aimed a DDoS at their DNS provider. In those cases the target was hit with so many requests from bots around the globe that it couldn’t serve legitimate ones. That, in a nutshell, is a DDoS attack: flooding a service with so many requests that it grinds to a halt.
But today DDoS attacks come in many flavors. They have evolved from simply flooding firewalls or DNS servers with noise to targeting an enterprise’s infrastructure and web applications directly. The attack traffic no longer looks like a flood at the perimeter; it looks like ordinary use of your own application, and it exhausts resources inside your application stack.
A Surge in Application DDoS Attacks
Unlike network layer DDoS attacks like the one on the New York Times, application layer DDoS attacks typically need far less traffic to do their damage. An application layer campaign repeatedly makes calls to applications such as websites, web apps, servers and plugins, slowing or stopping them altogether by exhausting the resources of the server they run on.
Internet facing web applications are vulnerable to a myriad of attacks such as cross-site scripting (XSS) and SQL injection. An application attack also differs from a perimeter, or Layer 3, attack in that the attacker uses targeted requests that tie up the server’s resources to take the application down.
On the whole, DDoS attacks are on the rise, and the kind that hit the French newspapers is not where the surge is coming from. The largest increase in DDoS attacks is hitting servers that host web applications.
For example, for four quarters in a row, Incapsula recorded a decrease in the number of network layer assaults, which it says fell to 269 per week compared to 568 in the second quarter of 2015. In contrast, it saw yet another spike in the number of application layer assaults, which reached an all-time high of 1,099 per week.
Security experts predict that Internet facing enterprises will experience DDoS attacks more than once a year. “It’s not a question of if, but rather when you will be attacked,” Tim Matthews, Imperva’s vice president of marketing told Dark Reading.
The reason for the surge in DDoS attacks on applications is twofold.
First, the number of applications is on the rise. In 2016, half of the organizations surveyed said they planned to release and maintain custom applications.
The other reason is the abundance of resources available to hackers, and to wannabe hackers. Not long ago it was quite difficult to build a force of bots to attack a given target. Now, for little or no money, anyone can acquire attack software on the dark web, or for as little as $5 hire someone to run the attack for them. In 2015, a high school student paid for a DDoS attack on his school.
Any DDoS attack costs the business its reputation and eventually its customers, because the customer doesn’t care what kind of DDoS was used, network layer or application layer; they only know they cannot complete a transaction. For example, a DDoS attack on an application brought down an undisclosed U.S. college in February. The attack created a network outage of more than two days, preventing students, parents and staff from logging in. The school was effectively shut down for that time.
In the case of a school, the monetary loss is difficult to quantify, but for a business that sells widgets, it gets expensive very fast. In terms of dollars, a single hour of downtime can cost a business as much as $20,000. And that doesn’t factor in the soft costs attributed to the loss of reputation and future sales. After all, users might wonder how well the business is protecting client data when it can’t even protect itself.
DevOps Needs a Secure Environment for Their Apps
Put together the spike in DDoS attacks on applications, the low cost and ease of mounting one, and the results of a business impact analysis, and it’s clear that developers need to prepare for an attack.
But like much of IT, DevOps teams have viewed security as an obstacle to delivery targets. According to Gartner, information security policies and teams create a perception that they prevent developers from delivering value. What’s worse, most developers didn’t learn secure coding in school, and if they’re not coding with security in mind, their applications are left open to attack.
Gartner also reports that developers need to change their practice. It says, “Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers, and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering ‘DevSecOps.’”
So while developers are improving their skills and are reminded nearly every day that they need to build security into their code, there are a lot of apps in the wild right now that are ripe for attack. The fastest way to mitigate this exposure is to buy a service that provides a web application firewall (WAF). A WAF is an appliance, a cloud-based service, or a combination of both that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules, many other types of web attack can be identified and blocked. Deployment is a matter of routing traffic through the WAF before it reaches your application servers, and locking the application servers down so they accept traffic only from the WAF; otherwise an attacker who discovers the origin’s address can simply go around it.
How to Choose a DDoS Protection Service for Your Website
It’s time to go shopping for a web application firewall, but there are far too many options. Not all WAFs and support staff are the same. Some make big claims but struggle with complex attacks. Most are cloud based, and the better ones can be set up in just a few minutes.
Here is a set of questions that you should ask your WAF sales rep:
Does the DDoS Solution Use Crowdsourcing?
Crowdsourcing gives immediate protection to the entire customer base: an attack pattern seen against one customer becomes a rule for all of them. Pooling knowledge about the current threat landscape builds a database of threat information that can be aggregated across the community with big data analytics.
What is Their Market Share?
Biggest isn’t always best, but size matters when crowdsourcing is part of the value. A small customer base won’t contribute much to reducing the risk of attacks.
Is the Web Application Firewall certified by the PCI SSC?
The Payment Card Industry (PCI) Security Standards Council is a vendor-agnostic body that certifies vendors that demonstrate compliance with the twelve requirements of its PCI Data Security Standard (PCI DSS). Requirement 6.6 is the one that matters here: it calls for public-facing web applications to be protected either by regular application vulnerability assessments or by an automated technical solution that detects and prevents web-based attacks, which in practice means a WAF.
Is the DDoS on Prem Only?
While dedicated DDoS security appliances can stop application DDoS attacks, they cannot handle massive volumetric attacks, those that top 200 Gbps and exceed the customer’s Internet bandwidth. To eliminate downtime, organizations must block volumetric attacks before they reach the network, which means upstream, in the provider’s cloud. While an on prem box may be useful in some cases, see whether the provider has a cloud solution to complement it.
Does Your WAF perform Behavioral Anomaly Detection?
Anomaly detection is the science of finding items and events that do not conform to an expected pattern or to the other items in a dataset. In this case it looks for behavioral patterns that don’t appear to be human: for example, a client that requests only the site’s most expensive pages, at a fixed machine-like cadence, and never loads the images and scripts a browser would.
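The two mechanisms this article relies on, signature rules applied to each HTTP request (the XSS and SQL injection rules mentioned above under web application firewalls) and a behavioral check that flags request patterns no human would produce, can be shown together in a few lines. The following Python is an added example written for this article, not Incapsula’s product or any real WAF; the request log, the endpoint cost table, the thresholds and the client addresses are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Signature rules of the kind a WAF applies to each HTTP request. The patterns
# are deliberately narrow: a broad rule such as r"\bon\w+=" would also match a
# harmless query parameter like ?on_sale=1, and false positives are one reason
# a WAF can never be "set and forget".
SIGNATURE_RULES = [
    ("sqli-union", re.compile(r"(?i)\bunion\b.+\bselect\b")),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon(?:load|error|click|mouseover)\s*=")),
]

# Constructed cost model (an assumption for this example): how much server work
# one request to a path causes. A search or report endpoint costs far more than
# a static asset, which is exactly what an application-layer DDoS exploits.
ENDPOINT_COST = {"/search": 10, "/api/report": 25}
DEFAULT_COST = 1


def match_signatures(url):
    """Return the names of signature rules that match the URL-decoded request."""
    decoded = unquote_plus(url)
    return [name for name, rx in SIGNATURE_RULES if rx.search(decoded)]


class ClientBudget:
    """Sliding-window budget of request cost per client IP.

    Rather than counting raw requests, each request is weighted by the cost of
    the endpoint it hits, so a client that only ever calls expensive endpoints
    trips the limit long before a human browsing the same site would.
    """

    def __init__(self, window_seconds=10.0, max_cost=60):
        self.window = window_seconds
        self.max_cost = max_cost
        self.history = defaultdict(deque)   # ip -> deque of (timestamp, cost)
        self.spent = defaultdict(int)       # ip -> cost inside the window

    def record(self, ip, ts, cost):
        """Add one request and return the client's cost inside the window."""
        q = self.history[ip]
        q.append((ts, cost))
        self.spent[ip] += cost
        while q and q[0][0] <= ts - self.window:   # drop entries that aged out
            _, old_cost = q.popleft()
            self.spent[ip] -= old_cost
        return self.spent[ip]


def inspect(budget, ts, ip, url):
    """Decide one request: ('block', reason) or ('allow', None)."""
    hits = match_signatures(url)
    if hits:
        return "block", "signature:" + ",".join(hits)
    cost = ENDPOINT_COST.get(url.split("?", 1)[0], DEFAULT_COST)
    if budget.record(ip, ts, cost) > budget.max_cost:
        return "block", "budget-exceeded"
    return "allow", None


def run(requests):
    """Replay (timestamp, ip, url) tuples in time order through the filter."""
    budget = ClientBudget()
    decisions = []
    for ts, ip, url in sorted(requests):
        verdict, reason = inspect(budget, ts, ip, url)
        decisions.append((ip, url, verdict, reason))
    return decisions


def summarize(decisions):
    """Count blocked requests per client IP (IPs with no blocks are included)."""
    blocked = {}
    for ip, _url, verdict, _reason in decisions:
        blocked[ip] = blocked.get(ip, 0) + (verdict == "block")
    return blocked


# Constructed sample traffic (not a real log). Addresses are documentation ranges.
SAMPLE_REQUESTS = (
    # A human browsing: a page, a static asset, two searches over a few seconds.
    [(0.0, "203.0.113.5", "/"),
     (0.2, "203.0.113.5", "/static/app.js"),
     (3.0, "203.0.113.5", "/search?q=shoes"),
     (8.0, "203.0.113.5", "/search?q=boots")]
    # Injection attempts that a signature rule catches outright.
    + [(1.0, "198.51.100.9", "/login?user=admin'%20OR%20'1'%3D'1"),
       (2.0, "198.51.100.9", "/comment?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E")]
    # An application-layer DDoS bot: the expensive /search endpoint twice a
    # second with a varying term to defeat caching, and nothing else.
    + [(0.5 * i, "192.0.2.44", f"/search?q=term{i}") for i in range(20)]
)

if __name__ == "__main__":
    for ip, url, verdict, reason in run(SAMPLE_REQUESTS):
        if verdict == "block":
            print(f"BLOCK {ip:14} {url[:44]:44} {reason}")
    print(summarize(run(SAMPLE_REQUESTS)))
```

The human client spends 22 units of budget in the window and is never touched; the bot spends 10 per request and is cut off from its seventh request onward, while the injection attempts are stopped by the signature rules before they consume any budget at all. In a real deployment the cost table and thresholds would be derived from measured response times and a baseline of normal traffic, and a blocked client would typically be challenged (a CAPTCHA or JavaScript check) rather than dropped outright, since the budget heuristic can also catch an aggressive but legitimate crawler.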
Is Your WAF Set and Forget?
That’s a trick question. Given enough time and persistence, any attacker will find a way in. It takes people to recognize a shift in strategy and adjust accordingly. Artificial intelligence is good, but it’s better when backed by human intelligence.
Look for a provider that has all of the above. Incapsula, for example, has what the company calls a Five Ring Approach to application layer DDoS protection. In fact, Incapsula was the solution provider that helped the U.S. college mentioned above mitigate its attack quickly. Its engineers noticed that the attackers modified their attack once they saw the mitigation, and adjusted in turn to bring the attack under control while letting legitimate traffic through.
The business of DDoS attacks is booming. DDoS is used for extortion, ransom, revenge, vigilantism, or just for kicks. Site developers who choose not to protect themselves are sitting ducks for criminals with the tools and the desire. As Tim Matthews of Incapsula said, “It’s not a question of if, but rather when you will be attacked.”
Dino works for a multinational law firm as an information security engineer. He writes for Dice, and has written for Information Week and Dark Reading.