The most critical component in any DDoS mitigation strategy is naturally the detection of attacks. Without effective detection, the other countermeasures cannot kick in. Current methods of detection can be categorized as follows:
Rate-/flow-based detection is especially effective for detecting volumetric attacks. By reading TCP/IP traces for source IP, destination IP, TCP flags, HTTP requests and other data, most volumetric attacks can be detected.
However, today’s botnets are usually massive, globally distributed and highly robust—an attacker can launch a low-bandwidth attack, where hundreds of thousands of bots send a small amount of traffic, allowing the attack to fly under the radar. For example, if each bot sends 10 kbps, a rate-/flow-based detection mechanism may never be triggered.
Protocol-based detection identifies signatures in a layer 7 attack and drops traffic that fits known anomalies in the network protocols. In the case of the Apache Killer, the length of the HTTP field is usually abnormal, so the attack traffic can be dropped easily once the protocol pattern is detected.
However, today’s clever attackers can mimic normal traffic so closely that the attack traffic is difficult to distinguish from legitimate traffic, effectively nullifying this line of defense. Even if the attack is detected, being unable to separate attack traffic from normal traffic means that normal traffic will have to be dropped as well.
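To make the two detection methods above concrete, here is an added example (not code from the original article) that runs a per-source rate check and an HTTP header-field length check over constructed flow records and requests. The thresholds, the 10 s window and the sample addresses are assumptions; the 10 kbps-per-bot figure is the one the article uses, and the example also reports the aggregate rate that a per-source check never sees.

```python
from collections import defaultdict

# Illustrative thresholds; these are assumptions for this example, not figures from the article.
WINDOW_SECONDS = 10.0        # observation window the flow records below cover
PER_SOURCE_KBPS = 1_000.0    # a single source above this rate is flagged as volumetric
MAX_FIELD_LEN = 1_024        # an HTTP header field value longer than this is a protocol anomaly


def source_rates_kbps(flows):
    """Fold flow records (src_ip, bytes_sent) into a per-source rate in kbps."""
    bytes_by_src = defaultdict(int)
    for src, nbytes in flows:
        bytes_by_src[src] += nbytes
    return {src: b * 8 / 1000 / WINDOW_SECONDS for src, b in bytes_by_src.items()}


def rate_based_detect(flows):
    """Rate-/flow-based detection: sources whose own rate exceeds PER_SOURCE_KBPS."""
    return sorted(src for src, kbps in source_rates_kbps(flows).items() if kbps > PER_SOURCE_KBPS)


def aggregate_rate_kbps(flows):
    """Combined view: total inbound rate across all sources, which a per-source check never sees."""
    return sum(nbytes for _, nbytes in flows) * 8 / 1000 / WINDOW_SECONDS


def protocol_based_detect(requests):
    """Protocol-based detection: indices of requests with an abnormally long header field value."""
    return [i for i, req in enumerate(requests)
            if any(len(value) > MAX_FIELD_LEN for value in req.values())]


# Constructed sample data (not captured traffic).
# One source sending 50 MB in the window, i.e. 40 Mbps: a classic volumetric sender.
VOLUMETRIC = [("203.0.113.7", 50_000_000)]
# 100,000 bots each sending 12,500 bytes in the window, i.e. 10 kbps apiece,
# every one of them below PER_SOURCE_KBPS although together they add up to 1 Gbps.
LOW_BANDWIDTH = [(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 12_500)
                 for i in range(100_000)]
# Two HTTP requests as header-field dicts: one ordinary, one with an oversized field value.
REQUESTS = [
    {"Host": "www.example.com", "User-Agent": "Mozilla/5.0"},
    {"Host": "www.example.com", "X-Padding": "A" * 5_000},
]

if __name__ == "__main__":
    print("volumetric sources:", rate_based_detect(VOLUMETRIC))                # ['203.0.113.7']
    print("low-bandwidth sources flagged:", rate_based_detect(LOW_BANDWIDTH))  # []
    print("low-bandwidth aggregate kbps:", aggregate_rate_kbps(LOW_BANDWIDTH)) # 1000000.0
    print("anomalous requests:", protocol_based_detect(REQUESTS))              # [1]
```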
As I’ve explained above, a good number of DDoS attacks today are sophisticated ones that exploit protocol technicalities or even application-specific behaviors. Attackers are getting cleverer by the day—they are already able to design attacks that bypass all the aforementioned detection methods.
In real-world scenarios, blanket detection is the most effective way to detect DDoS attacks. This means combining all the detection methods and using big data analysis to find patterns in traffic statistics and behavior, which makes it possible to detect potential Layer 7 attacks.
However, while big data analysis boosts the effectiveness of post-attack analysis and helps prevent future attacks, its true potential lies in real-time analysis. Unfortunately, real-time big data analysis is difficult because of the vast volume of traffic generated during a DDoS attack—it is hard to collect the data, analyze it, create the attack signature, and finally detect and mitigate the attack in such a short time. While it is possible, there are challenges to overcome before real-time big data analysis of DDoS attacks becomes viable.