Comprehensive, dynamic DDoS protection is critical for combating adaptive DDoS attacks. Credit: NETSCOUT The other night I rented a movie called “The Biggest Little Farm.” The movie depicted a couple who were new to farming but attempting to regenerate a farm that had fallen into disrepair. In the process, they continually ran into challenges regarding how to protect the crops and animals on the farm. Initially, they brought in goats to eat some of the overgrown vegetation, which in turn attracted the initial threat, which was coyotes, who were killing the goats and some of their chickens, so they put up a fence. Then birds of prey became a threat, so the farmers installed roofs on the cages. Then it was rabbits and gophers eating the vegetables, and so on. Each time they encountered a new challenge, the farmers had to adapt and build a new defense. In some cases, they didn’t know what was coming next or how to fight it, so they talked to neighbors to understand how they did it. I started thinking that although this was taking place on a farm, it was the typical approach to perimeter protection whether on a farm, a castle, a fort, or — in today’s world — your network.This movie was particularly thought-provoking to me as I began reading the current NETSCOUT DDoS Threat Intelligence Report in preparation for a project regarding today’s networks and how customers manage DDoS attacks. The report highlights that distributed denial-of-service (DDoS) attacks are again evolving. This year, reflection/amplification attacks, which have been the preferred attack vector over the past couple of years, took a back seat to TCP state exhaustion attacks. What this indicates is the bad actors are attempting to execute attacks that are increasingly difficult to detect because they mimic legitimate traffic and require defenders to have some level of expertise and technology to recognize them as attacks. Adaptive DDoS attacks on the riseThe threat report also reveals that one of the ways attackers are becoming more effective in the destruction of network availability is by using adaptive DDoS. In an adaptive DDoS attack, adversaries perform extensive pre-attack reconnaissance to identify specific elements of the service delivery chain to target — for example, state exhaustion attacks, which made up four of the top five attack vectors this year, target stateful devices that are an integral part of the security stack such as firewalls and VPN concentrators. These targets are attractive because the attacks against them can be smaller in size and designed to evade defenses meant for other threats. Think of the fence designed for the coyotes that won’t stop weasels because the openings are too big. These types of preparations are calculated to minimize the number of administrative boundaries; DDoS attack traffic must traverse, often resulting in fewer opportunities to detect and mitigate the attack. Figure 1 lists some of the characteristics of adaptive DDoS attacks. NETSCOUTNETSCOUFigure 1: Five characteristics of adaptive DDoS attacksBecause of these advances in attack methods, network operators must adapt their defenses to meet the new challenges. In our experience, and primarily due to the nature of ever-changing attacks, the required defense needs to be able to not only manage volumetric attacks but also identify the many attacks currently designed to elude known defense measures. And in most cases, this is not a situation where there is a one-size-fits-all solution. As in “The Biggest Little Farm,” the ever-changing threat landscape we are currently experiencing requires an agile defense model — in this case, one that works inside and outside the network and adapts to changing attack vectors and methods.Why you need a hybrid defense strategyThe best practice for protecting your network in today’s ever-changing DDoS attack landscape is a hybrid approach. Protection strategies of the past will suffice in some situations, such as in an attack designed to overwhelm your internet circuit before traffic arrives on your site. However, attacks specifically designed to evade those protections, such as TCP state exhaustion and application-layer attacks, are the basis for the new attack landscape. Furthermore, the ability to respond quickly to attacks that dodge the cloud solution and hit the network edge, or an internet-facing service is imperative, and having the agility to change defenses rapidly to adapt to subtle changes in adaptive DDoS onsite is crucial. NETSCOUTFigure 2: NETSCOUT Omnis AED provides hybrid DDoS defenseBy implementing adaptive DDoS defenses such as NETSCOUT’s Omnis Adaptive Edge Defense (AED) at all edges of their networks, network operators can overpower DDoS attack traffic as it enters the network edge — or before it ever unites into a large-scale attack. With edge-based attack detection combined with cloud-scrubbing capacity, automated bilayer communication, indicators of compromise (IoC) analysis, command-and-control (C2) communication blocking, and current actionable threat intelligence (think of the farmers talking to their neighbors), operators can tackle any DDoS attack before it can cause damage (see Figure 2).As the movie ended, the farmers were getting management of the constantly evolving threats nature could throw at them under control. The underlying reason for that control was because they began to understand the developing threats and were proactive in their actions to block them. This could be a valuable lesson in our approach to new methods behind DDoS attacks.For more information on hybrid, dynamic, comprehensive DDoS protection, download the white paper “An On-Premises Defense Is the Cornerstone for Multilayer DDoS Protection.” Related content brandpost Sponsored by Netscout How to Avoid Getting Crushed Under a Tidal Wave of Traffic Systems with resilience, scale, and a multilayered defense can stop multipurpose application-layer DDoS attacks. By NETSCOUT Mar 09, 2023 4 mins DDoS brandpost Sponsored by Netscout Is Your XDR Strategy Incomplete? Why you can’t have XDR without NDR. By NETSCOUT Mar 07, 2023 5 mins Security brandpost Sponsored by Netscout How 3 Tools Can Revitalize Your Security Strategy Focus on visibility to improve your security posture. By NETSCOUT Mar 07, 2023 4 mins Security brandpost Sponsored by Netscout Protecting the Edge Is More Important Than Ever NETSCOUT’s Omnis Arbor Edge Defense Earns Security Today’s 2022 CyberSecured Award By NETSCOUT Mar 07, 2023 2 mins DDoS PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe