Time is Your Foe and Automation is Your Friend during DDoS Attacks

By Tim Murphy, Australian Country Manager at NETSCOUT Arbor

During a DDoS attack, time is your biggest enemy. Lost seconds can decide whether an attack is mitigated before it causes costly network downtime. Anything that shortens your Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) gives you a clear advantage.

The problem is amplified in today's cloud and enterprise environments, where greater dependence on internet connectivity and a wider range of security threats combine to overwhelm network and security operations teams. They are under increasing pressure to make critical, on-the-fly judgements about which threats are real and which mitigation measures to deploy, all while the clock is ticking.

Automation, therefore, becomes a high priority when selecting DDoS defences. An intelligent solution buys precious time by detecting attacks early and automatically deploying the appropriate countermeasures. But automation must block attack traffic without blocking legitimate traffic, and it must tell the operator what was blocked and why. In other words, to be effective it must lead operators to the right answer, provide context and supporting analytics and, most importantly, be human-guided rather than a 'black box'.

Intelligent DDoS mitigation automation works in three ways:

1. Built-in Countermeasures 

It is essential to have a variety of built-in automated countermeasures, each designed to detect and automatically engage against a specific type of attack, based on the intelligence you have about the current attack landscape. When an Arbor Availability Protection System (APS) detects an attack, such as a TCP SYN flood, traffic from blacklisted hosts or an excessive number of connection attempts from a single host, it automatically enables or disables the right countermeasures to mitigate that attack type and provides detailed analytics and reporting on the event.

If an attack is already in progress when the APS is first deployed, its countermeasures can still activate immediately because they do not depend on a learning period or a traffic baseline. Although these built-in countermeasures are designed to work effectively out of the box, many can also be custom-configured to trigger according to your own security policies and risk thresholds.

2. Threat Intelligence Feed

Without an intelligence feed giving you real-time visibility into threat activity across the internet, you cannot act on the threats that could affect your organisation. Beyond simply collecting and analysing data, you need to curate and operationalise that threat intelligence into threat policies and countermeasures. Your APS needs to detect traffic flows that match your active threat policies, block that traffic automatically, and indicate what it blocked and why in real-time reports.
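As an added illustration of how the countermeasures in point 1 and the threat-policy matching in point 2 fit together (example code written for this article, not NETSCOUT's APS code), the Python below runs three countermeasures over one window of constructed flow records: a blocklist from a hypothetical threat feed, a TCP SYN flood check (many bare SYNs, almost no completed handshakes) and a per-host connection-attempt limit. The thresholds, feed entries and addresses are assumptions sized for the sample. The point is that every block decision carries a countermeasure name and a reason an operator can read, and that clients which complete a handshake are never blocked, even on a flooded port.

```python
"""Toy on-premises countermeasure engine. Constructed example, not NETSCOUT code."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    ts: float      # seconds
    src: str       # client address
    dst: str       # protected server address
    dport: int
    flags: str     # client-to-server TCP flags: "S" = bare SYN, "A" = handshake completed


# Hypothetical threat policy: hosts listed by a (constructed) intelligence feed.
THREAT_FEED = {"203.0.113.7", "198.51.100.23"}

# User-tunable risk thresholds (assumed values, sized for the sample below).
SYN_FLOOD_MIN_SYNS = 50        # bare SYNs to one dst:port in the window
SYN_FLOOD_MAX_ACK_RATIO = 0.1  # completed handshakes / SYNs at or below this looks like a flood
PER_HOST_CONN_LIMIT = 20       # SYNs from one source to one dst:port in the window


@dataclass
class Verdict:
    blocked: set = field(default_factory=set)
    reasons: list = field(default_factory=list)   # (countermeasure, host, why) for the operator

    def block(self, countermeasure, host, why):
        self.blocked.add(host)
        self.reasons.append((countermeasure, host, why))

    def countermeasures(self):
        return {r[0] for r in self.reasons}


def evaluate(flows):
    """Run the three countermeasures over one window of flows; return what was blocked and why."""
    v = Verdict()
    syns = Counter()                 # (dst, dport) -> bare SYN count
    acks = Counter()                 # (dst, dport) -> completed handshakes
    syn_sources = defaultdict(set)   # (dst, dport) -> sources that sent bare SYNs
    completed = set()                # sources that finished at least one handshake
    attempts = Counter()             # (src, dst, dport) -> SYN count

    for f in flows:
        # Threat-policy match: block on the first packet and keep it out of the rate counters.
        if f.src in THREAT_FEED:
            v.block("threat_policy", f.src, f"listed in threat feed; flow to {f.dst}:{f.dport}")
            continue
        key = (f.dst, f.dport)
        if f.flags == "S":
            syns[key] += 1
            syn_sources[key].add(f.src)
            attempts[(f.src, f.dst, f.dport)] += 1
        elif f.flags == "A":
            acks[key] += 1
            completed.add(f.src)

    # TCP SYN flood: many SYNs, almost no completed handshakes. Sources that did complete
    # a handshake are left alone so legitimate clients of a flooded port keep working.
    for key, n in syns.items():
        if n >= SYN_FLOOD_MIN_SYNS and acks[key] / n <= SYN_FLOOD_MAX_ACK_RATIO:
            for src in sorted(syn_sources[key] - completed):
                v.block("tcp_syn_flood", src,
                        f"{n} SYNs vs {acks[key]} completed to {key[0]}:{key[1]}")

    # Too many connection attempts from a single host.
    for (src, dst, dport), n in attempts.items():
        if n > PER_HOST_CONN_LIMIT:
            v.block("per_host_rate", src, f"{n} connection attempts to {dst}:{dport}")
    return v


def sample_flows():
    """Constructed window: a 60-source SYN flood on :80, one host hammering :443,
    one feed-listed host, and three legitimate clients completing handshakes on :443."""
    flows = [Flow(0.01 * i, f"192.0.2.{i + 1}", "10.0.0.5", 80, "S") for i in range(60)]
    flows += [Flow(0.02 * i, "198.51.100.9", "10.0.0.5", 443, "S") for i in range(30)]
    flows.append(Flow(0.5, "203.0.113.7", "10.0.0.5", 443, "S"))
    for i, src in enumerate(["172.16.0.10", "172.16.0.11", "172.16.0.12"]):
        flows.append(Flow(0.1 * i, src, "10.0.0.5", 443, "S"))
        flows.append(Flow(0.1 * i + 0.01, src, "10.0.0.5", 443, "A"))
    return flows


if __name__ == "__main__":
    verdict = evaluate(sample_flows())
    for countermeasure, host, why in verdict.reasons:
        print(f"{countermeasure:15} blocked {host:15} {why}")
    print(f"{len(verdict.blocked)} hosts blocked by {sorted(verdict.countermeasures())}")
```

Run as a script it prints 62 block decisions (60 flood sources, one rate-limited host, one feed match) and leaves the three legitimate clients untouched. The per-port SYN/ACK ratio is the kind of signature that needs no baseline, which is why it can fire the moment the device is deployed; the numeric thresholds are the part an operator would tune to their own risk appetite.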

3. Cloud Signalling

Security experts increasingly recommend a layered, or hybrid, DDoS strategy that combines on-premises and cloud-based mitigation for maximum effectiveness. This gives organisations a scalable defence that adapts to different types and sizes of attack: the on-premises device can immediately detect and mitigate the majority of smaller-scale, 'low and slow' and state-exhaustion attacks that typically target firewalls, IPS systems and other stateful perimeter devices, whereas large-scale volumetric attacks that would saturate the inbound link are best mitigated upstream, at the service provider level in the cloud. Thwarting multi-layer attacks that combine both, however, requires the two defensive components to work in synchronisation.

Cloud Signalling is the mechanism by which the on-premises component (the APS) communicates in real time with the service provider's cloud defences to synchronise mitigation. If the attack volume seen on-premises escalates past a user-specified threshold, Cloud Signalling can automatically trigger the cloud mitigation countermeasures and share attack data, such as the IP addresses already being blocked. Security operators can also initiate Cloud Signalling manually when they see a growing threat that has not yet crossed the threshold. A hybrid deployment gives network and security teams the flexibility to configure and fine-tune these Cloud Signalling policies, for example the escalation threshold and what attack data is shared.
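The escalation behaviour described above, as an added example that is not NETSCOUT's Cloud Signalling protocol: a toy Python policy that requests upstream mitigation once attack volume stays above a user-set threshold for several consecutive samples, includes the currently blocked hosts in the message, releases the request after a quiet period, and lets an operator trigger it by hand. The message format, the `send` callback, the thresholds and the per-second volume samples are all assumptions made for this illustration.

```python
"""Toy threshold-driven escalation from on-premises to upstream (cloud) mitigation.
Constructed illustration of the idea behind Cloud Signalling, not NETSCOUT's protocol."""
import json
from dataclasses import dataclass


@dataclass
class EscalationPolicy:
    trigger_mbps: float   # user-set attack volume above which upstream help is requested
    sustain_samples: int  # consecutive samples over the trigger before signalling (no flapping on a spike)
    release_mbps: float   # volume below which on-premises can cope again (hysteresis)
    release_samples: int  # consecutive quiet samples before releasing upstream mitigation


class CloudSignaller:
    """Tracks attack-volume samples and emits request/release messages via a send() callback."""

    def __init__(self, policy, send):
        self.policy = policy
        self.send = send        # assumed transport: any callable taking a JSON string
        self.active = False     # is upstream mitigation currently requested?
        self._over = 0
        self._under = 0

    def _emit(self, kind, ts, mbps, blocked_hosts, trigger):
        msg = {"type": kind, "ts": ts, "attack_mbps": mbps,
               "blocked_hosts": sorted(blocked_hosts), "trigger": trigger}
        self.send(json.dumps(msg))
        return msg

    def observe(self, ts, attack_mbps, blocked_hosts):
        """Feed one measurement; returns the message sent, if any."""
        p = self.policy
        if not self.active:
            self._over = self._over + 1 if attack_mbps >= p.trigger_mbps else 0
            if self._over >= p.sustain_samples:
                self.active, self._over = True, 0
                return self._emit("mitigation_request", ts, attack_mbps, blocked_hosts, "auto")
        else:
            self._under = self._under + 1 if attack_mbps <= p.release_mbps else 0
            if self._under >= p.release_samples:
                self.active, self._under = False, 0
                return self._emit("mitigation_release", ts, attack_mbps, blocked_hosts, "auto")
        return None

    def request_manual(self, ts, attack_mbps, blocked_hosts, operator):
        """Operator-initiated escalation, e.g. on a growing threat still below the trigger."""
        if self.active:
            return None
        self.active, self._over = True, 0
        return self._emit("mitigation_request", ts, attack_mbps, blocked_hosts,
                          f"manual:{operator}")


# Constructed per-second attack volume (Mbps) seen by the on-premises device: one short
# spike at t=1 that should not escalate, then a sustained flood, then it subsides.
SAMPLES = [50, 900, 100, 950, 1200, 1400, 1500, 150, 120, 90, 80, 70]
BLOCKED = {"192.0.2.10", "192.0.2.11", "198.51.100.9"}   # hosts already blocked on-premises


def run_sample(policy=None):
    """Replay SAMPLES through a signaller and return the messages it sent, decoded."""
    policy = policy or EscalationPolicy(trigger_mbps=800, sustain_samples=3,
                                        release_mbps=200, release_samples=5)
    sent = []
    sig = CloudSignaller(policy, sent.append)
    for ts, mbps in enumerate(SAMPLES):
        sig.observe(ts, mbps, BLOCKED)
    return [json.loads(m) for m in sent]


if __name__ == "__main__":
    for m in run_sample():
        print(m)
```

With these assumed settings the single 900 Mbps spike at t=1 is ignored, the request goes out at t=5 after three consecutive samples over 800 Mbps, and the release follows at t=11 after five consecutive samples under 200 Mbps. The separate release threshold and sample counts are what keep the two layers from flapping against each other when volume hovers around the trigger.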

Tags: cloud security, DDoS attacks, DDoS mitigation, Netscout Arbor
