Behavioral DDoS Attack Mitigation

In a recent post we explored the Myths about DDoS. Despite their infamy, many misconceptions surround the world of DDoS but now that you know the facts let’s go one step further. Typical internet security appliances come prepackaged with signatures and rules that help identify attacks as simple as they come. This works in many cases but does not make any distinction between the attack traffic and legitimate users who are just trying to view your website. There is also the ever looming threat of zero-day attacks that signature based approaches are often not prepared for. FortiDDoS uses 100% heuristic/behavior-based detection methods. Despite the “buzz-wordy” nature of behavior based mitigation, it is worth taking a closer look.

Let’s take a closer look at what behavioral based DDoS mitigation is all about:

1. Intent vs. Content

A distinction needs to be made; there is a difference between what an attacker wants to achieve through their DDoS attack and what they actually attack you with. Attackers want to be stealthy.

In order to keep a certain level of sleuth, attackers will try to hide themselves from the known signature based methods of detection. The behavior based approach is not as easily debunked.

For example, a large number of /index.html requests to your site might not seem strange to a set of predefined rules but if those requests have a volume that your servers have never seen, the behavioral approach could recognize that as a potential attack.

In a similar way, a slow build-up of TCP connections using an attack such as Slowloris is legitimate in terms of content, but it can only be discerned using behavioral techniques.

2. Hardcoded vs Custom

Another distinction worth mentioning is between custom and hardcoded rule sets. You can tell your DDoS appliance to stop all traffic that contains certain attributes, e.g. firewalls have a rule policy which allows or denies ICMP pings. A behavioral mitigation appliance allows you to limit the number of pings per second thus allowing pings only if they are below a certain rate. This kind of contextual information makes for more accurate attack mitigation.

Another type of hardcoded policy relates to rates themselves and is not behavioral. For example, a small credit union may have a typical flow of traffic at 10 Mbps for its online banking application. On the other side of that coin there is a large tier-1 bank that may have a typical flow of traffic at 10 Gbps. For the smaller credit union if the traffic suddenly grows to 110 Mbps, it can bring down servers while an increase of 100 Mbps on the tier-1 bank’s servers is nothing more than a blip. Having the ability to know what is an attack and what is just a blip (or not just a blip) is where behavioral mitigation really shines.

3. Coarse vs Granular

How can you tell if you are experiencing a DDoS attack and what kind? Is it just the total number packets or something more?

With application layer attacks being blended with network and transport layer attacks, granularity refers to being able to pin-point the attack’s dimensions. Is it the same user-agent in web access, or is it a specific URL, or just fragmented packets, or so on? The more granular your attack mitigation system is, the more is will be able to slice and dice the traffic into accurate dimensions, thereby avoiding false positives during an attack.

4. Fixed vs Adaptive

Internet traffic for a business is never static and neither should mitigation policies. Traffic to any Internet property has its daily, weekly, monthly and annual seasonality. Traffic also has intentional increases due to marketing activity etc. An adaptive system is able to have behavioral traffic thresholds which adjust over time so that any drastic change is quickly identified as an attack or not. The image above shows just how much difference the behavioral mitigation method is from the standard signature based method.