How to Mitigate DDoS Attacks with Log Analytics


Thomas Hazel


Is your organization prepared to mitigate Distributed Denial of Service (DDoS) attacks against mission-critical cloud-based applications?

A DDoS attack is a cyber attack that uses bots to flood the targeted server or application with junk traffic, exhausting its resources and disrupting service for real human users. DDoS attacks are on the rise, with over 4.83 million attacks reported in the first half of 2020 – an increase of more than 250% compared to the same period in 2019. Data from Kaspersky Lab found that the average cost of responding to a DDoS attack was over $2 million for enterprises and $120,000 for SMBs.

Mitigating against DDoS attacks in cloud-based environments can be a challenge, but current technologies make it possible for organizations to efficiently monitor their entire networks, analyze security logs at scale, and rapidly detect and respond to DDoS attacks before they impact user experience.

In this week’s blog post, we’ll take a deeper look at the recent growth in DDoS attacks and the threat they could pose for your organization.

We’ll also explain why early detection is the key to effectively mitigating DDoS attacks, and how you can combat DDoS attacks with security log analysis powered by Chaos Search.

What is a DDoS Attack?

A DDoS attack is a cyber attack whose goal is to disrupt the availability of a host, network, server, application, or website by overwhelming it with a large volume of traffic from many sources. DDoS attacks are among the most potent tools utilized by cyber criminals, hacktivists, and other malicious actors to disrupt service availability and damage the operations of a target organization.

How Do DDoS Attacks Work?

A DDoS attack works by flooding a website, application, server, or network with junk traffic or excess data, exhausting its resources and creating slow-downs or service interruptions for human users.

DDoS attacks are often executed using botnets – global networks of Internet-connected, malware-infected devices controlled by hackers. Cyber criminals distribute malware or engage in security hacking to gain remote access and control of private computers and networks, then install bots that can be remotely controlled and configured to carry out cyber attacks at scale, including email spamming, identity theft, targeted intrusions, and DDoS attacks.

DDoS Attack Types

Source: Testbytes

Cyber criminals have discovered more than 20 distinct methodologies for launching DDoS attacks with the goal of overwhelming a target server or network. We won’t detail every single method here, but our readers should at least be aware of the three main types of DDoS attacks they’re likely to encounter: volume-based, protocol, and application layer attacks.

Volume-based attacks are the most common type of DDoS attack. A volume-based attack uses a globally distributed botnet to flood the target website or server with a high volume of requests. As more of these requests are received and answered, the website’s available bandwidth is exhausted and legitimate traffic is either interrupted or significantly slowed.

Protocol attacks are also known as TCP state-exhaustion attacks because they frequently target the stateful traffic inspection services of publicly-exposed devices, including servers, edge load balancers, firewalls, and intrusion detection or prevention systems.

Stateful devices use tables with limited memory to collect and store information about active connections, including IP addresses, ports, and time stamps. By transmitting slow or incomplete pings, or partial packets, to the target device, hackers can manipulate or break traffic inspection services, exhausting the available network resources and preventing real users from connecting to the network.

Application layer attacks try to disrupt specific features of a website or application by transmitting a high volume of HTTP requests, usually from multiple sources. These requests may strongly resemble genuine user traffic, making application layer attacks potentially more difficult to identify and mitigate.

5 DDoS Attack Risks

DDoS attacks are a substantial business risk, especially for organizations that lack the capabilities to detect and mitigate attacks on cloud-based infrastructure. Some of the major consequences include:

  1. Unplanned service downtime – A DDoS attack may result in unplanned service outages, creating an emergency situation for your IT security and operations teams.
  2. Loss of revenue – Unplanned service downtime often results in loss of revenue, especially for organizations that monetize through eCommerce or digital advertisement.
  3. Poor customer experience – A DDoS attack that negatively impacts service availability results in a poor customer experience.
  4. Security breaches – A successful DDoS attack that overwhelms resources on your network may expose security vulnerabilities, resulting in an escalated attack or data breach that becomes more time-consuming and costly to remedy.
  5. Damaged brand reputation – A highly-publicized DDoS attack could damage your brand’s reputation, especially if you fail to mitigate effectively while protecting consumer data.

Early Detection: The Key to Quickly Mitigating DDoS Attacks

Effective mitigation of DDoS attacks depends on the organization’s ability to detect suspicious network activity as it happens, identify the suspicious activity as a possible DDoS attack, and respond with appropriate countermeasures that preserve the functioning of applications and services.

Early detection is a critical success factor in mitigating a DDoS attack. As a result, organizations are increasingly reliant on security log analysis to support the rapid identification of DDoS attacks – particularly in cloud computing environments of growing complexity.

Security log analysis is a set of capabilities for capturing application and event data from across the network, then analyzing the data at scale to detect the warning signals of a DDoS attack before critical systems are disrupted.

Let’s take a closer look at how DevOps engineering and IT security teams can use log analysis to mitigate DDoS attacks.

DDoS Mitigation Methods

How to Mitigate DDoS Attacks with Security Log Analytics

Centralize & Aggregate Log Data

Early symptoms of a DDoS attack-in-progress can include your server returning a 503 “Service Unavailable” error or an unexpected spike in network traffic. Detecting these early warning signs and responding appropriately requires a high level of visibility into activity on the network.

To gain this visibility, IT organizations depend on software solutions with log aggregation capabilities.

Log aggregator software captures machine and event data from throughout cloud-based environments, then centralizes the data in a single platform that supports real-time analysis and the detection of anomalous traffic patterns.

Understand Typical Network Traffic Patterns

To achieve early detection of DDoS attacks, DevOps teams should develop a baseline understanding of traffic patterns on the network.

Engineers establish a baseline expectation for network performance by leveraging software-based tools that monitor network traffic, capturing data on network utilization, traffic components and sources, key server information, average packet length and packet sizes, plus more.

Engineers can also measure traffic patterns for a given application via the total number of DNS queries, DNS replies, HTTP requests received, or HTTP connections established on a per-hour basis.

The process of network baselining sets expectations for how websites, applications, and other components on the network behave during normal operation, allowing for the detection of anomalies that could indicate a DDoS attack.

Configure Monitoring, Alerts, and Automated Responses

Once an IT organization has implemented log aggregation and established a network baseline, the next step is to configure security monitoring, alerting, and automated responses to rapidly detect abnormal network activity.

Network security monitoring involves the detection of potential security threats through the analysis of centralized log files from across the IT environment. Alerting is a feature of virtually all cloud-based security tools that allows IT security teams to be rapidly notified of anomalous network events as they are detected.

IT organizations may also choose to configure automated responses to certain types of events, ensuring an immediate reaction to suspicious network activity. Automated responses can be programmed to instantly detect anomalous traffic, redirect malicious traffic to prevent service outages, escalate mitigation protocols according to a defined strategy, and more.
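As an added example of the aggregation, baselining and alerting steps described above (written for this post, not code from ChaosSearch or the original article): the script below parses constructed web-server access-log lines, aggregates requests per minute, and flags any minute whose request volume departs from a baseline period or whose share of 503 Service Unavailable responses is elevated. The log format, the sample addresses, the baseline window and the thresholds are all assumptions.

```python
import re
import statistics
from collections import defaultdict

# Combined Log Format prefix: client IP, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+')

def sample_log():
    """Constructed sample lines (not from the post): four quiet minutes, then a burst."""
    tmpl = '{ip} - - [01/Jul/2020:10:{m:02d}:{s:02d} +0000] "GET / HTTP/1.1" {st} 512'
    lines = [tmpl.format(ip="203.0.113.10", m=m, s=s * 10, st=200)
             for m in range(4) for s in range(3)]
    lines += [tmpl.format(ip=f"198.51.100.{i}", m=4, s=i % 60, st=503 if i % 2 else 200)
              for i in range(40)]
    return lines

def parse_line(line):
    """Return (ip, minute_key, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts")[:17], int(m.group("status"))  # truncate to the minute

def bucket_per_minute(lines):
    """Aggregate request count, 503 count and distinct client IPs per minute."""
    buckets = defaultdict(lambda: {"total": 0, "s503": 0, "ips": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole batch
        ip, minute, status = parsed
        buckets[minute]["total"] += 1
        buckets[minute]["ips"].add(ip)
        if status == 503:
            buckets[minute]["s503"] += 1
    return dict(buckets)

def detect_anomalies(buckets, baseline_minutes, z=3.0, err_ratio=0.2):
    """Flag minutes whose volume exceeds mean + z*stdev of the baseline minutes,
    or whose share of 503 Service Unavailable responses exceeds err_ratio."""
    counts = [buckets[m]["total"] for m in baseline_minutes if m in buckets]
    threshold = statistics.mean(counts) + z * max(statistics.pstdev(counts), 1.0)  # floor stdev for flat baselines
    alerts = []
    for minute in sorted(buckets):
        b = buckets[minute]
        ratio = b["s503"] / b["total"]
        if b["total"] > threshold or ratio > err_ratio:
            alerts.append((minute, b["total"], len(b["ips"]), round(ratio, 2)))
    return alerts
```

Each alert carries the minute, the request count, the number of distinct client IPs (a burst from many sources is a stronger DDoS signal than one from a single client) and the 503 ratio, which is the data an alerting rule or automated response would act on.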

Establish a DDoS Rapid Response Protocol

While automated responses can work to isolate and counteract a DDoS attack in the cloud, rapid intervention by IT security is necessary to assess the true nature of the attack and fully implement countermeasures to avoid network/application downtime and secure organizational data.

A rapid response protocol for DDoS attacks may allow IT SecOps to implement network modifications or traffic control to limit the scale of the attack. Other techniques like bandwidth prioritization, traffic-scrubbing, or sinkholing may also be implemented to avoid the negative impacts of a DDoS attack.

Once a DDoS attack has been effectively mitigated, security teams can verify that the network has returned to baseline before re-launching any suspended services and initiating a rollback of any mitigation measures that were implemented.

Use Logs to Discover and Eliminate Vulnerabilities

Beyond enabling early threat detection, security log analysis allows IT security teams to identify systems that were impacted by the DDoS attack, isolate possible attack vectors, and eliminate any security vulnerabilities that may have been exploited during the attack.

Centralized logging is critical to detection, mitigation, and effective post-mortem analysis of the organization’s response to a DDoS attack, as well as underpinning a needs analysis for additional safeguards, countermeasures, or updates to the overall DDoS response strategy.

Rapidly Detect DDoS Attacks with ChaosSearch

The ChaosSearch data platform is changing how organizations harness the power of centralized logging to create a security data lake to fight DDoS attacks in the cloud and more, and there’s no better example than a recent case study with HubSpot.

Prior to adopting ChaosSearch, HubSpot relied on the Cloudflare Content Delivery Network (CDN) for DDoS defense and ran its own ELK cluster to analyze Cloudflare log data for over 78,000 customers.

As the company grew its operations, IT leaders at HubSpot were continuously challenged to keep the ELK stack working, even while ingesting more than 10 TB of data each day. This left HubSpot with a difficult choice: continuously allocate more compute resources to the ELK stack at significant cost, or keep shortening data retention cycles, a process which negatively impacts data utility.

Eventually, HubSpot dropped its ELK cluster entirely.

With ChaosSearch, HubSpot can aggregate its security logs from Cloudflare and other sources directly into Amazon S3 buckets, creating a security data lake, while benefiting from the cost-effective scalability of data storage.

Analyzing security log data directly in S3, HubSpot reduced overall time-to-insights and lowered costly data egress fees. Using ChaosSearch’s proprietary system for highly-compressed data formatting, HubSpot can utilize more of its security log data without having to shorten data retention cycles.

DDoS attacks come in a variety of forms and can result in unplanned downtime, lost revenue, and security incidents that damage your brand and negatively impact customer experiences.

The key to effectively mitigating DDoS attacks is early identification, facilitated by log analytics software solutions with features like network security monitoring, customizable alerts, and advanced threat detection. These capabilities accelerate the process of detecting and responding to DDoS attacks in the cloud.

When IT SecOps teams can rapidly detect anomalous network activity, they can utilize automated responses and follow rapid response protocols to prevent service interruptions, defuse the incoming DDoS attack, and secure the cloud environment.