Imagine someone sitting in their parent’s basement, spending $10 to bring down your million dollar online business. Pretty shocking, right? Unfortunately, this scenario plays out regularly. According to Verizon’s Data Breach Investigations Report (2014), attackers can rent a botnet to mount distributed denial of service (DDoS) attacks for less than $10 an hour. And a study by Kaspersky Lab found that just one DDoS attack can cause losses ranging from $52,000 to $400,000.
DDoS attacks are launched using many, often hundreds of globally distributed devices to send a large volume of malicious traffic to a website. These attacks can overwhelm a website’s servers, exhaust the available network bandwidth and make the website inaccessible to legitimate users. DDoS attacks can also expose other vulnerabilities in your website and leave it open to unauthorized access or data breaches.
Verizon Digital Media Services’ content delivery network (CDN) has built-in protection against DDoS attacks targeted at Layer 3 (Network Layer) and Layer 4 (Transport Layer) of the OSI model. As a CDN we don’t just accelerate content delivery for our customers, we also handle DDoS attacks on their behalf. The extensive global network capacity and scale of our network allows it to absorb a lot of DDoS attacks that could easily overwhelm a website’s origin servers. Verizon’s network only serves HTTP/HTTPS, DNS and media streaming traffic; requests for all other kinds of traffic are blocked by default, reducing the entry points for DDoS attacks.
Additionally, our intelligent and real-time DDoS mitigation system continuously monitors network level traffic in each Verizon PoP. It can detect anomalies in traffic patterns that could indicate DDoS attacks. These anomalies may include unusual spikes in volume of SYN or UDP packets being received, or significant increases in network connections. The system blocks the DDoS attacks promptly, within an average of sixty seconds of detection, and alerts our 24 x 7 x 365 monitoring staff for further analysis or action.
Our HTTP Rate Limiting feature (currently in beta) helps stop DDoS attacks on the Layer 7 (Application Layer). These attacks are often mounted in the form of HTTP GET or POST floods. Rate Limiting allows you to define maximum acceptable rate of HTTP requests that individual clients can send to your website. This helps mitigate attacks mounted by distributed botnets. You can also define total rate of requests that your website can accept. If the rate limit is violated, the system takes automatic enforcement actions, such as to block or redirect HTTP requests, keeping the request rate under the limit.
DDoS attacks are easy to mount and can cause significant damage. Protect your website: Make sure to include DDoS attack mitigation in your website security plan.
Vikas Phonsa, Senior Product Manager – Security Solutions
For more posts in our security series please read: