Tuesday, December 24, 2024

Mitigating DDoS attacks in mobile networks

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

DDoS attacks achieve their effect by using multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices, including smart watches, home security systems and even refrigerators.

A DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.

How a DDoS attack works

DDoS attacks are carried out with networks of internet-connected machines.

These networks consist of computers and other devices (such as IoT devices) which have been infected with malware, allowing them to be controlled remotely by an attacker.

These individual devices are referred to as bots, and a group of bots is called a botnet. 

When a victim’s server or network is targeted by the botnet, each bot sends requests to the target’s IP address, potentially causing the server or network to become overwhelmed, resulting in a denial-of-service to normal traffic.

Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.

DDoS attacks have grown in sophistication and complexity, from initially targeting layers 3 and 4 to now also targeting layer 7.

How to identify a DDoS attack

The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. Others include:

• Suspicious amounts of traffic originating from a single IP address or IP range.

• A flood of traffic from users who share a single behavioral profile, such as device type, geolocation, or web browser version.

• An unexplained surge in requests to a single page or endpoint.

• Odd traffic patterns, such as spikes at odd hours of the day or patterns that appear to be unnatural (e.g. a spike every 10 minutes).

• Resource depletion. DDoS attacks can target specific server resources such as CPU or memory. Monitor resource utilization: if it is consistently high, this could signify an ongoing attack. Resource-hungry business processes such as ERP or advanced analytics/computing processes can take significant hits when CPU or memory are depleted.
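The first three symptoms in the list above can be checked mechanically over a web server's access log. The script below is an added example, not code from the original post: it parses combined-format log lines and flags a single source sending an unusual share of requests, one endpoint receiving most of the traffic, and one client profile (here the User-Agent) dominating the log. The log format, the thresholds and the sample traffic are all constructed for illustration.

```python
import re
from collections import Counter

# Combined access log format (assumed): ip ident user [time] "req" status size "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def build_sample_log():
    """Constructed traffic: four ordinary browser requests plus one source
    hammering /login from a scripted client (documentation addresses only)."""
    ts = "24/Dec/2024:10:00:01 +0000"
    normal = [
        f'198.51.100.10 - - [{ts}] "GET / HTTP/1.1" 200 512 "Mozilla/5.0 (Windows NT 10.0) Firefox/120"',
        f'198.51.100.11 - - [{ts}] "GET /products HTTP/1.1" 200 2048 "Mozilla/5.0 (Macintosh) Safari/605"',
        f'198.51.100.12 - - [{ts}] "GET /about HTTP/1.1" 200 700 "Mozilla/5.0 (X11; Linux) Chrome/120"',
        f'198.51.100.13 - - [{ts}] "POST /login HTTP/1.1" 302 0 "Mozilla/5.0 (Windows NT 10.0) Chrome/120"',
    ]
    flood = [f'203.0.113.7 - - [{ts}] "POST /login HTTP/1.1" 200 128 "curl/7.88"' for _ in range(40)]
    return normal + flood


def analyze(lines, per_ip_threshold=20, endpoint_share=0.6, profile_share=0.6):
    """Return the three symptoms found in the log window.

    per_ip_threshold: requests from one address that count as a single-source flood
    endpoint_share:   fraction of all requests to one path that counts as a surge
    profile_share:    fraction of all requests sharing one User-Agent that counts
                      as a single behavioral profile (assumed thresholds)
    """
    reqs = [r for r in (parse_line(l) for l in lines) if r]
    total = len(reqs)
    findings = {"total": total, "single_source": [], "endpoint_surge": None, "shared_profile": None}
    if total == 0:
        return findings

    by_ip = Counter(r["ip"] for r in reqs)
    findings["single_source"] = sorted(ip for ip, n in by_ip.items() if n >= per_ip_threshold)

    path, n = Counter(r["path"] for r in reqs).most_common(1)[0]
    if n / total >= endpoint_share:
        findings["endpoint_surge"] = (path, n)

    ua, n = Counter(r["ua"] for r in reqs).most_common(1)[0]
    if n / total >= profile_share:
        findings["shared_profile"] = (ua, n)
    return findings


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(f"{key}: {value}")
```

The single-source check only catches the simplest case; a botnet spreads its requests across many addresses, each of which may stay under the per-IP threshold. That is why the endpoint and profile checks matter: they look at the shape of the traffic rather than where it comes from, which is the same idea the post's "single behavioral profile" symptom describes. In production the window would be a sliding interval rather than a whole file, and the thresholds would be tuned against a baseline of normal traffic so that a product launch is not flagged as an attack.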

Common types of DDoS attacks

While nearly all DDoS attacks involve overwhelming a target device or network with traffic, attacks can be divided into three categories. An attacker may use one or more different attack vectors, or cycle attack vectors in response to countermeasures taken by the target.

Application layer attacks


These attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is computationally cheap to execute on the client side, but it can be expensive for the target server to respond to, as the server often loads multiple files and runs database queries in order to create a web page.

Layer 7 attacks are difficult to defend against, since it can be hard to differentiate malicious traffic from legitimate traffic.

Protocol attacks

Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by over-consuming server resources and/or the resources of network equipment like firewalls and load balancers.

Protocol attacks utilize weaknesses in layer 3 and layer 4 of the protocol stack to render the target inaccessible.


Volumetric attacks

This category of attacks attempts to create congestion by consuming all available bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using a form of amplification or another means of creating massive traffic, such as requests from a botnet.


Forecasting a possible DDoS attack

Best practices to help identify potential risks.

Historical data analysis

Analysis of attack patterns from previous attacks can help identify trends that suggest which industries or organizations are more likely to be targeted.

Monitoring and Anomaly Detection

Employing a network monitoring and anomaly detection system can help identify unusual traffic patterns or spikes that might indicate an ongoing or imminent DDoS attack.

Process for mitigating a DDoS attack.

Having discussed what a DDoS attack is, we now turn to the measures that have been put in place to detect, mitigate and prevent these attacks.

The key to mitigating a DDoS attack is differentiating between attack traffic and normal traffic.

For example, if a product release has a company’s website swamped with eager customers, cutting off all traffic is a mistake. If that company suddenly has a surge in traffic from known attackers, efforts to alleviate an attack are probably necessary.

The traffic can vary in design from un-spoofed single-source attacks to complex and adaptive multi-vector attacks.

A multi-vector DDoS attack uses multiple attack pathways in order to overwhelm a target in different ways, potentially distracting mitigation efforts on any one trajectory. 

In order to overcome a complex attempt at disruption, a layered solution will give the greatest benefit.

Blackhole routing

One solution available to virtually all network admins is to create a blackhole route and funnel traffic into that route. In its simplest form, when blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route, or blackhole, and dropped from the network.

If an Internet property is experiencing a DDoS attack, the property’s Internet service provider (ISP) may send all the site’s traffic into a blackhole as a defense. This is not an ideal solution, as it effectively gives the attacker their desired goal: it makes the network inaccessible.

Rate limiting

Limiting the number of requests a server will accept over a certain time window is also a way of mitigating denial-of-service attacks.

It alone will likely be insufficient to handle a complex DDoS attack effectively. Nevertheless, rate limiting is a useful component in an effective DDoS mitigation strategy.
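The usual way to implement "limiting the number of requests a server will accept over a certain time window" is a token bucket per client: each client earns tokens at a fixed rate up to a burst ceiling, and every request spends one. The code below is an added example, not from the original post; the rate and burst values, the client addresses and the simulated traffic are constructed. Time is kept in milliseconds and tokens in thousandths so the arithmetic is exact.

```python
class TokenBucket:
    """Integer token bucket: tokens are stored in thousandths to avoid float drift."""
    SCALE = 1000  # thousandths of a token

    def __init__(self, rate_per_sec, burst, now_ms):
        self.rate = rate_per_sec              # tokens added per second
        self.capacity = burst * self.SCALE    # maximum burst, in thousandths
        self.tokens = self.capacity           # a new client starts with a full bucket
        self.last_ms = now_ms

    def allow(self, now_ms):
        """Refill for the elapsed time, then spend one token if one is available."""
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        # elapsed milliseconds * tokens/second == thousandths of a token
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= self.SCALE:
            self.tokens -= self.SCALE
            return True
        return False


class PerClientLimiter:
    """One bucket per client key (here a source IP; any attribute could be used)."""

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.buckets = {}

    def allow(self, client, now_ms):
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.rate, self.burst, now_ms)
        return bucket.allow(now_ms)


def simulate(limiter, client, count, interval_ms, start_ms=0):
    """Send `count` requests from one client spaced `interval_ms` apart.
    Returns (allowed, denied)."""
    allowed = denied = 0
    for i in range(count):
        if limiter.allow(client, start_ms + i * interval_ms):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


def demo():
    """Constructed scenario: 5 requests/second sustained, bursts of 10 tolerated.
    A normal client sends one request per second; a flooder sends 100 in one second."""
    limiter = PerClientLimiter(rate_per_sec=5, burst=10)
    normal = simulate(limiter, "198.51.100.10", count=30, interval_ms=1000)
    flood = simulate(limiter, "203.0.113.7", count=100, interval_ms=10)
    return {"normal": normal, "flood": flood}


if __name__ == "__main__":
    print(demo())
```

With these numbers the normal client is never refused, while the flooder gets its initial burst of 10 plus the handful of tokens that refill during its one-second blast, and everything else is dropped. Two caveats follow from the post's remark that rate limiting alone is insufficient: a botnet whose members each stay below the per-client rate passes through untouched, so the bucket key may need to be a coarser attribute than the source address, and the bucket table itself grows with the number of distinct clients, so idle buckets must be evicted or the limiter becomes the state-exhaustion target.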

Web application firewall

A Web Application Firewall (WAF) is a tool that can assist in mitigating a layer 7 DDoS attack. By putting a WAF between the Internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic.

By filtering requests based on a series of rules used to identify DDoS tools, layer 7 attacks can be impeded. One key value of an effective WAF is the ability to quickly implement custom rules in response to an attack.

Anycast network diffusion

This mitigation approach uses an Anycast network to scatter the attack traffic across a network of distributed servers to the point where the traffic is absorbed by the network. Like channeling a rushing river down separate smaller channels, this approach spreads the impact of the distributed attack traffic to the point where it becomes manageable, diffusing any disruptive capability.

IP Filtering

IP filtering blocks traffic from known malicious IP addresses or network ranges, identifying and stopping traffic from sources with a history of malicious activity.

Bot mitigation techniques

These techniques use challenges such as CAPTCHAs or device fingerprinting to distinguish legitimate users from bots.

This prevents automated bot attacks, maintaining service availability for real users.

Resource prioritisation

Resource prioritisation ensures critical resources remain available for legitimate users during a DDoS attack, allocating resources strategically to minimize disruption to essential functions.

Increase bandwidth

Ensuring the network has sufficient bandwidth to handle unexpected traffic spikes makes it harder for attackers to overwhelm its resources.
