This article was sponsored by Incapsula. Thank you for supporting the partners who make SitePoint possible.
Unless you’ve taken the necessary steps to protect your websites, they’re highly vulnerable to DDoS attacks. Now you might think of a DDoS attack as the attack that knocked out French news sites after the country’s election in May. Or you may think of the attack in October 2016 when subscribers couldn’t access the New York Times or Wired because hackers used DDoS to attack the DNS provider. In those cases, the system was hit with so many requests from bots around the globe that they couldn’t handle legitimate requests. And that, in a nutshell, is a DDoS attack. It’s flooding the service with so many requests that the system grinds to a halt.
But today DDoS attacks come in many flavors. They have evolved from simply flooding the firewall or DNS servers with noise to targeting an enterprise’s infrastructure and web applications. Such an attack effectively hits you from inside your enterprise.
A Surge in Application DDoS Attacks
Unlike network layer DDoS attacks like the one on the New York Times, application layer DDoS attacks typically need far less traffic volume to do their damage. Application layer campaigns repeatedly make calls to applications, such as websites, web apps, servers and plugins, slowing or stopping the applications altogether by exhausting the resources of the server they run on.
Internet facing web applications are vulnerable to a myriad of attacks such as cross-site scripting (XSS) and SQL injection. An application attack also differs from a perimeter (Layer 3) attack because the attacker uses targeted requests to take an application down and tie up the server’s resources.
On the whole, DDoS attacks are on the rise, and the kind that hit the French newspapers is not where the surge is coming from. The largest increase in DDoS attacks is hitting servers that host web applications.
For example, for four quarters in a row, Incapsula recorded a decrease in the number of network layer assaults, which it says fell to 269 per week compared to 568 in the second quarter of 2015. In contrast, it saw yet another spike in the number of application layer assaults, which reached an all-time high of 1,099 per week.
Security experts predict that Internet facing enterprises will experience DDoS attacks more than once a year. “It’s not a question of if, but rather when you will be attacked,” Tim Matthews, Imperva’s vice president of marketing told Dark Reading.
The reason for the surge in DDoS attacks on applications is twofold.
First, the number of applications is on the rise. In 2016, half of the organizations surveyed indicated that they are looking at releasing and maintaining custom applications.
The other reason for the rise in DDoS attacks is due mainly to the abundance of resources available to hackers — and wannabe hackers. Not long ago it was quite difficult to build a force of bots to attack a given resource. Now, for little to no money, anyone could acquire the hacking software on the dark web, or for as little as $5 they can hire someone to do it for them. In 2015, a high school student paid for a DDoS attack on his school.
Any DDoS attack costs the business’ reputation and eventually customers, because the customer really doesn’t care what kind of DDoS was invoked, whether it was a network layer or application layer attack; they only know they cannot complete a transaction. For example, a DDoS attack on an application brought down an undisclosed U.S. college in February. The attack created a network outage for more than two days preventing students, parents and staff from logging in. The school was effectively shut down in that time.
In the case of a school, the monetary loss is difficult to quantify, but for a business that sells widgets, it gets expensive very fast. In terms of dollars, a single hour of downtime can cost a business as much as $20,000. And that doesn’t factor the soft costs attributed to the loss of reputation and future sales. After all, users might wonder how well the business is protecting client data when it can’t even protect itself.
DevOps Needs a Secure Environment for Their Apps
Taken together, the spike in DDoS attacks on applications, the low cost and ease of mounting an attack, and the results of any business impact analysis make it clear that developers need to prepare for an attack.
But like most of IT, DevOps has viewed security as an obstacle to delivery targets. According to Gartner, implementing information security policies and teams creates a perception that it prevents developers from delivering value. What’s worse, most developers didn’t learn secure coding in school, and if they’re not coding with security in mind, it leaves applications open to attacks.
Gartner also reports that developers need to change their practice. It says, “Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers, and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering ‘DevSecOps.’”
So while developers are improving their skills and are reminded nearly every day that they need to build security into their code, there are a lot of apps in the wild right now which are ripe for attack. The fastest way to mitigate this vulnerability is to buy a service that provides a web application firewall (WAF). It’s an appliance or cloud-based service or combination of both that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules, many types of web attacks can be identified and blocked. It’s a matter of routing traffic through the WAF before it hits your application servers.
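As an added illustration (not code from the original article, nor from Incapsula or any WAF product), here is the kind of rule a WAF or reverse proxy applies to spot the application layer pattern described above: a client repeatedly hammering resource-heavy endpoints within a short window. The log lines, the list of expensive paths and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache/nginx-style combined log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jul/2017:10:00:00 +0000] "GET /search?q=a HTTP/1.1" 200 5120
203.0.113.7 - - [03/Jul/2017:10:00:01 +0000] "GET /search?q=b HTTP/1.1" 200 5120
203.0.113.7 - - [03/Jul/2017:10:00:02 +0000] "GET /search?q=c HTTP/1.1" 200 5120
203.0.113.7 - - [03/Jul/2017:10:00:03 +0000] "GET /search?q=d HTTP/1.1" 200 5120
198.51.100.4 - - [03/Jul/2017:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.4 - - [03/Jul/2017:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.7 - - [03/Jul/2017:10:05:00 +0000] "GET /search?q=e HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Endpoints that cost the backend real work (search, reports, login): assumed list.
EXPENSIVE = ("/search", "/report", "/login")


def parse_line(line):
    """Return (ip, timestamp, path-without-query) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]


def flag_clients(log_text, window=timedelta(seconds=10), max_hits=3):
    """Return {ip: peak hits} for clients exceeding max_hits expensive requests in any window."""
    recent = defaultdict(list)   # ip -> timestamps of expensive requests inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if not path.startswith(EXPENSIVE):
            continue                   # cheap static content is ignored by this rule
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.pop(0)
        if len(q) > max_hits:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

With the constructed log, only 203.0.113.7 is flagged (four /search hits in four seconds); its later request five minutes on falls outside the window and does not add to the count.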
How to Choose a DDoS Protection Service for Your Website
It’s time to go shopping for a web application firewall, but there are far too many options. Not all WAFs and support staff are the same. Some make big claims but struggle with various attack complexities. Most are cloud based, and the better ones can be set up in just a few minutes.
Here is a set of questions that you should ask your WAF sales rep: