Distributed Denial of Service (DDoS)) attacks are unfortunately more common than we’d like. This is why organizations need to actively protect against them and other threats as well. And while these types of attacks can be nasty and have a major impact on your systems, they are also relatively easy to detect.
In this post, we’ll have a look at ways you can protect your assets against DDoS attacks and review some products that can help you with that.
We’ll begin by describing what DDoS attacks are. As you’re about to discover, their principle of operation is as simple as their potential impact is high. We’ll also explore how these attacks are often categorized and how various types of attacks actually differ. Next, we’ll discuss how to protect against DDoS attacks. We’ll see how content delivery networks can keep attackers away from your servers and how load balancers can detect an attack and steer attackers away. But for those rare attacks that manage to actually reach your servers, you need some local protection. This is where security information and event management (SIEM) systems can help so our next order of business will be to review some of the very best SIEM systems we could find.
A Denial of Service (DoS) attack is a malicious attempt to affect the availability of a targeted system, such as a website or application, to its legitimate end-users. Typically, attackers generate large volumes of packets or requests ultimately overwhelming the target system. A Distributed Denial of Service (DDoS) attack is a specific type of DoS attack in which the attacker uses multiple compromised or controlled sources to generate the attack. DDoS attacks are often classified according to which layer of the OSI model they attack, with most attacks happening at the network layer (layer 3), the transport (layer 4), the presentation (layer 6), and the Application layer (layer 7).
Attacks at the lower layers (such as 3 and 4) are typically categorized as Infrastructure layer attacks. They are by far the most common type of DDoS attack and they include vectors such as SYN floods and other reflection attacks like UDP floods. These attacks are usually large in volume and aim to overload the capacity of the network or the application servers. The good thing (for as much as there’s anything good about being under attack) is that they are a type of attack that has clear signatures and they are easier to detect.
As for attacks at layers 6 and 7, they are often categorized as Application layer attacks. Although these attacks are less frequent, they also tend to be more sophisticated. These attacks are typically small in volume compared to the Infrastructure layer attacks, but they tend to focus on particular expensive parts of the application. Examples of these types of attacks include a flood of HTTP requests to a login page or an expensive search API, or even WordPress XML-RPC floods, which are also known as WordPress pingback attacks.
MUST READ: 7 Best Intrusion Prevention Systems (IPS)
Protecting Against DDoS Attacks
To effectively protect against a DDoS attack, time is of the essence. This is a real-time type of attack so it requires a real-time response. Or does it? In fact, one way to protect against DDoS attacks is to send attackers somewhere else that your servers.
One way this can be accomplished is by distributing your website through some type of content distribution network (CDN). Using a CDN, users of your website (both legitimate ones and potential attackers) never hit your web servers but those of the CDN, thereby protecting your servers and ensuring that any DDoS attack will only impact a relatively small subset of your clients.
Another way of preventing DDoS attacks from reaching your servers is through the use of load balancers. Load balancers are appliances that are typically used to steer incoming server connections to multiple servers. The main reason why they are used is to provide extra capacity. Let’s suppose that a single server can handle up to 500 connections per minute but your business has grown and you now have 700 connections per minute. You can add a second server with a load balancer and incoming connections will be automatically balanced between the two servers. But the more advanced load balancers also have security features that can, for instance, recognize the symptoms of a DDoS attack and send the request to a dummy server instead of potentially overloading your servers. While the efficiency of such technologies varies, they constitute a good first line of defense.
Security Information And Event Management To The Rescue
Security Information and Event Management (SIEM) systems are one of the best ways of protecting against DDoS attacks. They way they operate allows that to detect almost any kind of suspicious activity and their typical remediation processes can help stop attacks dead in their tracks. SIEM is often the last line of defense against DDoS attacks. They will trap any attack that actually makes it to your systems, those that have managed to bypass other means of protection.
The Main Elements Of SIEM
We’re about to explore in deeper detail each major component of a SIEM system. Not all SIEM systems include all these components and, even when they do, they could have different functionalities. However, they are the most basic components that one would typically find, in one form or another, in any SIEM system.
Log Collection And Management
Log collection and management is the main component of all SIEM systems. Without it, there is no SIEM. The SIEM system has to acquire log data from a variety of different sources. It can either pull it or different detection and protection systems can push it to the SIEM. Since each system has its own way of categorizing and recording data, it is up to the SIEM to normalize data and make it uniform, no matter what its source is.
After normalization, logged data will often be compared against known attack patterns in an attempt to recognize malicious behaviour as early as possible. Data will also often be compared to previously collected data to help build a baseline that will further enhance abnormal activity detection.
Once an event is detected, something must be done about it. This is what the event response module fo the SIEM system is all about. The event response can take different forms. In its most basic implementation, an alert message will be generated on the system’s console. Often email or SMS alerts can also be generated.
But the best SIEM systems go a step further and will often initiate some remedial process. Again, this is something that can take many forms. The best systems have a complete incident response workflow system that can be customized to provide exactly the response you want. And as one would expect, incident response does not have to be uniform and different events can trigger different processes. The best systems will give you complete control over the incident response workflow. Keep in mind that when seeking protection against real-time events such as DDoS attacks, event response is probably the most important feature.
Once you have the log collection and management system and the response systems in place, the next important module is the dashboard. After all, it will be your window into the status of your SIEM system and, by extension, the status of your network’s security. They are such an important component hat many tools offer multiple dashboards. Because different people have different priorities and interests, the perfect dashboard for a network administrator will be different from that of a security administrator, and an executive will need a completely different one as well.
While we can’t evaluate a SIEM system by the number of dashboards it has, you need to pick one that has the dashboard(s) you need. This is definitely something you’ll want to keep in mind as you evaluate vendors. Many of the best systems will let you adapt built-in dashboards or build customized dashboards to your liking.
The next important element of a SIEM system is reporting. You might not know it just yet—and they won’t help you prevent or stop DDoS attacks, but you will eventually need reports. The upper management will need them to see for themselves that their investment in a SIEM system is paying off. You might also need reports for conformity purposes. Complying with standards such as PCI DSS, HIPAA, or SOX can be eased when your SIEM system can generate conformity reports.
While reports may not be at the core of a SIEM system, they are still essential components. And often, reporting will be a major differentiating factor between competing systems. Reports are like candies, you can never have too many. And of course, the best systems will let you adapt existing reports or create custom ones.
The Top Tools For Protecting Against DDoS Attacks
Although there are various types of tools that can help protect against DDoS attacks, none provide the same level of direct protection as security information and event management tools. This is what all the tools on our list are actually SIEM tools. Any of the tools on our list will provide some degree of protection against many different types of threats, including DDoS. We’re listing the tools in order of our personal preference but, despite their order, all six are excellent systems that we can only recommend you try them for yourself and see how they fit your environment.
You may have heard of SolarWinds before. The name is known by most network administrators and with reason. The company’s flagship product, the Network Performance Monitor is one of the best network bandwidth monitoring tools available. But that’s not all, the company is also famous for its numerous free tools such as its Advanced Subnet Calculator or its SFTP server.
SolarWinds has tools for pretty much every network management task and that includes SIEM. Although the SolarWinds Security Event Manager (also called SEM) is best described as an entry-level SIEM system, it is likely one of the most competitive entry-level SIEM systems on the market. The SolarWinds SEM has everything you’s come to expect from a SIEM system. It has excellent log management and correlation features, a great dashboard and an impressive reporting engine.
- FREE TRIAL: SolarWinds Security Event Manager
- Official Download Link: https://www.solarwinds.com/security-event-manager/registration
The SolarWinds Security Event Manager will alert you to the most suspicious behaviours, allowing you to focus more of your time and resources on other critical projects. The tool has hundreds of built-in correlation rules to watch your network and piece together data from the various log sources to identify potential threats in real-time. And you don’t only get out-of-the-box correlation rules to help get you started, the normalization of log data allows for an endless combination of rules to be created. Furthermore, the platform has a built-in threat intelligence feed that works to identify behaviours originating from known bad actors.
The potential damage caused by a DDoS attack is often determined by how quickly you identify the threat and start addressing it. The SolarWinds Security Event Manager can hasten your response by automating them whenever certain correlation rules are triggered. Responses can include blocking IP addresses, changing privileges, disabling accounts, blocking USB devices, killing applications, and more. The tool’s advanced, real-time response system will actively react to every threat. And since it’s based on behaviour rather than signature, you’re protected against unknown or future threats. This feature alone makes it a great tool for DDoS protection.
The SolarWinds Security Event Manager is licensed by the number of nodes sending log and event information. In that context, a node is any device (server, network device, desktop, laptop, etc.) from which log and/or event data is collected. Pricing starts at $4 665 for 30 devices, including the first year of maintenance. Other licensing tiers are available for up to 2 500 devices. If you want to try the product before purchasing it, a free fully functional 30-day trial version is available for download.
2. RSA NetWitness
Since 2016, NetWitness has focused on products supporting “deep, real-time network situational awareness and agile network response”. The company’s history is a bit complex: After being acquired by EMC which then merged with Dell, the NetWitness business is now part of the RSA branch of Dell, which is great news as RSA enjoys a solid reputation in IT security.
RSA NetWitness is a great product for organizations seeking a complete network analytics solution. The tool incorporates information about your business which helps prioritize alerts. According to RSA, the system “collects data across more capture points, computing platforms, and threat intelligence sources than other SIEM solutions”. There’s also advanced threat detection which combines behavioural analysis, data science techniques, and threat intelligence. And finally, the advanced response system boasts orchestration and automation capabilities to help get rid of threats before they impact your business.
One of the main drawbacks of RSA NetWitness is that it’s not the easiest product to use and configure. There is, however, lots of comprehensive documentation available which can help you with setting up and using the product. This is another enterprise-grade product and you’ll need to contact RSA sales to get detailed pricing information.
3. ArcSight Enterprise Security Manager
ArcSight Enterprise Security Manager helps identify and prioritize security threats, organize and track incident response activities, and simplify audit and compliance activities. This is another product with a somewhat convoluted history. Formerly sold under the HP brand, it has now merged with Micro Focus, another HP subsidiary.
The ArcSight Enterprise Security Manager is another immensely popular SIEM tool that’s been around for more than fifteen years. The tool compiles log data from various sources and performs extensive data analysis, looking for signs of malicious activity. And to make it easy to identify threats quickly, the tool lets you view the analysis results in real-time.
Feature-wise, this product doesn’t leave much to be desired. It has powerful distributed real-time data correlation, workflow automation, security orchestration, and community-driven security content. The ArcSight Enterprise Security Manager also integrates with other ArcSight products such as the ArcSight Data Platform and Event Broker or ArcSight Investigate. This is yet another enterprise-grade product that, like pretty much all quality SIEM tools, will require that you contact the sales team to get detailed pricing information.
4. Splunk Enterprise Security
Splunk Enterprise Security—or Splunk ES, as it is often called—is possibly one of the most popular SIEM systems and it is particularly famous for its analytics capabilities. The tool monitors your system’s data in real-time, looking for vulnerabilities and signs of abnormal activity.
Security response is another of Splunk ES’ strong suits and that is important when dealing with DDoS attacks. The system uses what Splunk calls the Adaptive Response Framework (ARF) which integrates with equipment from more than 55 security vendors. The ARF performs automated response, speeding up manual tasks. This will let you quickly gain the upper hand. Add to that a simple and uncluttered user interface and you have a winning solution. Other interesting features include the Notables function which shows user-customizable alerts and the Asset Investigator for flagging malicious activities and preventing further problems.
Splunk ES is an enterprise-grade product and, as such, it comes with an enterprise-sized price tag. As it is often the case with enterprise-grade systems, you can’t get pricing information from Splunk’s web site. You’ll need to contact the sales department to get a quote. But in spite of its price, this is a great product and you might want to contact Splunk and take advantage of an available free trial.
5. McAfee Enterprise Security Manager
McAfee is another household name in the IT security field and it probably requires no introduction. It is, however, better known for its virus protection products. The McAfee Enterprise Security Manager is not just software. It is actually an appliance that you can get in either virtual or physical form.
In terms of its analytics capabilities, many consider the McAfee Enterprise Security Manager to be one of the best SIEM tools. The system collects logs across a wide range of devices. As for its normalization capabilities, it is also top-notch. The correlation engine easily compiles disparate data sources, making it easier to detect security events as they happen, an important feature when trying to protect against real-time events such as DDoS attacks.
There is, however, more to the McAfee solution than just its Enterprise Security Manager. To get a truly complete SIEM solution you also need the Enterprise Log Manager and Event Receiver. The good news is that all three products can be packaged in a single appliance, making the acquisition and setup processes somewhat easier. For those of you who may want to try the product before you buy it, a free trial is available.