
How to Stop DDoS Attacks with Rate Limiting Technique


The rise of DDoS attacks is becoming increasingly worrying for businesses and organizations as they face threats from easily accessible and cheap attack tools found on the Dark Web. The number of victims in 2022 has been significant, from the Port of London Authority to Ukraine’s national postal service.

Security leaders are already taking measures to tackle DDoS attacks by monitoring network traffic patterns, implementing firewalls, and using content delivery networks (CDNs) to distribute traffic across multiple servers. However, these measures can also produce false positives: legitimate traffic that is not part of an attack but, if blocked, still causes service disruptions and brand damage.

Rate limiting is considered the best method for efficient DDoS mitigation. URL-specific rate limiting, in particular, can prevent 47% of DDoS attacks, according to Indusface’s State of Application Security Q4 2022 report. However, few engineering leaders know how to use it effectively. In this article, we will explore how to deploy rate limiting productively while avoiding false positives.

Setting Network Thresholds

The first step to implementing rate limiting as a DDoS mitigation tool is to understand the expected network traffic and vulnerabilities. Engineering leaders often struggle to implement rate limiters effectively because they don’t know what thresholds to set.

To gain insight, several questions need to be answered, such as how many users visit an application every minute, and how many report/dashboard actions or password-reset requests a page can handle. It is critical to know the traffic threshold for each URL within each application. Having granular details on IP, host, domain, and URI vulnerabilities also helps teams act more quickly to thwart DDoS attacks.

To reduce false alarms, it is vital to be aware of all potential applications targeted by DDoS attacks, not just customer-facing business websites. Numerous security teams have received alerts about attacks targeting their human resource management systems. Network monitoring tools, log files, and buffer capacity can help teams develop accurate baseline network traffic models and manage incoming and outgoing data flow.

Customize Rate Limits on Various Parameters

In-built DDoS scrubbers can help security leaders go beyond static rate limits and customize rules based on the behavior of inbound traffic received by host, IP, URL, and geography. However, there are several things to keep in mind when setting rate limits:

– Never apply rate limits at the domain level (e.g., acme.com). A single domain-wide threshold is a poor fit for every page at once: lowering it causes unnecessary blocking of legitimate requests, while keeping it high lets too many malicious requests pass through.

– Set rate limits on the URL (e.g., acme.com/login) to control which customers can access a particular URL or set of URLs. Cybersecurity teams can set rate limits differently for each URL, and a server may block requests if the limit is exceeded.

– Customize the rate of requests on a session level (the time logged in) to detect unusual behavior that may indicate malicious activity and thus prevent servers from being overwhelmed.

– Monitor rate limits at an IP level to limit the number of requests or connections from a particular IP address. IP blacklisting makes it easier for website owners to block traffic from IP addresses known to be involved in DDoS attacks.

– Implement geographical rate limiting. Security leaders need to quickly examine IP address reputations and geolocation data to verify the source of traffic.

By using these methods, application owners can set more granular rate limits based on user behavior. Combining DDoS mitigation mechanisms such as tarpitting and CAPTCHA before blocking requests keeps false positives as low as possible.
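As an added example (not code from the article or from Indusface), the following Python sketch implements the approach this section describes: a sliding-window limiter keyed by client IP and URL path rather than by domain, with a graduated allow/challenge/block verdict so that a tarpit or CAPTCHA can be tried before a hard block. The per-URL limits, window length and client IPs are constructed values.

```python
import time
from collections import defaultdict, deque

# Constructed per-URL limits (requests per client IP per window); not from the article.
# Sensitive, low-volume pages such as /login get tight limits; other pages use the default.
URL_LIMITS = {"/login": 5, "/reset-password": 3, "/reports": 20}
DEFAULT_LIMIT = 60
WINDOW_SECONDS = 60.0


class UrlRateLimiter:
    """Sliding-window limiter keyed by (client IP, URL path), never by bare domain.

    Verdicts are graduated so a tarpit or CAPTCHA can be tried before a hard block:
      "allow"     -> within the URL's per-IP limit
      "challenge" -> over the limit but at most 2x it
      "block"     -> sustained flooding of one URL from one IP
    """

    def __init__(self, limits=URL_LIMITS, default=DEFAULT_LIMIT, window=WINDOW_SECONDS):
        self.limits = limits
        self.default = default
        self.window = window
        self.hits = defaultdict(deque)  # (ip, path) -> request timestamps in the window

    def check(self, ip, path, now=None):
        now = time.monotonic() if now is None else now
        bucket = self.hits[(ip, path)]
        while bucket and now - bucket[0] >= self.window:  # age out old requests
            bucket.popleft()
        bucket.append(now)
        limit = self.limits.get(path, self.default)
        count = len(bucket)
        if count <= limit:
            return "allow"
        if count <= 2 * limit:
            return "challenge"
        return "block"


if __name__ == "__main__":
    # Constructed trace: one client hammers /login once a second while another browses /reports.
    limiter = UrlRateLimiter()
    trace = [("198.51.100.7", "/login", t) for t in range(12)]
    trace += [("203.0.113.9", "/reports", t) for t in range(12)]
    for ip, path, t in trace:
        print(f"t={t:2d} {ip:14} {path:9} -> {limiter.check(ip, path, t)}")
```

Because the key is (IP, path), the same client stays within limits on /reports while being challenged and then blocked on /login, which is the per-URL granularity the article recommends over domain-wide limits.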

Conclusion

Cybersecurity decision-makers must take a multi-layered approach to protection and have a clear understanding of network traffic patterns while using fully managed platforms to set rate limits for threat intelligence. DDoS attacks will continue to remain a problem for businesses and organizations around the world, and it’s essential to stay ahead of criminals’ evolving tactics and techniques to avoid disruptions and keep networks secure.
