As anyone who has ever taken in a guard dog that eats four pounds of food every day can attest, sometimes security measures can feel like more trouble than they’re worth.
Every website or business owner who has invested in encryption is probably nodding knowingly right now. When it comes to protecting users’ data, encryption is an absolute must. Unfortunately, it’s also becoming an absolute headache as DDoS attackers are taking aim at encrypted services and even hiding behind encryption themselves.
How DDoS Attacks Work & Some of Their Implications
Server struggles
Encryption is a process that obscures data exchanged between users and websites. Whether it’s usernames and passwords, credit card numbers, home addresses, or even just the answer to “what’s your favorite flavor of cupcake?”, the expectation is that anything a user inputs to a website is secure. Without encryption, attackers could position themselves between a user’s browser and a website as the so-called man in the middle and intercept sensitive information. With encryption, all an attacker will see is long strings of unintelligible characters.
Overall, encryption is obviously a beneficial and necessary thing. However, in order to secure connections through encryption, a website’s server needs to work much harder than it would for unencrypted connections.
An unencrypted connection essentially requires three steps, known as the TCP handshake: the browser sends a request, the server receives it and sends an acknowledgment, and the browser acknowledges the acknowledgment. Boom, connection. An encrypted connection adds an SSL handshake on top of those three steps: the browser and server agree on a method of encryption, go through a verification process, and generate the keys that will encrypt and then decrypt all data exchanged. Only after that heavy lifting is the connection made. This is where the problems with encryption begin.
Distributed denial of encrypted service
Distributed denial of service or DDoS attacks are attacks designed to render a website unavailable to its users by overwhelming the website’s server or network with more requests or traffic than it can handle. Many attacks that target the server are asymmetric, meaning it takes the victim server far more resources to deal with the attack than it takes the attackers to launch it. This is precisely the scenario DDoS attacks on encrypted servers put the victim SSL server in, because of the extra work the server has to do in order to encrypt communications.
DDoS attackers are taking advantage of already-stressed servers by targeting the SSL handshake protocol to tie up even more resources with illegitimate requests or by sending garbage data to the server. Attackers are also using distributed denial of service attacks to exploit SSL vulnerabilities by targeting SSL ports with protocol attacks, and aiming application layer attacks at the underlying service. Attackers even use volumetric attacks on servers using encryption, targeting ports with high volume floods of traffic.
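The handshake-flood pattern described above is visible to a defender without decrypting anything: a source that keeps starting SSL handshakes but almost never finishes them. The following is an added example, not code from the original post; the log format, event names and IP addresses are constructed for illustration.

```python
from collections import defaultdict
# Constructed sample log (not a real product's format): epoch seconds, source IP, event.
# 203.0.113.7 keeps opening TLS handshakes without completing any; the other two are normal clients.
SAMPLE_LOG = """\
1700000001 203.0.113.7 tls_client_hello
1700000001 198.51.100.5 tls_client_hello
1700000001 198.51.100.5 tls_handshake_done
1700000002 203.0.113.7 tls_client_hello
1700000002 203.0.113.7 tls_abort
1700000002 192.0.2.9 tls_client_hello
1700000003 192.0.2.9 tls_handshake_done
1700000003 203.0.113.7 tls_client_hello
1700000004 203.0.113.7 tls_client_hello
1700000004 198.51.100.5 tls_client_hello
1700000004 198.51.100.5 tls_handshake_done
1700000005 203.0.113.7 tls_client_hello
1700000006 203.0.113.7 tls_client_hello
"""

def parse_log(text):
    """Return (timestamp, src_ip, event) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            events.append((int(parts[0]), parts[1], parts[2]))
    return events

def handshake_stats(events, window_s=10):
    """Per source IP: ClientHellos sent and handshakes completed in the last window_s seconds."""
    if not events:
        return {}
    cutoff = max(ts for ts, _, _ in events) - window_s
    stats = defaultdict(lambda: {"hellos": 0, "completed": 0})
    for ts, ip, event in events:
        if ts < cutoff:
            continue  # outside the detection window
        if event == "tls_client_hello":
            stats[ip]["hellos"] += 1
        elif event == "tls_handshake_done":
            stats[ip]["completed"] += 1
    return dict(stats)

def flag_handshake_flood(events, min_hellos=5, max_completion=0.2, window_s=10):
    """Flag sources that start many handshakes but finish few: the asymmetric
    pattern of an SSL handshake flood, spotted without decrypting any traffic."""
    suspects = [ip for ip, s in handshake_stats(events, window_s).items()
                if s["hellos"] >= min_hellos
                and s["completed"] / s["hellos"] <= max_completion]
    return sorted(suspects)
```

The thresholds are starting points; tune `min_hellos` and `max_completion` against a baseline of your own legitimate traffic before acting on a flagged source.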
Further complications
For a while there, the solution to DDoS attacks was somewhat simple: get professional DDoS protection. Leading DDoS mitigation was a good solution for even high-value targets that require constant uptime or that are oft-targeted due to their competitive industries.
Things are a little more complicated now, and it’s because of, yes, encryption. Attackers are now encrypting attack traffic in order to hide it amongst legitimate encrypted traffic, making it harder for many security solutions to detect attack traffic quickly, since doing so requires decrypting it so that traffic analysis can scan for suspicious or malicious activity.
While encryption has undoubtedly saved untold millions of internet users from data theft, it’s also forcing an upgrade in DDoS protection. Always-on detection, a time to mitigation under ten seconds, processing power that can handle even the largest volumetric attacks, and granular traffic analysis that decrypts traffic and then re-encrypts the legitimate portion are quickly becoming necessities for websites and businesses that need to maintain uptime, protect their reputation, and protect their users. Upgrading your mitigation might be a hassle in the short term, just like throwing yet another steak bone on the floor for Brutus might be, but it’s well worth it in the end.
Do you own a website or blog with a decent amount of traffic that has been hit by a DDoS attack? Would you mind sharing your experience of how you keep DDoS attacks from destroying your business?