Why Automation and AI are Critical in DDoS Mitigation

  • Katrin Graewe
  • April 28, 2020


Why Automation and AI are Critical in DDoS Mitigation

In recent years, the volume and severity of Distributed Denial of Service (DDoS) attacks have risen exponentially. The potential business consequences of a successful attack are huge — even existential. And many organizations are simply unprepared to cope with modern DDoS attacks.

By harnessing modern technologies such as Artificial Intelligence and Machine Learning, it’s possible to protect digital assets from even the most deadly DDoS attacks with zero impact on legitimate users. In this article, we’ll explore the risk posed by sophisticated DDoS attacks, and explain how organizations can fight back against this advanced threat.

Clearing Up DDoS Misconceptions

First up, let’s clear up a few misconceptions.

Misconception #1: All DDoS attacks are flooding attacks.

It’s true that flooding attacks are the most common problem. However, a DDoS attack is any attack from distributed resources that prevents legitimate users from accessing a resource. Depending on the DDoS technique used, an attack can be successful even with a relatively small throughput.

Misconception #2 DDoS attacks only target websites.

Notice that we used the word ‘resource’ above. DDoS attacks don’t just target websites — they can also target email servers, databases, phone systems, and any other network-connected endpoint.

Misconception #3: Attacks are designed to disrupt.

Threat actors of all types use DDoS attacks from time to time purely to cause damage and disruption. However, that’s not the only motivation. Many DDoS attacks are actually profit-motivated. Criminals conduct a temporary DDoS attack against an organization to show they can disable a targeted asset. Then, they threaten to unleash a more devastating attack unless a ransom is paid.

What’s the Big Deal with DDoS Attacks?

In the last three years, the number of attacks observed annually has grown drastically. Meanwhile, the average bandwidth of flooding attacks has grown 600% from 1 Gbps in 2016 to 5 Gbps in 2019.

Last year, the largest individual attacks within the Link11 network reached over 700 Gbps.

Modern organizations are increasingly dependent on their digital infrastructure, and disruption of critical assets can be devastating. The consequences of a DDoS attack can include:

  • Direct financial loss. Attacks can cost millions of dollars in terms of damage and remediation.
  • Damage to reputation. This is hard to quantify but is potentially disastrous.
  • Lost productivity. The opportunity cost of remediating a DDoS attack is often significant.
  • Data theft. DDoS attacks are sometimes used to distract security resources while data is stolen.
  • Regulatory scrutiny. Some regulatory frameworks require certain levels of data availability, so an attack could lead to non-compliance.

For organizations that rely on the permanent availability of their IT systems, DDoS attacks can even prove to be an existential threat.

Why Traditional Defenses Aren’t Enough

Traditionally, firewalls and hardware-based Intrusion Detection Systems (IDS) have been the main defenses against DDoS attacks. However, against modern, sophisticated attacks, these tools aren’t enough.

Firewalls and IDS devices use a set of rules to determine which outside connections to allow, and which to block. Conventional firewalls are easily overloaded by flooding attacks, which create a sudden, exponential (10,000X or more) increase in requests. Checking each request for violations would consume far more resources than these solutions have available, so they fail.

IDS devices, on the other hand, are designed to monitor data traffic. When an unusual spike in activity occurs, the device limits or blocks traffic deemed to be malicious. However, there are two major problems with relying on an IDS device for DDoS mitigation:

1. Configuration and maintenance of IDS devices is a specialized field, and most organizations don’t have those skills in-house.

2. IDS devices are only effective when attacks are aimed at the application level (e.g., web servers) or IT infrastructure (e.g., routers and firewalls). When an attack reaches a volume so high that it exceeds an organization’s Internet bandwidth, all internal safeguards are rendered useless.

And there’s one more reason why traditional security defenses aren’t enough to cope with modern DDoS attacks: detection is far from easy.

Not all DDoS attacks have obvious ‘tells’ to make them easy to detect. Since traditional security solutions are often unable to detect DDoS attack patterns, they are almost useless for DDoS mitigation.


Watch the webinar recordings from NimbusDDoS and Link11 to learn how to avoid the most common DDoS incident response mistakes.

Watch the webinar now

Intelligent DDoS Attacks

Artificial Intelligence (AI), Machine Learning (ML), and the Internet of Things (IoT) are all being used to increase the destructive power of DDoS attacks

The IoT consists of billions of devices worldwide — from CCTV cameras to smart fridges — that share two characteristics:

1. They all have Internet connections.

2. Most are highly insecure.

This makes them easy prey to be enlisted into botnets. If you follow the media, you’re likely aware that IoT botnets have been used to conduct flooding attacks on an unprecedented scale. The Mirai botnet was estimated to include as many as 2.5 million unique devices — enough to flood any asset on the planet.

Meanwhile, AI and ML are being used to design more intelligent DDoS attacks. Using self-learning algorithms, these automated attacks analyze the behavior of a target system, ‘guess’ which security solutions are in use, and choose methods of attack accordingly.

Simply, the threat posed by ‘intelligent’ DDoS attacks goes far beyond anything we’ve seen in the past.

Smart Attacks Require Smart Security

On-premise solutions fail to stop modern attacks because by the time an attack reaches an organization’s IT systems, it’s too late. On the other hand, cloud-based solutions can filter, analyze, and even block traffic before it reaches an organization’s IT systems.

For this reason, comprehensive mitigation of DDoS attacks is only possible with cloud-based solutions.

Take Link11’s Cloud Security Platform as an example. The platform takes a three-step approach to identify and mitigate DDoS attacks:

Step #1: Fingerprinting

Incoming traffic is analyzed, and a unique ‘fingerprint’ is assigned to each client. Each fingerprint is made up of hundreds of unique properties and is far more nuanced than an IP address. This ensures legitimate users are able to access assets at all times while blocking fingerprints that include known attack patterns.

Step #2: AI Analysis

Blocking known attacks isn’t enough. The platform’s self-learning AI module analyzes traffic for malicious activity and is even able to identify AI-driven attacks.

The module also actively disrupts attacks by sending false information to attackers. For example, signalling to attackers that an asset has been ‘taken down’, when in fact it remains accessible for legitimate users.

Step #3: Cross-Checking Traffic Using Threat Intelligence

Finally, the platform cross-checks all traffic against real-time threat intelligence to see whether it matches known malicious activity. This enables the platform to block malicious activity while accepting legitimate requests.

Critically, each time the platform identifies a new threat, the attack sequence is stored in a database for future reference. If the same attack sequence is detected again, it’s blocked instantly.

Manual vs. Automated DDoS Mitigation

Historically, DDoS mitigation services relied on human intervention — either by in-house security personnel or a security service provider.

A typical manual workflow looks like this:

1. Event detection, e.g., through an email to SOC.

2. SOC initiates incident response.

3. SOC validation completed and mitigation enabled.

On average, this process takes around 35 mins from end-to-end. The top 5% of security teams could complete it in 20 minutes, while the bottom 5% took over 100 minutes.

And that’s just to reach the point of validation. Manual mitigation can take around 15 minutes to complete, and often requires several iterations to avoid blocking legitimate traffic. It’s also open to human error.

Now, compare that to an automated workflow:

1. Event detected automatically.

2. Mitigation solution activated.

3. Retro-active attack validation.

For an industry-leading DDoS mitigation solution like Link11’s Cloud Security Platform, the entire process from detection to full mitigation is completed in seconds — even for unknown threats.

Protect Your Assets from DDoS Attacks

To protect your organization from DDoS attacks, you need a solution that incorporates AI and automation.

Link11’s Cloud Security Platform uses proprietary AI and ML algorithms to identify even brand-new threats in real-time, with zero human intervention.

As a result, your organization gets:

  • Instant, seamless mitigation of known attacks, with no impact on legitimate users.
  • Never-seen-before DDoS attacks mitigated in under 10 seconds.
  • Full protection against DDoS attacks, with guaranteed availability of 99.99%
  • A huge reduction in cyber risk and potentially millions saved on DDoS attack damages.

To find out more about our industry-leading DDoS mitigation services, visit our product website.

Link11 Named as a Representative Vendor in Gartner’s Latest Market Guide for DDoS Mitigation Services
DDoS Attacks on E-commerce Providers Ramp Up over 70% on Black Friday, and by 109% on Cyber Monday, shows Link11 Data
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.