Break the DDoS Attack Loop With Rate Limiting

Distributed denial-of-service (DDoS) attacks are growing in frequency and sophistication, thanks to the number of attack tools available for a couple of dollars on the Dark Web and criminal marketplaces. Numerous organizations became victims in 2022, from the Port of London Authority to Ukraine’s national postal service.
Security leaders are already combating DDoS attacks by monitoring network traffic patterns, implementing firewalls, and using content delivery networks (CDNs) to distribute traffic across multiple servers. But putting more security controls in place can also result in more DDoS false positives — legitimate traffic that is wrongly flagged as an attack, which analysts still have to investigate and clear before the mitigation itself causes service disruptions and brand damage.
Rate limiting is often considered the best method for efficient DDoS mitigation: URL-specific rate limiting prevents 47% of DDoS attacks, according to Indusface’s “State of Application Security Q4 2022” report. However, the reality is that few engineering leaders know how to use it effectively. Here’s how to employ rate limiting effectively while avoiding false positives.
Engineering leaders often find it difficult to implement rate limiting as a DDoS mitigation tool because they don’t know what thresholds to set. The first step is to answer the following questions:
Going over 100 requests in one minute on a login page could be enough to take the server down, while a product page might have no trouble handling 300 requests in a minute. That’s why it is useful to know the threshold of network traffic for each URL within each application.
Network monitoring tools, log files, and buffer capacity can help teams develop accurate baseline network traffic models and manage incoming and outgoing data flow. Suppose you ran a Christmas holiday campaign over 30 days, and the request limit was 300 per minute. To clearly understand the expected network traffic, the security and DevOps teams need to know two things: How many requests were made each minute on average? And if there were 480 requests in one minute, does the team get an alert to check that it was legitimate traffic?
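The baseline exercise the two paragraphs above describe, as an added example that is not code from the article: it parses access-log lines in Common Log Format, counts requests per URL per minute, reports each URL's average (the figure a threshold is chosen from), and flags the minutes in which a URL exceeded its threshold so an analyst can confirm whether the burst was legitimate. The 100 and 300 requests-per-minute limits are the article's figures; the log lines, client addresses, paths and the 480-request spike are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Per-URL capacity thresholds in requests per minute, using the article's two
# example figures (100 for the login page, 300 for a product page).
THRESHOLDS = {"/login": 100, "/product": 300}

# Common Log Format: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (minute, path, client_ip) for one access-log line, or None if it
    does not match the format (malformed lines are skipped, not guessed at)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # the query string does not change the resource
    return ts.replace(second=0), path, m.group("ip")


def requests_per_minute(lines):
    """Count requests per (path, minute) bucket across the whole log."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, path, _ip = parsed
        counts[(path, minute)] += 1
    return counts


def baseline(counts):
    """Average requests per minute for each path: the number the security and
    DevOps teams need before they can pick a threshold."""
    per_path = defaultdict(list)
    for (path, _minute), n in counts.items():
        per_path[path].append(n)
    return {path: mean(values) for path, values in per_path.items()}


def over_threshold(counts, thresholds):
    """Minutes in which a path exceeded its threshold: the alerts an analyst
    should review to check whether the traffic was legitimate."""
    alerts = []
    for (path, minute), n in sorted(counts.items()):
        limit = thresholds.get(path)
        if limit is not None and n > limit:
            alerts.append((path, minute.strftime("%Y-%m-%d %H:%M"), n, limit))
    return alerts


def constructed_log():
    """Constructed sample traffic (not real data): five minutes of /product
    traffic with one 480-request spike, and three minutes of /login traffic."""
    plan = [("/product", 0, 250), ("/product", 1, 280), ("/product", 2, 300),
            ("/product", 3, 480), ("/product", 4, 260),
            ("/login", 0, 40), ("/login", 1, 60), ("/login", 2, 110)]
    lines = []
    for path, minute, count in plan:
        for i in range(count):
            lines.append(
                f'203.0.113.{i % 250 + 1} - - [20/Dec/2022:10:0{minute}:{i % 60:02d} +0000] '
                f'"GET {path}?ref=campaign HTTP/1.1" 200 512'
            )
    return lines


if __name__ == "__main__":
    counts = requests_per_minute(constructed_log())
    for path, avg in baseline(counts).items():
        print(f"{path}: {avg:.1f} requests/minute on average")
    for path, when, n, limit in over_threshold(counts, THRESHOLDS):
        print(f"ALERT {when} {path}: {n} requests (limit {limit})")
```

Note that a minute sitting exactly at the limit (300 requests on /product) is not reported; only minutes above it are, which is what keeps the 480-request minute the single product-page alert in the sample.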
Having granular details on IP, host, domain, and URI vulnerabilities means teams can act more quickly to thwart DDoS attacks.
Numerous security teams have been surprised to receive alerts about attacks targeting their human resource management systems, not just consumer-facing business websites. It is vital to be aware of all the potential applications targeted by DDoS attacks to reduce false alarms.
Security teams want around-the-clock application availability and are relying on managed services to get more value from DDoS mitigation software. Built-in DDoS scrubbers help security leaders go beyond static rate limits and customize rules based on the behavior of inbound traffic received by host, IP, URL, and geography.
So what should cybersecurity teams know about rate limits?
By using the above methods, application owners end up setting more granular rate limits, guided by system recommendations based on user behavior. Combined with mitigation mechanisms such as tarpitting and CAPTCHA challenges applied before a request is blocked outright, this minimizes false positives as far as possible.
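The graduated response described above, written as an added example that is neither the article's nor any vendor's code: a sliding-window limiter keyed both per URL (capacity protection) and per client-and-URL pair (abuse by a single source) that returns one of allow, challenge (CAPTCHA), tarpit or block for each request. Aggregate overload on a URL only sheds load with a challenge and then a tarpit, since blocking everyone would finish the attacker's job; an individual client that keeps climbing is eventually blocked, and a client that has passed the CAPTCHA has later challenges waived for a while. The two per-URL limits are the article's figures; the default limit, the 10% client share, the tier multipliers, the window length and the verification lifetime are assumptions chosen for the demo.

```python
from collections import defaultdict, deque

# Per-URL capacity thresholds in requests per minute; the two figures are the
# article's examples, the default and the client share are constructed for this demo.
URL_LIMITS = {"/login": 100, "/product": 300}
DEFAULT_LIMIT = 200
CLIENT_SHARE = 0.1   # one client may use at most 10% of a URL's capacity

# Graduated responses, most severe first, as multiples of the applicable limit.
# A URL that is collectively over capacity sheds load (challenge, then tarpit)
# but never blocks everyone; a single client that keeps climbing is blocked.
URL_TIERS = ((1.5, "tarpit"), (1.0, "challenge"))
CLIENT_TIERS = ((3.0, "block"), (1.5, "tarpit"), (1.0, "challenge"))
SEVERITY = {"allow": 0, "challenge": 1, "tarpit": 2, "block": 3}


class UrlRateLimiter:
    """Sliding-window limiter that returns a verdict per request; serving the
    CAPTCHA, sleeping for the tarpit or dropping the request is the caller's job."""

    def __init__(self, window=60.0, verified_ttl=600.0):
        self.window = window              # seconds covered by one sliding window
        self.verified_ttl = verified_ttl  # how long a passed CAPTCHA is honoured
        self.hits = defaultdict(deque)    # key -> request timestamps inside the window
        self.verified = {}                # client -> expiry time of a passed CAPTCHA

    def _count(self, key, now):
        """Record a hit for key and return how many hits now fall in the window."""
        q = self.hits[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:       # forget hits that have aged out
            q.popleft()
        q.append(now)
        return len(q)

    @staticmethod
    def _tier(count, limit, tiers):
        for factor, action in tiers:
            if count > limit * factor:
                return action
        return "allow"

    def mark_verified(self, client, now):
        """Call once the client has solved the CAPTCHA challenge."""
        self.verified[client] = now + self.verified_ttl

    def decide(self, client, path, now):
        """Verdict for one request: allow, challenge, tarpit or block."""
        path = path.split("?", 1)[0]      # rate limits are per resource, not per query
        limit = URL_LIMITS.get(path, DEFAULT_LIMIT)
        url_action = self._tier(self._count(path, now), limit, URL_TIERS)
        client_action = self._tier(self._count((client, path), now),
                                   limit * CLIENT_SHARE, CLIENT_TIERS)
        action = max(url_action, client_action, key=SEVERITY.__getitem__)
        # A client that already proved it is human skips the challenge tier.
        if action == "challenge" and self.verified.get(client, 0) > now:
            return "allow"
        return action


if __name__ == "__main__":
    limiter = UrlRateLimiter()
    # Constructed burst: one client sends 40 login requests within a second.
    verdicts = [limiter.decide("203.0.113.7", "/login", 0.0) for _ in range(40)]
    for verdict in ("allow", "challenge", "tarpit", "block"):
        hit = [i + 1 for i, v in enumerate(verdicts) if v == verdict]
        print(f"{verdict:>9}: requests {hit}")
```

In the demo burst the client's share of the login page is 10 requests per minute, so requests 1 to 10 are allowed, 11 to 15 are challenged, 16 to 30 are tarpitted and 31 onwards are blocked, while the page's own 100-request threshold is never reached. Because the verdict is computed per resource and the tarpit and CAPTCHA sit in front of the block, a legitimate client that merely had a busy minute is slowed or asked to prove itself rather than cut off.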
Cybersecurity decision-makers must take a multilayered approach to protection by having a clear understanding of network traffic patterns and using fully managed platforms to set rate limits for threat intelligence.
Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.