Defense Against Rapidly Morphing DDoS

In June 2018 ProtonMail suffered rapidly morphing, sustained DDoS attacks that included SYN floods, TCP handshake violations, TCP zero-sequence packets, ACK floods, NTP non-standard port floods, and reflection attacks over the SSDP, NTP, Chargen, LDAP and Memcache protocols [1].

We created an attack toolkit that mimics the ProtonMail attacks and used it to study the efficacy of various defenses against an attack like the one ProtonMail suffered. We found that fighting off rapidly changing, bursting attacks with standard techniques is near impossible for SOC operators: the speed at which a human can understand the attack and apply a well-known mitigation is simply too slow.

We found that a combination of an unsupervised machine learning algorithm that establishes a baseline, detects anomalies and applies mitigation, and a second machine learning algorithm that tunes the performance of the first, yielded the most effective defense. With this scheme in place, the SOC operator did not have to react at machine speed, but simply monitored the findings and the actions of the machine.
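The two-stage scheme above, reduced to its essentials as an added example (this is not the authors' toolkit or model): an unsupervised per-vector baseline (median and MAD over a clean window) flags whichever vector is currently bursting and names a mitigation for it, and a second stage tunes the first's sensitivity against labelled windows. The traffic counters, the channel names and the mitigation strings are constructed for illustration.

```python
from statistics import median

# Constructed per-second packet counters per attack vector (not measured data).
CHANNELS = ["syn", "ack", "ntp_nonstd_port", "ssdp"]
CLEAN = [{"syn": 100 + (i % 7) * 3, "ack": 400 + (i % 5) * 10,
          "ntp_nonstd_port": 2 + (i % 3), "ssdp": 1 + (i % 2)} for i in range(60)]
# Morphing attack: SYN burst, ACK flood, NTP reflection, then a low-rate SYN phase.
ATTACK = ([{"syn": 5000, "ack": 410, "ntp_nonstd_port": 3, "ssdp": 1}] * 5
          + [{"syn": 105, "ack": 9000, "ntp_nonstd_port": 2, "ssdp": 1}] * 5
          + [{"syn": 102, "ack": 420, "ntp_nonstd_port": 800, "ssdp": 2}] * 5
          + [{"syn": 300, "ack": 415, "ntp_nonstd_port": 2, "ssdp": 1}] * 5)
# Hypothetical mitigation per vector; names are illustrative, not a product's API.
MITIGATION = {"syn": "enable SYN cookies and rate-limit SYN",
              "ack": "drop ACKs with no matching connection state",
              "ntp_nonstd_port": "drop NTP replies to non-standard ports",
              "ssdp": "block inbound UDP/1900 at the edge"}

def fit_baseline(samples):
    """Unsupervised baseline: median and MAD per channel, robust to outliers."""
    base = {}
    for ch in CHANNELS:
        vals = [s[ch] for s in samples]
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1.0  # guard zero scale
        base[ch] = (med, mad)
    return base

def detect(sample, base, k):
    """Flag every channel whose MAD-scaled z-score exceeds k; map to an action."""
    hits = {}
    for ch, (med, mad) in base.items():
        z = 0.6745 * (sample[ch] - med) / mad
        if z > k:
            hits[ch] = MITIGATION[ch]
    return hits

def tune_k(base, labelled, candidates=(3, 5, 8, 13, 21, 34)):
    """Second stage: pick the largest k that keeps F1 highest on labelled windows."""
    best = (None, -1.0)
    for k in candidates:
        tp = fp = fn = 0
        for s, is_attack in labelled:
            flagged = bool(detect(s, base, k))
            tp += flagged and is_attack
            fp += flagged and not is_attack
            fn += (not flagged) and is_attack
        f1 = 2 * tp / (2 * tp + fp + fn) if tp else 0.0
        if f1 >= best[1]:  # ties go to the larger, less trigger-happy k
            best = (k, f1)
    return best[0]
```

Because each vector has its own baseline, the detector keeps up when the attack switches vector, and the tuner settles on the least sensitive threshold that still catches the low-rate phase.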

References: [1] https://protonmail.com/blog/a-brief-update-regarding-ongoing-ddos-incidents/
