In an attempt to define the modern-day DDoS attack, one must understand – there is more than one type of attack. Starting with the simplest first, network level DDoS attacks are the easiest to launch. They are fundamentally designed to crush networks and melt down firewalls. Aimed at filling state tables and consuming the available resources of network gear, today hackers require larger and larger botnets to be successful. As organizations install bigger pipes and improve their router, firewall, and switch capacity, this type of attack is becoming less effective. Also, due to law enforcement taking notice of the larger botnets required to be successful, attackers had to devise a better tactic. Hence, the birth of the reflective/amplified attack.
Using open DNS, NTP, and now UPnP devices located all over the Internet, attackers have learned how to amplify their attacks, and today they’re capable of filling large numbers of 10 Gbps pipes; using botnets of only a few-thousand machines. Firewall state tables and network resources are often not consumed in this case. Instead, pipes are filled with more traffic than they can forward. Packets can only travel so fast down a wire and when they backup, outages and latency ensue. It’s not the case of more packets; it’s the case of bigger packets.
As a result of the amplification factor achieved, these attacks are now being fragmented as well. Too many fragmented packets are often a death sentence for devices performing deep packet inspection, like next-generation firewalls and IPS. Attackers can flood them with an excessive amount of fragments, consuming vast amounts of CPU, and these devices often melt down in no time at all. Even the highest performing next-generation firewalls and IPS will feel the effects of this type of attack.
From an attacker perspective, interweave repetitive application-layer attacks designed to consume resources on servers, and you’ve got a recipe for success. Pound the final nail in the coffin by adding specially crafted packet attacks designed to take advantage of weak coding, and simply put – anyone will go offline without the right defenses. Attackers today use all five categories simultaneously, making it even harder to defeat without blocking vast amounts of good traffic.
However, DDoS attacks are not always about bringing organizations offline. Today’s attackers are launching short-duration, partially saturating attacks that are intended to NOT take the victim offline. Instead, they’re designed to consume time, attention, “people” resources, and log storage. If the average enterprise had to choose between suffering from a DDoS attack or a data breach – they’d likely choose a DDoS attack – taking comfort in the fact that their most valuable information would remain intact, and out of the hands of a hacker. However, DDoS is all about hiding other attacks, and your data is the true target.
DDoS is a serious threat – one that has vastly evolved from the simple, easily resolved attacks of the past. Often overlooked as a nuisance, any DDoS activity should raise a red flag for IT departments. When an attack lasts for a few hours (or even a few minutes), most organizations believe the attacker got tired, gave up, or the victim’s defenses withstood the onslaught. The misconception here is a sense of invincibility. However, the real reason the DDoS attack may have subsided is because the attacker achieved their objective – access to your data. Often attackers are targeting your data the whole time, while leading many to believe they’re trying to take organizations offline. Frequently, this is not their intention at all.
This is emphasized by the recent rise in Dark DDoS attacks that act as a distraction to the IT department – while a damaging hack is enacted and data is stolen. If businesses are too complacent about DDoS protection, they can be financially ruined due to brand damage and the immediate decrease in customer confidence they often experience – as a result of an attack. This leads some to the point of no return. Often hidden by the Dark DDoS attack, the losses associated with the compromise of proprietary data ends up costing more to mitigate, than the attack itself. It is quite the vicious cycle.
The most targeted organizations are obviously those who thrive on Internet availability, or gain the attention of hacking groups like Anonymous. Finance, news, social networks, e-retail, hospitality, education, gaming, insurance, government services, etc. are all seriously impacted by an outage. These organizations almost always make the news when downtime occurs, which in turn leads to a loss of customer confidence. In addition, any organization that has sellable data often finds themselves in the cross hairs of a Dark DDoS attack. Remember, attackers in this case want access to your data, and will do just about anything to get it.
Attackers also love notoriety. News-making attacks are often like winning a professional game of chess. Their strategies, skills, and perseverance are all tested and honed. Hacker undergrounds take notice of highly skilled attackers. Often job agreements or an offer for “a piece of the action” is the reward for those with notable skills. While all of this activity may be considered illegal in just about every country, the reward seems to outweigh the punishment. As long as that is the case, attackers will continue their activities for the foreseeable future.
So, what’s the solution? Put the right defenses in place and eliminate this problem – once and for all. It begins with understanding the importance of cloud-based DDoS defenses. These defenses are designed to defeat pipe-saturating attacks closest to their source. They also reduce latency involved with DDoS mitigation, and help eliminate the needs to backhaul traffic around the globe to be cleansed or null routed. Selecting a cloud provider with the highest number of strategically located DDoS defense centers that they operate themselves, makes the absolute best sense.
In addition, selecting a cloud provider who can offer direct connectivity to your organization where applicable is also the recommendation. Diverting incoming traffic to the cloud to be cleansed is normally done via BGP. It’s simple, fast, and effective. However, returning the “clean” traffic back to the customer represents a new set of challenges. Most cloud providers recommend GRE tunnels, but that approach is not always the best. If you can connect “directly” to your cloud provider, it will eliminate the need for GRE and the problems that accompany that approach. The result of a direct connection is quicker mitigation and more efficient traffic reinjection.
Are cloud-based DDoS defenses the end-all? Not really. The industry recognizes a better method called the hybrid-approach. The thought process here is that smaller, shorter DDoS attacks are more effectively defeated by on-premises technology, while larger and longer attacks are more efficiently defeated in the cloud. The combination of the two approaches will stop all DDoS attacks in their tracks. In addition, volumetric attacks are easily defeated in the cloud, closest to the source of attack. Low-and-slow attacks are more effectively defeated closer to the devices under attack. This combined approach provides the best of both worlds.
Complete visibility is another benefit of the hybrid approach. Cloud-based DDoS defense providers who have no on-premises defense technology are blind to the attacks against their own customers. Many cloud providers attempt to monitor firewall logs and SNMP traps at the customer’s premises to help detect an attack. However, that’s comparable to using a magnifying glass to study the surface of the moon – from earth. The magnifying glass is not powerful enough, nor does it offer enough granularity to detect the subtleties of the moon’s surface. Purpose-built, on-premises DDoS defense technologies are the eyes and ears for the cloud provider.
The goal here is to detect the attack before a customer actually knows they’re under attack. This equates to immediate DDoS detection and defense. Detection is actually the hardest part of the DDoS equation. Once an attack is detected, mitigation approaches for the most part are similar from one vendor to another. Using a set of well-defined mechanisms can eliminate nearly every attack. Most defenses are based upon a thorough understanding of the way protocols work and the behaviors of abnormal visitors. Finding a vendor who has the most tools and features in their defensive arsenal is the best practice.
The final recommendation is to select a vendor who has both cloud-based and on-premises defenses, especially if those defenses use the same underlying technologies. On-premises hardware manufacturers who also offer cloud-based services are the way to go. The reasoning is simple. If the cloud defenses are quite effective, adding on-premises defenses of the same pedigree will become even more effective. In addition, the integration of the two approaches becomes streamlined when working with a single vendor. Incompatibilities will never be an issue.
If the recommendations in this article are followed, DDoS will never be an issue for you again. The vulnerability is addressed, the risk is mitigated, and the network is protected. That’s what IT professionals are looking for – a complete solution.