Distributed Denial-of-Service (DDoS) attacks are becoming larger, more frequent, and more complex than ever before. According to Arbor Networks’ 12th Annual Worldwide Infrastructure Security Report (WISR), attack size has grown 7,900% since its initial report – a compound annual growth rate (CAGR) of 44%.
The most recent attacks are significantly larger than anything previously seen, and can now disrupt even the largest internet service providers. This data shows that DDoS attacks have become more than just a nuisance: they are rapidly increasing in size and now threaten to disrupt core Internet infrastructure.
Within the broader spectrum of risks for corporate security and IT decision makers, DDoS attacks present a nettlesome and growing challenge for several reasons. First, while the underlying technology behind DDoS attacks hasn't changed much, the number of internet-connected devices in the world that can be compromised has dramatically increased.
In addition, the level to which DDoS attacks have become automated and commoditized has also increased. The Mirai-enabled attacks showed off the former; they used an army of internet-connected IoT devices to generate unprecedented levels of traffic.
In the past, a connection to the internet required significant hardware and expense. These days, even light bulbs can be connected to a network, which provides a lot more sources for traffic.
Second, the amount of skill required to successfully run a DDoS attack has been lowered over the last twenty years. While large attacks such as Mirai take some amount of coordination and planning, in many cases a connection to the right forum and a small amount of money ($50-100) can buy you a short attack that can take down unprotected web services.
Why DDoS attacks are hard to prevent
The best way to think about the DDoS problem is to imagine a river system, like the Mississippi or Columbia. At the end of those systems, where they meet the ocean, it's very obvious that there's a lot of water moving through those rivers: but at the source of all that water -- at the little tiny creeks and streams and rivulets where the water first gathers -- those sources don't necessarily look like that much.
Volumetric-style DDoS attacks, whereby attackers simply flood a target with more data than their connection can handle, use a similar effect: each network only cares about sending IP packets to the “next hop”, without a holistic view or awareness of what the total, internet-wide traffic picture looks like.
So, at the source of a DDoS attack, it can be difficult to differentiate between someone uploading a file and someone perpetrating an attack. What actually matters is whether that one traffic flow joins together with a bunch of other traffic to form a giant river, or if the traffic flow is bounced off a server in such a way that it magnifies the size of the traffic many-fold. In either case, by the time you notice that you've got a really huge river of traffic coming at you, it may already be too late.
Emerging approaches to combat DDoS attacks
A promising approach to DDoS can be found with the DDoS Defense for a Community of Peers (3DCoP) project, which uses peer-to-peer collaboration so that like-minded organizations (such as a group of universities, government agencies, banks, or ISPs) act together to rapidly and effectively detect and mitigate DDoS attacks.
With a peer-to-peer collaborative approach, the target of a DDoS attack can send out distress calls to the origin of any traffic it sees. The receivers of these distress calls can then take a look at the traffic they're seeing, and either pass that message on appropriately or take local action.
Universities, for example, might learn that what looks like normal traffic coming out from one of their student labs looks like a big attack to a target, and use this information to shut off or rate-limit that lab.
Other approaches involve technologies like BGP FlowSpec, an improvement over conventional IP blacklisting. FlowSpec allows a victim of a DDoS to ask its upstream service providers and intermediate networks to block specific kinds of traffic, with a good level of granularity.
Organizations can also relocate services into the cloud, as some cloud operators deploy sensors that can detect and mitigate attacks earlier. Unfortunately, today’s largest attacks are too large for cloud operators to handle, and the attacks may impact geographic regions or critical internet infrastructure.
In the end, there are a variety of methods to filter and redirect traffic, especially for those systems housed in the cloud. However, for the biggest attacks, and for institutions that cannot create replicated versions of their systems in the cloud, techniques such as 3DCoP are key in mitigating DDoS risk.
Specifically, we believe that it is only through rapid, real-time collaboration that DDoS attacks can be correctly identified, sourced, and addressed; without such collaboration, institutions must rely on phone calls and manual router updates, while a river crashes down around them.