There have been two notable evolutions made by hackers recently in the DDoS arena. First, there’s been an expansion of botnets. They’ve moved beyond PCs to compromised Internet of things (IoT) devices and cloud services. That’s vastly expanded the possible sources of attacks.
The second has been the use of highly distributed attack patterns, commonly referred to as carpet-bombing. The two are connected and reflect a sophisticated understanding by the attackers of the limitations of current DDoS defensive technologies.
Most DDoS defenses rely on a simple baseline model to identify ‘abnormal’ surges in traffic towards a specific target. This is an imprecise identification that lacks context, resulting in a lot of false positives. Suspect traffic is routed over a backhaul link to a mitigation appliance; however, much of the re-routed traffic is actually legitimate. Thus, the process is resource intensive and costly.
It also lacks the network-wide visibility to map attacks back to actual user experience, making it difficult to keep affected customers, who have little tolerance for poor quality, apprised of the situation.
In the age of IoT and cloud, it’s getting worse for these traditional defenses. Because the botnets that carry out the attacks have vastly expanded, it is now possible to carry out terabit-level attacks from hundreds of thousands and — not too far off — even millions of compromised devices. Traditional defenses have a harder time dealing with so many flows coming from so many different directions. They are not good at multi-vector attacks.
For example, the attack on the DNS provider DYN, back in October 2016, caused the entire network that DYN was on to suffer massive slow-down. Carried out by the Mirai botnet, which had hundreds of thousands of badly secured IoT devices and compromised cloud servers enslaved, it affected thousands of users. Although it had been initiated by a single attacker, the attack took down the entire infrastructure for a number of hours.
The challenge, if you’re a DNS provider like DYN, is that this DNS-based attack traffic looks like all the other traffic on your network — the perfect diversion. So while you struggle to find out what’s going on with your DNS service, the hijacked cloud servers come into play delivering a high impact, high-bandwidth TCP attack that takes the servers out altogether.
This combination of different attack sources and different attack vectors created the most impactful attack that we have ever seen.
The other side of the coin is the carpet-bomb attack, which often results in false negatives. By spreading the attack traffic across many destinations, it keeps the volume towards any single one of them below the “big surge” threshold and so evades that method of detection. It doesn’t just affect a single target, although a single organization may, in the end, be the target. It affects tens of thousands of users and makes it harder to see who the target actually is.
Fortunately, as we’ve said, there are innovations on the defensive side that can help. We have identified five principles of the new approach to fighting DDoS:
- Global-level monitoring: use information about the entire internet and network to understand the context of what is occurring. For instance, is the surge just an AWS file transfer or an attack? If you have an accurate, global database of IP endpoints, you can know what the source is and whether it’s reliable, thus minimizing false positives.
- Ratio-based detection: as opposed to big surge detection, this method of identification takes a holistic view of the network. It looks for patterns of attack, or signatures. For instance, an imbalance between SYN and SYN-ACK packets, which is the telling signature of a SYN flood attack, will trigger an alert, even if no baseline trigger caused an alert.
- Use your routers: mitigation appliances or scrubbers are expensive solutions and inherently limited; routers are already in place and can easily block multiple attack vectors without taking a performance hit. If through global detection you understand all the endpoints from which the attack is coming, you simply create ACLs to drop this traffic at your peering routers.
- Protect your network out of the box: most DDoS defense solutions today are an afterthought. Layer in a defensive approach from the beginning. Build holistic network intelligence into your architecture and then use your routers to provide the first layer of blocking or re-routing. This will deal with a majority of the nuisance traffic and reserve the scrubbers for the attacks that require more stateful analysis.
- Map it back to quality of experience (QoE): the key point for network operators is that, from the customer’s point of view, there is no acceptable amount of poor-quality streaming. They don’t care why they have been receiving SD video for 40 minutes, they just want it to improve or they’ll complain.
Quality issues like this are a large driver for customer churn, so visualizing and remediating the attack quickly is of utmost importance.
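To make the difference between the two detection methods concrete, here is an added example (not code from the article or from any vendor it describes) that runs both a per-target surge baseline and a SYN:SYN-ACK ratio check over constructed flow records. All addresses, the historical means, the 3x surge factor and the 3:1 ratio threshold are assumptions chosen for the lab data; the servers are modelled as having exhausted their backlog so that flood SYNs get no SYN-ACK. It shows a focused flood, which both methods catch, and a carpet bomb spread over 50 hosts, which the baseline misses and the ratio check flags as one prefix. It also picks out the sources that never completed a handshake, which is the context you want before writing a drop ACL for your peering routers.

```python
"""Baseline (per-target surge) detection versus SYN:SYN-ACK ratio detection,
run over constructed flow records. Added example; not the article's own code."""
from collections import Counter
from ipaddress import ip_network

# Constructed lab address space (documentation ranges only): 50 servers in
# 10.0.0.0/24, legitimate clients in 198.51.100.0/24, spoofed attack sources
# in 203.0.113.0/24. The historical mean is an assumed 100 packets/interval.
SERVERS = [f"10.0.0.{i}" for i in range(1, 51)]
HISTORICAL_MEAN = {s: 100 for s in SERVERS}


def normal_traffic():
    """50 complete handshakes per server: SYN in, SYN-ACK out, ACK in (constructed)."""
    flows = []
    for srv in SERVERS:
        for i in range(50):
            client = f"198.51.100.{i + 1}"
            flows.append({"src": client, "dst": srv, "flags": "S"})
            flows.append({"src": srv, "dst": client, "flags": "SA"})
            flows.append({"src": client, "dst": srv, "flags": "A"})
    return flows


def syn_flood(targets, syns_per_target):
    """Spoofed SYNs only. The servers' backlogs are modelled as exhausted, so no
    SYN-ACKs are emitted in reply (constructed assumption)."""
    return [{"src": f"203.0.113.{i % 254 + 1}", "dst": t, "flags": "S"}
            for t in targets for i in range(syns_per_target)]


def inbound_volume(flows):
    """Packets per interval toward each destination: the 'big surge' signal."""
    return Counter(f["dst"] for f in flows)


def handshake_counts(flows):
    """Inbound SYNs keyed by server, and SYN-ACKs keyed by the server that sent them."""
    syn, synack = Counter(), Counter()
    for f in flows:
        if f["flags"] == "S":
            syn[f["dst"]] += 1
        elif f["flags"] == "SA":
            synack[f["src"]] += 1
    return syn, synack


def baseline_alerts(flows, factor=3.0):
    """Surge detection: flag a host only if its volume exceeds factor x its own mean."""
    vol = inbound_volume(flows)
    return {d for d, n in vol.items() if n > factor * HISTORICAL_MEAN.get(d, n)}


def ratio_alerts(flows, max_ratio=3.0, min_syn=20):
    """Signature detection: SYN:SYN-ACK imbalance, independent of any volume baseline."""
    syn, synack = handshake_counts(flows)
    return {d for d, n in syn.items()
            if n >= min_syn and n / max(synack[d], 1) > max_ratio}


def prefix_summary(alerted, prefixlen=24):
    """Roll flagged hosts up to prefixes: a carpet bomb shows as one prefix, not 50 hosts."""
    return dict(Counter(str(ip_network(f"{h}/{prefixlen}", strict=False)) for h in alerted))


def suspect_sources(flows, alerted):
    """Sources whose SYNs to flagged hosts were never followed by a completing ACK.
    Legitimate clients do complete and are left out, which is the context you need
    before turning a source list into a drop ACL at the peering edge."""
    syn_only, completed = set(), set()
    for f in flows:
        if f["dst"] not in alerted:
            continue
        if f["flags"] == "S":
            syn_only.add(f["src"])
        elif f["flags"] == "A":
            completed.add(f["src"])
    return sorted(syn_only - completed)


def focused_flood():
    """One server gets 2000 extra SYNs: 21x its mean, so the baseline fires."""
    return normal_traffic() + syn_flood(SERVERS[:1], 2000)


def carpet_bomb():
    """Every server gets 150 extra SYNs: 2.5x its mean, under the 3x surge factor."""
    return normal_traffic() + syn_flood(SERVERS, 150)


if __name__ == "__main__":
    for name, flows in (("focused", focused_flood()), ("carpet bomb", carpet_bomb())):
        print(name, "baseline:", sorted(baseline_alerts(flows)))
        print(name, "ratio   :", prefix_summary(ratio_alerts(flows)))
```

In the carpet-bomb run the baseline returns nothing while the ratio check flags all 50 hosts and rolls them up to 10.0.0.0/24, and `suspect_sources` returns only the 203.0.113.0/24 addresses, not the clients that completed their handshakes. A real deployment would replace the constructed historical means with learned per-prefix values and feed the prefix summary, not raw host alerts, to the operator.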
These are some of the principles that can help prepare us for the next level of battle with the ever-imaginative hacker communities. The costs of DDoS attacks are many. Make sure you’re fully prepared with a multi-dimensional, holistic approach to security.