The evolving nature of DDoS attacks: separating the wheat from the chaff
- Published: Thursday, 29 October 2015 15:51
In most cases DDoS attacks are merely a smokescreen, designed not to deny service but to detract attention from the real motive – usually data theft and network infiltration. But what is the best way to respond to attacks of this nature? Dave Larson offers some advice…
We have seen a meteoric rise in the numbers of DDoS attacks in recent years. In the last quarter alone, DDoS attacks against Corero customers grew by almost a third (32 percent), with organizations reporting an average of 4.5 attacks every day. But while this may sound like an enormous rise, it is hardly surprising given the proliferation of cheap and easy-to-launch attack tools. Today’s DDoS attacks are almost unrecognisable from the attacks which coined the term. Once the sole preserve of bad actors coding in their bedrooms to carry out protests and cause mischief, DDoS attacks have now evolved into a cheap method of attack that just about anyone can launch. The rise of DDoS-for-hire botnets has caused an explosion of attacks, partly due to their cheap price point - they can be launched for just a few dozen dollars - and also because they require virtually no knowledge of coding.
But what do these attacks achieve? In many cases they are merely a smokescreen, designed not to deny service but to detract attention from the real motive – usually data theft and network infiltration. But how can network and security teams respond to the debilitating impact of these chronic, sub-saturating attacks and see through the noise to the real assaults taking place below the surface? And what is the best way to respond to attacks of this nature – whether it is on-premise or in the cloud?
According to the Corero Network Security mid-year report, in the first half of 2015, the vast majority of DDoS attacks experienced by Corero customers were less than 1 Gbps. Additionally, more than 95 percent of these attacks lasted 30 minutes or less. As attackers look for new ways to leverage DDoS attacks, they have realized that short duration sub-saturating attacks are more difficult to defeat, because they evade traditional cloud-based scrubbing centres. In many cases, re-routing traffic through a scrubbing solution – most often after an outage or service degradation has occurred – devolves into a game of cat and mouse. This is because the time between detection to mitigation can be upwards of one hour, meaning that the damage has usually been done before on-demand defences are engaged. In addition, switching to the cloud in each instance of a short duration, sub-saturating attack will quickly break the bank.
In order to keep up with the shifting and progressive range of threats, solutions appropriate for today need to be always-on and instantly reactive. It’s clear they also need to be adaptable and scalable so that defences / defenses can be quickly and affordably updated to respond to the future evolution of DDoS threats: whatever that may entail.
The most effective method of fulfilling these aims is to utilise in-line DDoS mitigation, coupled with industry disruptive, economically viable bandwidth licensing. With this technique, an in-line DDoS mitigation engine is employed but the operator only pays for the bandwidth of attacks actually mitigated. The benefit of this approach is that it delivers full edge protection for locations in the network that are most affected by DDoS, at a fraction of the cost of traditional scrubbing centre solutions. The desirability of these tools is due to the fact that they can be constantly on, with no need for human intervention, and they provide non-stop threat visibility, attack mitigation and DDoS forensics.
Another aspect of effective DDoS mitigation is security event reporting. One of the Achilles Heels of traditional DDoS scrubbing centre solutions is that they rely on coarse sampling of flows at the edge of the network in order to determine whether an attack is taking place. DDoS attackers are well aware of the shortcomings of this approach and have modified many of their techniques to ride under the radar, below the detection threshold, in order to evade ever being redirected to a scrubbing centre. Your security posture will only be as good as your ability to visualize the security events in your environment, and a solution that relies on coarse sampling will be unable to even detect, let alone act on, the vast majority of the modern DDoS attack landscape. A robust modern DDoS solution will provide both instantaneous visibility into DDoS events as well as long-term trend analysis to identify adaptations in the DDoS landscape and deliver corresponding proactive detection and mitigation techniques.
Real-time responses are possible with new, high-performance, in-line DDoS defence solutions. DDoS attacks generally have a bell-shaped barrage of traffic. This is to throw off sample-based anomaly detectors – however it plays into the hands of DDoS mitigation solutions that utilize modern data analytics platforms that are optimized for detecting that a DDoS attack is underway before the system has reached a critical threshold. This is something that is simply not possible with legacy scrubbing-centre approaches.
Effective DDoS defence can be deployed either as an on-site solution or provided as a premium defence-as-a-service offering from an upstream Internet provider. Carriers are in a unique position to effectively eliminate the impact of DDoS attacks against their customers by surgically removing the attack traffic transiting their networks. In a recent survey, Corero asked enterprise IT teams about the role that ISPs should play in defending against DDoS attacks. Around 75 percent of respondents indicated that they would like their ISP to provide additional security services to eliminate DDoS traffic from entering their network, and more than half would be prepared to pay for this type of premium service.
But on a day to day level, how can IT managers deal with such an avalanche of attacks? My main piece of advice is the following: Just because you have not suffered a major outage, do not be lulled into a false sense of security thinking that DDoS is not a problem for your organization. Invest some time familiarizing yourself with the trends in the DDoS landscape and start looking more closely at lower level activity within your environment. When a breach does happen, claiming you had never had an outage before and so you thought your protections were just fine is not going to be very convincing to your management. The online enterprise requires a proactive and real-time approach to dealing with the onslaught of DDoS attacks targeting their networks.
In short, there’s no reason that companies should resign themselves to eventually getting DDoS’ed. The technology exists to provide an effective defence, and this type of in-line, always-on protection can come in various forms – either on-premise, or purchased as a security service from an upstream provider. A robust solution cannot be found in the cloud alone, but rather through a hybrid solution of on-site technology and system-wide visibility, to gauge long-term trends and deliver proactive detection and mitigation techniques. It is only through deploying these real-time solutions that IT teams will really be able to separate the wheat from the chaff and identify the most serious attacks on their networks.