Smarter DDoS attacks require smarter DDoS defence

If you're not actively protecting against DDoS attacks, you're doing your IT security wrong

You may once have thought that distributed denial of service (DDoS) attacks only happened to companies big enough or important enough that someone would bother disrupting their services. But with DDoS frequency and intensity increasing, a security expert has warned, it is now imperative that every CSO consider how the organisation would handle a DDoS attack, and put pre-emptive measures in place to deal with one.

DDoS attacks have evolved rapidly over the years. Early efforts were used mainly by hackers seeking to impersonate a target system: the DDoS knocked the real system offline while a second, attacker-controlled site took its place.

Today's attacks hit a broader range of targets. DDoS capability is more casually available through DDoS-as-a-service offerings that let attackers rent networks of compromised systems. Attack intensity has increased dramatically over the past year with the widespread adoption of reflected and amplified techniques, which exploit weaknesses in ubiquitous Internet protocols: the attacker sends small requests to third-party servers with the victim's address forged as the source, and those servers reply to the victim with far larger responses, burying it in an avalanche of useless data.
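The reflection technique described above leaves a distinctive trace at the victim: "responses" from services nobody on the local network ever queried. The Python below is an added example, not code from the article or from F5, that checks flow records for exactly that. It goes slightly beyond the text by naming concrete UDP services that are commonly abused as reflectors (DNS, NTP, SSDP, SNMP, CharGEN); the flow records, the 192.0.2.0/24 "local" prefix and the port-to-service table are constructed assumptions.

```python
"""Flag unsolicited UDP responses from common reflector services.

Added example; not from the article or F5. Flow records are constructed;
the local prefix and the reflector port table are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")          # assumed victim prefix
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp",
                   161: "snmp", 1900: "ssdp"}     # well-known UDP reflectors

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    # legitimate DNS lookup: query out, answer back on the same 4-tuple
    ("192.0.2.10", 40001, "198.51.100.1", 53, 60),
    ("198.51.100.1", 53, "192.0.2.10", 40001, 180),
    # legitimate NTP sync
    ("192.0.2.11", 123, "198.51.100.2", 123, 48),
    ("198.51.100.2", 123, "192.0.2.11", 123, 48),
    # NTP 'responses' aimed at a web server that never sent a request:
    # the attacker forged 192.0.2.20 as the source of its queries
    ("203.0.113.5", 123, "192.0.2.20", 80, 1400),
    ("203.0.113.6", 123, "192.0.2.20", 80, 1400),
    ("203.0.113.7", 123, "192.0.2.20", 80, 1400),
    # same trick via open DNS resolvers
    ("203.0.113.8", 53, "192.0.2.20", 80, 3000),
    ("203.0.113.9", 53, "192.0.2.20", 80, 3000),
]


def is_local(ip):
    return ip_address(ip) in LOCAL_NET


def find_unsolicited(flows):
    """Return {service: {"bytes": n, "reflectors": k}} for inbound flows from
    a reflector port that no local host solicited in the same capture."""
    # Every outbound request, keyed so the reply's 4-tuple can be matched
    requested = {(dst, dport, src, sport)
                 for src, sport, dst, dport, _ in flows
                 if is_local(src) and not is_local(dst)}
    summary = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for src, sport, dst, dport, size in flows:
        if is_local(src) or not is_local(dst) or sport not in REFLECTOR_PORTS:
            continue
        if (src, sport, dst, dport) in requested:
            continue                                  # a reply we asked for
        svc = REFLECTOR_PORTS[sport]
        summary[svc]["bytes"] += size
        summary[svc]["reflectors"].add(src)
    return {svc: {"bytes": v["bytes"], "reflectors": len(v["reflectors"])}
            for svc, v in summary.items()}


if __name__ == "__main__":
    for svc, ev in find_unsolicited(FLOWS).items():
        print(svc, ev)
```

Unsolicited responses are the signature of a reflected attack because the victim never sent the matching requests and so has no outbound state to pair them with. Run against the constructed flows, the check reports 4,200 unsolicited bytes from three NTP reflectors and 6,000 from two DNS reflectors, and nothing for the two legitimate exchanges. In practice this logic belongs in the flow collector or the upstream scrubbing tier: by the time the packets reach the data centre edge, the link is already full.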

These changes, warns F5 Networks worldwide security evangelist Preston Hogue, reflect the new threats inherent in a DDoS landscape that is getting "much more sophisticated", even as faster broadband services increase the scale and intensity of attacks.

Broadband in developing countries, in particular, was driving growth in DDoS attacks sourced from those regions.

“A lot of these countries didn't have the capacity to be able to launch those attacks,” Hogue says, “but emerging countries are adding more computers and more capabilities on a daily basis. And in developed countries, we are now doing 10Gbps to households in some downtown areas. Imagine the future, where an attacker could take over 10 houses close to a company and own the pipes of almost any company in the downtown area.”

Even at today's broadband speeds, the sheer volume and duration of many attacks can overwhelm large organisations that already filter incoming traffic, he warned.

Attackers send floods of requests modelled on ordinary HTTP traffic, each one individually well-formed, "so none of these devices have a clue", Hogue warns. Others wrap the attack in SSL encryption, which network defences likewise pass through without inspecting, and the defence platforms are none the wiser.
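Because each request in such a flood looks legitimate on its own, and TLS hides the content from anything that does not terminate the connection, the place it remains visible is the access log of the server or load balancer that does terminate it. The following Python is an added example, not code from the article or from F5, that finds flood sources in combined-format access logs. The log lines are constructed; the ten-second window and the 50-request threshold are assumptions to tune per site.

```python
"""Detect HTTP floods in combined-format access logs.

Added example; not from the article or F5. Log lines are constructed,
and the window/threshold values are assumptions to tune per site.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "ua": m["ua"]}


def flood_sources(lines, window=timedelta(seconds=10), max_requests=50):
    """Return {ip: evidence} for clients that sent more than `max_requests`
    within any `window`-long span. `repeat_ratio` is the share of that
    client's requests that are identical in request line and User-Agent;
    a ratio near 1.0 is typical of scripted floods."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in by_ip.items():
        times = sorted(r["ts"] for r in recs)
        peak, j = 0, 0
        for i in range(len(times)):          # sliding window, two pointers
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak > max_requests:
            top = Counter((r["req"], r["ua"]) for r in recs).most_common(1)[0][1]
            verdicts[ip] = {"peak_in_window": peak,
                            "repeat_ratio": round(top / len(recs), 2)}
    return verdicts


# Constructed sample log: one ordinary visitor and one scripted client
def _line(ip, ts, req, ua="Mozilla/5.0"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" 200 512 "-" "{ua}"'


BASE = datetime(2014, 6, 2, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("198.51.100.7", BASE + timedelta(seconds=3 * i), f"GET /page{i} HTTP/1.1")
     for i in range(5)]
    + [_line("203.0.113.9", BASE + timedelta(milliseconds=100 * i), "GET /search?q=a HTTP/1.1")
       for i in range(80)]
)

if __name__ == "__main__":
    for ip, ev in flood_sources(SAMPLE_LOG).items():
        print(ip, ev)
```

On the constructed log the ordinary visitor never exceeds five requests in a window, while 203.0.113.9 peaks at 80 identical requests and is reported with a repeat ratio of 1.0. A rate threshold alone will also catch floods that randomise query strings to defeat caching, which is why the repeat ratio is reported as evidence rather than required for a verdict.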

“DDoS has always been a way to manipulate and take advantage of the way a protocol was written, and to abuse it,” he explains, “and the attackers have become smarter in the way they do the attacks.”


“Some attacks,” he continues, “are in such a prolonged state that even with the traditional defence mechanisms that companies had on premises and in the cloud, all their applications were down. And who knows how many protocols in applications have been created out there that have these flaws?”

The hybrid defence

Cloud-based DDoS defences are reshaping conventional security defences, offering ways of detecting, intercepting and blocking attack traffic upstream, before it gets out of control. Yet while there is value in moving DDoS protection away from the enterprise, it must also be tied to conventional on-premises defences.

The result of these competing requirements, Hogue says, will increasingly be hybrid security solutions that combine on-premises tools for endpoint protection, access control and the like with cloud-based services such as DDoS blocking.


“You clearly don't want to handle everything on premise, but don't want to handle everything off premise either,” he says. “If it's a volumetric based attack, the further outside the data centre and closest to the attacker that you can handle it, the better.”

Yet while a hybrid model can satisfy both requirements, it must also offer unified reporting that lets organisations readily see what kinds of threats they are facing and how those threats have been handled.

This is difficult enough with two different solutions, but as cloud-based security services continue to gain currency, organisations will face the very real challenge of co-ordinating their protections with those of other systems as well. This reporting will also need to be tied back to clear metrics on usage of managed security services and the effectiveness of their defences.

Such capabilities will, Hogue says, come in time as DDoS and other cloud-hosted protections come into more common usage and vendors develop increasingly flexible, common platforms addressing both on-premises and cloud-hosted solutions.


“Long term, you're going to see a consumption model in the full hybrid environment,” he explains. “Customers only want to pay for the full solution, and business models are already getting developed to ensure that these can be reasonably affordable to customers.”

Those models will necessarily extend beyond security alone, bundling DDoS and other protections into the broader catalogue of services that support the deployment of hybrid computing and security environments.

The easy availability of such solutions will be particularly important as a growing number of organisations come to realise that DDoS protection has become an essential part of the modern enterprise defence. Yet many, Hogue says, are still learning this lesson the hard way.

“You wouldn't believe how many calls I've been to where customers aren't listening,” he explains. “Then they get hit by a DDoS attack and I'm back in front of them talking to them again. We're at the point where DDoS is a well known, established risk – and people are starting to build it into their risk profiles. DDoS is the new spam.”

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts