Smarter DDoS attacks require smarter DDoS defence
- 29 April, 2015 11:59
You may have once thought distributed denial of service (DDoS) attacks only happened to companies big enough or important enough that someone would bother disrupting their services. But with DDoS frequency and intensity increasing, a security expert has warned, it's now imperative that every CSO consider how it would handle a DDoS – and introduce pre-emptive measures to deal with them.
DDoS attacks have evolved rapidly over the years. While early efforts were used mainly by hackers seeking to spoof a target system – using the DDoS to bring down the real system while the second site took its place.
Today's DDoS landscape targets a broader range of targets. DDoS capabilities are more casually available through the use of DDoS-as-a-service offerings that allow attackers to rent networks of compromised systems. Their intensity has increased dramatically over the past year due to widespread adoption of reflected and amplified attack techniques that exploit weaknesses in ubiquitous Internet protocols to unleash an avalanche of useless data at targets.
These changes, warns F5 networks worldwide security evangelist Preston Hogue, reflect the new threats inherent in a DDoS landscape that is getting “much more sophisticated” even as faster broadband services increase the scale and intensity of DDoS attacks.
Broadband in developing countries, in particular, was driving growth in DDoS attacks sourced from those regions.
“A lot of these countries didn't have the capacity to be able to launch those attacks,” Hogue says, “but emerging countries are adding more computers and more capabilities on a daily basis. And in developed countries, we are now doing 10Gbps to households in some downtown areas. Imagine the future, where an attacker could take over 10 houses close to a company and own the pipes of almost any company in the downtown area.”
Even with today's broadband services, the sheer volume and length of many attacks can eventually prove overwhelming even to large organisations with incoming traffic filtering in place, he warned.
Attackers are sending repeated enquiries modelled after traditional HTTP requests “so none of these devices have a clue”, Hogue warns, noting that others utilise SSL encryption that is likewise carried through network defences and defence platforms are none the wiser.
“DDoS has always been a way to manipulate and take advantage of the way a protocol was written, and to abuse it,” he explains, “and the attackers have become smarter in the way they do the attacks.”
“Some attacks,” he continues, “are in such a prolonged state that even with the traditional defence mechanisms that companies had on premises and in the cloud, all their applications were down. And who knows how many protocols in applications have been created out there that have these flaws?”
The hybrid defence
Cloud-based DDoS defences are redefining conventional security defences, offering ways of detecting, intercepting and blocking DDoS attacks before they get out of control. Yet while there is value in moving DDoS protection away from the enterprise, it is also important to tie it to conventional on-premises defences.
The result of this conflicting requirement, Hogue says, will increasingly be the emergence of hybrid security solutions that combine on-premises tools for endpoint, access control and other security tools with cloud-based services such as those for blocking DDoS attacks.
“You clearly don't want to handle everything on premise, but don't want to handle everything off premise either,” he says. “If it's a volumetric based attack, the further outside the data centre and closest to the attacker that you can handle it, the better.”
Yet while a hybrid model can satisfy both requirements, it must also offer a unified reporting capability that allows organisations to readily see what kinds of threats they are facing and how those threats have been handled.
This is difficult enough with two different solutions, but as cloud-based security services continue to gain currency organisations will face the very real threat of co-ordinating their protections with those of other systems as well. This reporting will also need to be tied back to clear metrics around usage of managed security services and the effectiveness of their defences.
Such capabilities will, Hogue says, come in time as DDoS and other cloud-hosted protections come into more common usage and vendors develop increasingly flexible, common platforms addressing both on-premises and cloud-hosted solutions.
“Long term, you're going to see a consumption model in the full hybrid environment,” he explains. “Customers only want to pay for the full solution, and business models are already getting developed to ensure that these can be reasonably affordable to customers.”
Those models will necessarily extend beyond just covering security solutions, instead wrapping DDoS and other security into the rosters of solutions that are available to support deployment of hybrid computing and security environments.
The easy availability of such solutions will be particularly important as a growing number of organisations come to realise that DDoS protection has become an essential part of the modern enterprise defence. Yet many, Hogue says, are still learning this lesson the hard way.
“You wouldn't believe how many calls I've been to where customers aren't listening,” he explains. “Then they get hit by a DDoS attack and I'm back in front of them talking to them again. We're at the point where DDoS is a well known, established risk – and people are starting to build it into their risk profiles. DDoS is the new spam.”