Infosec expert viewpoint: DDoS attacks
DDoS attacks have become more extensive and are testing the limits of existing DDoS mitigation tools and practices, as well as affecting online businesses globally.
Organizations are experiencing an increase in the magnitude of DDoS attacks, with the average size of attacks over 50 Gbps quadrupling in just two years. What presents a particular risk for organizations is the barrage of short, low volume attacks that mask more serious network intrusions.
Frost & Sullivan found that the DDoS mitigation market generated a revenue of $816 million in 2016 and is expected to register a CAGR of 17.1 percent through 2021.
Here’s what infosec experts think about the threat of modern DDoS attacks, their evolution, as well as DDoS protection mechanisms.
Darren Anstee, CTO at Arbor Networks
DDoS attacks have become a much more significant business risk to a much broader range of organisations in the past few years. This is partly due to the way in which attacks have increased in size, complexity and frequency, but also due to the increased dependency on internet services in most businesses, as well as the greater cloud, SaaS and mobility adoption. DDoS attacks have just as much potential to damage a business as a data breach, as the impact is not just confined to lost revenue – loss of customer trust and brand damage are also key issues in both cases.
DDoS attacks will continue to evolve. More complex and very large attacks will become more common due to the proliferation of weaponised DDoS services – such as those utilising compromised IoT devices of the kind we saw hit Dyn last year. DDoS will continue to be a key route for bad actors to impact an organisation, whatever their motivation, given our ever-increasing dependence on the connected world. Unfortunately, the threat isn’t going away, but we can defend ourselves if we deploy the right services, solutions and processes.
When it comes to investing in DDoS protection, the top priority should be to work with a DDoS mitigation vendor who has proven solutions. Vendors who treat DDoS as an add-on are likely to have very limited capabilities that cannot withstand today’s attacks. The question is no longer if, but when, an attack will happen. So organisations must prepare for the worst-case scenario and implement best current practices for DDoS defence.
Best current practice for DDoS defence involves the use of a layered or hybrid approach. Cloud or ISP DDoS protection is used to defend against high-volume attacks. This is combined with an enterprise / data-centre / cloud edge DDoS protection capability which can react much more quickly to all forms of attacks, including the more stealthy application layer attack vectors. The best defensive solutions integrate these two layers, so that they can work together to provide complete protection from the risk of attack.
Ashley Stephenson, CEO at Corero Network Security
2016 marked a turning point for DDoS, as attacks reached new heights in terms of both size and complexity. The Mirai botnet showed us just how powerful an Internet of Things-powered DDoS attack could really be. In 2017 we saw the increase in DDoS ransom threats, targeting enterprises across the globe in extortion campaigns. We’ve seen Mirai variants, the onslaught of multi-vector attacks and evidence that DDoS may be a precursor to data exfiltration attempts.
Regardless of the motivation, attack type or vehicle used to launch an attack, DDoS attacks are a common occurrence for many organizations. In fact, low volume, short duration attacks occur more frequently than one would expect. These events don’t shake the Internet or make the headline news, but they disrupt business operations and service availability, and send network and security teams into a frenzy of reactive countermeasures.
The future of DDoS will prove to be even more volatile than ever before with the proliferation of IoT devices, accessibility of attack tools and DDoS-for-hire services. Enterprises who pride themselves on service availability, customer satisfaction and protecting revenues in the face of cyber-attacks look to proactive defense measures to protect their business. Organizations must look to DDoS protection that is always-on and works in real time to automatically address the majority of DDoS threats: fast, sub-saturating attacks.
These automated and real-time solutions can be delivered as a service from upstream ISPs, or procured as an on-premises device deployed at the network edge to eliminate attacks almost instantaneously. The need for a dedicated layer of DDoS defense has never been greater.
Dan Ellis, CTO at Kentik
For most enterprises, DDoS attacks probably pose less risk than other cyber threats like a significant data breach, which can cause both immediate financial loss and long-term reputational damage. Risk needs to be evaluated on a case-by-case basis, however. Enterprises that derive a substantial portion of their revenue from their online presence (think online shopping, airlines, hotels) have more at stake in a DDoS-related outage.
Aside from the fact that more and more business is conducted online, DDoS attacks are probably not more damaging than they were 5, 10, or 15 years ago. Yes, attack sizes have grown substantially, but so has the Internet infrastructure as a whole. Pipes are larger, networks are substantially more interconnected, and network operators are more proficient at DDoS defense. All of those trends will continue.
We’ve also seen attack sources move from compromised home PCs, to compromised (or fraudulently procured) high-bandwidth servers, and now to compromised Internet-connected consumer devices (IoT), and we expect attackers to continue to find creative ways to leverage whatever network-connected devices they can infiltrate. I wouldn’t be surprised to see a future attack sourced from an army of compromised mobile handsets.
Enterprises who choose to operate their own DDoS mitigation infrastructure will need to couple it with robust processes, run books, training, and red team exercises to ensure they are proficient when a real attack arrives. Outsourcing mitigation to a third-party service may be a better option for many enterprises, unless they are regularly attacked (e.g. hosting, online gaming, and gambling). Alternatively, consider deploying all Internet-facing services within infrastructure that includes robust, built-in DDoS defense. Systems that provide fast, accurate detection and notification of attacks are a good investment in any scenario, to minimize response time.
Ron Winward, Security Evangelist at Radware
Like other cyber threats, DDoS attacks are constantly evolving to stay ahead of modern protections and pose as much of a risk to any business.
Remember that DDoS attacks don’t always translate to simply flooding a pipe with traffic. Some of the most effective DDoS attacks remain under the radar as sub-rate attacks.
In the next five years, we will of course see the IoT landscape continue to be exploited. We will also see targeted API attacks, which are designed to completely disrupt services by exploiting publicly exposed APIs. Netflix recently highlighted this in their network at the most recent DEF CON Conference.
When looking for DDoS protection, remember that you can fight most attacks on premises. When I was a network operator, I wanted control over all of the traffic in my network rather than diverting it to someone else to handle attacks. I recommend handling traffic on-site if you can, and then diverting to an upstream resource if the attack exceeds your local capacity or resources.
Another thing that businesses need to start thinking about is a Web Application Firewall (WAF). A WAF can help block application layer DDoS attacks and can improve data breach prevention efforts. By detecting and blocking application misuse or attempted break-ins, a WAF helps you both detect and block application layer DDoS attacks to improve security and help prevent breaches.
As we continue to see new attacks grow in complexity, behavioral detection and mitigation mechanisms can help companies stay ahead of future threats.
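Both the Corero and Radware comments above single out short, sub-saturating (sub-rate) attacks that a link-capacity threshold never sees, and the latter suggests behavioral detection. As an added example, not code from the article or from any vendor it quotes, the detector below keeps a slow-moving EWMA baseline of per-second bits/s on a link and flags bursts that deviate sharply from that baseline even while staying well below capacity; the traffic rates, link size and tuning constants are constructed assumptions.

```python
"""Baseline-based detector for short, sub-saturating traffic bursts (added example)."""
from dataclasses import dataclass


@dataclass
class Alert:
    second: int      # observation time (seconds since start)
    bps: float       # observed rate that triggered the alert
    baseline: float  # EWMA baseline at the time of the alert


def detect_bursts(samples, link_bps, alpha=0.2, factor=4.0, min_bps=1_000_000):
    """Split anomalous seconds into sub-saturating and saturating alerts.

    samples  : ordered (second, bits/s) observations
    link_bps : link capacity; a burst at or above it saturates the pipe
    alpha    : EWMA smoothing weight (small = baseline adapts slowly)
    factor   : a sample must exceed factor * baseline to count as a burst
    min_bps  : ignore relative spikes on a nearly idle link
    """
    baseline = None
    sub_saturating, saturating = [], []
    for second, bps in samples:
        if baseline is None:          # seed the baseline from the first quiet second
            baseline = bps
            continue
        if bps >= factor * baseline and bps >= min_bps:
            (saturating if bps >= link_bps else sub_saturating).append(
                Alert(second, bps, baseline))
            continue                  # do not let the burst drag the baseline up
        baseline = alpha * bps + (1 - alpha) * baseline
    return sub_saturating, saturating


def constructed_samples():
    """Constructed 1 Gbps link: ~50 Mbps idle, a 3 s burst at 400 Mbps, one 1.5 Gbps spike."""
    quiet = [50e6, 52e6, 48e6, 51e6, 49e6, 50e6, 50e6, 51e6, 49e6, 50e6]
    rates = quiet + [400e6, 400e6, 400e6] + [50e6, 52e6] + [1.5e9] + [50e6]
    return list(enumerate(rates))


if __name__ == "__main__":
    sub, sat = detect_bursts(constructed_samples(), link_bps=1e9)
    for a in sub:
        # 400 Mbps is only 40% of the link, so a capacity threshold would miss it
        print(f"t={a.second}s sub-saturating burst: {a.bps/1e6:.0f} Mbps "
              f"vs baseline {a.baseline/1e6:.1f} Mbps")
    for a in sat:
        print(f"t={a.second}s saturating flood: {a.bps/1e9:.1f} Gbps")
```

Feeding the same function per-second counters from a flow exporter or interface statistics gives a first-pass alert for the short, low-volume events that otherwise go unnoticed.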
Reno Zenere, Security Consultant for SpiderLabs at Trustwave
DDoS attacks are just as dangerous as any other type of attack. DDoS attacks can cause major revenue loss due to production services being unavailable. Furthermore, DDoS attacks have the potential to permanently disrupt hardware. For example, if a firewall appliance freezes up due to processing an enormous amount of traffic and a hard reboot is performed to try to get it back in a working state, it’s possible that the firewall may not come back up and will need to be replaced.
DDoS attacks are evolving right before our eyes in that they will become more prevalent, just like ransomware. More and more devices that are capable of falling victim to a compromise, and of becoming part of an attacker’s evil botnet army, are connecting to the internet. This will allow DDoS attacks to be a more convenient means to attack an organisation.
Further, this will allow attackers to simply use a DDoS attack as a decoy to penetrate a network. This is a great attack vector as so much noise will be generated that an intrusion into the corporate network will be extremely difficult to detect, since the IT staff will be slammed with containing the DDoS attack.
One thing that would help organizations is to put everything in HA (High Availability) mode. This means that if you have a firewall in place, make sure that there is a secondary firewall running alongside it that can take over in case the primary firewall fails. This concept of HA should be applied in as many places as possible: HA with your ISP, HA with any critical servers, HA with routers; basically, remove any single point of failure.
In addition, working closely with your ISP will be an effective way to help mitigate DDoS attacks. This is beneficial as ISPs can help drop traffic before it hits any appliances within the enterprise environment. Security firms like Trustwave also offer DDoS protection that may be easier to implement than working with a variety of different ISPs and being in the dark on how they will assist if an attack occurs. This level of protection will identify high volume traffic that’s intended for the publicly available application and drop that traffic so it never reaches the application and takes it offline. Newer DDoS mitigation services are offered in a managed security model, which means support staff are available 24/7 to respond and assist, along with protection that can quickly scale based on immediate needs.