As the latest record DDoS attack hit GitHub and threatened to overwhelm its edge network, the popular Git-repository hosting service quickly switched to routing the attack traffic to their DDoS mitigation service.
In the end, GitHub ended up completely unavailable for five minutes and intermittently unavailable for four. But while the effect of the attack could have been worse, GitHub’s engineering team aims to do better next time they are hit.
Robert Hamilton, Director of Product Marketing at Imperva, believes that nine minutes of outage is definitely way too much. Paying a sizeable amount of money for DDoS mitigation services should come with a promise that attacks will be thwarted within seconds, he says, and that’s what Imperva is doing.
The company’s services come with a guarantee – written into the service level agreement (SLA) – to detect and block all attacks in under ten seconds.
The offer is unique in the DDoS mitigation market, and Hamilton says that they expected some of their competitors to follow suit and offer a similar deal. None did, though, which makes him believe they are not capable of mitigating a DDoS attack in less than ten to twenty minutes.
Granted, Imperva is the de-facto leader on the DDoS mitigation market at the moment and has a high-capacity global network that spans the globe. If anyone should be able to mitigate new, massive attacks, it’s them.
The company’s Incapsula DDoS mitigation services are part of its cloud security and content delivery network (CDN) portfolio, and are used by a large customer base, something that helps them keep on top of the DDoS threat landscape.
“Because we have so many customers, we’ll see any new type of DDoS attack very quickly. We saw the memcached-based amplification attack about a week before GitHub got hit, and introduced protections against it,” he notes.
That’s also part of the reason why he believes Akamai should have been able to mitigate the GitHub attack much more quickly than they have.
“We have a relatively large internal security research team in Israel, and one of the things that they do continuously is monitor the network for known and new types of attacks. The latter are identified very quickly, typically within hours or even minutes, and a filter for them is then applied on our network so that similar future attacks are easily mitigated,” he says.
Keeping an eye on the threat landscape
In 2016, the threat of IoT botnets engaging in DDoS attacks loomed large, especially after Mirai caused massive outages when it hit Internet performance management company Dyn.
But the promise of crippling botnet-based attacks did not materialize in 2017. Hamilton believes that that was the result of the effectiveness of subsequent DDoS mitigation efforts.
Attackers were forced to figure out how DDoS mitigation services and products work and to come up with new approaches.
Memcached-based attacks are one of these. Another inventive approach that has become increasingly popular was first spotted in the spring of 2017. Dubbed “pulse wave,” the attacks consisted of a series of short-lived, packet-intensive bursts occurring in clockwork-like succession, aimed at five to ten organizations at practically the same time.
Botnets are made to deliver these peak-intensity bursts as the attackers are switching between targets on-the-fly.
These attacks are particularly harmful to solutions having an “appliance first, cloud second” hybrid approach to DDoS mitigation, as the bursts of traffic make on-premises DDoS mitigation appliances unable to communicate with the cloud-based scrubbing platform and “ask” for its aid in handling this large packet volume.
Each attack/pulse lasts for a few seconds, but is highly disruptive. “What you have is a very short attack that will lead to a certain period of downtime before the on-premises devices can call on the cloud service to mitigate this huge burst of packets,” Hamilton explains.
In addition to this, the lack of communication makes it impossible for the appliance to provide information required to quickly create an attack signature, and this leads to further mitigation delays.
“Pulse wave attacks can be aimed at a larger number of targets. Instead of attacking one organization for ten minutes, the attackers can hit ten organizations continuously for a few seconds at a time, maximizing efficiency,” Hamilton notes. “Packet-intensive attacks such as these are designed to overwhelm edge routers and bring the whole network down, and are unfortunately increasing in size and frequency.”
Application-level attack are also a rising problem – they used to be a minority of DDoS attacks, and now they are almost two-thirds of all attacks, he says.
“What’s interesting about them is you have to use completely different techniques to mitigate them. The attack comes from what appear to be real web clients, but you can’t block all traffic to the website as legitimate traffic must be able to pass through to the site. So you need technology to identify which bots are attack bots and which sessions are real human beings trying to perform an action on the website.”
Making the right choice
DDoS mitigation options come in form of standalone, on-premises appliances; hybrid solutions that combine appliances and protection services in the cloud; and “as-a-Service.”
Imperva offers a pure, cloud-based DDoS mitigation-as-a-Service and it offers something that all organizations should look for: guaranteed attack mitigation in under ten seconds, regardless of the attack’s size and without getting in the way of legitimate traffic.