Overcoming the DDoS Challenge in 2015
From years of working in IT security, many IT and networking professionals, myself included, have experienced the dilemma organizations face when implementing an effective Distributed Denial of Service (DDoS) defense strategy. Whether to deploy on-premises DDoS appliances or subscribe to a cloud-based anti-DDoS provider is a decision every Internet-dependent organization faces today. As the headlines show every day, organizations that benefit from the Internet can easily lose those benefits with any outage or downtime.
Most security professionals understand the well-recognized volumetric attacks designed to saturate Internet pipes, taking services and infrastructure offline. Many are also familiar with application layer attacks that are ‘low and slow’: difficult to detect, passing right through firewalls, and designed to consume server resources rather than bandwidth.
Recently I’ve observed some unique trends within the DDoS attack landscape— the concept of a mid-sized, partially saturating volumetric attack is becoming more common than not. In this scenario attackers utilize multi-vector DDoS attacks against a target site for the purpose of negating existing human and technological defenses— without filling the pipes.
This is accomplished by stressing the existing security infrastructure with the attack and, as a result, distracting security personnel while it is underway. These DDoS attacks consume time, attention, resources, and log storage. The attacks cause some level of latency and alarm, but the attackers also leave just enough bandwidth free for the purpose of infiltration. Unfortunately, infiltration-related security alerts get lost in the chaos of reacting to the DDoS attack; this attack recipe is used for financial gain and the breach of sensitive customer information.
When weighing the most appropriate strategy to defend against the implications of this type of DDoS attack, the solutions available are not an apples-to-apples comparison. However, there is a recommended approach to protect against the entire spectrum of DDoS attacks.
Cloud Anti-DDoS solution
Cloud-based protection is typically provisioned as a service and is most often used in an on-demand fashion to defeat large-scale attacks. These link saturation attacks are widely publicized and most commonly associated with DDoS, because they are the most obvious and glaring examples of an increasingly nuanced attack vector.
With this on-demand approach, human intervention plays a key factor. When an attack is detected, most often after traditional security devices become overwhelmed and outages begin to occur, a human must make the decision to enable the cut-over to the cloud anti-DDoS provider. This process also involves adjusting routing tables—a calculated risk for any business requiring 100 percent uptime.
A recent study published by market intelligence firm Megabuyte indicates that, “Customer complaints about service issues remain one of the main indicators that a DDoS attack is underway. Nearly half of participants experiencing an attack in the last year cited this as the primary means of notification.” In other words, their customers are the first indicator that an attack is underway, which is not an ideal alerting system for attack detection.
With a cloud-based approach, the time from detection to mitigation can range from thirty minutes to upwards of one hour. One hour of service degradation and outages before the cloud provider can engage and begin to take control is something most organizations cannot tolerate. In addition, the majority of volumetric, high-bandwidth attacks last less than 30 minutes; by the time on-demand defenses are in place, the attack has subsided and the damage has been done.
With out-of-band cloud anti-DDoS solutions, visibility into the attack and the corresponding analytics begin only after traffic has been rerouted to the scrubbing service, allowing little if any insight into the attack source or the vectors used before the reroute.
On-Premises Real-Time Defense
A first line of defense approach prevents network and service outages due to DDoS attacks by inspecting traffic at line-rate and blocking attacks in real time, while allowing all good traffic to flow uninterrupted. On-premises DDoS defense enables complete and sophisticated visibility when deployed at the network edge for actionable security intelligence related to DDoS attacks and other cyber threats targeting Internet-facing services.
Comprehensive visibility becomes a competitive advantage, so to speak, against the attackers. When DDoS is used as a distraction for high-value breaches, as previously mentioned, sophisticated visibility becomes paramount for understanding what is really happening in the network beyond the denial of service itself, and for identifying and eliminating the malicious activity.
Given the nature of the deployment, precise enforcement of mitigation policies against attack traffic must be accomplished without incurring false positives, with line-rate performance and maximum security efficacy. On-premises technology is designed to handle volumetric network-based DDoS attacks or floods, reflective and amplified spoofed attacks such as DNS and NTP attacks, as well as application layer attacks—such as Slowloris, Slow Read, etc.—that typically require very little bandwidth to execute and are therefore nearly impossible to detect with out-of-band DDoS mitigation solutions.
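The ‘low and slow’ attacks mentioned above and in the opening section leave almost no footprint in bandwidth graphs; what gives them away is connection state, which only an inline device (or the web tier itself) can see. The following is an added example, not code from the article or from any vendor product, of detecting Slowloris-style and Slow Read-style behaviour from per-connection telemetry. It assumes the on-premises device or a reverse proxy can export, for each open connection, the source address, the connection age, whether the request headers have completed, and how quickly the client is draining a pending response; the field names, thresholds and sample records are all constructed for illustration.

```python
"""Low-and-slow (Slowloris / Slow Read) detection from connection-state telemetry.

Added example (not from the article). Assumes an inline device or reverse
proxy can export per-connection state. All records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str            # client address
    age_s: float        # seconds since the TCP connection was accepted
    headers_done: bool  # has a complete HTTP request header block arrived?
    resp_bytes: int     # bytes of the pending response the client has drained
    resp_age_s: float   # seconds since the server started sending the response


# Thresholds are assumptions for illustration, not vendor defaults.
STALL_AGE_S = 30.0      # a header block normally completes in well under 30 s
MIN_STALLED = 5         # concurrent stalled connections per source before alerting
SLOW_READ_BPS = 100.0   # draining a response below 100 B/s is far below any real client


def classify(conns):
    """Return {src: reason} for sources that look like low-and-slow attackers.

    Slowloris: many long-lived connections whose request headers never complete.
    Slow Read: many connections that drain a response at a trickle, pinning
    server-side buffers and worker slots while using almost no bandwidth.
    """
    stalled = defaultdict(int)
    slow_read = defaultdict(int)
    for c in conns:
        if not c.headers_done and c.age_s > STALL_AGE_S:
            stalled[c.src] += 1
        elif c.headers_done and c.resp_age_s > STALL_AGE_S:
            if c.resp_bytes / c.resp_age_s < SLOW_READ_BPS:
                slow_read[c.src] += 1
    verdicts = {}
    for src, n in stalled.items():
        if n >= MIN_STALLED:
            verdicts[src] = f"slowloris: {n} connections with incomplete headers > {STALL_AGE_S:.0f}s"
    for src, n in slow_read.items():
        if n >= MIN_STALLED and src not in verdicts:
            verdicts[src] = f"slow-read: {n} connections draining < {SLOW_READ_BPS:.0f} B/s"
    return verdicts


# Constructed telemetry: one Slowloris source, one Slow Read source, and
# ordinary clients including a single slow-but-legitimate mobile user.
SAMPLE = (
    [Conn("198.51.100.7", 120.0 + i, False, 0, 0.0) for i in range(8)]   # slowloris
    + [Conn("203.0.113.9", 90.0, True, 2_000, 80.0) for _ in range(6)]    # slow read: 25 B/s
    + [Conn("192.0.2.1", 2.0, True, 50_000, 1.5)]                        # normal client
    + [Conn("192.0.2.2", 45.0, True, 1_000, 40.0)]                       # one slow mobile user
    + [Conn("192.0.2.3", 35.0, False, 0, 0.0)]                           # one stalled handshake
)

if __name__ == "__main__":
    for src, why in classify(SAMPLE).items():
        print(src, why)
```

The per-source counting is what keeps the single slow mobile user and the single stalled handshake out of the verdicts; a real deployment would also track the aggregate count of stalled connections, since an attacker spreading the load across many addresses stays under any per-source threshold while still exhausting the worker pool.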
A Possible Silver Bullet—The Hybrid Approach
As reported by the SANS Institute in early 2014, “DDoS mitigation solutions integrating on-premises equipment and ISP and/or mitigation architectures are nearly four times more prevalent than on-premises or services-only solutions. The growing sophistication of DDoS attacks and the sensitive nature of potential disruption to business services require both local and upstream protections that work in sync.”
The concept of utilizing on-demand cloud DDoS defense in the event of a pipe saturation attack coupled with always on, on-premises DDoS defense completes the picture for defeating the broad spectrum of DDoS attacks.
The main benefit of a hybrid approach is that the on-premises device dramatically reduces the number of times an organization needs to switchover to cloud-based mitigation. This not only lowers the costs and saves time associated with those switchovers but also provides organizations with real time protection against all forms of DDoS attacks and other cyber threats.
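The hybrid approach described in this section can be reduced to a small control loop: the on-premises device mitigates continuously, while the cloud cut-over is triggered only when the Internet link itself is close to saturating, and only after that condition has persisted. The following is an added example written for this article, not code from any vendor or from the author; the link capacity, per-source ceiling, hysteresis thresholds and the traffic trace are constructed assumptions. The trace contains a mid-sized multi-source flood (absorbed on-premises with no cut-over) followed by a link-saturating one (which does trigger a cut-over), illustrating why the on-premises layer reduces the number of switchovers.

```python
"""Hybrid DDoS defense controller: always-on on-premises filtering plus an
on-demand cut-over to a cloud scrubbing service, taken only when the uplink
is at risk of saturating. Added example; all numbers are assumptions.
"""
LINK_MBPS = 1000.0          # assumed Internet uplink capacity
PER_SRC_CAP_MBPS = 20.0     # assumed on-prem per-source ceiling for a single flow
SWING_OUT_RATIO = 0.8       # cut over when ingress stays above 80% of the link
SWING_BACK_RATIO = 0.5      # return when ingress stays below 50% (hysteresis)
SUSTAIN_SAMPLES = 3         # consecutive samples required in either direction


def on_prem_filter(sources):
    """Per-source ceiling as a stand-in for on-prem mitigation.

    sources: {src: mbps}. Returns (forwarded_mbps, dropped_mbps, blocked_srcs).
    """
    forwarded = dropped = 0.0
    blocked = []
    for src, mbps in sources.items():
        if mbps > PER_SRC_CAP_MBPS:
            dropped += mbps
            blocked.append(src)
        else:
            forwarded += mbps
    return forwarded, dropped, blocked


class HybridController:
    def __init__(self):
        self.in_cloud = False
        self.cutovers = 0
        self._hot = 0    # consecutive samples above the swing-out threshold
        self._cool = 0   # consecutive samples below the swing-back threshold

    def step(self, sources):
        ingress = sum(sources.values())
        forwarded, dropped, blocked = on_prem_filter(sources)
        # The cut-over decision is made on raw ingress: once the pipe fills,
        # nothing downstream of it can help, so only link load matters here.
        if ingress >= SWING_OUT_RATIO * LINK_MBPS:
            self._hot += 1
            self._cool = 0
        elif ingress <= SWING_BACK_RATIO * LINK_MBPS:
            self._cool += 1
            self._hot = 0
        else:
            self._hot = self._cool = 0
        if not self.in_cloud and self._hot >= SUSTAIN_SAMPLES:
            self.in_cloud = True
            self.cutovers += 1
            self._hot = 0
        elif self.in_cloud and self._cool >= SUSTAIN_SAMPLES:
            self.in_cloud = False
            self._cool = 0
        return {"ingress": ingress, "forwarded": forwarded, "dropped": dropped,
                "blocked": blocked, "in_cloud": self.in_cloud}


def run(trace):
    """Feed one sample per interval through the controller."""
    ctl = HybridController()
    return [ctl.step(s) for s in trace], ctl.cutovers


def _sample(legit=10, attackers=0, attack_mbps=0.0):
    """Constructed traffic sample: legit users at 5 Mbps each plus optional bots."""
    s = {f"user{i}": 5.0 for i in range(legit)}
    s.update({f"bot{i}": attack_mbps for i in range(attackers)})
    return s


TRACE = (
    [_sample() for _ in range(3)]                                   # quiet: 50 Mbps
    + [_sample(attackers=3, attack_mbps=100.0) for _ in range(4)]   # mid-sized flood: 350 Mbps
    + [_sample() for _ in range(3)]                                 # quiet again
    + [_sample(attackers=40, attack_mbps=25.0) for _ in range(5)]   # saturation: 1050 Mbps
    + [_sample() for _ in range(4)]                                 # attack subsides
)

if __name__ == "__main__":
    results, cutovers = run(TRACE)
    for i, r in enumerate(results):
        print(i, f"ingress={r['ingress']:.0f}", f"dropped={r['dropped']:.0f}",
              f"cloud={r['in_cloud']}")
    print("cut-overs:", cutovers)
```

Two design points carry over to a real deployment: the swing-out test uses raw ingress rather than post-filter volume, because the on-premises device cannot unfill a saturated pipe, and the hysteresis band plus the sustain count keep a brief burst from causing the routing change that the article warns is itself a calculated risk.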