The Darkening World of DDoS
By Matt Mahvi, CEO, Staminus Communications
Imagine a new financial technology company with media coverage and solid traction. The CTO has built amazing engineering and operations teams that have learned to scale the company infrastructure with the company’s viral growth. Clients are satisfied and enjoy their services, and speak nothing but praise for the technology.
At 2 AM, the CTO receives a frantic call from a senior network engineer. The mobile application, website, and API systems are all down. The team checks their hosting environment – it seems up, but all company-specific resources are down. It’s a distributed denial of service attack targeting their application. The contingency plans for mitigating an attack are not working; they’re not prepared for the size and type of DDoS attack. After what feels like endless hours of spinning up new virtual machines to handle the load, the attack seems to subside for a time, but clients are furious because access to their services remained impossible for the entire episode.
A Widespread Problem
DDoS was historically limited to e-commerce and gaming companies, but has more recently spread to encompass a wider range of industries including financial, aviation, media, education, and governments. As recently as this June, we’ve seen some new targets, as well as old tactics. A DDoS attack against a Polish airline in Warsaw prevented pilots from accessing flight plans, so the airline’s flights were grounded. In Canada, the “hacktivist” collective Anonymous released a video taking credit for attacks on Canadian government operated websites in response to the passing of an anti-terrorism bill. “DD4BC” (DDoS For Bitcoin) has been targeting companies for ransoms in exchange for stopping DDoS attacks it has perpetrated against them.
Governments are also steadily increasing their participation in this area. It was recently speculated that infrastructure associated with China’s Golden Shield Project, also known as the Great Firewall (or, for this attack tool, the Great Cannon), was launching a DDoS attack against the popular online source code repository GitHub. The US federal government has begun stepping into this arena with new programs to pursue cyber criminals and make it easier for the FBI to shut down botnets in hopes of curbing the problem.
The Problem Just Gets Wider
In the modern world of the Internet of Things (IoT), every device is a potential DDoS originator. Vulnerabilities that have affected hundreds of thousands of smartphones, internet-connected appliances, servers and home routers have already created tens of thousands of zombies for botnets.
The growth of these botnets, among other methods of launching DDoS attacks, has helped lead to the popularization of DDoS-as-a-Service tools called “booters”, which masquerade as online stress-testing tools. They are conveniently available to anyone with a credit card for as little as $5 per attack. Their operators present them as legal stress-testing services (using one against a target you do not own is not), and some of them even have phone support in case the attacker runs into trouble.
This has culminated in a technical shift in the landscape of DDoS. A few years ago, most attacks were volumetric in nature, but modern attackers have become more intelligent, targeting the application layer instead. Across a sample set of millions of attacks over the past six months, we’ve seen that application layer attacks now represent 42% of all DDoS attacks, up from 4% back in December of 2014. This means attackers are more organized, sophisticated, need to launch fewer attacks, and often fly under the radar of traditional DDoS detection and mitigation systems.
The growing sophistication of DDoS needs to be solved on multiple fronts and through a comprehensive approach. Technology companies increasingly have multiple forms of Internet presence with different Internet applications. Some will have a web presence on shared cloud, while others will lease data center space, transit capacity, and use their own server farms for their customer applications. DDoS is not limited to websites, shared cloud environments, or data centers. A broad spectrum solution is required which protects all applications from all DDoS attacks, in all environments.
At the core, DDoS needs to be solved through application-level scale and high-speed, granular, tap-based detection. The traditional hardware appliance model of detection using flow exports like sFlow or NetFlow is outdated and prone to error because it sees only sampled flow records: byte and packet counts with no payload or application data. On the other hand, tap-based systems monitor every packet and every byte, every time. This gives them tremendous visibility and an inherent advantage in attack detection and mitigation.
Tap-based on-premises DDoS protection should be paired with in-the-cloud scalable network based DDoS detection and mitigation. The scale of this network should be such that it can handle the largest volumetric attacks and the most complex application attacks. Networks built with Juniper MX routers are ideally suited for this task as they provide performance, future upgradability, and stability. These networks should be distributed with multiple nodes around the world to reduce latency to end users and support effective volumetric mitigation.
Through traffic tapping, application-layer detection, and widespread network visibility, comprehensive DDoS protection systems can build up effective threat intelligence on attacks. When an attack is launched against one network, the same attack should then be stopped instantly when it is seen anywhere else within the ecosystem. This intelligence should in turn enhance the effectiveness of customers’ on-premises appliances as well as the cloud network.
The Future of Intuitive Solutions
The advancement of technology has a strong tendency to lean towards automation and simplicity. As we transition into an ever more interconnected world of ‘things’, we will see the deployment of these devices simplified and made mostly automatic. These items will be potentially vulnerable in our haste to connect them to the web. The problem of DDoS will organically grow, and the mitigation industry will need a paradigm shift to keep pace with threats. The old, tried, and true methods will slowly be replaced by more automated and intelligent systems that leverage defense in depth, delivering a comprehensive solution.