Arbor Networks: Beware of headline risk with DDoS attacks
A term you will frequently hear in the stock markets is "headline risk" and it occurs when a news story adversely affects a stock's price. Tesla knows this only too well, as its stock was impacted by headline risk after there was a fatal crash with a Tesla in autopilot mode in the US last year.
Its outspoken CEO Elon Musk subsequently warned journalists about negative coverage of Tesla crashes, as he believes that the headline risk of AV crashes could have negative long-term consequences for the adoption of self-driving cars.
Headline risk can also affect the performance of the world's stock markets, as when banks and markets across the globe were caught off guard by the shock "Brexit" win, and this uncertainty will continue as negotiations with the EU get uglier.
When you consider headline risk in the context of distributed denial-of-service (DDoS) threats today, headlines pose a risk of a different sort. They can distort an organisation's perception of the real issue and limit the options it considers for protecting the business.
Since first emerging in the late 1990s, DDoS attacks have had the reputation of being a basic flood attack that tries to overwhelm a connection with traffic. Recent headlines about DDoS attacks haven't helped change that perception.
This trend towards very large attacks has been driven by reflection and amplification techniques that multiply the traffic an attacker can direct at a target. For example, attackers send DNS queries to open resolvers with the source address spoofed to that of the victim, so that the resolvers reply to the victim rather than to the attacker.
The response delivered to the victim's server may be 50 times the size of the original query. In fact, this year's Worldwide Infrastructure Security Report showed increased attack activity across all reflection/amplification protocols, with DNS remaining the most commonly used and NTP close behind.
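From the defender's side, the tell-tale sign of being a reflection victim is DNS responses arriving from resolvers the host never queried. The following Python is an added example, not code from the article or from Arbor; it pairs inbound responses with earlier outbound queries in constructed, NetFlow-like records and reports hosts that receive unsolicited answers from several resolvers. Addresses are from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record (constructed, NetFlow-like)."""
    ts: float    # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int

def find_reflection_victims(flows, min_unsolicited=3, min_resolvers=2):
    """Return {victim_ip: (unsolicited_responses, distinct_resolvers, bytes)}.
    Inbound DNS responses (UDP source port 53) are matched against earlier
    outbound queries from the same client to the same resolver; unmatched
    responses are the reflection signal. Simplification: queries never expire.
    """
    outstanding = defaultdict(int)                    # (client, resolver) -> open queries
    unsolicited = defaultdict(lambda: [0, set(), 0])  # victim -> [count, resolvers, bytes]
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport == 53:                             # outbound query
            outstanding[(f.src, f.dst)] += 1
        elif f.sport == 53:                           # inbound response
            key = (f.dst, f.src)
            if outstanding[key] > 0:
                outstanding[key] -= 1                 # answers a real query
            else:
                rec = unsolicited[f.dst]
                rec[0] += 1
                rec[1].add(f.src)
                rec[2] += f.nbytes
    return {ip: (n, len(r), b) for ip, (n, r, b) in unsolicited.items()
            if n >= min_unsolicited and len(r) >= min_resolvers}

# Constructed sample (RFC 5737 documentation ranges): one legitimate query and
# answer for 192.0.2.5, then large answers from three open resolvers landing on
# 203.0.113.10, which never sent a query.
SAMPLE_FLOWS = [
    Flow(0.0, "192.0.2.5", 40000, "198.51.100.1", 53, 60),
    Flow(0.1, "198.51.100.1", 53, "192.0.2.5", 40000, 120),
    Flow(1.0, "198.51.100.1", 53, "203.0.113.10", 1234, 3000),
    Flow(1.0, "198.51.100.2", 53, "203.0.113.10", 1234, 3200),
    Flow(1.1, "198.51.100.3", 53, "203.0.113.10", 1234, 2900),
    Flow(1.2, "198.51.100.1", 53, "203.0.113.10", 1234, 3100),
]

if __name__ == "__main__":
    print(find_reflection_victims(SAMPLE_FLOWS))  # {'203.0.113.10': (4, 3, 12200)}
```

Dividing the reported byte total by the response count, against the roughly 60-byte queries in the sample, gives the amplification factor the text refers to.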
We're now seeing a new way for attackers to launch massive attacks, with the emergence of IoT botnets like Mirai and LizardStresser. Embedded IoT devices are highly vulnerable, are almost always switched on, and typically sit on networks with very high-speed connections, making each compromised device the perfect conduit for a relatively large amount of DDoS attack traffic. Against this backdrop, it's easy to see why massive attack size currently dominates the debate around DDoS.
In this scenario, believing that the headlines tell the full story poses a serious risk to network operators. Yes, massive attacks are here to stay and yes, they're getting large enough that they could become a national security issue for Australia. However, it is important for enterprise network operators to understand that a DDoS attack only has to be as large as your internet-facing circuit to succeed.
Arbor's ATLAS threat intelligence infrastructure gathers anonymised traffic data from more than 300 internet service providers, amounting to approximately one-third of all internet traffic. Here are a few statistics that show why DDoS is about more than very large attacks:
- ATLAS recorded a DDoS attack every 6.3 seconds last year
- 88% were less than 2 Gbps
- 80% were less than 1 Gbps
In fact, DDoS today is a series of attacks that target not just connection bandwidth but the multiple devices that make up the existing security infrastructure, such as stateful firewall/IPS devices, as well as a wide variety of applications the business relies on, like HTTP, HTTPS, VoIP, DNS and SMTP.
DDoS attacks that target business-critical applications are often referred to as "low and slow" attacks. They send what look like legitimate requests to an application until it can no longer respond. High volumes are not required to cause serious operational damage to an unprepared organisation.
The hottest trend right now in DDoS is the multi-vector attack, combining flood, application and state exhaustion attacks against infrastructure devices all in a single, sustained attack. These attacks are popular as they are difficult to defend against and are often highly effective.
All of this calls for on-premises DDoS protection. It provides the first line of defence against volumetric attacks while protecting Layer 7 applications from "low and slow" attacks that cannot be effectively mitigated from the cloud. By deploying Intelligent DDoS Mitigation Systems on-premises in front of the firewall/IPS, you protect the existing security infrastructure while maintaining the availability of critical business applications.
Effective DDoS defence calls for agile protection from the cloud to the data centre. Without a tightly integrated, multi-layered mitigation infrastructure, Australian organisations will only be partially protected. What our enterprises need to do is look beyond the headlines on DDoS attacks if they don't want to become one.