SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
How to ensure the availability of your network before DDoS strikes
Mon, 13th Nov 2017

Today's business world runs on the availability of its networks, applications and online services. Availability is as fundamental to business operations as electricity. When availability is taken from a business, the impact is felt immediately.

Online sites and services disappear. Customers, partners and employees are stopped in their tracks. If the problem persists, it becomes an issue for the brand and its relationships with customers. It can lead not only to lost sales, but to lost customers and increased marketing costs to win them back.

The first step to protection is to understand the threat, its frequency and complexity. Without that baseline, you cannot measure or appreciate the risk DDoS attacks present to your organisation.

Our ATLAS infrastructure collects anonymous traffic data from 400 service providers globally, giving us insight into approximately 1/3 of all internet traffic. From this vantage point, we have seen the following DDoS attack activity in Australia throughout October 2017.

  • 9300 attacks
  • 300/day
  • 12.5/hour
  • Top source countries for attacks: US, China, UK and India
  • Largest attack size was 108 Gbps
  • Largest PPS (packets per second, i.e. the packet throughput hitting firewalls, IPS and load balancers) was 19.7 MPPS

The increase in DDoS activity is related to the emergence of for-hire services that will launch DDoS attacks for very little money. These attack services, known as booters/stressers, make their money on volume, launching thousands of attacks leveraging a botnet infrastructure. Botnets are networks of remotely controlled computers and, increasingly, IoT devices. With this infrastructure a botmaster can aggregate 10,000, 50,000, sometimes hundreds of thousands of devices to launch attacks.

Key Requirements for DDoS Protection

Detection: Speed of DDoS attack detection is the first and most fundamental capability required to initiate swift mitigation. The choice of solution here matters a great deal to your risk profile. Do you go with the cloud-based approach that's now offered by your CDN provider? Do you check the box and go with a newly added feature to your firewall? Or, do you opt for purpose-built DDoS protection?

What are the differences and why does it matter?

In the past year, we have seen these botnets become increasingly sophisticated, launching not only high-volume attacks that grab headlines, but millions of attacks targeting Layer-7 applications.

Today, DDoS attacks strike multiple targets simultaneously, from bandwidth to applications to existing infrastructure, including network firewalls, web application firewalls (WAFs) and intrusion prevention systems (IPS). And attacks are becoming increasingly multi-layered, employing a combination of attack methodologies and diversionary tactics to overwhelm defences. The ability to defend your business and maintain availability of your services is directly dependent on how fast you can respond to these multi-pronged threats.

DDoS attacks are often thought of as high-volume attacks that attempt to saturate available bandwidth. While that is certainly true, it is only a piece of the story. The reality is that millions of smaller, stealthier and more complex attacks are targeting Layer-7 applications and existing infrastructure, often simultaneously. These stealthy, multi-vector attacks are best mitigated on-premise. The cloud is only a partial solution, ideal for the large volumetric attacks. The real action in DDoS defence is on-premise.

IPS devices, firewalls and other security products are essential elements of a layered-defence strategy, but they are designed to solve security problems that are fundamentally different from those addressed by dedicated DDoS detection and mitigation products. IPS devices, for example, block break-in attempts that cause data theft. Meanwhile, firewalls act as policy enforcers to prevent unauthorised access to data. While such security products effectively address “network integrity and confidentiality,” they fail to address the fundamental concern in a DDoS attack, which is “network availability.”

The limitations in firewalls and IPS devices reveal the key benefits of an Intelligent DDoS Mitigation Solution (IDMS).

  • An IDMS is “stateless,” in other words, it does not track state for all connections. A stateful device, like a firewall or IPS, is vulnerable to DDoS and will only add to the problem.
  • An IDMS solution does not depend on signatures created after the attack has been unleashed on the targets; rather, it supports multiple attack countermeasures. This enables out-of-the-box protection against most attack types.
  • The IDMS solution supports various deployment configurations; most importantly, it allows for out-of-band deployments when needed. This flexibility can increase the scalability of the solution, which is a requirement as the size of DDoS attacks continues to increase.
  • To truly address “distributed” DoS attacks, an IDMS is a fully integrated solution that supports a distributed detection method. IPS devices that rely on single-segment detection will miss major attacks.
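The first bullet, why a stateful device "adds to the problem" while a stateless countermeasure does not, can be shown with two toy filters. This is an added illustration, not code from the article or from any vendor product: the table size, SYN budget, addresses and packet stream are all constructed, and the point it makes is that half-open entries keep the stateful table full after the flood has stopped, whereas the stateless per-second budget recovers immediately.

```python
from typing import Dict, List, Tuple

Packet = Tuple[int, str, int, bool, bool]   # (second, src, sport, is_syn, is_legit)
TABLE_SIZE = 1000   # constructed: connection-table slots on the stateful device
SYN_BUDGET = 500    # constructed: SYNs per second the stateless countermeasure forwards

class StatefulFilter:
    """Firewall/IPS style: a new flow needs a table slot, and a half-open entry
    occupies that slot until a long timeout, so a flood leaves the table full."""
    def __init__(self, table_size: int = TABLE_SIZE) -> None:
        self.table: Dict[Tuple[str, int], str] = {}
        self.table_size = table_size

    def forward(self, pkt: Packet) -> bool:
        _, src, sport, _, _ = pkt
        if (src, sport) in self.table:
            return True                        # known flow
        if len(self.table) >= self.table_size:
            return False                       # no slot left: legitimate SYNs die too
        self.table[(src, sport)] = "half-open"
        return True

class StatelessFilter:
    """IDMS style: one counter per second and no per-flow memory; non-SYN packets
    are forwarded without any lookup and the budget resets every second."""
    def __init__(self, syn_budget: int = SYN_BUDGET) -> None:
        self.budget, self.sec, self.syns = syn_budget, -1, 0

    def forward(self, pkt: Packet) -> bool:
        sec, _, _, is_syn, _ = pkt
        if sec != self.sec:
            self.sec, self.syns = sec, 0
        if not is_syn:
            return True
        self.syns += 1
        return self.syns <= self.budget

def legit_acceptance(filt, packets: List[Packet], second: int) -> float:
    """Fraction of legitimate SYNs arriving in `second` that the device forwards."""
    hit = tot = 0
    for p in packets:
        ok = filt.forward(p)
        if p[0] == second and p[3] and p[4]:
            tot, hit = tot + 1, hit + ok
    return hit / tot

def constructed_stream() -> List[Packet]:
    """Second 0: 5000 half-open SYNs from distinct flows, then 100 legitimate
    SYNs; second 1: the flood has stopped and only 100 legitimate SYNs arrive."""
    flood = [(0, f"198.51.100.{i % 250}", 1024 + i, True, False) for i in range(5000)]
    legit = [(sec, "203.0.113.7", 50000 + i, True, True) for sec in (0, 1) for i in range(100)]
    return flood + legit
```

During the flood both devices refuse new legitimate connections; one second later the stateless device forwards all of them while the stateful device, still holding 1000 half-open entries, forwards none.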

Automation: Automation is the holy grail in security these days. It helps with the staffing challenges and can be critical to speed of response. The good news is that it's possible with the right IDMS to detect attacks and initiate mitigation automatically, often before security operators are aware of the attack.

In a hybrid DDoS defence deployment, which combines on-premise protection with cloud-based mitigation, a signal can be sent from the IDMS to activate cloud-based countermeasures instantly and automatically when attack volume reaches a specified threshold. This is especially important as attacks become not only larger in size, but also increasingly multi-layered in their methodologies.
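The detection and automation requirements above, baseline-relative detection of both bandwidth and packet-rate floods, on-premise mitigation first, and an automatic cloud signal once volume crosses a threshold, can be sketched as one decision loop. This is an added example, not the article's or any vendor's code; the thresholds, the 30-second baseline and the sample traffic are constructed, with the flood sizes borrowed from the 19.7 MPPS and 108 Gbps peaks the article reports.

```python
from collections import deque
from dataclasses import dataclass
from statistics import mean

# Constructed tuning values; a real IDMS derives them per link and customer.
CLOUD_SIGNAL_GBPS = 8.0    # signal the cloud before the on-premise device saturates
DETECT_MULTIPLIER = 3.0    # traffic above this multiple of baseline is an attack
BASELINE_WINDOW = 30       # seconds of clean history behind the baseline
MIN_ATTACK_MPPS = 1.0      # floor so a quiet link does not trip on noise

@dataclass(frozen=True)
class Sample:
    t: int        # seconds
    gbps: float   # bandwidth into the edge, Gbit/s
    mpps: float   # packet rate into firewalls/IPS/load balancers, Mpkt/s

class HybridDefense:
    """observe() returns (t, state, reason); state is learning|normal|onprem|cloud."""
    def __init__(self) -> None:
        self.history: deque = deque(maxlen=BASELINE_WINDOW)
        self.cloud_signaled = False

    def observe(self, s: Sample) -> tuple:
        if len(self.history) < BASELINE_WINDOW:
            self.history.append(s)
            return (s.t, "learning", "building baseline")
        base_gbps = mean(x.gbps for x in self.history)
        base_mpps = mean(x.mpps for x in self.history)
        bw_flood = s.gbps > DETECT_MULTIPLIER * base_gbps
        pps_flood = s.mpps > max(DETECT_MULTIPLIER * base_mpps, MIN_ATTACK_MPPS)
        if not (bw_flood or pps_flood):
            self.history.append(s)       # only clean samples feed the baseline
            self.cloud_signaled = False  # attack over: release the cloud
            return (s.t, "normal", "within baseline")
        if self.cloud_signaled or s.gbps >= CLOUD_SIGNAL_GBPS:
            reason = "cloud mitigation active" if self.cloud_signaled else "cloud signal sent"
            self.cloud_signaled = True   # stays active until traffic is clean again
            return (s.t, "cloud", reason)
        return (s.t, "onprem", "bandwidth flood" if bw_flood else "packet-rate flood")

def run(samples: list) -> list:
    return list(map(HybridDefense().observe, samples))   # one per-second decision each

def constructed_stream() -> list:
    """Constructed: 30 s normal, 5 s of a 19.7 Mpps flood at modest bandwidth,
    5 s quiet, then 5 s of a 108 Gbps flood (peak sizes taken from the article)."""
    normal = [Sample(t, 1.0 + 0.1 * (t % 3), 0.2) for t in range(30)]
    pps_flood = [Sample(30 + i, 2.0, 19.7) for i in range(5)]
    quiet = [Sample(35 + i, 1.0, 0.2) for i in range(5)]
    volumetric = [Sample(40 + i, 108.0, 9.0) for i in range(5)]
    return normal + pps_flood + quiet + volumetric
```

Note that the packet-rate flood never crosses the bandwidth threshold and is handled on-premise, while the volumetric flood triggers the cloud signal on its first sample and keeps cloud mitigation active until traffic returns to baseline.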

Response: Successfully dealing with DDoS attacks starts with having the right technology solutions in place; however, that is not the end of the story. At some point, even with multiple aspects of DDoS defence being automated, from pre-installed countermeasures to the connection with cloud-based mitigation, humans play a key role in the response and overall defence.

Three Key Questions:

  • Do you have a DDoS incident response plan?
  • Do you know how to escalate across the organisation, with network, applications and services teams who may be impacted by an attack?
  • Do you have a communications plan for regulatory or compliance issues, customers, investors and partners?

It is difficult to perform under the pressure of an attack if you aren't prepared. Incident response practice is essential to quick and effective threat mitigation. Ignoring the critical human aspect of DDoS defence can be just as catastrophic to your business as choosing the wrong solution.