sb-au logo
Story image

Network intelligence is stopping a wave of DDoS misdiagnosis

04 Aug 2020

Article by ThousandEyes principal solutions analyst Mike Hicks.

The role and value of the internet is substantially elevated, courtesy of COVID-19. 

Its strength and resiliency has helped organisations adapt to new fully remote ways of work, keeping staff connected while ensuring business-critical applications could be accessed and remained performant.

But as organisations face a rising number of security threats that seek to exploit post-COVID organisational – and specifically network – structures, it’s more important than ever that there is close cooperation between network and security to ward off threats.

This strategy is especially important in the fight against the rise of distributed denial-of-service (DDoS) attacks in recent months. In some cases, these attacks are now so big and complex that they can be hard to diagnose using security monitoring tools alone.


DDoS is (unfortunately) back

DDoS stumbled as an attack vector for a period, courtesy of law enforcement intervention.

When the FBI moved on the 15 largest DDoS-for-hire services in late 2018, the impact was swift - fewer attacks worldwide, an 85% decline in average size, and a 24% drop in the maximum size.

By mid last year, however, DDoS attacks were rising again, and come 2020, the records started to tumble once more. 

In mid-June, Amazon Web Services said it had defended a DDoS attack with “a previously unseen [peak traffic] volume of 2.3 Tbps. This is approximately 44% larger than any network volumetric event previously detected on AWS,” it said.

Just days later, Akamai reported mitigating “the largest packet per second DDoS attack ever recorded on [its] platform … well over double the size of the previous high-water mark.”


Not everything is a DDoS

One of the complicating factors is that other problems are sometimes misdiagnosed or mislabelled as being DDoS-related.

Around the same time as AWS and Akamai reported massive DDoS attacks, US mobile users started to experience widespread outages. Internet sleuthing linked the outages to what appeared to be a large active DDoS attack. 

Except that in this case, it wasn’t. T-Mobile made network configuration changes that caused a series of cascading failures. It was only analysis of traffic through major internet exchanges – and the lack of anything anomalous – that led to the DDoS theory being overturned.

In Australia, an outage of the federal one-stop-shop myGov portal in late March was initially attributed to DDoS. However, upon closer examination, the flood of traffic was not malicious but entirely legitimate, caused by an unprecedented number of people looking for government services as Australia began to lock down due to the COVID-19 pandemic. 

Once again, network traffic analysis was key to understanding the root cause.


Composite intelligence

There’s an emerging pattern here. 

There are many security monitoring tools aimed at DDoS mitigation, and if you have any web-facing service, it’s more than likely you have one or more of these tools in place already.

But security is all about layering. Defence-in-depth or layered security, for example, relies on multiple layers of mitigating security controls to improve assurance and reduce the risk of an attack being successful. If one layer fails to detect and/or mitigate a threat, it is still likely to be caught by other defensive layers.

Against a backdrop of huge, debilitating DDoS attacks and the challenge of diagnosing them correctly, it makes sense to have a layered understanding of the attack surface. 

The network team and their tools are a valuable input to this process. They are capable of bringing a layer of intelligence and visibility that can augment what organisations think they know about an incident courtesy of their security monitoring tools and operations. 

Overall network visibility should address all the elements that impact performance to uncover a root cause when performance breaks down. It should include digital experience monitoring (DEM) network performance metrics like server availability and response time, jitter, packet loss, page load and web transaction data, while providing insight into the root cause of the issue. 

All of this is useful as an input to help security and IT teams resolve an underlying problem.

Just like elsewhere in security, a layered approach that involves the networks team is likely to be a more rounded way of dealing with the threat of DDoS attacks.