SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Secure the NEXT – Mitigate DDOS attacks
Mon, 27th Jun 2016

There are more than 3.4 billion internet users globally and an estimated 6.4 billion IoT devices connected to the internet, making the ecosystem a burgeoning exchange in which information and transactions flow every second. By 2020, Gartner estimates there will be 20 billion devices. IoT will be part and parcel of our lives, from utilities to transportation to citizen services. While all this offers an unprecedented level of convenience, it also attracts unwanted attention from cybercriminals, whose capabilities have evolved over time. Devices in the connected IoT world bring all sorts of convenient new features, but people often forget that these devices are also network-connected, and so exposed to the same threats as any other host. From the primitive worms and spyware of the past, people and businesses today face complex threats such as cyber espionage, ransomware, sophisticated malware and the ever-present DDoS attack.

Distributed Denial of Service (DDoS) is a form of multi-source cyberattack that aims to deny a network resource or service to its intended users. It has evolved in sophistication and is now used to support fraud and extortion. DDoS attacks typically overwhelm network resources with sheer traffic volume sent from many compromised systems or devices acting as bots. DDoS attacks can be further classified into the following types:

  • Volumetric: denies access to legitimate users by flooding network resources, crippling in particular the ability to handle new connections per second (CPS)
  • Asymmetric: a small amount of carefully crafted malicious data designed to consume memory and slow the network to a crawl
  • Computational: designed to exhaust CPU resources and memory
  • Vulnerability: exploits specific vulnerabilities in protocols or software to cause a denial of service
  • Hybrid: a combination of different DDoS attack types

A Bigger Threat Than Ever

While DDoS attacks have been common since the late 2000s, attack sizes have increased significantly in the past few years. New protocol exploits and amplification attacks have become too large for most organisations to combat without the support of a cloud-based DDoS scrubbing service. In 2013, Spamhaus services were reported to have been brought down by a 300 Gbps attack, and in 2014 an attack peaking at 400 Gbps was recorded. The largest DDoS attack recorded to date was captured in 2015, with a peak of 500 Gbps. With bandwidth getting cheaper, it has become more affordable to launch attacks at scale, and we can expect to see terabit-per-second attacks before long.

Modern denial of service attacks do not only interrupt or bring down services; they also distract security operations teams with a mix of threats that have varying effects on the infrastructure. Such attacks are increasing in frequency, volume and sophistication. Attackers combine volumetric, partial-saturation, authentication-based and application-level attacks until they find the weakest link. These threats, which are becoming more difficult to defend against, are often a precursor to an advanced persistent threat (APT). How quickly an organisation can discover and stop them is key to ensuring service continuity. The pervasiveness of volumetric DDoS, along with the potential growth in bots, calls for a hybrid DDoS strategy that combines an on-premises WAF with cloud-based scrubbing services.

Mitigating a DDoS Attack

When a company's on-premises WAF detects that it is under DDoS attack, incoming traffic is redirected to a cloud-based DDoS scrubbing service, such as F5 Silverline, which detects and filters the attack traffic. Once the traffic has been scrubbed clean, it is forwarded from Silverline to the company, which continues to operate as normal while this is going on. The scrubbing service thus mitigates DDoS attacks that aim to bring down services while the company keeps running.

It is pertinent for businesses to protect their infrastructure from large-scale and incessant attacks without compromising performance. This can be achieved with granular DDoS rules and policies, coupled with contextual knowledge of identity and user access to applications and data, enabled by the automatic collection and analysis of data across deployment environments: SSL inspection, behavioural analytics, bandwidth usage, health monitoring and other statistics.

This ensures that attacks against services such as HTTP/S, SMTP, FTP, DNS and SIP can be detected sooner and mitigation activated swiftly and accurately, whether in hardware, upstream or across cloud-based services. Businesses can thus be assured of a smooth and immediate transition back to normal service once attack traffic has subsided to manageable levels.
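The hybrid workflow described above (detect on-premises, divert to a scrubbing service, return once traffic subsides) is easiest to reason about as a small controller with hysteresis. The following is an added example written for this article, not F5 or Silverline code. It assumes a per-second count of new connections (CPS) exported by the on-premises device, learns a baseline with an exponentially weighted moving average from traffic that looks normal, and requires several consecutive anomalous seconds before diverting and a longer calm period before returning, so that traffic is not flapped between paths. The CPS series is constructed for the demonstration.

```python
"""Hybrid DDoS diversion controller with hysteresis (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DiversionController:
    alpha: float = 0.1          # EWMA smoothing factor for the CPS baseline (assumption)
    multiplier: float = 4.0     # CPS above multiplier * baseline counts as anomalous (assumption)
    trigger_seconds: int = 3    # consecutive anomalous seconds before diverting
    cooldown_seconds: int = 10  # consecutive calm seconds before returning on-premises
    baseline: float = 0.0
    diverted: bool = False
    _hot: int = 0               # run length of anomalous seconds while on-premises
    _calm: int = 0              # run length of calm seconds while diverted
    events: List[str] = field(default_factory=list)

    def observe(self, second: int, cps: int) -> str:
        """Feed one second of CPS; return the path in use: 'on-prem' or 'scrubbing'."""
        if self.baseline == 0.0:
            self.baseline = float(cps)  # seed the baseline with the first sample
        anomalous = cps > self.multiplier * max(self.baseline, 1.0)

        if not self.diverted:
            if anomalous:
                self._hot += 1
                if self._hot >= self.trigger_seconds:
                    self.diverted = True
                    self._calm = 0
                    self.events.append(
                        f"t={second}s divert to scrubbing (cps={cps}, baseline={self.baseline:.0f})")
            else:
                self._hot = 0
                # Learn only from normal-looking traffic, so an attack cannot drag the
                # baseline upward and hide itself behind a raised threshold.
                self.baseline += self.alpha * (cps - self.baseline)
        else:
            if anomalous:
                self._calm = 0  # attack still in progress: stay on the scrubbing path
            else:
                self._calm += 1
                if self._calm >= self.cooldown_seconds:
                    self.diverted = False
                    self._hot = 0
                    self.events.append(f"t={second}s return on-premises (cps={cps})")
        return "scrubbing" if self.diverted else "on-prem"


def constructed_cps_series() -> List[int]:
    """Constructed sample: 30 s of normal traffic, a 20 s flood, then 25 s of recovery."""
    def normal(i: int) -> int:
        return 100 + (i % 5)
    return [normal(i) for i in range(30)] + [5000] * 20 + [normal(i) for i in range(25)]


def run_scenario(series: Optional[List[int]] = None) -> Tuple[List[str], List[str]]:
    """Run the controller over a CPS series; return the per-second path and the event log."""
    series = series if series is not None else constructed_cps_series()
    ctl = DiversionController()
    paths = [ctl.observe(t, cps) for t, cps in enumerate(series)]
    return paths, ctl.events


if __name__ == "__main__":
    paths, events = run_scenario()
    for line in events:
        print(line)
    print("seconds on scrubbing path:", paths.count("scrubbing"))
```

With the constructed series the flood starts at t=30 s, diversion is triggered at t=32 s after three anomalous seconds, and the return happens at t=59 s, ten calm seconds after the flood ends at t=50 s. The two thresholds are deliberately asymmetric: diverting quickly limits the window in which the on-premises link is saturated, while returning slowly avoids a premature switch-back if the attacker pauses briefly.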

Introducing F5 DDoS Hybrid Defender

F5 DDoS Hybrid Defender provides comprehensive DDoS protection in a single appliance, combining layer 3 to 7 protection with behavioural analysis to identify and mitigate attacks and machine learning to detect evasive threats and traffic anomalies. The appliance also enables on-demand cloud-based scrubbing (F5 Silverline) in a hybrid model, redirecting volumetric attack traffic seamlessly to reduce overhead and greatly improve network bandwidth usage. Infrastructure is protected by multi-layered DDoS defence across the network, session and application layers, integrated with offsite cloud scrubbing in a convenient, all-in-one form factor.

At the application level, businesses benefit from application inspection for layer 7 attacks, with in-depth application threat discovery based on data-stream logic, aggregated signals from HTTP, and the characteristics of TCP requests, transactions and overall server health. A full-proxy solution offers DDoS protection at all layers, protecting protocols (including those using SSL and TLS encryption) as well as stopping DDoS bursts, randomised HTTP floods, cache-bypass attacks and other attacks that can disrupt application behaviour.

Conclusion

DDoS attacks will continue to increase in sophistication and capacity, potentially aided by the many IoT devices coming online. A hybrid mitigation approach is needed now more than ever. The ability to amplify vastly and scale quickly makes it easy for an attack to cripple an organisation's operations, render its applications useless and gain access to critical data. That is why security solutions must be comprehensive enough to address availability as well as hybrid environments, mitigating DDoS threats even as they strike the network.

Article by F5 Networks