Massive distributed denial of service (DDoS) attacks have been grabbing headlines recently, with cyber security reporter Brian Krebbs being forced to temporarily take his site down after his service provider couldn’t handle a 620 Gbps attack, followed a few days later by a 1 Tbps attack on French hosting provider OVH.
The incidents have some worried that DDoS attacks can now scale so high that current mitigation technology renders targeted organizations defenceless.
Not so, says a Toronto security firm. In a report issued Tuesday DDoS Strike concludes CISOs worry too much about high volume network layer attacks and not enough about application layer attacks, which can take down a site with as little as 4.3 Gpbs of traffic.
“Most organizations are only part way to understanding DDoS attacks and therefore having the capacity to defend against them with full effectiveness,” the report concludes.
The report is based on an analysis of data gathered by DDoS Strike, which offers a service for testing enterprise infrastructures on their layer 3-7 denial of service mitigation techniques. DDoS Strike is a division of Security Compass, which makes application development security tools.
What the company found after looking at its data from test attacks on 21 systems of Canadian and U.S.-based customers (some companies had more than one system) was that 95 per cent of targets tested suffered service degradation close to knocking a site offline — suggesting their DDoS mitigation efforts were useless. Of attacks at the application layer 75 per cent would have been successful.
But, Sahba Kazerooni, vice-president DDoS Strike, said in an interview, network scrubbing techniques are largely effective. with service generally being denied only for a few hours until mitigation can either be tuned or turned on. More importantly, he added, is that application layer attacks are harder to defend, needing multiple tiers of defence, more expertise among IT staff trying to block them and fine controls. The result is more downtime for a successful app layer attack.
“Our customers have a skewed way of looking at DdoS as a threat,” he said, “because they were being warned by the industry to worry about major ( network) attacks “and they’re forgetting about high level attacks on the app layer.”
“We have this tendency to over-focus on technology when it comes to DDoS. We’re very quick to deploy on-site mitigation devices or to buy a scrubbing service. The piece that’s missing is to focus on the process and the training of staff to handle DDoS attacks.” Some of the customers tested brought their systems back from the brink in an average of 25 minutes, he said. (DDoS Strikes thinks that’s too long.)
But of the successful test attacks his company carried out, over 70 per cent had some kind of process or people gap that resulted in longer than necessary downtime, he said.
“A lot of companies can benefit not only from buying services and product but also training their employees,” Kazerooni concludes focusing more on their own processes with the goal of ultimately reducing downtime.”
The report concludes that
• businesses should stop thinking of DDoS attacks as crude acts of brute force, and start thinking of them as sophisticated, incisive attacks as complex as any other major hacking threat;
• DDoS mitigation is incomplete out of the box, and can only be effective with proper DDoS simulation testing at all levels;
• and DDoS mitigation should be viewed as a multifaceted strategy, involving people, process, and technology, rather than solely a technical fix.