Despite being an old threat, DDoS attacks are still an important part of a cybercriminal’s arsenal. How are these attacks evolving, and why are they still so destructive?
DDoS attacks are a very important part of attackers’ arsenals and they are evolving all the time. Some of the latest DDoS attacks are really old in essence but are being generated in new ways. The latest craze is the NTP attacks, instead of a few hacked servers sending a mass UDP flood, we have thousands of different servers sending a UDP flood using NTP as the vector. At the end of the day it’s still a UDP flood, which has been around since the 90’s. These are what we call the “Big and Dumb attacks”. It doesn’t mean they can’t be problematic, if your upstream provider lets 10Gb/Sec of UDP to flood your network. Stopping them is fairly straightforward, given that 99% of websites only require TCP ports 80/443, we leverage our upstream provider’s network to do this.
The hardest attacks to stop effectively are a combination of many different attack types, I refer to it as a “salad bowl”. You can add as many different ingredients as you like or have available. A combination of a 2Gb/Sec TCP SYN attack, sprinkled with some malformed packets and throw in a 5,000 unique IP based Slowloris (JS LOIC) type HTTP get attack and for good measure harness 2,000 zombies infected with “headless browsers”. All this happens at once on a website that has 2,000 or more legitimate users, and it can prove to be a difficult task to figure out without the proper tools and experience. Most website operators just don’t have these resources available 24/7.
What options do organizations have when it comes to protecting against DDoS attacks?
There are two basic categories of DDoS protection: hardware-based solutions and cloud-based solutions.
Hardware DDoS solutions involve a physical appliance that usually looks like a small server, and are engineered to perform a certain task under a certain set of circumstances. They are shipped to the client who then installs, monitors, and troubleshoots it themselves, or pays a fee to the provider to do so.
Cloud-based DDoS solutions use a global network of interconnected hardware and software solutions augmented by manual monitoring and mitigation by security engineers. These techniques are deployed in a layered manner that is constantly adapted as the DDoS environment evolves, creating a virtual filter for each client. Cloud-based DDoS protection is usually much less expensive in the long run, easier to deploy and manage, and doesn’t burn up network capacity in the same way hardware options do. But the biggest benefit of using a cloud DDoS protection service is that it allows organizations to focus on their core business and leaves DDoS problems to the experts that manage them.
Unless you belong to a large corporate entity, with tons of technical people, lots of money, and a very robust network infrastructure, you should go with a cloud based DDoS protection service. This can be supplied by your hosting provider or a third party service that specializes in DDoS protection services. It’s the experience part that usually is the missing component for most organizations. You can go out and spend 150K on DDoS protection hardware, but if you don’t know how to use it, it won’t do much. DDoS mitigation hardware can be very difficult to operate on sophisticated layer 7 attacks.
What is the most significant DDoS attack you’ve mitigated so far?
DOSarrest has special agreements in place with our upstream providers to filter out all traffic except TCP ports 80 and 443. We leverage our upstream providers backbone to stop 100’s of Gb/Sec. of UDP flood traffic. This allows us to concentrate our DDoS protection layers on more sophisticated attacks.
Attacks using headless browsers are very difficult to mitigate. Botnets that have this type of capability are able to setup a TCP session, process javascript, fill in forms, and pretty much do anything a human could do for the most part. With this type of attack, it’s targeted on a CPU intensive part of a website, and 25Mb/sec will kill most sites. In fact, we’ve seen as little as 2Mb/sec kill some websites.
How do you expect DDoS attacks to evolve in the near future? Will we ever be able to completely eradicate this threat?
Attacks will get more sophisticated, just as they have up to where we are today and will continue on this path. Why stop now! It’s a cat and mouse game and always has been, you just have to have solid protection in place, so you stay a step ahead of the bad guys. For most websites a cloud based solution makes the most sense.
Source: http://www.net-security.org/article.php?id=1991&p=1
http://www.net-security.org/article.php?id=1991&p=2