Today’s businesses run on the availability of their networks, applications and online services. Availability is as fundamental to business operations as electricity: when it is taken away, the impact is felt immediately.
Online sites and services disappear. Customers, partners and employees are stopped in their tracks. If the outage persists, it becomes an issue for the brand and its relationships with customers, leading not only to lost sales but to lost customers and to increased marketing costs to win them back.
The first step to protection is to understand the threat, its frequency and complexity. Without that baseline, you cannot measure or appreciate the risk DDoS attacks present to your organisation.
Our ATLAS infrastructure collects anonymous traffic data from 400 service providers globally, giving us insight into approximately 1/3 of all internet traffic. From this vantage point, we have seen the following DDoS attack activity in Australia throughout October 2017.
The increase in DDoS activity is related to the emergence of for-hire services that will launch DDoS attacks for very little money. These attack services, known as booters or stressers, make their money on volume, launching thousands of attacks from a botnet infrastructure. A botnet is a collection of remotely controlled computers and, increasingly, IoT devices; with this infrastructure a botmaster can aggregate 10,000, 50,000, sometimes hundreds of thousands of devices to launch attacks.
Key Requirements for DDoS Protection
Detection: Speed of DDoS attack detection is the first and most fundamental capability required to initiate swift mitigation. The choice of solution here matters a great deal to your risk profile. Do you go with the cloud-based approach that’s now offered by your CDN provider? Do you check the box and go with a newly added feature to your firewall? Or, do you opt for purpose-built DDoS protection?
What are the differences and why does it matter?
In the past year, we have seen these botnets become increasingly sophisticated, launching not only high-volume attacks that grab headlines, but millions of attacks targeting Layer-7 applications.
Today, DDoS attacks strike multiple targets simultaneously, from bandwidth to applications to existing infrastructure, including network firewalls, web application firewalls (WAFs) and intrusion prevention systems (IPS). And attacks are becoming increasingly multi-layered, employing a combination of attack methodologies and diversionary tactics to overwhelm defences. The ability to defend your business and maintain availability of your services is directly dependent on how fast you can respond to these multi-pronged threats.
DDoS attacks are often thought of as high-volume attacks that attempt to saturate available bandwidth. While that is certainly true, it is only a piece of the story. The reality is that millions of smaller, stealthier and more complex attacks are targeting Layer-7 applications and existing infrastructure, often simultaneously. These stealthy and multi-vector attacks are best mitigated on-premise. The cloud is only a partial solution, ideal for those large attacks. The real action in DDoS defence is on-premise.
IPS devices, firewalls and other security products are essential elements of a layered-defence strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products. IPS devices, for example, block break-in attempts that cause data theft. Meanwhile, firewalls act as policy enforcers to prevent unauthorised access to data. Both are stateful devices that track every connection they see, so a flood of bogus connections exhausts their state tables and takes them down along with the service they protect. While such security products effectively address “network integrity and confidentiality,” they fail to address a fundamental concern regarding DDoS attacks, which is “network availability.”
The limitations in firewalls and IPS devices reveal the key benefits of an Intelligent DDoS Mitigation Solution (IDMS).
Automation: Automation is the holy grail in security these days. It helps with the staffing challenges and can be critical to speed of response. The good news is that it’s possible with the right IDMS to detect attacks and initiate mitigation automatically, often before security operators are aware of the attack.
In a hybrid DDoS defence deployment, which combines an on-premise with cloud-based mitigation protection, a signal can be sent from an IDMS to activate cloud-based countermeasures instantly and automatically when attack volume reaches a specified threshold. This is especially important as attacks become not only larger in size, but also increasingly multi-layered in their methodologies.
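The detection logic described above, as an added illustration that is not Arbor's code or any product's actual algorithm: a volumetric detector that only acts after the threshold is exceeded for several consecutive seconds (with hysteresis, so traffic hovering near the threshold does not flap mitigation on and off), a separate, higher threshold that represents on-premise scrubbing capacity and triggers the cloud signal, and a per-source request-rate check for the low-bandwidth Layer-7 attacks discussed earlier. Threshold values, IP addresses and the traffic timeline are constructed for the example.

```python
"""Hybrid DDoS detection: sustained-threshold volumetric detection with
hysteresis, a cloud-signal trigger when on-premise capacity is exceeded,
and per-source Layer-7 request-rate detection.
Illustrative only: thresholds and traffic are constructed, not real telemetry."""
from dataclasses import dataclass, field


@dataclass
class Sample:
    """Per-second, per-source aggregate as an on-premise sensor might export."""
    src: str
    bytes: int           # bytes received from src during this second
    http_requests: int   # HTTP requests from src during this second


@dataclass
class HybridDetector:
    # Hypothetical thresholds chosen for the example, not vendor defaults.
    bps_threshold: float = 800e6    # total inbound bit/s treated as a volumetric flood
    cloud_signal_bps: float = 2e9   # assumed on-premise scrubbing capacity
    l7_rps_threshold: int = 200     # requests/s from one source treated as a Layer-7 attack
    sustain: int = 3                # consecutive seconds over threshold before acting
    clear_ratio: float = 0.5        # hysteresis: clear only below clear_ratio * threshold
    events: list = field(default_factory=list)
    _over: int = 0
    _volumetric: bool = False
    _cloud: bool = False
    _l7_sources: set = field(default_factory=set)

    def feed(self, second: int, samples: list) -> list:
        """Process one second of telemetry; return the events raised this second."""
        raised = []
        total_bps = 8 * sum(s.bytes for s in samples)

        # Volumetric: require `sustain` consecutive seconds over the threshold so a
        # one-second burst does not trigger mitigation; between clear_ratio*threshold
        # and threshold the state is left unchanged (hysteresis band).
        if total_bps >= self.bps_threshold:
            self._over += 1
        elif total_bps < self.bps_threshold * self.clear_ratio:
            self._over = 0
            if self._volumetric:
                self._volumetric = self._cloud = False
                raised.append((second, "clear"))
        if not self._volumetric and self._over >= self.sustain:
            self._volumetric = True
            raised.append((second, "mitigate_onprem"))
        # Hybrid defence: once the flood exceeds what on-premise gear can scrub,
        # signal the upstream cloud provider to divert and clean the traffic.
        if self._volumetric and not self._cloud and total_bps >= self.cloud_signal_bps:
            self._cloud = True
            raised.append((second, "cloud_signal"))

        # Layer-7: little bandwidth but a high request rate from a single source.
        rps = {s.src: s.http_requests for s in samples}
        for s in samples:
            if s.http_requests >= self.l7_rps_threshold and s.src not in self._l7_sources:
                self._l7_sources.add(s.src)
                raised.append((second, "l7_rate_limit", s.src))
        for src in sorted(self._l7_sources):
            if rps.get(src, 0) < self.l7_rps_threshold * self.clear_ratio:
                self._l7_sources.discard(src)
                raised.append((second, "l7_clear", src))

        self.events.extend(raised)
        return raised


def legit() -> list:
    """Three well-behaved clients, 240 Mbit/s in total (constructed)."""
    return [Sample(f"203.0.113.{i}", 10_000_000, 20) for i in range(1, 4)]


def flood(nbytes: int) -> Sample:
    """A single flood source sending nbytes in one second (constructed)."""
    return Sample("192.0.2.66", nbytes, 0)


def run_example() -> list:
    """Replay a constructed eight-second scenario and return every event raised."""
    l7 = Sample("198.51.100.7", 175_000, 350)     # few bytes, many HTTP requests
    timeline = {
        0: legit(), 1: legit(),
        2: legit() + [flood(120_000_000)],        # 1.2 Gbit/s: over threshold, not yet sustained
        3: legit() + [flood(120_000_000), l7],    # Layer-7 source appears
        4: legit() + [flood(120_000_000), l7],    # third consecutive second: on-premise mitigation
        5: legit() + [flood(300_000_000)],        # 2.64 Gbit/s: beyond on-prem capacity, cloud signal
        6: legit() + [flood(60_000_000)],         # 720 Mbit/s: inside hysteresis band, no change
        7: legit() + [flood(10_000_000)],         # 320 Mbit/s: below clear level, mitigation cleared
    }
    det = HybridDetector()
    for second in sorted(timeline):
        det.feed(second, timeline[second])
    return det.events


if __name__ == "__main__":
    for event in run_example():
        print(event)
```

The two-threshold design is the point: the lower threshold starts on-premise countermeasures early, while the cloud signal fires only when the flood would exceed local scrubbing capacity, so the operator is not paying for (or waiting on) traffic diversion for attacks the on-premise device can handle. Real deployments derive the thresholds from measured baselines rather than fixed numbers, but the sustain-then-hysteresis state machine is the same.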
Response: Successfully dealing with DDoS attacks starts with having the right technology solutions in place; however, that is not the end of the story. At some point, even with multiple aspects of DDoS defence being automated, from pre-installed countermeasures to the connection with cloud-based mitigation, humans play a key role in the response and overall defence.
Three Key Questions:
It is difficult to perform under the pressure of an attack if you aren’t prepared. Incident response practice is essential to quick and effective threat mitigation. Ignoring the critical human aspect of DDoS defence can be just as catastrophic to your business as choosing the wrong solution.
Article by Tim Murphy, Australian country manager, Arbor Networks.