Enterprise Businesses have been facing rising DDOS attacks in terms of size, complexity and frequency which calls for a multi-layered approach
Distributed denial-of-service (DDoS) attacks, is seen as a frequently used strategy by cyber criminals in disrupting Businesses. The impact of a DDoS attack can be quite disastrous for a company’s Business. It is executed through all possible devices with an IP address to send a traffic overload to a targeted network. The targeted network’s system are unable to accommodate the web traffic that is being directed to it and goes down. As one of the prominent areas of an ever evolving landscape of cyber security threats, the need for Advanced detection and mitigation solutions for DDoS is quite critical.
Mahmoud Samy, Regional Director, ME R CIS at Arbor, the security division of NETSCOUT says, “When you talk to CIOs, CTOs etc, they are unanimous that DDOS is one aspect they cannot compromise with. That is because DDOS attack affects company’s financials, reputation, credibility of service etc. While there may still be time taken to mull over other security aspects and strategies, as far as DDOS protection is concerned, you have to be ready to thwart potential DDOS attacks from day one. Hence there cannot be any compromise. It has to be top of the list priority.”
Global DDoS attack data for the first six months of 2016 shows a continuing escalation in the both the size and frequency of attacks, according to data gathered through ATLAS, a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor in order to deliver a comprehensive, aggregated view of global traffic and threats. ATLAS provides the data for the Digital Attack Map, a visualization of global attack traffic created in collaboration with Google Ideas.
In recent years, enterprise Businesses have been facing rising DDOS attacks in terms of size, complexity and frequency. With DDoS tools that are available for free downloads or purchase online, almost anyone with least technical skills can pull off an attack on a target’s web assets. However, there could in fact be a variety of reasons behind a DDoS attack and could also include diversionary tactics.
Mahmoud says, “Success could be 100% from a DDoS attack on an organization that doesn’t have the protection. Protection has to be in place before an event. Attackers can reach their objectives in no time, if there is no protection. There are also simple do it yourself DDoS attacks available on Internet which makes it is easier to launch DDoS attacks.”
He adds, “The attacks could come in different look and feel. They could be volumetric attacks, application attacks or exhausting attacks. Volumetric attack is a flood of traffic targeted to a destination whereas application attacks target a specific application to take it down. Exhausting attacks target security devices – they try and convert the devices that are meant to defend to launch attacks or be the gateway of attacks. Some attacks can be a combination of the three.”
Chris Gale, EMEA Partner Director at A10 Networks at A10 Networks opines these attacks could arise from hit and run strategies orchestrated by untrained individuals or hackers.
According to him, “Considering these attacks are typically the least organized, and pulled off by the least technical individuals, they are the easiest to prevent. Unskilled troublemakers typically will use a paid service to pull off the attacks, making it costly to sustain long-term. By optimizing your network configuration, and utilizing technology with robust load balancing capabilities, the risks posed by these attacks are greatly minimized.”
The attacks could also have origins in political protests or could be traced to even competitors looking to hurt the financials of the company. It may also be a diversionary tactic to sustain the attention of IT staff to the DDoS related mitigation while the cyber criminals execute a more serious incursion into the network.
Chris opines that the fact that a DDoS attack is being used as a smokescreen for a larger security incident is not realized until it’s too late. The best defense therefore is to ensure that all normal cybersecurity processes are continued in the wake of an attack and never assuming the worst is over. Finally, the origin of the attack may also lie in an effort at extracting ransom from Businesses that can’t afford downtime on their systems for protracted periods.
In the era of IoT devices, the threat factor is manifold. The most recent instance is the DDoS attack last month against Dyn, a New Hampshire-based company that hosts DNS zones for many companies. The DDoS attack used the Mirai botnet, which consists of thousands of compromised “Internet of Things” devices, including IP cameras and digital video recorders. The DDoS attack sent enormous volumes of traffic-most of it not DNS-to Dyn’s name servers, overwhelming them and rendering them unable to respond to legitimate queries. The result was that many of Dyn’s customers were unreachable from the Internet, including high-profile companies such as Twitter, Amazon, Netflix and Reddit.
Providing an insight into what enterprises in the Middle East can do to withstand such an attack, Cherif Sleiman, Managing Director, Middle East and Africa at Infoblox says, “Infoblox’s best practices recommend using a combination of on-premises appliances and a DNS hosting provider to support external authoritative name service. A customer following this recommendation would have withstood the attack against Dyn, as their on-premises authoritative name servers would have been accessible throughout the attack. ”
Cherif adds, “Infoblox provides the instrumentation and capabilities underneath the network intelligence where we can uncover insights across your network, security, datacenter layers and the cloud. We are trying to reduce the latency between the time it takes to discover something is amiss and the action that solves the issue.”
In the region, Telecom providers are also playing a significant role in ensuring DDoS protection and driving awareness in their role as MSSPs.
“Service providers are also helping promote the role of DDOS security and they are selling it as a managed service. They have to ensure that their major customers are protected; otherwise the problems could multiply. We have partnered with service providers including Etisalat, STC and du who use our solutions and they are in turn providing DDOS solutions as managed services to the enterprise market, including key verticals such as Financial sector, oil & gas, government sector etc, “says Arbor’s Mahmoud.
Research Team (ASERT) and reportedly, LizardStresser, an IoT botnet was used to launch attacks as large as 400Gbps targeting gaming sites worldwide, Brazilian financial institutions, ISPs and government institutions. In this case, according to ASERT, the attack packets do not appear to be from spoofed source addresses – and no UDP (User Datagram Protocol) based amplification protocols such as NTP (Network Time Protocol) or SNMP were used.
The ASERT report documented that a majority of recent large attacks leverage the Reflection amplification technique using DNS servers, NTP, Chargen and Simple Service Discovery Protocol (SSDP). DNS is currently seen as the most prevalent protocol used in 2016 and adding more cause for concern, the average size of DNS reflection amplification attacks has been growing. Further, while even a 1 Gbps DDoS attack is arguably enough to take most organizations completely off line, the average attack size in 1H 2016 had reached 986Mbps, showing a 30% increase over 2015 and is projected to be 1.15Gbps by end of 2016.
Since the range of attacks is quite varied, from high bandwidth to as low as 1 Gbps, the need is for a hybrid, or multi-layer DDoS defense. According to Darren Anstee, Arbor Networks Chief Security Technologist, high bandwidth attacks are best mitigated in the cloud, away from the intended target. However, 80% of all attacks are still less than 1Gbps and 90% last less than one hour and therefore on-premise protection provides the rapid reaction needed and is key against “low and slow” application-layer attacks, as well as state exhaustion attacks targeting infrastructure such as firewalls and IPS.
Offering protection against volumetric flood of data, a key identifier of a DDoS attack, A10 Networks offers Threat Protect System (TPS) appliances and has recently unveiled the latest edition products.
According to Adil Baghir, Sr. Systems Engineer at A10 Networks, many of the available solutions are arguably limited in terms of DDoS mitigation performance and A10 Networks is seeking to address these shortcomings with its latest TPS. The manufacturer’s new group of TPS appliances unveiled in October, provides up to 300 Gbps of DDoS protection in a single box. The top-end device is the new Thunder 14045, which is a 3 RU (rack unit) appliance powered by four 18-core Intel Xeon processors.
Adil adds, “Many existing solutions introduce high latency into the networks and also offer very limited deployment options. We are addressing these issues with our latest launch October of the new TPS appliances which offer the fastest DDoS mitigation solution offering from 1 Gbps to 300 Gbps throughput DDoS mitigation.”
While more awareness is building up in the market about the evolving nature of DDoS threats, more companies in the region could look into having the right solutions in place. The role of the channel in driving awareness goes hand in hand with vendors who have been at the forefront of DDoS technologies.
Mahmoud adds, “The awareness in the market about DDoS is getting better compared to 4-5 years. Arbor has been educating the market regarding DDoS threats for nearly 15 years now. In the early years, no one else was talking of DDoS but that has changed in the past few years. Almost every CIO is talking about it which goes to prove that the awareness is now a lot better.”
Finally, a multi-layered approach is key to having the best chance against staving off such attacks. A no-compromise approach should be the mantra towards securing effectively against DDoS attacks.