Q&A: Examining the new breed of DDoS attacks

Distributed Denial of Service (DDoS) attacks have long been a threat to businesses of all shapes and sizes and, like every other type of cyber attack, they are evolving fast.

To delve a bit deeper into the new breed of DDoS attacks doing the rounds, we spoke to Dave Larson, COO at Corero Network Security.

1. How has the threat landscape developed in recent months, particularly in relation to DDoS attacks?

Today, DDoS attack techniques are intended to do a lot more than deny service. These attack strategies now include short bursts of sub-saturating DDoS attack activity, rather than the massive link-saturating attacks that define the concept of “Denial of Service”. These short-duration, smaller attacks do not necessarily pose a threat to service availability, but rather a threat to your existing security tier.

For organisations that don’t take advantage of in-line DDoS protection positioned at the network edge, these partial link-saturation attacks, which occur in short bursts, enter the network unimpeded and begin overwhelming traditional security infrastructure. In turn, this activity stimulates unnecessary logging of DDoS event data, which may prevent the logging of more important security events and may even cause the layers of the security infrastructure to reboot or enter a fall-back mode where they essentially pass all traffic.

These attacks are sophisticated enough to leave just enough bandwidth available for other multi-vector attacks to make their way into the network and past weakened network security layers undetected. There would be little to no trace of these additional attack vectors infiltrating the compromised network, as the initial DDoS had done its job: to distract all security resources – both human and machine - from performing their intended functions.

2. What new challenges are businesses facing when trying to defend against the new breed of DDoS attacks?

These kinds of threats are only going to increase as DDoS attacks become more sophisticated and automated, allowing cyber criminals to enact hybrid, multi-vector attacks and expand their reach on an industrial scale. In these situations, attackers leverage one attack technique, such as a DNS flood, and if unsuccessful, automatically enact a second technique, such as a UDP flood, and keep leveraging different attack vectors automatically until their target’s Internet service is successfully denied or their security tier is sufficiently degraded. This level of automation works considerably faster than humans and requires in-line visibility coupled with a high-performance mitigation solution to respond effectively.

The weaknesses of out-of-band defence tools (slow to react, expensive to maintain and unable to keep up with shifting and progressive threats) tell us that solutions appropriate for today need to be always-on and instantly reactive. It’s clear they also need to be adaptable and scalable so that defences can be quickly and affordably updated to respond to the future DDoS threat landscape, however it may evolve.

3. Are there any trends you're seeing across different industries?

There is one industry where we see DDoS attacks (more often than not) as having a major impact on their business, and bottom line. Hosting providers are victims of damaging DDoS attacks because the number of customers they service and the aggregate Internet peering bandwidth they utilise greatly increases their attack surface. An attack on a single client of the provider - such as a high-traffic gaming service - can create major collateral damage to other hosted customers.

These innocent bystanders are placed in the unfortunate situation of suffering from second-hand DDoS damage because they are hosted on the same shared facilities as the intended victim, and the results can be devastating for both the provider and their customers. For over a decade, the traditional approach to DDoS mitigation in a hosting environment has been a combination of null-routing, human intervention and data analysis to try to stop DDoS from interrupting availability.

Unfortunately, this approach is slow to respond to events and creates unhappy customers on a regular basis. Today, hosting providers are very well positioned to take advantage of a new approach to DDoS protection, by way of in-line and real-time mitigation. With this methodology, the DDoS threat is eliminated from their network, and their hosted customers are not impacted either directly or indirectly.

4. What does the future of DDoS attacks look like?

Industry research, as well as our own detection technology, shows that cyber criminals are increasingly launching low-level, small DDoS attacks. The problem with such attacks is two-fold: small, short-duration DDoS attacks still negatively impact network performance while evading legacy detection thresholds and, more importantly, such attacks often act as a smokescreen for more malicious attacks.

While the network security defences are degraded, logging tools are overwhelmed and IT teams are distracted, the hackers may be exploiting other vulnerabilities and infecting the environment with various forms of malware. We foresee this form of “Dark DDoS” being more of the norm in the months and years to come.
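The point made in the first and fourth answers above, that short sub-saturating bursts sit below a legacy capacity threshold while a short-window detector sees them, can be shown with a small simulation. The script below is an added illustration, not part of the interview and not Corero's detection logic; the traffic sample is constructed, and the link capacity (1 Gbit/s), the 90% / 60 s legacy threshold and the 5 s / 2.5x burst rule are assumptions chosen for the demonstration.

```python
"""Sub-saturating burst detection, as an added example.

The traffic sample below is constructed: 120 seconds of inbound rate in
Mbit/s on a hypothetical 1 Gbit/s link, with a 200 Mbit/s baseline and
three 10-second bursts at 700 Mbit/s. None of the bursts saturates the link.
"""
from statistics import mean, median

LINK_MBPS = 1000.0  # assumed link capacity, Mbit/s


def constructed_traffic():
    """Constructed per-second samples (not measured data)."""
    samples = [200.0] * 120
    for start in (20, 55, 90):
        for sec in range(start, start + 10):
            samples[sec] = 700.0
    return samples


def peak_utilisation(samples):
    """Highest single-second utilisation as a fraction of link capacity."""
    return max(samples) / LINK_MBPS


def window_averages(samples, window=60):
    """Average rate over consecutive non-overlapping windows (the legacy view)."""
    return [mean(samples[i:i + window])
            for i in range(0, len(samples) - window + 1, window)]


def legacy_detector(samples, window=60, threshold_fraction=0.9):
    """Legacy-style alert: a 60 s average above 90% of link capacity.

    Returns (window_start_second, average_mbps) for each window that trips.
    Short bursts are averaged away, so this never fires on the sample.
    """
    threshold = threshold_fraction * LINK_MBPS
    return [(i * window, avg)
            for i, avg in enumerate(window_averages(samples, window))
            if avg >= threshold]


def burst_detector(samples, window=5, baseline_window=60, multiplier=2.5):
    """Short-window alert: the last 5 s average is >= 2.5x the trailing baseline.

    The baseline is the median of the 60 s preceding the current window; the
    median is used so that earlier bursts do not drag the baseline upward.
    Returns (second, average_mbps) for every second on which the alert holds.
    """
    alerts = []
    for end in range(window, len(samples) + 1):
        current = mean(samples[end - window:end])
        history = samples[max(0, end - window - baseline_window):end - window]
        if not history:
            continue  # no baseline yet
        if current >= multiplier * median(history):
            alerts.append((end - 1, current))
    return alerts


def episodes(seconds):
    """Collapse sorted alert seconds into contiguous (first, last) ranges."""
    ranges = []
    for sec in seconds:
        if ranges and sec == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], sec)
        else:
            ranges.append((sec, sec))
    return ranges


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("peak utilisation:", peak_utilisation(traffic))
    print("60 s averages:", window_averages(traffic))
    print("legacy alerts:", legacy_detector(traffic))
    print("burst episodes:", episodes([s for s, _ in burst_detector(traffic)]))
```

On the constructed sample the link never goes above 70% utilisation and both 60 s averages come out at 325 Mbit/s, so the capacity-based rule stays silent; the short-window rule reports three episodes, each starting about two seconds into its burst. The median baseline matters: with a mean baseline the first burst would raise the threshold for the later ones.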

5. How can the industry ensure it keeps up with the continued industrialisation of cyber criminals?

In order to keep up with the shifting and progressive range of threats, solutions appropriate for today need to be always-on and instantly reactive. It’s clear they also need to be adaptable and scalable so that defences can be quickly and affordably updated to respond to the future evolution of DDoS threats.

The most effective method to bridge this gap is to utilise in-line DDoS mitigation that is economically scalable to meet the needs of the business. With this technique, an in-line DDoS mitigation solution delivers full edge protection for locations in the network that are most affected by DDoS, at a fraction of the cost of traditional scrubbing centre solutions. The clear differentiator of these tools is that they can be constantly on, with no need for human intervention, and they provide instantaneous, non-stop threat visibility, attack mitigation and DDoS forensics.

6. Are there any big myths floating around the industry at the moment that need to be quashed?

The big myth, or perhaps it is a mind-set more than anything, is that utilising scrubbing centre solutions - either cloud based or on premises - is the most effective way to eliminate DDoS from a network environment. The industry has been trained for over a decade now to identify DDoS with various visibility tools, manually re-route traffic to a scrubbing centre solution, and wait for the clean traffic to return. This approach has produced a best-effort result, at a significant cost, and requires significant human capital. As the DDoS threat landscape has evolved over the years, so has the technology to defeat the threat.

Automatic detection and mitigation solutions are available today - deployed at your network edge, or procured as a service from your Internet Service Provider - to create a barrier of defence against this growing threat. With this modern approach to DDoS protection, the attack is cleanly eliminated in an automatic fashion while allowing all your good user traffic to flow as intended.

For the first time, there is a real-time, economically viable approach to defeating DDoS before it can impact your network operations and security tier.
