
Interview: Arbor Networks gives us the lowdown on DDoS attacks

As the number of DDoS attacks continues to rise, companies of all shapes and sizes face the difficult challenge of protecting themselves in a threat-filled world and not becoming just another company to fall foul of hackers.

Arbor Networks has just released its latest ATLAS report, covering Q2 of 2015. We spoke to Darren Anstee, Chief Security Technologist at Arbor Networks, about the current trends in DDoS attacks and the importance of threat intelligence.

What were the key findings from your recent ATLAS DDoS attack study?

The main takeaway from the ATLAS Q2 statistics is that the proportion of DDoS attacks over 1Gbps is increasing, up to 21 per cent in Q2 compared to 16 per cent in 2014. This increase is important as many organisations have Internet connectivity at or below the 1Gbps level, so there are now many more attacks out there that are capable of saturating this connectivity.

Just in the past few weeks we have seen major disruption to RBS and Natwest customers and Valve's $18m Dota 2 International e-Sports tournament as a result of DDoS attacks – and this really illustrates the kind of impact these attacks can have on organisations that are reliant on the Internet to provide key customer services.

What changes have you seen compared to previous studies and what is causing these changes?

The most prominent trend is that the proportion of attacks over 1Gbps is growing – in 2014 they accounted for around 16 per cent of attacks and in Q2 ’15 they accounted for 21 per cent. This increase is due to the average size of attacks shifting up sharply to 1.04Gbps – the first time the average attack size has been over the 1Gbps threshold since the huge storm of attacks seen in early 2014.

This increase in average attack size is especially obvious in reflection amplification attacks. Average reflection amplification attack sizes – a technique used to magnify the amount of internet traffic generated – were up pretty much across the board in Q2, and reflection amplification represents one of the key ways in which attackers are launching attacks today.

We also started to see the number of Simple Service Discovery Protocol (SSDP) attacks reducing for the first time since their incredible growth in the latter half of 2014. In Q2 ’14 ATLAS tracked 3 SSDP reflection amplification attacks globally, in Q1 ’15 this jumped to 126,000 attacks, but in Q2 we are back down to 84,000 – so this attack vector may be starting to wane in popularity.

Based on the new findings, what security advice would you offer to businesses?

Quite simply, layered DDoS defence is key. The increasing size and frequency of volumetric attacks that can saturate Internet connectivity clearly shows the need for cloud and ISP-based DDoS protection services that can deal with these higher magnitude attacks. However, the stealthier, sophisticated application layer attacks haven’t gone away.

In this year's World-Wide Infrastructure Security Report (WISR), Arbor found 90 per cent of respondents were seeing application layer attacks, with enterprise organisations estimating that 29 per cent of the attacks targeting them were aimed at the application layer. These attacks can lead to longer recovery times than volumetric attacks and can be harder to detect from the cloud and ISP perspective, which is why ‘always-on’ network perimeter DDoS protection is so important.

These two layers of protection – cloud and ISP, plus network perimeter – work together to protect the availability of key services from the DDoS threat, reducing the risk of costly business interruption.

Extortion, one of the oldest DDoS motivations, has seen growth in the past year, some of it well publicised given the DD4BC activity. This started back in July ’14 and is continuing, with extortion attempts targeting organisations mainly in the finance sector.

The other trend to be aware of is the increasing use of DDoS as a part of broader attack campaigns, usually to distract security teams from either malware infiltration or data exfiltration. If an organisation is targeted with a DDoS attack they must be careful not to lose focus on the monitoring of their internal networks, as the DDoS attack may simply be a smoke screen for something potentially far more damaging.

Threat intelligence could play a key role in reducing the risk of a cyber attack. How important is it for companies to share this type of information?

Sharing threat intelligence really helps, as information from other organisations in the same vertical or geography can be very pertinent to the same risks. One key thing to remember is that attackers often share capabilities between each other, so they are making use of their collective capability – we need to do the same.

Recent research from the Ponemon Institute, looking into how retail and financial organisations dealt with advanced threats, showed that the average dwell time – the time a threat remains undetected within a network – for the finance vertical was roughly half that of retail. One of the key differences between the verticals in the steps taken to deal with threats – a 26 per cent difference in adoption – was in the sharing of threat intelligence information with others in the same vertical or with government agencies.

Organisations need to look at the benefits that can come from sharing threat intelligence; sometimes organisations are too concerned about ‘helping the competition’ – but the key thing to remember is that sharing intelligence is usually a reciprocal arrangement, and the right information could prevent a hugely embarrassing and costly breach for all parties. Government initiatives such as CiSP, which is part of CERT-UK, help facilitate sharing by providing a safe and secure environment between organisations.

There is no doubt that BYOD and IoT add additional risks alongside their business benefits. Historically organisations have been used to a significant level of control over the devices and software on their networks – BYOD and IoT have completely changed how organisations need to think about this. Every new device on the network is a potential point of compromise and understanding what is connected, who is using it and what is being accessed are all important.

Organisations can put access control and identity management solutions in place to identify employee-owned devices, and who is using them, so the correct access levels can be placed on these devices. But in reality less than half of organisations have any way of identifying employee-owned devices on their networks, which is a concern.

In the case of both IoT and BYOD visibility is key. We need to ‘know’ what these devices are doing and who is using them when they are connected to company networks. Ideally, security teams need to establish patterns of normal operation, allowing us to identify anything unusual as soon as it occurs. Most exploits or insider misuse and abuse can be identified based on network activity – organisations just need visibility of what is going on, and that means broad visibility across our networks.

This can seem daunting, and potentially very expensive, but technologies like Netflow are built into many enterprise switches and routers. These technologies provide a very cost-effective way of collecting telemetry from right across our infrastructure, and this can be used to build up a picture of exactly what is going on.
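The two ideas above – building a baseline of normal operation from flow telemetry and flagging deviations as soon as they occur – and the SSDP reflection amplification trend mentioned earlier can be illustrated with a small detector. The following is an added example, not Arbor's code or anything from the interview: it works over constructed NetFlow-style records (the field layout, IP addresses, port list, byte counts and the 3-sigma threshold are all assumptions for illustration), learns a per-minute byte baseline for one destination from a quiet training window, and labels any excess as likely reflection traffic when it is dominated by inbound UDP from well-known reflector source ports such as 1900 (SSDP).

```python
"""Baseline-and-deviation detection over NetFlow-style records.

Added illustration only (not Arbor Networks code): every record, address,
port mapping and threshold below is constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# UDP services commonly abused as reflectors; on an inbound flow towards the
# victim these appear as the *source* port. SSDP is UDP/1900. (Assumed list.)
REFLECTOR_PORTS = {1900: "SSDP", 53: "DNS", 123: "NTP", 19: "chargen"}

# Constructed flow records: (minute, src_ip, src_port, dst_ip, proto, bytes).
# Minutes 0-9 are ordinary web and DNS traffic; minutes 10-11 add a burst of
# UDP/1900 from 40 different sources into one host, the SSDP reflection shape.
FLOWS = []
for minute in range(10):
    FLOWS.append((minute, "203.0.113.5", 443, "192.0.2.10", "tcp",
                  120_000 + 5_000 * (minute % 3)))
    FLOWS.append((minute, "198.51.100.7", 53, "192.0.2.10", "udp", 4_000))
for minute in (10, 11):
    for i in range(40):
        FLOWS.append((minute, f"198.51.100.{100 + i}", 1900, "192.0.2.10",
                      "udp", 900_000))
    FLOWS.append((minute, "203.0.113.5", 443, "192.0.2.10", "tcp", 120_000))


def bytes_per_minute(flows, dst_ip):
    """Total inbound bytes towards dst_ip, keyed by minute."""
    totals = defaultdict(int)
    for minute, _src, _sport, dst, _proto, nbytes in flows:
        if dst == dst_ip:
            totals[minute] += nbytes
    return dict(totals)


def build_baseline(per_minute, training_minutes):
    """Mean and population std-dev of bytes/minute over the training window."""
    samples = [per_minute.get(m, 0) for m in training_minutes]
    return mean(samples), pstdev(samples)


def reflection_profile(flows, dst_ip, minute):
    """Share of inbound UDP bytes from reflector ports, the dominant service
    name and the number of distinct reflector sources in that minute."""
    by_port, sources, total = defaultdict(int), set(), 0
    for m, src, sport, dst, proto, nbytes in flows:
        if m == minute and dst == dst_ip and proto == "udp":
            total += nbytes
            if sport in REFLECTOR_PORTS:
                by_port[sport] += nbytes
                sources.add(src)
    if total == 0 or not by_port:
        return 0.0, None, 0
    top = max(by_port, key=by_port.get)
    return sum(by_port.values()) / total, REFLECTOR_PORTS[top], len(sources)


def detect_anomalies(flows, dst_ip, training_minutes, k=3.0, min_share=0.8):
    """Flag minutes whose volume exceeds baseline mean + k*sigma and annotate
    whether the excess looks like reflection amplification."""
    training = set(training_minutes)
    per_minute = bytes_per_minute(flows, dst_ip)
    mu, sigma = build_baseline(per_minute, training)
    threshold = mu + k * sigma
    alerts = []
    for minute in sorted(per_minute):
        if minute in training or per_minute[minute] <= threshold:
            continue
        share, service, n_sources = reflection_profile(flows, dst_ip, minute)
        likely = share >= min_share
        alerts.append({
            "minute": minute,
            "bytes": per_minute[minute],
            "threshold": int(threshold),
            "likely_reflection": likely,
            "service": service if likely else None,
            "reflector_sources": n_sources if likely else 0,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(FLOWS, "192.0.2.10", range(10)):
        print(alert)
```

In practice the training window would be a rolling history rather than a fixed ten minutes, and the byte threshold would be set against the capacity of the Internet link, since the interview's point is that attacks capable of saturating a 1Gbps connection are now common; the structure of the check, a learned baseline plus a per-minute comparison with a reflection-port breakdown, stays the same.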

There is no doubt that we will continue to see a lot of reflection amplification DDoS attack activity. The latent capability within the Internet, which attackers are more than willing to exploit, still exists so it wouldn’t be surprising to see an attack up at around 500Gbps – higher than any other recorded attack – in the not too distant future.

From an enterprise security perspective, I think we will continue to see more of the high-profile breaches we’ve seen over the last year. It is also likely that we’ll become aware of many smaller organisations falling victim to data theft. Many organisations have data that is either directly or indirectly valuable to attackers, and at the moment the value of that data is significantly higher than the cost to the attacker of extracting it.

We need to shift our approach, leverage the data we have more effectively, share intelligence more quickly and usefully and fundamentally make better use of our security resources.
