In the 13th Annual Worldwide Infrastructure Security Report (WISR) from NETSCOUT Arbor (PDF is available in the directory), survey respondents were asked to identify the security measures they had in place against distributed denial of service (DDoS) attacks.
Among enterprise respondents, firewalls, IPS, WAF and access control lists (ACLS) remained the most common DDoS mitigation mechanisms for more than half of the respondents. Unfortunately, some of the most popular DDoS mitigation tools (firewalls, IPS and load-balancers) are also the least effective.
In this article, I’ll seek to explain those risks and suggest defenses.
Most cybersecurity practitioners know about the security triad of Confidentiality, Integrity and Availability. They also know that securing an organization from cyber threats requires all sides of the triad to be in place. Without the full triad in place, it’s sort of like having one leg missing on a three-legged stool – in other words, the entire stool falls down. With all the hype and media attention focused on things like authentication, ransomware and other data breaches, it’s no surprise that Availability protection commonly seems to get neglected.
What most organizations fail to recognize is that, just as with other forms of malware, DDoS attack methods and techniques are constantly changing. Gone are the days of DDoS attacks being simple UDP floods designed to saturate 1Gbps Internet connections. Those were easy to identify and stop by using cloud-based mitigation such as from your ISP.
The modern-day DDoS attack is a dynamic combination of multiple attack vectors:
Volumetric: Large bandwidth-consuming attacks (e.g. as large at 1.7Tbps!) designed to saturate network pipes and Internet-facing router interfaces.
TCP State-Exhaustion: Attacks (e.g. TCP-SYN) designed to fill TCP State tables in devices such as firewalls, IDS/IPS and load balancers.
Application-Layer: Low and slow application layer attacks (e.g. HTTP PUTS/ GETS, SlowLoris) designed to slowly exhaust resources in application servers.
In fact, 59 percent of NETSCOUT Arbor survey respondents have experienced a multi-vector DDoS attack. The report also showed a 21 percent YoY increase in the percentage of application layer attacks. This is concerning because cloud-only attack mitigation services (e.g. from an ISP) will struggle to detect and stop these attacks in a timely fashion.
Firewalls and IDS/IPS certainly have their place in the security arsenal, serving to protect data confidentiality and integrity. They are the first line of defense against attacks whose purpose is, for example, to identity theft or industrial espionage. But on their own, they are inadequate against attacks intended to deny availability. In fact, they are often the first targets of DDoS attacks seeking to compromise network infrastructure – 52 percent of organizations surveyed by NETSCOUT Arbor had firewall or IPS devices experience a failure or contribute to an outage during a DDoS attack.
The increased use of compromised IoT devices is contributing to the increase in size, frequency and complexity of DDoS attacks. Mirai, one of the most well-known IoT based botnets, caused significant outages to many online services in late 2016. Since the original Mirai malware source was released to the wild, there have been numerous variants such as OMG, JENX, Satori, and IoTrojan which have been used to launch multi-vector DDoS attacks around the world.
And DDoS attacks aren’t only used by hactivists. Crimeware organizations and even Nation States now commonly use DDoS attacks as one of their Tactics, Techniques and Procedures (TTPs). Increasingly, we see evidence of DDoS attacks throughout the advanced threat kill chain. DDoS attacks target the availability of information and attackers use it as a tool for both reconnaissance and obfuscation during malicious advanced threat attacks, making protection against DDoS attacks a necessary component of any effective security posture.
What’s more, sophisticated attackers are turning the tables on defenders and planting malware in enterprise networks that can be used to launch attacks on both internal and external targets – the outbound attack from within. Bad actors especially favor Internet of Things (IoT) devices as a way to worm their way into enterprise networks. IoT botnets have figured prominently in recent large attacks.
Security decisions often reflect a “check-the-box” approach: what tools do we need to have? And perimeter defenses like firewalls usually rank high on the must-have checklist. Often this approach is driven by compliance concerns: what do the regulators say we must have?
Instead of checking off a list of solutions, enterprises need to assess where they stand on the continuum of risk posed by DDoS threats to Availability. In other words, “What are the DDoS risks we face, and are we prepared to meet them?”
A strong defense posture calls for protection against all these types of threats. Ignoring any one of them leaves you exposed at some point along the risk continuum. A hybrid or layered defense combining cloud-based and on-premise detection and mitigation, informed by global threat intelligence alerts and powered by automation, is widely considered best practice.
Increasingly, enterprise organizations outsource to a provider that has already made the investment in technology and professional expertise to mitigate any type of attack. For organizations facing budget and resource constraints, managed DDoS service options provide them with a means to save money, amplify in-house resources and reduce risk.
Outsourced or in-house, a hybrid DDoS defense ensures detection and mitigation across the full spectrum of DDoS risks while protecting Availability.
About Tom Bienkowski
Tom Bienkowski has worked in the network and security industries for more than 20 years. During this time, he has served as a Network Engineer for large enterprises and has had roles in Sales Engineering/Management, Technical Field Marketing and Product Management at multiple network management and security vendors. Currently, as Director of DDoS Product Marketing at NETSCOUT Arbor, he focuses on Arbor’s industry leading DDoS Protection Solutions.