DDoS Protection in the Wild Wild West
Distributed denial-of-service (DDoS) attacks are the Achilles' heel of Internet-centric enterprise IT. Businesses that run websites, host applications in the cloud or rely on cloud-based services are not only exposed to direct attacks on their critical infrastructure, but can also take collateral damage from attacks on other targets that share the same networks or platforms. Worse, the frequency, intensity, scale and diversity of DDoS attacks are all increasing. Sophisticated attackers also use DDoS as a smokescreen to keep defenders busy while they breach perimeter security, exfiltrate data and deliver malware.
The Internet is the wild wild west, except the bad guys aren’t gunslingers in black hats strutting into town in broad daylight, but hackers in hoodies lurking in the shadows of the Dark Web.
One of the first large-scale DDoS attacks occurred nearly 20 years ago, in 1999. Since then, network engineers and equipment vendors have developed solutions that detect attacks as they occur and rapidly take action to mitigate their effects. While these solutions were reasonably effective at the time, recent technology trends have created conditions that favor attackers and are exacerbating the problem.
DDoS attackers are taking advantage of the global reach of the Internet, the explosion in the number of applications and services in the cloud, and the proliferation of millions of poorly secured IoT devices that are easily compromised. Attackers harness vast IoT botnets to launch massive volumetric attacks from hundreds of thousands of endpoints. Attacks aimed at web servers or application servers can also knock out the stateful perimeter appliances in front of them, such as firewalls and intrusion prevention systems, whose connection tables fill up long before the servers behind them are saturated. On top of this, the ever-increasing speed of Internet backbone and access connections means that the rate at which traffic hits networks and systems under attack is increasing as well.
Hybrid multi-cloud enterprise IT presents attackers with a target-rich environment, and DDoS protection there involves several layers that work in concert to detect and mitigate attacks. There are cloud-based DDoS protection services for websites and Internet-facing applications. The leading cloud service providers offer some form of DDoS protection for the workloads they host. Internet service providers (ISPs) deploy DDoS detection and mitigation systems in their own networks. Enterprises can install an on-premises DDoS protection appliance or rely on a DDoS protection service from their ISP.
There is no silver bullet and different solutions are required in each domain: enterprise networks, ISP networks, and in the cloud.
Detecting a DDoS attack is hard when the attack traffic looks legitimate. If websites or applications become slow or unreachable, how does an enterprise IT manager tell a sudden surge in real demand from an attack? Attacks should be mitigated immediately, but false positives are always a concern: the last thing anyone wants to do is block legitimate customers at the moment they are most interested.
What if the enterprise itself isn't under attack, but its users are feeling the collateral damage of an attack on a target that shares the same networks or cloud infrastructure? The effects of a DDoS attack can spread well beyond the intended victim.
DDoS protection is complex, and IT managers would be wise to seek solutions from vendors and service providers with proven expertise relevant to the particular needs of their enterprise. One approach is to outsource DDoS protection to a managed security service provider. Large enterprises are often inclined to manage their own deployments, which may combine on-premises and cloud-based detection and mitigation.
Because of the vast scale of the Internet, effective DDoS protection relies on tools that constantly ingest network telemetry (flow records, interface counters and streaming telemetry) and provide real-time visibility into Internet traffic flows, end-to-end network paths and the endpoints generating malicious traffic. Retaining historical data is extremely valuable for characterizing an attack as it occurs, since a spike only means something relative to a baseline, and for post-mortem analysis, so IT managers should closely evaluate DDoS protection solutions that apply Big Data analytics to network telemetry for rapid, multi-dimensional analysis.
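As an added illustration of the two points above (telling a demand surge from an attack, and keeping recent history as the baseline to compare against), here is a small Python detector over flow-record telemetry. It is example code written for this page, not a product's or vendor's algorithm; the addresses, thresholds and flow records are all constructed for the demonstration, and the heuristics (half-open SYNs, tiny packets) only cover the classic SYN-flood and packet-flood shapes.

```python
"""Added example (not from the original article): a toy flow-telemetry
detector that separates a legitimate demand surge from a likely DDoS.

Assumptions (illustrative, not any vendor's algorithm):
  * input is NetFlow/IPFIX-style per-flow records summarised into fixed
    time windows;
  * a "surge" is a large rise in volume that still looks like real clients
    (handshakes complete, normal packet sizes);
  * an "attack" is a large rise in volume dominated by half-open SYNs or
    tiny packets, the usual shape of SYN floods and UDP packet floods.
All thresholds and addresses below are made up for the demonstration.
"""
from collections import Counter, deque
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int
    byte_count: int
    tcp_flags: str  # "S" = SYN only (half-open), "PA" = data on an established session


def source_entropy(flows):
    """Shannon entropy (bits) of the source-address distribution.
    Spoofed or botnet floods spread over many sources score high."""
    counts = Counter(f.src for f in flows)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def window_stats(flows):
    """Summarise one time window of flow records into the features we key on."""
    packets = sum(f.packets for f in flows)
    byte_count = sum(f.byte_count for f in flows)
    syn_only = sum(1 for f in flows if f.tcp_flags == "S")
    return {
        "packets": packets,
        "avg_pkt_bytes": byte_count / packets if packets else 0.0,
        "syn_only_ratio": syn_only / len(flows) if flows else 0.0,
        "unique_srcs": len({f.src for f in flows}),
        "src_entropy": source_entropy(flows) if flows else 0.0,
    }


class SurgeOrAttackDetector:
    """Keeps a short history of windows as the baseline (the 'retain historical
    data' point) and classifies each new window against it."""

    def __init__(self, history_len=5, spike_factor=5.0,
                 syn_threshold=0.6, tiny_packet_bytes=100):
        self.history = deque(maxlen=history_len)
        self.spike_factor = spike_factor          # assumed: 5x baseline = a spike
        self.syn_threshold = syn_threshold        # assumed: >=60% half-open = flood
        self.tiny_packet_bytes = tiny_packet_bytes

    def observe(self, flows):
        stats = window_stats(flows)
        verdict = self._classify(stats)
        # Do not let attack traffic poison the baseline we compare against.
        if verdict != "attack":
            self.history.append(stats)
        return verdict, stats

    def _classify(self, stats):
        if not self.history:
            return "learning"
        baseline = sum(h["packets"] for h in self.history) / len(self.history)
        if stats["packets"] < self.spike_factor * baseline:
            return "normal"
        # Volume spiked: decide whether the extra traffic looks like real clients.
        if stats["syn_only_ratio"] >= self.syn_threshold:
            return "attack"   # handshakes never complete: SYN-flood shape
        if stats["avg_pkt_bytes"] < self.tiny_packet_bytes:
            return "attack"   # tiny packets at high rate: packet-flood shape
        return "surge"        # high volume but sessions are real: scale up, do not block


def make_flows(n, flags, pkt_bytes, packets_per_flow, prefix="203.0.113."):
    """Constructed sample flows (TEST-NET addresses, not real traffic)."""
    return [Flow(src=f"{prefix}{i % 254 + 1}", dst="198.51.100.10", dport=443,
                 packets=packets_per_flow, byte_count=pkt_bytes * packets_per_flow,
                 tcp_flags=flags) for i in range(n)]


BASELINE_WINDOW = make_flows(20, "PA", 900, 10)    # 200 pkts from 20 real clients
SURGE_WINDOW = make_flows(120, "PA", 900, 10)      # 1200 pkts, still real sessions
SYN_FLOOD_WINDOW = make_flows(3000, "S", 60, 1)    # 3000 half-open SYNs, 254 sources


def run_demo():
    """Feed five quiet windows, then a surge, a SYN flood and a quiet window."""
    det = SurgeOrAttackDetector()
    verdicts = []
    for window in [BASELINE_WINDOW] * 5 + [SURGE_WINDOW, SYN_FLOOD_WINDOW, BASELINE_WINDOW]:
        verdict, _ = det.observe(window)
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

The point of the history deque is the one the paragraph makes about retained data: the same 1200-packet window is "normal" against one baseline and a "surge" against another, so the verdict is only as good as the history behind it. Real deployments add per-destination and per-port baselines, time-of-day seasonality and reflection/amplification signatures, none of which this toy attempts.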
Make no mistake, the bad guys aren’t going away, and the pace of DDoS attacks is not letting up. But thanks to recent advances in streaming telemetry, network visibility and Big Data, the good guys are armed with the weapons they need to maintain the peace.