If they weren’t such a menace to the civilized world, you’d almost want to congratulate the hackers on one of their recent innovations: the super DDoS.
The number of mega-sized botnet attacks has shot up like a rocket in recent years. And as we saw with the 300 Gbps assault on Spamhaus a few months ago, they’re using astronomical amounts of bandwidth. Clearly, the bad guys are bringing their best game and aiming to break all the records.
Hackers are no doubt feeling elated at the success of these huge attacks, which came after a technological breakthrough of sorts, while the rest of us are shocked, confused and scared. DDoS attacks are indeed becoming frighteningly big. So how can we possibly stop them?
Well, it’s going to be tough. Just as there’s only so much you can do to secure your house against a Category 5 hurricane, most businesses will buckle under the stress of a 300 Gbps assault. But putting things in perspective, you’re highly unlikely to be targeted by one unless you’re a really juicy target for online lawbreakers.
Realistically, it’s the “pretty big” DDoS attacks you should be preparing for. And the really small ones. And all the medium ones, too. Coming in many sizes and from all directions, any DDoS attack can be fatal to a business network. Defence in depth is the only sensible doctrine.
The big, “volumetric” flavour of DDoS attack—the type everyone reads about—is a threat that your upstream provider is responsible for preventing, says Carlos Morales, VP of global sales engineering and operations at Arbor Networks, an Allstream partner. Meanwhile, cloud and managed services providers “absolutely have to play a part in your defence ecosystem for the sheer size of attacks that could happen,” he says.
But hackers are opportunistic hunters, exploiting weaknesses wherever they find them, so you can’t rely solely on outside providers when there are flaws in your own infrastructure. In particular, DDoS attacks at the application layer are becoming very common, says Morales.
Along with having the right allies, he adds, you must have on-premise technology designed specifically to keep Web services running during a DDoS attack. “The ISP-based systems are going to be reactive,” he says, and an application-layer attack is something that “the upstream providers are not going to have an easy time detecting.”
Let’s step back for a minute, though. The goal of denial-of-service is, well, to deny you service. That goal can be accomplished in many different ways, says Morales, not only through a massive frontal attack or stealthy sabotage behind your security perimeter. There are plenty of dangers in between: HTTP GET and HTTP POST attacks are good examples of middle-of-the-road approaches that are very effective at knocking out a Web site or slowing it down to a crawl, he says.
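As an added illustration (not code from the article, Arbor Networks or Allstream), the Python sketch below shows why a request-rate view at the Web tier catches what a bandwidth-only view upstream misses: it parses constructed access-log lines, counts requests per client per minute, and flags a GET flood even though the total bytes served stay tiny. The log lines, IP addresses and the per-minute threshold are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache common log format); not data from the article.
# 203.0.113.7 sends 45 cheap GET requests in one minute; two other clients browse normally.
ATTACKER = "203.0.113.7"
_normal = [
    '198.51.100.3 - - [14/Aug/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.3 - - [14/Aug/2013:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 3310',
    '192.0.2.55 - - [14/Aug/2013:10:00:30 +0000] "POST /login HTTP/1.1" 302 210',
]
_flood = [
    f'{ATTACKER} - - [14/Aug/2013:10:00:{i % 60:02d} +0000] "GET /search?q={i} HTTP/1.1" 200 380'
    for i in range(45)
]
SAMPLE_LOG = "\n".join(_normal + _flood)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):(?P<hh>\d\d):(?P<mm>\d\d):\d\d [^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def summarise(log_text):
    """Aggregate request count and response bytes per (client IP, minute)."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        key = (m["ip"], f'{m["day"]}:{m["hh"]}:{m["mm"]}')
        stats[key]["requests"] += 1
        stats[key]["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return stats

def flag_app_layer_flood(log_text, max_requests_per_minute=30):
    """Return {ip: peak requests per minute} for clients above the threshold.
    The threshold is an assumption; calibrate it against the real site's baseline."""
    flagged = {}
    for (ip, _minute), s in summarise(log_text).items():
        if s["requests"] > max_requests_per_minute:
            flagged[ip] = max(flagged.get(ip, 0), s["requests"])
    return flagged

def total_bytes(log_text):
    """Total response bytes in the log: shows how little bandwidth a GET flood needs."""
    return sum(s["bytes"] for s in summarise(log_text).values())

if __name__ == "__main__":
    print("flagged clients:", flag_app_layer_flood(SAMPLE_LOG))
    print("total bytes served:", total_bytes(SAMPLE_LOG))
```

The flood here moves under 20 KB in total, far below anything a volumetric threshold at the ISP would notice, yet the per-client request count makes it obvious at the server.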
Naturally, the best defence is a layered one, with an on-premise component that works with any service provider and your ISP, giving you control when and where it’s needed, and help where you can’t handle things on your own.
We’ve heard this kind of advice before. But it’s also advice that has often been given and not taken. As Morales notes, many companies effectively neglected to get DDoS protection for years, until they got spooked when it happened in their own neighbourhoods.
As sectors go, the gaming industry has the dubious honour of being one of the earlier adopters of proper layered defences, having been targeted by online criminals who pioneered DDoS extortion. On the other hand, there was the financial sector, which was late to the game, Morales says.
And so far, the only big winners have been the hackers. They’ve gained the upper hand by taking advantage of widespread indifference among people who read the DDoS headlines and thought, “It won’t happen to my business.” Even more than indifference, many companies have suffered from a lack of imagination when it comes to security.
Focussing on the gigabits alone leads to binary thinking—cloud or on-premise, inside or outside the perimeter, big bandwidth attacks or tiny application-layer attacks—and that makes us lose sight of what denial-of-service is, at its core: online vandalism. It can be accomplished in many different ways, and it’s a good idea to find our weaknesses—all of them—before the hackers do.
Take the next step and quantify the financial risk of DDoS by downloading Allstream’s white paper.