By Dave Larson, Chief Technical Officer of Corero Network Security
The World Wide Web is only 25 years old, but it has overseen countless advances in the way it is written and manipulated. Look at DDoS attacks – what were once simple volumetric attacks have become deceptive and capable of carrying out several functions at once. Yet responses to this threat have not enjoyed the same rapid development. This article examines what ISPs and carriers can do to mitigate the threat, and analyses the approaches on offer to the technical staff fighting the cyber-criminals.
The evolution of DDoS
In the early days of DDoS attacks (c. 2000), DDoS mitigation technology utilized in the Service Provider industry focused on the ability to determine that a DDoS attack was occurring, simply by sampling edge routers and interrogating NetFlow records from those routers. As a result, an operator could see the increase in DDoS traffic, but had few, if any, defenses at their disposal to block the attacks. Without any true solutions available or in place, a network operator would first interpret that an attack was in progress, then manually inject a null-route – sometimes referred to as a black-hole route – into the routers at the edge of the service provider’s network to block the attack. This null-route effectively blocked all attack traffic headed toward the intended victim.
However, this approach had negative consequences as well. A null-route injection blocked all good traffic along with the bad: the target victim was taken completely offline, and dropping every packet destined for the victim’s IP addresses effectively completed the attack on the attacker’s behalf. What the approach did provide was a way of at least blunting the flow of the attack, and it served as a tool to eliminate the collateral damage to other customers or infrastructure caused by the DDoS attack.
Fast forward several years and we find improvements to DDoS mitigation, and an evolution in the protection techniques available to operators. It became clear that a null-route was not an approach that operators preferred to use. Instead of injecting a null-route when a large spike was observed, operators could now inject a new route. By implementing a new route, operators gained the ability to redirect all traffic through an appliance or bank of appliances that inspected traffic and attempted to remove the DDoS attack traffic from the good user flows. This approach spawned the DDoS scrubbing-centers and DDoS scrubbing-lanes that are commonly deployed today.
This DDoS scrubbing approach, while a significant improvement, still required a considerable amount of human intervention. A DDoS attack would have to be detected (again by analyzing NetFlow records), then an operator would have to determine the victim’s destination IP address(es). Once the victim was identified, a BGP route update would take place to inject a new route to redirect or “swing” the victim’s incoming traffic to a scrubbing lane. The appliances in the scrubbing lane would attempt to remove the DDoS traffic from the good traffic and forward the remaining good traffic to the downstream customer. In order to forward the good traffic back to the original destination, in most cases an operator would also have to create a GRE tunnel from the scrubbing lane back to the customer’s border router. This approach represents a significant improvement over null-route solutions, but it also introduces significant complexity to the carrier network topology and requires dedicated and costly security personnel in order to ensure proper execution.
Recently, the DDoS challenge has grown more complex, with attacks increasing in size, sophistication and frequency. Additionally, as large network operators have succeeded and grown, the sheer size and scale of their infrastructures and their massive customer bases present an incredibly attractive attack surface: multiple entry points and significant aggregate bandwidth act as a conduit for damaging and disruptive DDoS attacks. The combination of these trends is now driving the need for an even more sophisticated approach to DDoS mitigation, one that utilizes purpose-built technology to enable a better economic model for defeating these attacks and to create new revenue streams around clean-pipe services.
As we approach the modern-day DDoS threat, with advanced mitigation techniques that have evolved over the last decade, innovative protection, sophisticated visibility and scalable deployment options are emerging. In-line deployments of mitigation technology at the Internet transit and peering points offer much needed relief from the frequent and damaging attacks that providers are dealing with on a regular basis. Alternatively, many providers prefer a scrubbing-lane approach, but require enhanced visibility into traffic patterns as well as the ability to scale the scrubbing operation for increased bandwidth.
DDoS mitigation approaches and real-time threat responses
The weaknesses of old methods – being slow to react, expensive to maintain and unable to keep up with shifting and progressive threats – tell us that solutions appropriate for today need to be always-on and instantly reactive. It’s clear they also need to be adaptable and scalable so that defences can be quickly and affordably updated to respond to the future face of DDoS threats – whatever those may be.
The increasingly popular method of fulfilling these aims is dynamic, in-line DDoS mitigation bandwidth licensing. With this technique, an in-line DDoS mitigation engine is employed but the operator pays for only the bandwidth of attacks actually mitigated. The benefit of this approach is that it delivers full edge protection for locations in the network that are most affected by DDoS, at a fraction of the cost of traditional scrubbing centre solutions. The desirability of these tools is due to the fact that they can be constantly on, with no need for human intervention, and they provide non-stop threat visibility and network forensics.
Another aspect of effective DDoS mitigation is security event reporting. One of the Achilles’ heels of traditional DDoS scrubbing centre solutions is that they rely on coarse sampling of flows at the edge of the network to determine that an attack is taking place. DDoS attackers are well aware of the shortcomings of this approach and have modified many of their techniques to ride under the radar, below the detection threshold, in order to evade ever being redirected to a scrubbing centre. Your security posture will only be as good as your ability to visualize the security events in your environment, and a solution that relies on coarse sampling will be unable to even detect, let alone act on, the vast majority of the modern DDoS attack landscape. A robust modern DDoS solution will provide both instantaneous visibility into DDoS events and long-term trend analysis to identify adaptations in the DDoS landscape and deliver corresponding proactive detection and mitigation techniques.
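As an added illustration of the two detection paths discussed above (this is a constructed example written for this edit, not code from the article or from Corero), the Python below models the traditional approach that scales up sampled NetFlow counts and compares them to a fixed packets-per-second threshold, producing the list of victim destinations an operator would then null-route or swing to a scrubbing lane, next to an in-line detector that sees every packet. The traffic window, the RFC 5737 test addresses and the SYN-fraction heuristic are all assumptions made here; the 1-in-1000 sampling is deterministic so the run is reproducible. The low-rate flood stays under the threshold and is invisible to the sampled path, which is the evasion the paragraph above describes.

```python
# Added example (not from the article or Corero): emulates NetFlow-sampling detection
# and contrasts it with per-packet in-line visibility. All traffic is constructed.
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 10  # length of the constructed observation window


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool  # TCP SYN flag set (SYN floods carry little else)


def sample(packets, rate):
    """Deterministic 1-in-`rate` packet sampling, like a router exporting sampled
    NetFlow. Deterministic (rather than random) so the example is reproducible."""
    return [p for i, p in enumerate(packets) if i % rate == 0]


def estimated_pps(packets, scale):
    """Scale sampled counts back up and convert to packets/second per destination."""
    counts = defaultdict(int)
    for p in packets:
        counts[p.dst] += scale
    return {dst: n / WINDOW_SECONDS for dst, n in counts.items()}


def detect_from_sampled_flows(packets, sampling_rate, threshold_pps):
    """Traditional detection: the only signal is the scaled packet rate, so anything
    that stays below the threshold is invisible. Returns the victim destinations an
    operator would feed into a null-route or scrubbing-lane route update."""
    est = estimated_pps(sample(packets, sampling_rate), scale=sampling_rate)
    return sorted(dst for dst, pps in est.items() if pps >= threshold_pps)


def detect_inline(packets, threshold_pps, min_sources=50, syn_fraction=0.9):
    """In-line detection sees every packet, so it can also flag a destination that is
    below the volumetric threshold but receives almost nothing except SYNs from an
    unusually large number of sources (hypothetical heuristic, for illustration)."""
    per_dst = defaultdict(lambda: {"pkts": 0, "syn": 0, "srcs": set()})
    for p in packets:
        stats = per_dst[p.dst]
        stats["pkts"] += 1
        stats["syn"] += int(p.syn)
        stats["srcs"].add(p.src)
    flagged = {}
    for dst, stats in per_dst.items():
        pps = stats["pkts"] / WINDOW_SECONDS
        frac = stats["syn"] / stats["pkts"]
        if pps >= threshold_pps:
            flagged[dst] = "volumetric"
        elif len(stats["srcs"]) >= min_sources and frac >= syn_fraction:
            flagged[dst] = "low-rate SYN flood"
    return flagged


def build_traffic():
    """Constructed window: one volumetric flood (2000 pps), one low-rate SYN flood
    (200 pps from 200 sources) and one legitimate service (50 pps from 20 clients)."""
    flood = [Packet(f"192.0.2.{i % 256}", "203.0.113.10", True) for i in range(20_000)]
    low_rate = [Packet(f"198.51.100.{i % 200}", "203.0.113.20", True) for i in range(2_000)]
    legit = [Packet(f"198.51.100.{i % 20}", "203.0.113.30", i % 10 == 0) for i in range(500)]
    return flood + low_rate + legit


TRAFFIC = build_traffic()

if __name__ == "__main__":
    print("sampled 1:1000, 1000 pps threshold:", detect_from_sampled_flows(TRAFFIC, 1000, 1000.0))
    print("in-line, same threshold:", detect_inline(TRAFFIC, 1000.0))
```

Running it shows the sampled path returning only the volumetric victim, while the in-line path returns both attacked destinations and leaves the legitimate service alone. The multi-signal heuristic is deliberately simple; the point is that per-packet visibility makes signals beyond raw rate available at all.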
New software and hardware make real-time responses possible, mainly because the traffic from a DDoS attack generally forms a bell curve, ramping up to a peak and back down rather than arriving all at once. Attacks behave this way to elude the sample-based anomaly detectors that are supposed to spot and kill them. However, the modern data analytics in newer solutions enable DDoS detection well before the system’s critical threshold is reached.
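To make the previous paragraph concrete, here is a constructed example (written for this edit, not taken from the article or from Corero) that builds a bell-shaped attack ramp and runs two detectors over it: a hard-threshold check that fires only when the rate reaches the critical level, and a trend check that compares each second to the median of a trailing window and fires while the rate is still a small fraction of the critical level. The series shape, the 3000 pps critical level and the growth-factor heuristic are assumptions of this example.

```python
# Added example (not from the article or Corero): hard-threshold detection beside a
# trend detector on a constructed bell-shaped DDoS ramp.
import math
from statistics import median


def bell_curve_series(duration=120, baseline_pps=100.0, peak_pps=5000.0, centre=60, sigma=15.0):
    """Per-second packet rate: a flat baseline plus a Gaussian-shaped attack ramp."""
    return [baseline_pps + peak_pps * math.exp(-((t - centre) ** 2) / (2 * sigma ** 2))
            for t in range(duration)]


def first_crossing(series, critical_pps):
    """Hard-threshold detection: the first second at which the rate reaches the critical level."""
    for t, pps in enumerate(series):
        if pps >= critical_pps:
            return t
    return None


def early_warning(series, baseline_seconds=30, growth_factor=2.0, sustain=3):
    """Trend detection (hypothetical heuristic): compare each second with the median of
    the trailing window and fire once the rate has stayed above growth_factor times that
    baseline for `sustain` consecutive seconds. The median lags a ramp, so it keeps
    tracking normal traffic while the attack climbs; the sustain requirement suppresses
    single-second blips."""
    streak = 0
    for t in range(baseline_seconds, len(series)):
        baseline = median(series[t - baseline_seconds:t])
        streak = streak + 1 if series[t] >= growth_factor * baseline else 0
        if streak >= sustain:
            return t
    return None


SERIES = bell_curve_series()
CRITICAL_PPS = 3000.0  # assumed level at which the protected link or host saturates

if __name__ == "__main__":
    crit = first_crossing(SERIES, CRITICAL_PPS)
    warn = early_warning(SERIES)
    print(f"hard threshold fires at t={crit}s ({SERIES[crit]:.0f} pps)")
    print(f"trend detector fires at t={warn}s ({SERIES[warn]:.0f} pps)")
```

On this series the trend detector fires roughly twenty seconds before the hard threshold, while the observed rate is still a few hundred packets per second, which is the lead time that makes an automatic in-line response practical.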
As a result, companies no longer have to accept DDoS as one of those risks that simply can’t be avoided. Whether they pay for it themselves or ask for it from their service providers, they can now acquire the technology that will stop these attacks and prevent the costly downtime they would otherwise incur.
Visit Corero’s website for more information: www.corero.com