IT Security Guru

Marshalling DDoS defences for the Terabit era

by The Gurus
December 21, 2016
in Opinions & Analysis

For anyone involved with DDoS defence, 2016 will be remembered as the year of Mirai. Until the botnet’s spectacular attack on Internet company Dyn on 30 September, things had been going relatively well. DDoS attacks were up, of course, but probably no more than expected. The feared reflection attacks that exploit any one of a family of common Internet protocols to multiply DDoS size had largely subsided, or were being dealt with.
Mirai’s size was alarming – the first disclosed Terabit-level DDoS attack in history – but the real story was that nobody saw a botnet built from ignored Internet of Things devices (webcams, old routers, PVRs) as a plausible threat until after the event. It was as if Mirai were a volcano that had erupted suddenly from a quiet city park.
One question Mirai leaves open is how such vast, volumetric attacks can be defended against in an economically sustainable way, and by whom. Customers need protection but at an affordable cost and in a reasonable timeframe. Mitigation, in turn, can’t come at the expense of tying up expensive human and technical resources for days at a time.
Defences exist for even the largest DDoS attacks but below the surface not all of them work in the same way. One company pioneering a distinct approach is Corero Network Security, a London-quoted US company which can trace its DNA in this business back to an outfit called Top Layer Security, which it bought out in 2011.
Despite having a lot of in-house technology and expertise, it set about building a new system from scratch. What came out of the other end is now called the SmartWall Threat Defence System, which can be used in the cloud or on-premises.
“We embarked three and a half years ago to build carrier-scale DDoS mitigation solutions,” opens CTO Dave Larson, who joined the company in 2014 after a succession of jobs at intrusion prevention pioneer TippingPoint, followed by 3Com (which bought TippingPoint) and finally HP (which bought 3Com).
SmartWall wasn’t just another anti-DDoS mitigation platform but one designed to overcome the limitations of traditional anti-DDoS architectures.
Large, saturating, Mirai-like attacks aren’t common but are a major challenge when they happen. Sinkholing the traffic is one option but causes immediate downtime. A less drastic option is scrubbing, but this comes with its own drawbacks.
“The majority of competing solutions are employed out-of-band in scrubbing centres. The problem with that is you are required to detect the attack and move the flows into your scrubbing centres. That is tremendously complex and very time intensive,” says Larson.
“The minimum outage caused by a major DDoS event is in the order of 30 minutes – that’s not something viable in the modern Internet.”
Paradoxically, smaller, everyday DDoS attacks are almost as difficult to mitigate. If they’re short enough they’re not easy to detect so might never be mitigated at all. When they are spotted, scrubbing often requires manual intervention, upping the cost, precisely the sort of overhead the attackers want to induce.
“The differentiation of our solution is it can be employed in an always-on, inline manner without damaging good traffic in peacetime, automatically in sub-second timeframes mitigating attacks as they occur.”
Putting DDoS mitigation ‘inline’ sounds simple enough but it is a radical departure from the traditional custom, which demands that as little as possible should ever stand between a datacentre server and its traffic. This allows service providers to automatically mitigate DDoS traffic of all kinds at the edge of the network, in front of their firewalls. As long as it’s done at scale, the latency is minimal and a range of DDoS events suddenly become cheaper and simpler to deal with. The appeal for carriers is obvious because, almost for the first time, they can sell DDoS protection as an affordable service.
“We are making a terabit of DDoS capacity available for $1 million dollars. That’s almost an order of magnitude more than you’d be able to purchase from a competitor.”
But the DDoS mitigation market has not been easy to change, Larson admits.
“There was incredulity in the existing market. That’s one of the difficulties when you are a category creator. You have to change hearts and minds.”

LDAP zero day

Corero’s claims about the capabilities of SmartWall got a boost in October with the company’s detection of a previously unknown amplification attack based on abusing Connectionless Lightweight Directory Access Protocol (LDAP), against one of its customers. This was so novel, nobody had even imagined that LDAP could be abused on the open Internet (LDAP should normally only be used inside networks).
“That attack was a novel zero day that occurred for the first time on the Internet at 70Gbps – it was perfectly mitigated by our system. We didn’t know what it was, we just knew it was a reflection attack.”
The vulnerability was unknown, then, but the company’s inline technology was still able to protect the customer. Normally in this case, the customer would call the datacentre after going down. An anomaly would then be detected and traffic moved into a scrubbing centre. That entire sequence of events was short-circuited.
“Both our customer (the datacentre) and their customer (the tenant) were initially completely unaware that an attack even took place,” says Larson.
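A protocol-agnostic way to recognise reflection traffic without knowing which service is being abused, as in the incident described above. This is an added example, not Corero's method or SmartWall code; the flow-record layout, thresholds, function names and sample addresses are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

# Flow record (assumed layout): (direction, src_ip, src_port, dst_ip, dst_port, bytes)
# "out" leaves the protected network, "in" arrives at it. UDP only.

def build_sample():
    """Constructed sample: one legitimate DNS lookup plus unsolicited UDP/389 replies."""
    flows = [
        ("out", "203.0.113.10", 40000, "198.51.100.53", 53, 80),
        ("in", "198.51.100.53", 53, "203.0.113.10", 40000, 300),
    ]
    # 40 distinct hosts "answering" from UDP/389 (CLDAP) to requests never sent.
    for i in range(40):
        flows.append(("in", f"192.0.2.{i + 1}", 389, "203.0.113.10", 50000 + i, 3000))
    return flows

def find_reflection(flows, min_sources=20, min_bytes=50_000):
    """Return (victim_ip, service_port, source_count, total_bytes) for each
    suspected reflection stream: many remote hosts sending from the same
    source port to a local host that never queried them."""
    # Pass 1: remember every (local_ip, remote_ip, remote_port) we actually queried.
    requested = set()
    for direction, sip, sport, dip, dport, _ in flows:
        if direction == "out":
            requested.add((sip, dip, dport))

    # Pass 2: aggregate inbound packets that answer no recorded request.
    # Grouping by source port separates reflectors (one fixed service port)
    # from ordinary clients, whose ephemeral source ports are scattered.
    sources = defaultdict(set)
    volume = defaultdict(int)
    for direction, sip, sport, dip, dport, nbytes in flows:
        if direction == "in" and (dip, sip, sport) not in requested:
            sources[(dip, sport)].add(sip)
            volume[(dip, sport)] += nbytes

    return sorted(
        (victim, port, len(srcs), volume[(victim, port)])
        for (victim, port), srcs in sources.items()
        if len(srcs) >= min_sources and volume[(victim, port)] >= min_bytes
    )

if __name__ == "__main__":
    for hit in find_reflection(build_sample()):
        print("suspected reflection:", hit)
```

With sampled flow export, some outbound requests will be missing from the record, so the thresholds need to be high enough that a handful of unmatched legitimate replies does not trigger an alert.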
According to Larson, coping with DDoS attacks requires more attention at the service provider level, particularly in terms of the way they provision capacity. At the very least, more regional scrubbing capacity is needed to cope. Better still, DDoS mitigation should be put at the edge of these networks, not in large centres further down.
In the end, Larson and Corero’s insight is that DDoS mitigation is simply too costly and slow. It is not automated enough, and that on its own has played into the hands of attackers. This sounds like an acid criticism of a market badly in need of a shakeup.
Despite recent events, he remains remarkably upbeat about the future, believing that DDoS attacks can be put back in their box with better mitigation design at carrier level. If this sector becomes engaged in solving the issue, the neighbourhood can be cleaned up, he says.
“Good discipline, good hygiene, good cooperation and maybe a little bit of regulatory stick from government agencies. It’s not going away so the community has to deal with the new reality.”
