While the mobile industry was busy celebrating telecom innovation at MWC18, another kind of innovation was making headlines: a record 1.35 Tbps DDoS attack. It caused some disruption and highlighted the potential for much worse. In this instance, the attack was detected and mitigated relatively quickly—but it required manual intervention and rerouting of traffic. Fortunately, service was only disrupted for a few minutes, but it could have been much worse, and other targets might not have been as ready.
DDoS is a worldwide problem: it is harmful if not treated in time, and it also seems to be getting worse. This is why I tend to compare it with a flu epidemic, one that affects the connected world. And indeed, DDoS attacks and the flu have their similarities.
For those who haven’t been paying attention to the latest medical news, this flu season has been especially rough. In January, Time magazine explained the phenomenon:
“The flu shot is tweaked each year in an attempt to target what are projected to be the most prevalent strains of the disease, but the process isn’t foolproof.”
This analysis of the flu season points to what I see as the major resemblance between DDoS and the flu. In the case of the flu, vaccination acts as a static defence that targets specific, projected flu strains, and it is only effective against 30 per cent of H3 viruses. In the same manner, when facing DDoS attacks, telecom operators only know how to mitigate what they already know: a “known knowns” approach.
ISPs and enterprises are thus facing the same challenge as health professionals: how will they defend themselves against non-prevalent strains? Unforeseen DDoS attacks, new vectors and zero-day exploits are in fact unknown unknowns. But the comparison also has its limits. Fortunately, the world of data communications has a solution to DDoS attacks.
Facing DDoS attacks, firms may make use of autonomously adaptive, machine-learning algorithms using artificial intelligence techniques to automatically detect anomalous behaviour and trigger mitigation of the attack. And indeed, the recent attack on GitHub was spotted by IT professionals who noticed an unusual spike in inbound traffic. It was caused by the amplification of reflected UDP traffic through Memcached servers’ default port 11211. They eventually managed to fend off the attack by rerouting traffic to a scrubbing centre provider that cleaned out the malicious packets, and the attack ended shortly afterwards.
The attack didn’t last more than a few minutes but could have been worse had it struck a less prepared company, and indeed other companies aren’t as prepared. A firm the size of GitHub can divert terabits of traffic to external DDoS cleanup services, but this is a costly solution, and for many firms the scrubbing and latency costs are prohibitive. This problem is bound to become even more acute as 5G and IoT expand the scale of data communications. On top of the heavy security costs, many short-term “hit and run” attacks evade external detection because of their short duration and will not get scrubbed.
Facing this harsh reality, I would like to point to a better solution: high-performance, distributed inline systems that use machine-learning techniques to automatically detect and mitigate any type of attack at wire speed, regardless of scale, within seconds and without disrupting service. Legitimate traffic would flow unimpeded while malicious traffic would be discarded. No manual intervention would be required. Here is how this works:
In the above picture, every packet of data is inspected by high-performance, inline appliance instances. This enables attacks to be automatically detected and surgically blocked within seconds. Network services are neither threatened nor disrupted. This success is achieved by using advanced Network Behavior Anomaly Detection (NBAD) technology. Volumetric attacks are detected by the anomalies they cause in the normally time-invariant behaviour of Layer 3 and Layer 4 packet rate statistics.
The dynamic creation of mitigation rules and surgical filtering of attack packets prevents over-blocking and enables legitimate traffic to flow unimpeded, assuring network protection and service QoE at all times.
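The detection principle described above, as an added example that is not Allot’s code: a small Network Behaviour Anomaly Detection loop over constructed per-second packet counters keyed by (protocol, source port). It learns the mean and standard deviation of each key’s packet rate during a quiet learning window, flags an interval whose rate leaves that band (the Layer 3/4 rate statistics are otherwise time-invariant), and emits a filter rule for just the anomalous (protocol, port) pair rather than for all traffic, which is what keeps legitimate flows unimpeded. The counters, the 4-sigma band and the 1000 pps floor are assumptions chosen for the illustration.

```python
"""Toy NBAD over Layer 3/4 packet-rate statistics (added example, not Allot's code).

Input: constructed per-second counters, one dict per interval, mapping
(proto, src_port) -> packets seen in that second. A learning window gives a
per-key baseline (mean, stddev); an interval whose rate exceeds
mean + K_SIGMA * stddev (and an absolute floor) is anomalous, and a
mitigation rule is generated for that key only.
"""
from collections import defaultdict
from statistics import mean, pstdev

K_SIGMA = 4.0          # assumption: how far above the baseline counts as anomalous
MIN_ABS_PPS = 1000     # assumption: ignore tiny absolute rates that still "deviate"

# Constructed sample: 20 seconds of ordinary background traffic ...
SAMPLE_INTERVALS = []
for t in range(20):
    SAMPLE_INTERVALS.append({
        ("tcp", 443): 5000 + (t % 3) * 50,
        ("udp", 53): 800 + (t % 5) * 10,
        ("udp", 11211): 2 + (t % 2),
    })
# ... then 3 seconds in which packets from UDP source port 11211 (memcached
# responses) surge while everything else stays at its normal level.
for t in range(3):
    SAMPLE_INTERVALS.append({
        ("tcp", 443): 5050,
        ("udp", 53): 820,
        ("udp", 11211): 150000 + t * 10000,
    })


def build_baseline(intervals):
    """Per-key (mean, stddev) of packets/second across the learning intervals."""
    keys = set().union(*intervals)
    series = defaultdict(list)
    for snap in intervals:
        for key in keys:
            series[key].append(snap.get(key, 0))   # absent key == 0 pps
    return {key: (mean(v), pstdev(v)) for key, v in series.items()}


def detect_anomalies(snapshot, baseline, k=K_SIGMA, floor=MIN_ABS_PPS):
    """Return (key, pps, threshold) for keys whose rate leaves the baseline band."""
    anomalies = []
    for key, pps in snapshot.items():
        mu, sigma = baseline.get(key, (0.0, 0.0))
        # max(sigma, 1.0) stops a perfectly flat baseline from flagging noise
        threshold = max(mu + k * max(sigma, 1.0), floor)
        if pps > threshold:
            anomalies.append((key, pps, threshold))
    return anomalies


def mitigation_rule(key):
    """Surgical rule text: drop only the anomalous (proto, src_port) pair."""
    proto, port = key
    return f"drop {proto} src_port {port}"


def run(intervals, learn=20):
    """Learn on the first `learn` intervals, then return the rules generated after."""
    baseline = build_baseline(intervals[:learn])
    rules = []
    for snap in intervals[learn:]:
        for key, _pps, _thr in detect_anomalies(snap, baseline):
            rule = mitigation_rule(key)
            if rule not in rules:
                rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in run(SAMPLE_INTERVALS):
        print(rule)   # only the 11211 surge produces a rule; 443 and 53 stay open
```

The rule is keyed on the deviating tuple rather than on the destination, so a real implementation would also age rules out once the rate returns to baseline; that step is omitted here.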
DDoS attacks also have an often-overlooked aspect: service providers can themselves be infected and become the source of outgoing botnet attacks. This can be harmful to their customers and their reputation. Such outbound attacks can only be caught by inline systems that inspect all packets travelling in every direction. Inspecting outbound traffic not only blocks such attacks but also enables better detection of inbound attacks.
By correlating bi-directional traffic, the system can easily highlight inbound traffic that answers requests which were not in fact sent from the service provider’s network.
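The two bi-directional checks described in the last two paragraphs, as an added example that is not Allot’s code, run over a constructed packet list: inbound UDP packets that look like responses but have no recent outbound request from that customer host to that server (in a reflection flood the provider’s hosts never sent the requests), and customer hosts sending far more packets to one external destination than any normal flow would (the provider being used as an attack source). The packet records, the 10.0.0.0/8 customer space, the 2-second request window and the 100-packet threshold are assumptions for the illustration.

```python
"""Bi-directional flow correlation at a provider edge (added example, not Allot's code).

Record layout: (time_s, direction, proto, src_ip, src_port, dst_ip, dst_port),
direction "out" = from a customer host to the internet, "in" = the reverse.
"""
from collections import Counter, defaultdict

# Constructed sample; 10.0.0.0/8 is assumed to be the provider's customer space.
PACKETS = [
    # legitimate DNS: request out, response back 20 ms later
    (1.00, "out", "udp", "10.0.0.5", 40000, "198.51.100.1", 53),
    (1.02, "in",  "udp", "198.51.100.1", 53, "10.0.0.5", 40000),
    # legitimate memcached use by one customer
    (2.00, "out", "udp", "10.0.0.9", 50000, "203.0.113.7", 11211),
    (2.01, "in",  "udp", "203.0.113.7", 11211, "10.0.0.9", 50000),
]
# reflected responses: many memcached servers answer a host that asked nothing
for i in range(50):
    PACKETS.append((3.0 + i * 0.001, "in", "udp",
                    f"203.0.113.{i + 10}", 11211, "10.0.0.20", 80))
# an infected customer host flooding one external destination
for i in range(200):
    PACKETS.append((4.0 + i * 0.0005, "out", "udp",
                    "10.0.0.77", 1024 + (i % 100), "192.0.2.44", 80))

REQUEST_WINDOW_S = 2.0      # assumption: how long an outbound request "opens" a reply


def unsolicited_inbound(packets, window=REQUEST_WINDOW_S):
    """Inbound UDP packets whose reversed 4-tuple was not seen outbound recently."""
    last_request = {}   # (inside_ip, inside_port, server_ip, server_port) -> time
    flagged = []
    for t, direction, proto, sip, sport, dip, dport in sorted(packets):
        if proto != "udp":
            continue        # TCP has its own handshake state; out of scope here
        if direction == "out":
            last_request[(sip, sport, dip, dport)] = t
        else:
            asked = last_request.get((dip, dport, sip, sport))
            if asked is None or t - asked > window:
                flagged.append((t, sip, sport, dip, dport))
    return flagged


def reflection_summary(flagged):
    """Group unsolicited inbound by source port -> (count, victims), so the
    resulting filter can be scoped to that port and those destinations only."""
    per_port = Counter()
    victims = defaultdict(set)
    for _t, _sip, sport, dip, _dport in flagged:
        per_port[sport] += 1
        victims[sport].add(dip)
    return {port: (n, sorted(victims[port])) for port, n in per_port.items()}


def outbound_flood_sources(packets, threshold=100):
    """(customer_ip, dst_ip) pairs with more than `threshold` outbound packets."""
    counts = Counter()
    for _t, direction, _proto, sip, _sport, dip, _dport in packets:
        if direction == "out":
            counts[(sip, dip)] += 1
    return {pair: n for pair, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print(reflection_summary(unsolicited_inbound(PACKETS)))
    print(outbound_flood_sources(PACKETS))
```

The legitimate DNS and memcached exchanges pass because their outbound request was seen first; only the responses nobody asked for are flagged, and only the one customer host with a one-sided flood shows up as an outbound source.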
During the recent Memcached attacks, Allot’s bi-directional, inline DDoS Secure solution successfully detected and prevented such attacks observed in multiple customer networks worldwide.
Below is an example:
So, while this year’s flu season may be winding down, DDoS is just gearing up. New vectors, new vulnerabilities and ever-growing volumetric attacks are just a matter of time. Get protected – inline and on time!