How to stop hackers leveraging DDoS activity to cause more damage

DDoS attacks against Corero customers grew by a third in the last quarter, with organisations experiencing an average of 4.5 attacks every day. This may sound like a meteoric rise, but it is hardly surprising given the proliferation of cheap and easy-to-launch attack tools.

Where DDoS attacks were once launched mostly by individuals writing their own tools, often as a form of protest, DDoS-for-hire botnets now allow just about anyone to launch a crippling attack for a few dozen dollars, with no coding skills required.

In many cases these attacks are merely a smokescreen, designed not to deny service but to divert attention from the real motive, usually data theft and network infiltration.

But how can network and security teams respond to the debilitating impact of these chronic, sub-saturating attacks and see through the noise to the real assaults taking place below the surface? And what is the best way to respond to attacks of this nature: on-premises or in the cloud?

> See also: DDoS ransom notes: why paying up will get you nowhere

According to our mid-year report, in the first half of 2015, the vast majority of DDoS attacks experienced by Corero customers were less than 1 Gbps. Additionally, more than 95% of these attacks lasted 30 minutes or less.

As attackers look for new ways to leverage DDoS, they have realised that short-duration, sub-saturating attacks are harder to defeat, because they are over before traffic can be diverted to a traditional cloud-based scrubbing centre.

In many cases, re-routing traffic through a scrubbing solution, most often after an outage or service degradation has already occurred, devolves into a game of cat and mouse.

This is because the time from detection to mitigation can be upwards of one hour, so the damage has usually been done before on-demand defences are engaged. In addition, diverting traffic to the cloud for every short-duration, sub-saturating attack will quickly break the bank.

To keep up with the evolving range of threats, a solution fit for today needs to be always on and react instantly. It also needs to be adaptable and scalable, so that defences can be updated quickly and affordably as DDoS techniques evolve, whatever that may entail.

The most effective way to meet these aims is in-line DDoS mitigation coupled with bandwidth licensing under which the operator pays only for the volume of attack traffic actually mitigated, not for the capacity of the protected links.

The benefit of this approach is that it delivers full edge protection for locations in the network that are most affected by DDoS, at a fraction of the cost of traditional scrubbing centre solutions.

These tools are attractive because they can be always on, with no need for human intervention, and they provide continuous threat visibility, attack mitigation and DDoS forensics.

Another aspect of effective DDoS mitigation is security event reporting. The Achilles' heel of traditional DDoS scrubbing centre solutions is that they rely on coarse sampling of flows at the edge of the network to determine whether an attack is taking place.

DDoS attackers are well aware of the shortcomings of this approach and have modified many of their techniques to ride under the radar, below the detection threshold, in order to evade ever being redirected to a scrubbing centre.

Your security posture will only be as good as your ability to see the security events in your environment, and a solution that relies on coarse sampling will be unable even to detect, let alone act on, the vast majority of the modern DDoS attack landscape.

A robust modern DDoS solution will provide both instantaneous visibility into DDoS events as well as long-term trend analysis to identify adaptations in the DDoS landscape and deliver corresponding proactive detection and mitigation techniques.

Real-time responses are possible with new, high-performance, in-line DDoS defence solutions. Attack traffic typically ramps up and down in a bell-shaped curve rather than arriving as a step. The gradual ramp keeps the early phase of an attack below what a sample-based anomaly detector notices; however, it plays into the hands of in-line mitigation solutions built on modern data analytics platforms, which are optimised to recognise that an attack is under way while the rate is still climbing, before the system has reached a critical threshold. This is simply not possible with legacy scrubbing-centre approaches.

Effective DDoS defence can be deployed either as an on-site solution or provided as a premium defence-as-a-service offering from an upstream Internet provider. Carriers are in a unique position to effectively eliminate the impact of DDoS attacks against their customers by surgically removing the attack traffic transiting their networks.

In a recent survey, Corero asked enterprise IT teams about the role that ISPs should play in defending against DDoS attacks. Around 75% of respondents indicated that they would like their ISP to provide additional security services to eliminate DDoS traffic from entering their network, and more than half would be prepared to pay for this type of premium service.

But on a day-to-day level, how can IT managers deal with such an avalanche of attacks? Our main piece of advice is this: just because you have not suffered a major outage, do not be lulled into a false sense of security and assume that DDoS is not a problem for your organisation.

Invest some time familiarising yourself with trends in the DDoS landscape and start looking more closely at lower-level activity within your environment. When a breach does happen, telling management that you had never had an outage before and so assumed your protections were fine is not going to be very convincing. The online enterprise requires a proactive, real-time approach to the onslaught of DDoS attacks targeting its networks.

In short, there is no reason companies should resign themselves to eventually getting DDoS'ed. The technology exists to provide an effective defence, and this type of in-line, always-on protection can come in various forms, either on-premises or purchased as a security service from an upstream provider.

> See also: 74% of DDoS attacks are just smokescreens for other malicious meddling – research

A robust solution cannot be found in the cloud alone, but rather through a hybrid solution of on-site technology and system-wide visibility, to gauge long-term trends and deliver proactive detection and mitigation techniques.

It is only through deploying these real-time solutions that IT teams will really be able to separate the wheat from the chaff and identify the most serious attacks on their networks.

Sourced from Dave Larson, CTO, Corero Network Security


Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...
