The frequency and size of DDoS attacks are ever growing, and they continue to be an issue for many businesses.
With the ongoing work to shut down or neutralise botnets, a cyber arms race has started: hacktivists and other cybercriminals are constantly searching for new ways to amplify their attacks. As a result, DDoS attacks are becoming increasingly common.
DDoS attacks are nothing new. In fact, a number of high-profile attacks have dominated the media over the last 12 months, with well-known brands such as Evernote, Tweetdeck and Feedly publicly feeling the impact of sophisticated attacks.
More recently, PlayStation Network (PSN) has again been targeted, which goes to show that it is now more important than ever for organisations to have the right defences in place.
PSN and similar services have huge customer bases and, due to their global nature, have a need to be available 24/7. This makes them very appealing targets for entities looking to create highly visible disruption or to steal large numbers of customer details.
It’s an unfortunate fact that the DDoS threat has never been greater and is likely to continue to grow and get stronger.
DDoS can affect businesses in many ways, and attacks can cause damage running into millions of pounds; Forrester Research claims losses can be as much as $27 million for a 24-hour period of downtime. They can also permanently damage a company’s reputation: who wants to do business with a company that cannot keep its customers’ personal information safe?
Looking at the number of DDoS attacks reported, these attacks show no sign of losing popularity with cybercriminals. Importantly, as the lines between the professional and personal use of technology continue to blur, attackers are increasingly targeting the people who legitimately access systems, compromising their devices to gain another attack vector.
It is vital that we start to really recognise the significance of these attacks, how likely they are and how damaging they can be.
Understanding whether DDoS attacks are the work of mischief-makers, criminals or even attempts to sabotage rivals is difficult.
What is clear is that defending against DDoS attacks is no longer just the province of private and public sector businesses. Attacks against end-user systems have become more prevalent and have amplified over the last year; the worrying trend is for these attacks to be a smokescreen for more insidious activities.
The challenge businesses face is how to defend effectively. The issue is that companies typically have multiple autonomous systems in place, with limited integration between them and key functional limitations at each layer.
Cloud-based mitigation services, for example, cannot inspect encrypted traffic unless the enterprise is willing to give the cloud provider the private keys for its TLS certificates (which most are not), so this traffic is passed through uninspected.
Therefore, if an attack is carried inside encrypted connections, it is already past the first layer of defence. Volumetric floods can still be absorbed without decryption; it is application-layer attacks that hide in encrypted sessions.
Most on-premises firewalls have the same limitation: encrypted traffic is allowed through because the firewall typically cannot inspect it at the application level, so the attack traffic breaches the on-premises protections too.
Finally, when we add volume and blended attacks – multiple attack types at once (DDoS floods, attacks against the applications, attacks from compromised user systems) – to the picture, it is easy to see how enterprises struggle to cope.
One answer to this is contextually aware defences: defences that know which applications they protect, how those applications function, and what traffic is going to and from them.
Ideally this awareness will span the cloud and on-premises components and, in an ideal world, will also be able to tell whether an end user’s system is compromised, giving better integration and the best possible chance of mitigating attacks before they start impacting service.
With this in mind, and in order to mitigate DDoS attacks, businesses should ensure they can filter requests before they enter the data centre and monitor incoming traffic for abnormal patterns.
This can block access that does not come from a genuine customer, through techniques such as recognising that a repeated request is being made by a script rather than by a person at a keyboard.
Deciding whether traffic is good or bad is the key to deciding whether it should be allowed into the data centre at all.
Businesses can also put in place firewalls that sustain a greater number of requests per second, so that systems are less likely to fall over under the weight of the repeated requests associated with DDoS attacks. Essentially, a full proxy firewall, which terminates each client connection itself before opening a separate connection to the server, can avert significant downtime and data loss at a business.
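The filtering described above (spotting repeated, machine-driven requests before they reach the data centre) is easier to reason about with a concrete check. The following is an added example, not F5's code or anything from the original article: it runs three simple tests over a constructed JSON-lines request log of the kind an edge proxy might emit. The record format, the thresholds, the client addresses and the `run_demo` helper are all assumptions for the demo. It goes slightly beyond the text in that it also catches a low-and-slow scraper that stays under the rate limit but hits the server on a metronome-regular timer.

```python
# Added example (not F5's code): spot automated request sources from edge
# request records, the way a filter in front of the data centre would have to.
import json
from collections import defaultdict

# Thresholds are assumptions for the demo; a real deployment tunes them per service.
WINDOW_SECONDS = 10.0          # sliding window for the rate check
MAX_REQUESTS_PER_WINDOW = 20   # more than this from one source in the window is abusive
MIN_SAMPLES = 8                # need this many requests before judging cadence/repetition
MAX_JITTER_SECONDS = 0.05      # inter-arrival spread below this looks like a timer, not a person


def make_record(ts, client, path, ua="Mozilla/5.0", method="GET", status=200):
    """Build one constructed JSON-lines request record (what an edge proxy might log)."""
    return json.dumps({"ts": ts, "client": client, "method": method,
                       "path": path, "status": status, "ua": ua})


BASE = 1700000000.0  # arbitrary epoch start for the constructed sample
SAMPLE_LOG = (
    # one person browsing: few requests, irregular gaps, different pages
    [make_record(BASE + t, "203.0.113.7", p)
     for t, p in [(0.0, "/"), (3.1, "/products"), (7.4, "/products/42"),
                  (8.9, "/cart"), (15.2, "/checkout")]]
    # a flood: 40 identical requests to /login, exactly 200 ms apart
    + [make_record(BASE + 0.2 * i, "198.51.100.23", "/login", ua="python-requests/2.31")
       for i in range(40)]
    # a low-and-slow scraper: under the rate limit, but metronome-regular
    + [make_record(BASE + 1.0 * i, "192.0.2.44", f"/catalog/page/{i}")
       for i in range(12)]
)


def parse_lines(lines):
    """Parse JSON-lines records, skipping anything malformed rather than crashing the filter."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
            events.append({"ts": float(rec["ts"]), "client": rec["client"], "path": rec["path"]})
        except (ValueError, KeyError, TypeError):
            continue
    return events


def sliding_window_peak(timestamps, window=WINDOW_SECONDS):
    """Largest number of requests from one source that fall inside any span of `window` seconds."""
    ts = sorted(timestamps)
    left, peak = 0, 0
    for right, t in enumerate(ts):
        while t - ts[left] > window:
            left += 1
        peak = max(peak, right - left + 1)
    return peak


def cadence_jitter(timestamps):
    """Spread (max - min) of the gaps between consecutive requests; None if too few samples.
    People produce ragged gaps; scripts on a timer produce nearly identical ones."""
    ts = sorted(timestamps)
    if len(ts) < MIN_SAMPLES:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return max(gaps) - min(gaps)


def classify(events):
    """Return {client: [reasons]}; an empty list means the source looks like a genuine user."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    verdicts = {}
    for client, evs in by_client.items():
        ts = [e["ts"] for e in evs]
        reasons = []
        peak = sliding_window_peak(ts)
        if peak > MAX_REQUESTS_PER_WINDOW:
            reasons.append(f"rate: {peak} requests inside {WINDOW_SECONDS:g}s")
        jitter = cadence_jitter(ts)
        if jitter is not None and jitter <= MAX_JITTER_SECONDS:
            reasons.append("cadence: machine-regular intervals")
        paths = {e["path"] for e in evs}
        if len(evs) >= MIN_SAMPLES and len(paths) == 1:
            reasons.append(f"repeat: {len(evs)} hits on {next(iter(paths))}")
        verdicts[client] = reasons
    return verdicts


def run_demo():
    """Classify the constructed sample log; used by the __main__ block below."""
    return classify(parse_lines(SAMPLE_LOG))


if __name__ == "__main__":
    for client, reasons in run_demo().items():
        print(client, "->", reasons or ["no anomaly"])
```

The three checks are deliberately independent: the rate check alone would miss the scraper, and the repetition check alone would miss a flood that rotates paths. In a real filter the verdict would feed a block or challenge decision at the edge, and the thresholds would be set from a baseline of the service's own legitimate traffic rather than the round numbers used here.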
Finally, being able to check whether the end user’s system has been compromised by malware can help businesses stop legitimate access from being used to piggyback unauthorised access. Being able to make these checks without impacting the end user is important here.
When it comes to securing systems, best practice has traditionally been to apply as much security as you can afford. These days, however, we need integrated defence systems so that the defences themselves are not the weak points.
Sourced from Paul Dignan, F5 Networks