Change is inevitable – Time to re-write the playbook

By Stephen Gates | November 26, 2014

Posted in: Hosting Provider DDoS Protection

Hopefully most of you in the industry have noticed that the approach to DDoS protection has changed dramatically over the last few years. What was once considered a good defensive posture is now proving to be sub-par protection against today's sophisticated and adaptive DDoS attacks. Firewalls, IPSs and other traditional security infrastructure are now widely considered obsolete when it comes to defeating today's denial of service attacks.

Organizations that have taken the first steps toward outlining a DDoS defense strategy typically look to out-of-band defenses and anti-DDoS scrubbing-lane approaches that re-route traffic once an attack has been identified. This is a good first step, but the recommendation from industry analysts is a two-pronged approach in which in-line, real-time detection and attack mitigation is the primary means of DDoS defense and scrubbing is the backstop. Here's why.

Corero has seen an increase in one type of DDoS attack that is becoming more and more common. Many of the DDoS attacks we observe daily are large (relatively speaking) but last only a short period of time. The key point is that they do not fully saturate the Internet link. While these attacks can be quite devastating to unprotected downstream border defenses, there is also an ulterior motive.

For example, an average attack is somewhere between 3 and 6 Gbps against a victim's 10 Gbps pipe. The network, regardless of whether a cloud scrubbing service is waiting in the wings, experiences increased latency and increased CPU usage across all border technologies. During the attack, firewall state tables are overwhelmed, IPS devices revert to layer 2 fall-back mode (passing traffic through uninspected), and security analysts scramble to reboot, restart and identify the problem, not to mention decide whether to engage the cloud provider to re-route and scrub the malicious traffic. All of this requires human intervention, and all of it plays out within a very short window, usually about 30 minutes. What the cloud provider or the security analyst won't see during this commotion is a very common accompanying tactic: large numbers of connection attempts on TCP ports 22, 443, 1433, 3306, 3389 and so on, which are most likely brute-force password-cracking attempts carried out under cover of the short-duration DDoS.

By the time the victim engages a scrubbing lane or cloud-based defenses, the attack has already subsided. The decision to re-route traffic through a scrubbing lane or cloud-based defenses is never taken lightly and can often take more than 30 minutes to execute. This DDoS protection attempt is, more often than not, too little, too late. Attackers know all too well that this is an *almost* fool-proof method of taking systems offline while distracting and blinding you from the more sinister motivations.
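The pattern described above, a link under heavy load but not saturated, with a burst of connection attempts to administrative ports hiding inside it, is something a detection pipeline can look for directly. The following is an added example written for this post, not Corero code and not part of the SmartWall product: it runs over constructed per-minute byte totals and constructed flow records, picks out the minutes where the 10 Gbps link is between 30% and 95% utilized (the partial-saturation window), and then counts per-source TCP SYNs to the ports named above within that window. The link capacity, the utilization band, the SYN threshold, the record layout and all addresses are assumptions made for the example.

```python
"""Spot the brute-force traffic hiding inside a partial-saturation DDoS.

Added example for this post (not Corero code). Link capacity, thresholds,
record layout and all sample data below are assumptions / constructed.
"""
from collections import Counter, defaultdict

LINK_CAPACITY_BPS = 10_000_000_000          # assumed 10 Gbps edge link
PARTIAL_LOW = 0.30                          # 3 Gbps: link under strain ...
PARTIAL_HIGH = 0.95                         # ... but not fully saturated
ADMIN_PORTS = {22, 443, 1433, 3306, 3389}   # ports named in the post
SYN_THRESHOLD = 20                          # assumed per-source SYN count


def bytes_per_minute(bps):
    """Convert a bits-per-second rate into bytes seen in one minute."""
    return bps * 60 // 8


# Constructed per-minute byte totals for a 25-minute capture:
# minutes 5..15 carry a 4.5 Gbps flood, the rest a normal 0.8 Gbps.
BUCKET_BYTES = {
    minute: bytes_per_minute(4_500_000_000 if 5 <= minute <= 15 else 800_000_000)
    for minute in range(25)
}


def build_flows():
    """Constructed flow records: (minute, src_ip, proto, dst_port, tcp_flags)."""
    flows = []
    # UDP flood from many sources while the attack is running.
    for minute in range(5, 16):
        for i in range(50):
            flows.append((minute, f"198.51.100.{i}", "udp", 80, ""))
    # Brute-forcer hammering SSH and RDP only while the flood is on.
    for minute in range(6, 13):
        for _ in range(6):
            flows.append((minute, "203.0.113.7", "tcp", 22, "S"))
            flows.append((minute, "203.0.113.7", "tcp", 3389, "S"))
    # Ordinary client: a few HTTPS connections spread across the capture.
    for minute in (2, 8, 20):
        flows.append((minute, "192.0.2.10", "tcp", 443, "S"))
    return flows


def partial_saturation_minutes(bucket_bytes, capacity_bps=LINK_CAPACITY_BPS,
                               low=PARTIAL_LOW, high=PARTIAL_HIGH):
    """Minutes where the link carries DDoS-scale load without being full."""
    window = []
    for minute in sorted(bucket_bytes):
        bps = bucket_bytes[minute] * 8 / 60
        if low * capacity_bps <= bps < high * capacity_bps:
            window.append(minute)
    return window


def syn_counts_in_window(flows, window):
    """Per-source SYN counts to admin ports, restricted to the window."""
    window = set(window)
    counts = defaultdict(Counter)
    for minute, src, proto, dport, flags in flows:
        if minute in window and proto == "tcp" and flags == "S" and dport in ADMIN_PORTS:
            counts[src][dport] += 1
    return counts


def hidden_brute_force(flows, bucket_bytes, threshold=SYN_THRESHOLD):
    """Return (partial-saturation minutes, {src: {port: syn_count}} suspects)."""
    window = partial_saturation_minutes(bucket_bytes)
    suspects = {}
    for src, ports in syn_counts_in_window(flows, window).items():
        if sum(ports.values()) >= threshold:
            suspects[src] = dict(ports)
    return window, suspects


if __name__ == "__main__":
    window, suspects = hidden_brute_force(build_flows(), BUCKET_BYTES)
    print("partial-saturation minutes:", window)
    for src, ports in suspects.items():
        print(f"brute-force suspect {src}: {ports}")
```

The point of restricting the SYN count to the partial-saturation window is that a handful of SSH or RDP connection attempts per minute is normal background noise on most networks; the same count concentrated into the exact minutes when the border devices are overloaded and analysts are busy is the signal. In practice the byte totals and flow records would come from interface counters and NetFlow/sFlow or IPFIX exports rather than the constructed lists here.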

Where do we go from here?

Organizations are evolving, just as the DDoS attack landscape continues to advance. The answer is to deploy in-line, on-premises DDoS defense on the raw Internet feeds or peering points, as close to the edge as possible. This provides immediate detection and defense, coupled with real-time attack visibility, designed to prevent the kind of scenario I've just described. In-line technology built to defeat all classes of DDoS attacks, volumetric and application-layer alike, is becoming Plan "A" against DDoS, with anti-DDoS scrubbing solutions as Plan "B". With the ability to defeat attacks in real time, not only are you protected from the very start of an attack; latency is reduced along with the cost of mitigation, because there is no longer a need to re-route traffic at the onset of every attack.

Corero customers defeat these partial-saturation attacks on a regular basis and don't have to worry about what's lurking behind them. We often see Corero SmartWall® Threat Defense technology deployed to complement cloud-based DDoS services. In these deployments the DDoS scrubbing lanes are engaged only when full pipe saturation occurs. Corero SmartWall TDS technology, with its attack visibility and reporting, alerts security teams before full bandwidth consumption becomes inevitable. Cloud services can then engage and scrub the bulk of the traffic, removing the unwanted DDoS activity from the stream. Re-writing the playbook for complete DDoS defense is easier than ever before with a two-pronged approach.
