Evolving DDoS Threat Challenges Service Provider Capacity

By Sean Newman | April 16, 2019

Posted in: Network Security Trends

The DDoS threat continues to grow in sophistication as cybercriminals improve their attack techniques in an attempt to evade the trusted mitigation methodologies typically used for DDoS protection. At Corero we have observed attacks that demonstrate how cybercriminals are getting smarter, with attacks that are more dynamic. In particular communications service providers now need to rethink how they are delivering DDoS mitigation for their customers.

Headline-Grabbing Attacks Have Waned

A couple of years ago the Mirai botnet and its derivatives were regularly making headline news, launching massive DDoS floods such as the attack against Dyn DNS. However, in the past year or so, much of the global botnet activity has been directed towards cryptocurrency mining, which likely explains why we haven’t seen a massive DDoS attack for over a year now. It appears that cybercriminals figured out they can make more money harnessing botnets for cryptocurrency mining. However, we have witnessed the continued evolution of existing botnets; variations of the Mirai malware continue to show up, and many of them are being used to power booter and stresser services, effectively offering DDoS for hire.

Multi-Vector Attacks are on the Increase

Cybercriminals can, and often do, dynamically and automatically change parameters and vectors in response to the cyber-defenses they encounter. When criminals continually modify the attacks, it becomes much more difficult to mitigate them. They often increase the number of vectors to build the volume of an attack. Sometimes they layer different vector types and sometimes they vary the attack vector itself to evade detection. 

Hackers have also taken to spraying attacks over an entire subnet, rather than just directing them at a single IP address. An attack which is diluted across a subnet in this way is designed to evade traditional DDoS mitigation technologies, whose detection thresholds are set per destination IP. Pulse-wave attacks are yet another evasion technique: hackers send attack traffic to one IP address for a few minutes, then stop and attack another target, and then cycle between targets for the duration of the attack. Thus, they create confusion, and try to prevent victims from swinging traffic to a scrubbing protection service.
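The two evasion patterns described above (subnet-diluted spraying and pulse-wave cycling between targets) are exactly what per-destination rate thresholds miss. The following added example, which is not Corero's code and not from the original post, shows detection logic a NOC or SOC could run over flow records: it buckets traffic into one-minute windows, applies a classic per-IP trigger, then adds a per-/24 aggregate check that only fires when no single host crossed the per-IP trigger (the dilution case), and finally looks for targets hit in separate bursts whose gaps coincide with bursts against other targets (the pulse-wave case). The flow records, window size and thresholds are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 60                    # assumed aggregation window
PER_IP_THRESHOLD_BPS = 1_000_000_000   # assumed per-destination trigger (1 Gbps)
SUBNET_THRESHOLD_BPS = 2_000_000_000   # assumed per-/24 aggregate trigger (2 Gbps)


def bucket_rates(flows, window=WINDOW_SECONDS):
    """Aggregate (timestamp_s, dst_ip, bytes) records into bits/s per destination per window."""
    per_ip = defaultdict(lambda: defaultdict(int))  # ip -> window index -> bytes
    for ts, dst, nbytes in flows:
        per_ip[dst][int(ts // window)] += nbytes
    return {ip: {w: b * 8 / window for w, b in wins.items()} for ip, wins in per_ip.items()}


def subnet_of(ip, prefix=24):
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def detect_single_target(rates, threshold=PER_IP_THRESHOLD_BPS):
    """Classic detection: windows in which one destination alone exceeds the trigger."""
    hits = {}
    for ip, wins in rates.items():
        flagged = sorted(w for w, bps in wins.items() if bps > threshold)
        if flagged:
            hits[ip] = flagged
    return hits


def detect_subnet_spray(rates, threshold=SUBNET_THRESHOLD_BPS, per_ip=PER_IP_THRESHOLD_BPS):
    """Diluted attack: no host in the /24 crosses the per-IP trigger, but the aggregate does."""
    agg = defaultdict(lambda: defaultdict(float))
    peak = defaultdict(lambda: defaultdict(float))
    for ip, wins in rates.items():
        net = subnet_of(ip)
        for w, bps in wins.items():
            agg[net][w] += bps
            peak[net][w] = max(peak[net][w], bps)
    hits = {}
    for net, wins in agg.items():
        flagged = sorted(w for w, bps in wins.items() if bps > threshold and peak[net][w] <= per_ip)
        if flagged:
            hits[str(net)] = flagged
    return hits


def detect_pulse_wave(single_hits, min_bursts=2):
    """Pulse-wave: a target is hit in separate bursts, and other targets are hit in the gaps."""
    def bursts(windows):
        out, start, prev = [], windows[0], windows[0]
        for w in windows[1:]:
            if w != prev + 1:
                out.append((start, prev))
                start = w
            prev = w
        out.append((start, prev))
        return out

    pulsing = {}
    for ip, wins in single_hits.items():
        b = bursts(wins)
        if len(b) < min_bursts:
            continue
        gaps = set()
        for (_, e1), (s2, _) in zip(b, b[1:]):
            gaps.update(range(e1 + 1, s2))
        others = sorted(o for o, ow in single_hits.items() if o != ip and gaps & set(ow))
        if others:
            pulsing[ip] = {"bursts": b, "alternates_with": others}
    return pulsing


def constructed_flows():
    """Constructed sample records: 50 Mbps baseline, a 20-host /24 spray at 200 Mbps per host
    (4 Gbps aggregate, under the per-IP trigger), and a two-target 5 Gbps pulse-wave."""
    flows = []
    for w in range(10):
        for host in ("192.0.2.10", "192.0.2.11"):
            flows.append((w * 60 + 5, host, 50_000_000 * 60 // 8))
    for w in (2, 3, 4):
        for h in range(20, 40):
            flows.append((w * 60 + 10, f"203.0.113.{h}", 200_000_000 * 60 // 8))
    for w in (0, 1, 4, 5):
        flows.append((w * 60 + 1, "198.51.100.10", 5_000_000_000 * 60 // 8))
    for w in (2, 3, 6, 7):
        flows.append((w * 60 + 1, "198.51.100.20", 5_000_000_000 * 60 // 8))
    return flows


def analyse(flows):
    rates = bucket_rates(flows)
    single = detect_single_target(rates)
    return {
        "single_target": single,
        "subnet_spray": detect_subnet_spray(rates),
        "pulse_wave": detect_pulse_wave(single),
    }


if __name__ == "__main__":
    for kind, hits in analyse(constructed_flows()).items():
        print(kind, hits)
```

The per-IP detector alone never sees the 203.0.113.0/24 spray, because each host stays at 200 Mbps; only the aggregate check raises it. For the pulse-wave, the per-IP detector does fire, but the alternation report is what tells an operator that the two targets are one campaign cycling between hosts, rather than two independent incidents that each stop on their own.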

Mid-size Attacks Have Increased

In 2018 Corero also observed an increase in attacks in the tens to hundreds of gigabits per second range; this is a trend that will be particularly troublesome for providers who have been relying on back-hauling attack traffic to centralized scrubbing centers. Because scrubbing center capacity is typically a fraction of a provider’s edge capacity (often around 10-20%), traditional DDoS mitigation is limited to 100 Gbps, or less.

With more attacks over 10 Gbps, there will be more incidents where an attack, or the volume of concurrent attacks, is larger than a provider’s scrubbing capacity. That forces providers to blackhole traffic (via BGP, RTBH or FlowSpec) before it gets into their transit connections. The trouble is, blackholing pushes one or more of a provider’s customers completely offline, for the duration of the attack, in which case the attacker has succeeded because the target is still offline as a result of their actions. These days uptime is critical for many organizations, as they conduct much, or all, of their business over the Internet. Obviously, directly impacting business is a bad situation for providers to find themselves in.

A New Approach to DDoS is Needed

As the providers’ traditional scrubbing center approach struggles to keep up with growing attack volumes and sophistication, and their NOCs (Network Operations Centers) and SOCs (Security Operations Centers) struggle to manually distinguish between good and bad traffic, a new approach to DDoS protection is needed. Fortunately, through Corero’s partnership with Juniper Networks, it is now possible for the network perimeter to be the DDoS protection enforcer. Now providers can filter out DDoS traffic right at the edge of the network, in real-time, and at tens-of-terabits-per-second scale, instead of blackholing, or backhauling attacks to a scrubbing center. To see and hear more detail on this topic, watch my recent UKNOF conference presentation.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. If you’d like to learn more, please contact us.
