Evolving DDoS Threat Challenges Service Provider Capacity

The DDoS threat continues to grow in sophistication as cybercriminals refine their attack techniques to evade the established mitigation methods typically used for DDoS protection. At Corero we have observed attacks that are increasingly dynamic, changing shape in response to the defenses they encounter. Communications service providers in particular now need to rethink how they deliver DDoS mitigation for their customers.

Headline-Grabbing Attacks Have Waned

A couple of years ago the Mirai botnet and its derivatives were regularly making headline news, launching massive DDoS floods such as the attack against Dyn DNS. In the past year or so, however, much of the global botnet activity has been directed towards cryptocurrency mining, which likely explains why we haven't seen a massive DDoS attack for over a year now. It appears that cybercriminals figured out they can make more money harnessing botnets for cryptocurrency mining. Nevertheless, existing botnets continue to evolve: variations of the Mirai malware keep showing up, and many of them are used to power booter and stresser services, effectively offering DDoS for hire.

Multi-Vector Attacks are on the Increase

Cybercriminals can, and often do, dynamically and automatically change attack parameters and vectors in response to the cyber-defenses they encounter. When an attack is continually modified, it becomes much harder to mitigate. Attackers often add vectors to increase the volume of an attack; sometimes they layer different vector types, and sometimes they switch the attack vector itself mid-attack to evade detection.

Attackers have also taken to spraying attacks over an entire subnet, rather than directing them at a single IP address. An attack diluted across a subnet in this way is designed to evade traditional DDoS mitigation, which typically detects and reacts per destination address: no single host sees enough traffic to cross a detection threshold, even though the subnet as a whole is saturated. Pulse-wave attacks are yet another evasion technique: the attacker sends attack traffic to one IP address for a few minutes, stops, attacks another target, and then cycles between targets for the duration of the campaign. Each burst is short enough that, by the time a victim has detected the attack and swung its traffic to a scrubbing protection service, the attack has already moved on, so the mitigation is always a step behind and the defenders are left confused about what is actually under attack.
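Both evasion techniques above come down to the granularity at which a defender aggregates traffic. The following Python example, added here and not code from Corero or from the original article, runs simple threshold detection over constructed flow records (timestamp, destination IP, bytes) and contrasts per-IP alerting with per-/24 alerting. The victim prefix 203.0.113.0/24, the window size and the thresholds are assumptions chosen for illustration. In the first phase 1 Gb/s is sprayed evenly over the whole /24, so no single host trips the per-IP threshold; in the second phase a 2 Gb/s pulse hops between hosts in the same /24 with short pauses, so per-IP alerts flap while prefix-level campaign tracking with a short hold time keeps it as one continuous event.

```python
from collections import defaultdict
from ipaddress import ip_network

WINDOW_SEC = 10                          # aggregation window (assumed)
PER_IP_THRESHOLD_BPS = 50_000_000        # 50 Mb/s per destination host (assumed)
PER_PREFIX_THRESHOLD_BPS = 500_000_000   # 500 Mb/s per /24 (assumed)
PREFIX = ip_network("203.0.113.0/24")    # documentation range standing in for a victim subnet
HOSTS = [str(h) for h in PREFIX.hosts()] # 254 addresses


def make_flows():
    """Constructed flow records (timestamp_sec, dst_ip, bytes); not real captures."""
    flows = []
    # Phase 1, t=0..59: 1 Gb/s sprayed evenly across the whole /24.
    # Each host sees only ~3.9 Mb/s, well under the per-IP threshold.
    per_host = int(1_000_000_000 / 8 * WINDOW_SEC / len(HOSTS))
    for t in range(0, 60, WINDOW_SEC):
        flows.extend((t, h, per_host) for h in HOSTS)
    # Phase 2, t=100..189: pulse wave. 2 Gb/s hits one host for two windows,
    # pauses for a window, then moves to the next host in the same /24.
    pulse = [HOSTS[0], HOSTS[0], None, HOSTS[10], HOSTS[10], None,
             HOSTS[20], HOSTS[20], None]
    for i, target in enumerate(pulse):
        if target is not None:
            flows.append((100 + i * WINDOW_SEC, target,
                          int(2_000_000_000 / 8 * WINDOW_SEC)))
    return flows


def rates(flows, keyfn):
    """Bits per second per (window index, key); keyfn derives the key from dst_ip."""
    acc = defaultdict(int)
    for t, dst, nbytes in flows:
        acc[(t // WINDOW_SEC, keyfn(dst))] += nbytes
    return {k: v * 8 / WINDOW_SEC for k, v in acc.items()}


def per_ip_alerts(flows):
    """(window, ip) pairs where one destination exceeded the per-IP threshold."""
    return sorted(k for k, bps in rates(flows, lambda d: d).items()
                  if bps > PER_IP_THRESHOLD_BPS)


def per_prefix_alerts(flows, prefixlen=24):
    """(window, prefix) pairs where a whole prefix exceeded the per-prefix threshold."""
    key = lambda d: str(ip_network(f"{d}/{prefixlen}", strict=False))
    return sorted(k for k, bps in rates(flows, key).items()
                  if bps > PER_PREFIX_THRESHOLD_BPS)


def campaigns(flows, prefixlen=24, hold_windows=2):
    """Merge prefix-level alerts into campaigns: (prefix, start_sec, end_sec, hosts_hit).
    Gaps of up to hold_windows are bridged, so a pulse that pauses or moves to
    another host in the same prefix is not declared over at every lull."""
    hits = defaultdict(set)
    for w, ip in per_ip_alerts(flows):
        hits[w].add(ip)
    by_prefix = defaultdict(list)
    for w, p in per_prefix_alerts(flows, prefixlen):   # already window-ordered
        by_prefix[p].append(w)

    def summary(p, start, end):
        hosts = set().union(*(hits[w] for w in range(start, end + 1)))
        return (p, start * WINDOW_SEC, (end + 1) * WINDOW_SEC, sorted(hosts))

    out = []
    for p, windows in by_prefix.items():
        start = prev = windows[0]
        for w in windows[1:]:
            if w - prev > hold_windows:        # lull longer than the hold: new campaign
                out.append(summary(p, start, prev))
                start = w
            prev = w
        out.append(summary(p, start, prev))
    return out


if __name__ == "__main__":
    flows = make_flows()
    print("per-IP alerts:  ", per_ip_alerts(flows))      # nothing during the spray phase
    print("per-/24 alerts: ", per_prefix_alerts(flows))  # both phases visible
    for c in campaigns(flows):
        print("campaign:", c)
```

The spray phase produces no per-IP alerts at all, while the /24 aggregate is over budget in every window. In the pulse phase the per-IP view raises and clears an alert on a different host every couple of windows, which is exactly what would cause a per-target diversion to a scrubbing center to swing back and forth; the prefix-level campaign, with a two-window hold, reports a single 80-second event naming all three hosts hit. The hold time is a tuning choice: too short and pulses split into separate events, too long and unrelated attacks merge.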

Mid-size Attacks Have Increased

In 2018 Corero also observed an increase in attacks in the tens to hundreds of gigabits per second range. This trend is particularly troublesome for providers who rely on back-hauling attack traffic to centralized scrubbing centers: because scrubbing center capacity is typically only a fraction of a provider's edge capacity (often around 10-20%), the volume a provider can actually scrub is frequently limited to 100 Gbps or less.

With more attacks over 10 Gbps, there will be more incidents in which a single attack, or the combined volume of concurrent attacks, exceeds a provider's scrubbing capacity. That forces providers to blackhole traffic via BGP (using remotely triggered blackholing, RTBH, or BGP FlowSpec) before it reaches their transit connections. The trouble is that blackholing takes one or more of the provider's customers completely offline for the duration of the attack, so the attacker has succeeded anyway: the target is unreachable as a direct result of their actions. Uptime is critical for many organizations today, as they conduct much, or all, of their business over the Internet, and directly impacting a customer's business is a bad situation for a provider to find itself in.

A New Approach to DDoS is Needed

As providers' traditional scrubbing center approach struggles to keep up with growing attack volumes and sophistication, and their NOCs (Network Operations Centers) and SOCs (Security Operations Centers) struggle to manually distinguish good traffic from bad, a new approach to DDoS protection is needed. Through Corero's partnership with Juniper Networks, it is now possible for the network perimeter itself to enforce DDoS protection: providers can filter out DDoS traffic at the edge of the network, in real time and at tens-of-terabits-per-second scale, instead of blackholing it or back-hauling it to a scrubbing center. To see and hear more detail on this topic, watch my recent UKNOF conference presentation.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.