Corero

Look for Comprehensive Visibility to Combat and Review DDoS Attacks

It was recently discovered that, from November 2020 until early February 2021, Plex Media Server systems were being abused by DDoS-for-hire services as a UDP reflection/amplification vector in single- and multi-vector distributed denial of service (DDoS) attacks. Plex patched the issue within days of its disclosure, but the episode is yet another example of how creative today's attackers are in finding and exploiting weaknesses in Internet-exposed services. Although that vector was only capable of launching relatively small (around 3Gbps) attacks, even that is enough to have a significant impact on a target, causing partial or full service interruption.

Because attackers are highly creative in leveraging the weaknesses they regularly uncover on the open Internet, and their attacks are increasingly sophisticated, organizations must invest in a DDoS mitigation solution that can keep pace with the latest attack techniques. Deciding which DDoS solution is the best fit for your organization may be overwhelming at first, so here is some advice for organizations shopping for a DDoS protection solution. There are several criteria to consider: How accurately does it detect attacks? How quickly can it mitigate them? How much does it cost on a CAPEX or OPEX basis? Does it effectively mitigate small, sub-saturating and multi-vector attacks as well as those which are large-scale and high-volume?

Single-pane View of Security

Another important criterion is whether the solution provides comprehensive visibility into a current or past attack, to enable forensic review. Unfortunately, security analysts often find themselves lacking the visibility they need into security incidents. Even when they do have data, they spend a lot of time analyzing past, current, and potential attacks, and are often faced with sifting through reams of log data. What they need are easy-to-use, accurate and immediate dashboard reports at their disposal. Users should be able to view these dashboards at a site-by-site level, or in an aggregate view that delivers a consolidated "single-pane" security picture.

Integration with Security Information and Event Management Systems

A DDoS mitigation solution should integrate with existing networking infrastructure as well as a variety of Security Information and Event Management (SIEM) and Operational Intelligence solutions. It should also be accessible from any browser, so that end users do not have to install a specific desktop application to manage or review DDoS attack activity. That is why Corero's DDoS Analytics App leverages Splunk software for big data analytics and visualization capabilities that transform security event data into sophisticated dashboards.

Real-time Visibility into Current Attacks

The chosen solution should also offer alerts that give early warning of suspicious and malicious activity. Network-level metadata (flow records, per-destination packet and byte rates, the distribution of source addresses and ports) typically contains the leading indicators of unusual activity targeting a network. So, when considering a DDoS mitigation solution, organizations should seek out one that provides real-time views summarizing network and security activity, so that, if necessary, they can adjust their mitigation on the fly. DDoS attacks have grown in sophistication, and attackers often use multi-vector attacks that change faster than security analysts can manually respond to them, so an automated real-time solution with comprehensive visibility is more critical than ever.
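As an added illustration of the kind of leading indicator that network metadata carries (this is example code written for this page, not Corero's or Plex's own detection logic), the block below scans a constructed, NetFlow-like flow export and flags destinations that are receiving UDP traffic from many unrelated hosts whose *source* port is a known reflection service. The set of reflection ports, the flow record format, the sample addresses and the thresholds are all assumptions made for the example; 32414 is the Plex Media Server discovery port abused in the incident described above. The bit-rate threshold is deliberately low so that a sub-saturating attack is caught as well as a volumetric one.

```python
"""Flag UDP reflection/amplification targets from flow metadata (example code)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of commonly abused reflectors. This mapping is an assumption
# for the example; 32414 is the Plex Media Server discovery port.
REFLECTION_PORTS = {
    19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 389: "cldap",
    1900: "ssdp", 11211: "memcached", 32414: "plex-gdm",
}


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    pkts: int


def parse_flows(text: str) -> list[Flow]:
    """Parse an assumed CSV export: ts,src,sport,dst,dport,proto,bytes,pkts."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, nbytes, pkts = line.split(",")
        flows.append(Flow(float(ts), src, int(sport), dst, int(dport),
                          proto.lower(), int(nbytes), int(pkts)))
    return flows


def detect_reflection(flows, window_s, min_sources=20, min_bps=10_000_000):
    """Return {target: summary} for destinations receiving reflected UDP.

    A reflection victim sees the same service port as the *source* port of
    packets from many unrelated hosts, all aimed at one destination. Legitimate
    use of the same services involves a handful of servers, so the distinct
    source count is the discriminator; the bit-rate floor is set low enough
    to catch sub-saturating attacks (tune it to the protected link in practice).
    """
    stats = defaultdict(lambda: {"bytes": 0, "pkts": 0, "sources": set(),
                                 "services": defaultdict(int)})
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTION_PORTS:
            continue
        s = stats[f.dst]
        s["bytes"] += f.nbytes
        s["pkts"] += f.pkts
        s["sources"].add(f.src)
        s["services"][REFLECTION_PORTS[f.sport]] += f.nbytes
    alerts = {}
    for dst, s in stats.items():
        bps = s["bytes"] * 8 / window_s
        if len(s["sources"]) >= min_sources and bps >= min_bps:
            service = max(s["services"], key=s["services"].get)
            alerts[dst] = {"service": service, "sources": len(s["sources"]),
                           "bps": bps, "pps": s["pkts"] / window_s}
    return alerts


def constructed_sample() -> str:
    """Constructed 10-second flow export: one reflected attack plus benign noise."""
    lines = ["# ts,src,sport,dst,dport,proto,bytes,pkts"]
    # 40 abused Plex servers (hypothetical 192.0.2.0/24 addresses) answering
    # spoofed probes, so their replies land on the victim 203.0.113.10.
    for i in range(40):
        lines.append(f"{1612000000 + i % 10},192.0.2.{i + 1},32414,"
                     f"203.0.113.10,{40000 + i},udp,1200000,3000")
    # Benign: one resolver answering a client's DNS queries, and ordinary HTTPS.
    lines.append("1612000003,198.51.100.53,53,198.51.100.5,51234,udp,1800,12")
    lines.append("1612000004,198.51.100.80,443,198.51.100.5,51235,tcp,250000,400")
    return "\n".join(lines)


if __name__ == "__main__":
    for target, info in detect_reflection(parse_flows(constructed_sample()), 10.0).items():
        print(f"{target}: {info['service']} reflection from {info['sources']} hosts, "
              f"{info['bps'] / 1e6:.1f} Mbps, {info['pps']:.0f} pps")
```

On the constructed input the victim is flagged at about 38 Mbps from 40 reflectors, while the client that received a DNS reply from a single resolver is not, because the distinct-source test is what separates reflection from normal service traffic. In a real deployment the same aggregation would run over a sliding window of exported flows rather than a static file.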

Historical Analysis

Comprehensive visibility is essential not only to quickly combat DDoS threats, but also to enable compliance reporting, security audits, and forensic analysis of past threats. Once a DDoS attack has been mitigated, security analysts can learn by conducting a forensic review of the attack, uncovering hidden patterns and identifying emerging threats within the massive streams of security event data. Without such forensic insight it is impossible to determine how quickly and effectively an attack was mitigated, or whether any false positives caused collateral damage to legitimate traffic that could give rise to customer Service Level Agreement (SLA) claims.
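To make the two questions above concrete (how fast was the attack mitigated, and what did the mitigation cost in false positives), here is an added example of a post-incident review over a constructed event stream. It is example code written for this page, not Corero's or Splunk's format or tooling; the JSON-lines event schema (detect, mitigate, drop and clear events with a later analyst "verdict" on each drop) and the sample timestamps and addresses are assumptions made for the illustration.

```python
"""Post-incident DDoS review metrics from a constructed event stream (example code)."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed events for one attack on 203.0.113.10. Schema is assumed:
# "drop" events record traffic discarded by the mitigation and carry an
# analyst verdict of "attack" or "legitimate" assigned during the review.
SAMPLE_EVENTS = """
{"ts":"2021-02-01T10:00:00Z","event":"detect","target":"203.0.113.10","vector":"udp-reflection/32414"}
{"ts":"2021-02-01T10:00:02Z","event":"mitigate","target":"203.0.113.10","action":"rate-limit sport 32414"}
{"ts":"2021-02-01T10:00:03Z","event":"drop","target":"203.0.113.10","src":"192.0.2.7","bytes":900000,"verdict":"attack"}
{"ts":"2021-02-01T10:00:03Z","event":"drop","target":"203.0.113.10","src":"192.0.2.8","bytes":850000,"verdict":"attack"}
{"ts":"2021-02-01T10:00:05Z","event":"drop","target":"203.0.113.10","src":"198.51.100.9","bytes":4200,"verdict":"legitimate"}
{"ts":"2021-02-01T10:07:30Z","event":"clear","target":"203.0.113.10"}
"""


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def review(events_text: str) -> dict:
    """Summarize, per target: time to mitigate, attack duration, and collateral drops."""
    marks = defaultdict(dict)          # target -> {"detect": ts, "mitigate": ts, "clear": ts}
    dropped = defaultdict(lambda: {"attack": 0, "legitimate": 0, "collateral_srcs": set()})
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        target, ts = ev["target"], parse_ts(ev["ts"])
        if ev["event"] in ("detect", "mitigate", "clear"):
            marks[target].setdefault(ev["event"], ts)   # keep the first occurrence
        elif ev["event"] == "drop":
            dropped[target][ev["verdict"]] += ev["bytes"]
            if ev["verdict"] == "legitimate":
                dropped[target]["collateral_srcs"].add(ev["src"])
    report = {}
    for target, m in marks.items():
        d = dropped[target]
        total = d["attack"] + d["legitimate"]
        report[target] = {
            "time_to_mitigate_s": (m["mitigate"] - m["detect"]).total_seconds(),
            "attack_duration_s": (m["clear"] - m["detect"]).total_seconds(),
            "dropped_attack_bytes": d["attack"],
            "collateral_bytes": d["legitimate"],
            "collateral_sources": sorted(d["collateral_srcs"]),
            # Share of discarded bytes that were legitimate: the SLA-relevant number.
            "false_positive_ratio": d["legitimate"] / total if total else 0.0,
        }
    return report


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_EVENTS), indent=2))
```

The false-positive ratio and the list of legitimate sources that were dropped are exactly the evidence needed when a customer raises an SLA claim; the detect-to-mitigate interval is the evidence that the automated response met its own target. In practice the verdicts would come from correlating dropped flows against known-good address lists or customer reports, not from a hand-labelled field as in this constructed sample.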