In the year of the DDoS, how best to fight the fire?
In research last week, Prolexic revealed that distributed denial-of-service (DDoS) attacks were increasingly being targeted at the technology designed to mitigate them.
The company claimed that DDoS mitigation equipment was being targeted as most technologies "do not have the capacity to process the high packet per second attacks that are being used".
Ahead of this research, I had been thinking that with the DDoS attack being so prevalent, was it really possible to divert the excessive traffic and page requests? It is almost a year since the Anonymous group began its campaign of DDoS attacks in support of WikiLeaks founder Julian Assange, and since then it has become the attack du jour.
Prolexic's report was, not surprisingly, followed by a service announcement: the roll-out of its security engineering and response team (PLXSERT), which provides pre- and post-attack data to clients as a subscription service. It said that with intelligence gleaned from monitoring threats, it is possible to identify botnet characteristics without any DDoS traffic having been received.
Prolexic is far from the only company offering DDoS mitigation technology. Products and services have been launched by Tata Communications and Imperva, while Adversor has unveiled its True Dynamic Mitigation service.
Adversor said its technology uses continuous monitoring of network traffic, early threat detection and a combination of filtering and mitigation techniques. It said it is able to block DDoS attacks close to the source and implements more than 30 techniques to protect against the largest and most sophisticated attacks.
Speaking to SC Magazine, Rob Rachwald, director of security strategy at Imperva, said mitigation is the best alternative to going onsite and physically stopping hackers.
Asked if there was any way of mitigating and/or 'cleaning' traffic, apart from in the cloud, he said: “Many companies provide technology (network firewalls) that stop DDoS as well. However, this puts the onus on enterprises to manage this themselves. As more and more companies, especially smaller ones, become targets, a cloud option becomes very appealing due to lower cost while retaining effectiveness.”
Following Symantec's acquisition of the identity and authentication business of VeriSign, the latter has remodelled itself as an enterprise-level DNS and DDoS mitigation service provider. Sean Leach, vice-president of network intelligence at VeriSign, claimed that "enterprises need something and what we are offering is similar to other carriers.
“The DDoS is the number-one threat. Our research found that 66 per cent had experienced an attack, while 13 per cent had more than six attacks. Now they are attacking at the application layer and it is hard to tell the real traffic apart. A 100GB connection cannot provision for it, you can have a massive headache or you can buy the capability.
“It is very difficult to mitigate, but we now offer a service to smaller enterprises. This will 'scrub' the traffic in the cloud and send the genuine traffic back to you.”
Darren Anstee, solutions architect at Arbor Networks, said that while the 'classic' DDoS issues a 'get' for a website, with an attack on the application layer it is hard to tell what a real query looks like.
He said: “Most DDoS attacks are against the application layer, but if the attack is larger than the pipe then there is nothing you can do and, if you are saturated with traffic, then your customers cannot get through. If you get overwhelmed, our Enterprise Edge solution uses cloud signalling to call for help from a 'parent'. A service provider will sell this to a data centre and enterprises.
“There are a lot of operators offering DDoS mitigation; an MSSP will offer DDoS protection and risk services, they will monitor it and divert traffic to cloud cleaning. This is a big growth area as people want protection from a DDoS.”
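As an added, stand-alone illustration of the application-layer problem Anstee describes, where each request is an ordinary-looking 'get' (this is not code from SC Magazine or any vendor named in this article): a per-source rate and path-repetition check over constructed Common Log Format lines. The thresholds, addresses and paths are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "method path proto" status bytes
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one CLF line into ip/timestamp/path; None if it does not match."""
    m = LOG_RE.match(line)
    return m and {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
                  "path": m["path"].split("?")[0]}

def flag_floods(lines, window_s=10, max_requests=20, repeat_ratio=0.9):
    """Return {ip: reason} for sources that, in any window_s-second sliding window,
    exceed max_requests or aim >= repeat_ratio of >= max_requests/2 requests at one
    path (thresholds are assumed for the example, not tuned values)."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most window_s
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            path, n = Counter(r["path"] for r in win).most_common(1)[0]
            if len(win) > max_requests:
                flagged[ip] = f"{len(win)} requests in {window_s}s"
                break
            if len(win) >= max_requests // 2 and n / len(win) >= repeat_ratio:
                flagged[ip] = f"{n}/{len(win)} requests to {path} in {window_s}s"
                break
    return flagged

def constructed_logs():
    """Constructed sample: one source hammering /search, one normal session."""
    t0 = datetime(2011, 12, 1, 12, 0, 0, tzinfo=timezone.utc)
    def clf(ip, t, path):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'
    lines = [clf("203.0.113.7", t0 + timedelta(milliseconds=300 * i), "/search?q=a")
             for i in range(30)]
    lines += [clf("198.51.100.4", t0 + timedelta(seconds=2 * i), p) for i, p in
              enumerate(["/", "/css/site.css", "/news", "/news/1", "/about"])]
    return lines
```

Run `flag_floods(constructed_logs())` to see only the hammering source reported; a browsing session that spreads a handful of requests across different pages stays below both limits.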
Leach claimed that the DDoS tool is very sophisticated compared with the brute-force style of earlier attacks, with them now designed to look like real traffic. “They are now attacking the DNS and they are not using all 'members' of the botnet, but just enough to get the job done,” he said.
While the first year since Anonymous took action against the likes of PayPal, Amazon and MasterCard is unlikely to be 'marked', the first action did take online attacks to a whole new avenue. From that point, anyone could be an attacker, and while there have been arrests to warn other wannabe attackers off, the threat to businesses remains.
That said, the solutions that have been launched could solve these problems and mitigate the threats, and attackers may be forced to find another way to bring their targets down.