DDoS anxiety? How to keep calm and carry on in the era of cloud and IoT

Cloud and IoT-based DDoS attacks are unmatched in their scale, sophistication, and in the damage they cause. A new generation of multi-dimensional analytics and router silicon is being recruited to eradicate this threat.

Coming on the heels of the DYN attack that disabled much of the internet and affected access to major sites like Twitter, Amazon and Netflix, the recent discovery of the REAPER bot sent shockwaves through the Internet and webscale communities. It crystallized the growing concern that the industry is dealing with new weaponry that gives DDoS perpetrators far greater power, and it's driving a rethink of DDoS defence architectures.

“If you don’t ‘fear the REAPER’, you should,” says Tony Kourlas, director of product marketing for Nokia’s Deepfield and Carrier SDN businesses. “This is not just another example of hackers taking advantage of IoT and cloud server vulnerabilities. With well over 1 million devices already infected, REAPER can unleash a fury that dwarfs anything before it.”

And while REAPER has the potential to push attack traffic into the multi-terabit level, it’s not just scale that’s a problem. Today’s DDoS bots are based around sophisticated open-source software that is readily adapted to different attack types. Many of these constantly changing attack types are woven together into a single attack that can punch large holes through traditional DDoS defence architectures.

Serious money

Kourlas notes that webscale companies and their Internet service provider partners are often first in line for blame in the wake of a serious DDoS incident. Many have been throwing serious money at the problem. They’re investing in ever more DDoS mitigation appliances that sit deep within a network, and in detection appliances that decide which traffic flows are sent to these ‘scrubbing centres’ for further analysis and cleansing. Detection appliances work by taking a baseline measure of what is considered ‘normal’ movement of data, and by redirecting any traffic that displays suspicious spikes in volume.

“This way of doing things is slow, expensive and subject to false positives and negatives,” warns Kourlas. “Used alone, traditional IP-flow based analysis is increasingly limited as a detection tool.”

This is because without additional context to complement raw tonnage measurements, it is difficult to determine whether a surge is a real attack or a valid event like a large file transfer from Amazon’s AWS. This can lead to false positives and negatives, with genuine attacks allowed to pass and valid application traffic stopped in its tracks. Scrubbing centre analysis helps, but it comes at a great cost in infrastructure, and it consumes precious time whilst the attack rages on.

What is needed instead is a faster, more precise way of detecting attacks, so that the vast majority of attack traffic can be stopped quickly at the edge of the network, before serious damage can occur. Operators need to look at combining new, software-based approaches to DDoS analytics with the enhanced filtering abilities of modern routers to develop a more accurate and scalable defence against DDoS attacks.

“The DDoS detection function belongs in software where it gains infinite context and scale,” says Kourlas. “You must be able to combine IP flow data, DNS data, BGP data, server data and packet ratios with a view of how all public cloud services travel through the internet to reach your network. With all this context, you can instantly identify friend from foe far more accurately than before, and you can use this knowledge to dynamically stop volumetric attacks with the routers at the edge of your security perimeter.”
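As an added illustration of the contrast Kourlas draws between raw tonnage measurement and context-aware detection (this is example code, not Nokia's or Deepfield's), the Python below runs a volume-only baseline detector and then a contextual one over the same flow records. The flow records, the baseline samples and the "known cloud" prefix (TEST-NET-3 as a stand-in for a provider's published ranges) are all constructed.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed stand-in for a cloud provider's published prefixes (TEST-NET-3).
KNOWN_CLOUD = [ipaddress.ip_network("203.0.113.0/24")]


def bytes_per_second(flows):
    """Aggregate flow records into total bytes per one-second bucket."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["ts"]] += f["bytes"]
    return totals


def volume_alerts(flows, baseline, k=3.0):
    """Volume-only detector: flag any second above mean + k*stddev of the
    baseline samples. This is the 'raw tonnage' view and cannot tell a
    cloud download from a flood."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return sorted(ts for ts, b in bytes_per_second(flows).items() if b > threshold)


def classify(flows, ts, many_sources=100, small_pkt=200):
    """Contextual verdict for one flagged second: source fan-in, mean packet
    size (a packet ratio) and whether every source is a known cloud range."""
    rows = [f for f in flows if f["ts"] == ts]
    srcs = {f["src"] for f in rows}
    mean_pkt = sum(f["bytes"] for f in rows) / sum(f["pkts"] for f in rows)
    from_cloud = all(any(ipaddress.ip_address(s) in n for n in KNOWN_CLOUD) for s in srcs)
    if len(srcs) >= many_sources and mean_pkt < small_pkt:
        return "volumetric-attack"      # many sources, tiny packets: edge ACL material
    if from_cloud and len(srcs) < many_sources:
        return "legitimate-bulk-transfer"  # one cloud origin, full-size packets
    return "needs-scrubbing"            # ambiguous: hand off for stateful analysis


def contextual_alerts(flows, baseline, k=3.0):
    """Same spike detection, but every alert carries a contextual verdict."""
    return {ts: classify(flows, ts) for ts in volume_alerts(flows, baseline, k)}


# Constructed sample: a ~1 MB/s baseline, normal traffic at t=9, a 50 MB cloud
# download at t=10 (one source, 1400-byte packets) and a flood at t=11
# (508 distinct sources in two TEST-NET ranges sending 64-byte packets).
BASELINE = [1_000_000 + 20_000 * (i % 5) for i in range(60)]
FLOWS = [{"ts": 9, "src": "192.0.2.1", "bytes": 1_000_000, "pkts": 900},
         {"ts": 10, "src": "203.0.113.10", "bytes": 50_000_000, "pkts": 50_000_000 // 1400}]
for net in ("192.0.2.0/24", "198.51.100.0/24"):
    for host in ipaddress.ip_network(net).hosts():
        FLOWS.append({"ts": 11, "src": str(host), "bytes": 64 * 1500, "pkts": 1500})

if __name__ == "__main__":
    print(volume_alerts(FLOWS, BASELINE), contextual_alerts(FLOWS, BASELINE))
```

The volume-only detector flags both t=10 and t=11 identically; the contextual pass separates the cloud download from the flood, which is the false-positive case the article describes.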

Taking defence further

Modern routers purpose-built to support DDoS defence take this one step further. They support millions of ACLs without impacting performance, so they can keep up with massive DDoS armies composed of millions of things. They also provide packet filtering capabilities, again at massive scale, to complement DDoS analytics software: they look within packets for the tell-tale signature of volumetric attacks so they can report up or take action as necessary.

With this blend of multi-dimensional analytics and modern routers, Kourlas says, the operator can stop the 90% of attack traffic that constitutes volumetric attacks without a trip to the scrubbing centre. “This approach allows for the intelligent detection of volumetric attack traffic—down to the IoT device or cloud server—enabling real-time, surgical mitigation of even the largest and most complex DDoS attacks. It also frees scrubbing centers and mitigation appliances for what they do best – stateful analysis that can detect and mitigate more sophisticated application level DDoS attacks that constitute the remaining 5%-10% of attack traffic. This significantly lowers backhaul costs and scrubbing fees, which are typically tied to traffic volume.”

Deal with anxiety

At the time of publishing, the REAPER threat has remained just that. Its discovery at such an advanced state of cloud/IoT infection has turned heads, and it has started the debate on how best to deal with REAPER anxiety and the changed face of DDoS. The answer seems to lie in leveraging the right blend of multi-dimensional analytics and modern routers to handle these massive volumetric attacks, and refocusing traditional scrubbing centres on stateful, application level attacks.

The changing face of DDoS attacks

The most common and the most threatening form of modern DDoS attack is the so-called volumetric attack, accounting for around 90% of DDoS problems. These attacks have evolved to embrace cloud and IoT technologies. They use botnets to infect hundreds of thousands of these devices, which can quickly flood Internet and webscale network infrastructure with a huge amount of what at first seems like legitimate traffic. Network and cloud services become agonizingly slow, or stop altogether. These attacks can be huge: not of the order of a few Gbit/sec, but often several hundred Gbit/sec, and sometimes 1 Tbit/s and beyond. Multi-vector attacks are increasingly common, where one attack type is used to tie up an organization’s security team while a secondary, more conspicuous attack causes the real damage.

Networks also face application layer attacks that exploit vulnerabilities in key networking protocols to attack application or cloud services. While they can significantly reduce access to these services, they are targeted attacks at the protocol level and hence use far less bandwidth than volumetric attacks.

Rethink DDoS protection: Insight-driven IP networking is here

nokia.ly/insight-driven-automation