Mitigating Intelligent DDoS Attacks
October 11th, 2011 By: Industry Perspectives
Rakesh Shah is director of product marketing and strategy at Arbor Networks.
Whether you’re an ISP, a hosting company, a data center operator offering “cloud services,” or all of the above, you are no doubt facing multiple business challenges: increasing competition, corporate pressure to expand market share, ARPU and profitability, shrinking staff size, and reduced CAPEX/OPEX budgets. Today’s business environment is clearly tougher than ever.
The size, frequency and complexity of DDoS attacks are increasing, and to make matters worse, traditional security products such as firewalls or Intrusion Prevention Systems (IPS) are inadequate when it comes to stopping them. Over the last two years, the term “DDoS attack” has made its way into the public media stream, and even people with no technical background are aware of the existence and potential impact of such attacks.
In years past, DDoS attacks have been dominated by “volumetric” attacks usually generated by compromised PCs that are grouped together in large-scale botnets. Some well-publicized examples include the DDoS attacks against UK-based online betting sites where the hackers extorted the gambling firms, and the politically motivated DDoS attacks against the Georgian government. This type of DDoS attack is generally high bandwidth and originates from a large number of geographically distributed bots. The size of these volumetric DDoS attacks continues to increase year over year, and they remain a major threat to enterprises and ISPs alike.
Not only are attacks increasing in size, but they are also increasing in complexity as new types of DDoS attacks continue to emerge and threaten the availability of Internet-facing businesses and services. Try this: conduct an online search and you won’t find it difficult to locate media coverage regarding online banking, e-commerce and even social media sites that have been victims of application-layer DDoS attacks.
So, these attacks are prevalent. What’s the motivation? Most of the time it’s for financial gain, but other incentives include political “hacktivism” or just plain old ego. Thanks to a growing trend of do-it-yourself attack tools and “botnets for hire,” even a computer novice can execute a successful DDoS attack.
Let’s Talk Cloud
Data centers lie at the heart of every service provider’s cloud service. Not surprisingly, enterprises and data center operators are very concerned with the availability of the critical services running in their data centers. Today’s attackers view Internet-facing data centers as one of the new prime targets and are constantly launching DDoS attacks against these infrastructures for financial gain. Attackers find Internet data centers attractive for a few reasons:
- The shared resources and multi-tenant nature of data centers allow attackers to cause much collateral damage. In other words, they get “more bang for the buck!”
- Many times, data centers are running high-profile, mission-critical applications. This makes them ripe targets for extortion. By targeting such data centers, attackers are simply following the old saying “go where the money is.”
- Virtualization is a big part of data centers. This not only brings benefits but also opens up a whole new set of security challenges. For example, how do you get visibility into the virtual environment to protect it from inter-VM (virtual machine) attacks?
Combined Combat Effort
Today’s attacker uses a combination of 1) volumetric and 2) targeted application-layer attacks to execute multi-vector threats. To stop both of these attacks, security pros often take a layered approach. This means they use a combination of network-based (in the ISP’s network) and data center-based DDoS attack detection and mitigation. Industry best practices have proven that the best place to stop volumetric DDoS attacks is in the ISP’s cloud (via network-based DDoS protection). By the time the attack reaches the data center, it’s usually too late to mitigate, because it has already overwhelmed the network infrastructure or security devices (e.g., in-line firewalls and IPS). You must rely on the network-based DDoS protection of your ISP to stop these types of attacks.
Something else to keep in mind is that the best place to perform application-layer DDoS detection and mitigation is at the data center edge. Because these attacks are usually much smaller than volumetric attacks, they are harder to detect and stop in the ISP’s network. Since today’s DDoS attacks require detection and mitigation capabilities both in an ISP’s network and in the data center, it’s easy to see how an ISP can deliver a valuable and comprehensive DDoS protection service to customers. When deploying a managed security service, you could take a hybrid approach where the ISP offers network-based DDoS protection for volumetric attacks while the data center operator handles data center-based protection for application-layer DDoS attacks.
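The following is an added illustration of the layered split just described; it is example code written for this page, not code from the article or from Arbor Networks. It triages two kinds of telemetry, one-second flow aggregates (what an ISP sees on the link) and per-source HTTP request counts (what the data center edge sees), and routes each finding to the layer best placed to act on it. The record shapes, the 10 Gbit/s uplink, the 50% and 50 req/s thresholds, the 600-byte average request size, and all addresses are constructed assumptions; real deployments learn baselines from history rather than hard-coding them.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- Constructed record shapes (assumptions, not a vendor format) ---------------

@dataclass
class FlowSample:
    """One-second aggregate of NetFlow-style records toward one destination."""
    dst: str
    bits: int       # total bits seen toward dst in the window
    packets: int
    sources: int    # distinct source addresses seen in the window


@dataclass
class RequestSample:
    """One-second count of HTTP requests from one source to one path."""
    src: str
    dst: str
    path: str
    requests: int


# Assumed operating parameters (constructed for this example).
LINK_CAPACITY_BPS = 10_000_000_000   # 10 Gbit/s data center uplink
VOLUMETRIC_RATIO = 0.5               # >= 50% of uplink: only the ISP can absorb it
APP_LAYER_REQ_PER_SRC = 50           # >= 50 req/s from one source to one path
AVG_REQUEST_BYTES = 600              # rough size of one HTTP request on the wire


def classify_flow(sample: FlowSample,
                  link_bps: int = LINK_CAPACITY_BPS,
                  ratio: float = VOLUMETRIC_RATIO) -> Optional[str]:
    """Return 'volumetric' when the aggregate alone threatens the uplink."""
    if sample.bits >= link_bps * ratio:
        return "volumetric"
    return None


def find_app_layer_offenders(samples: List[RequestSample],
                             threshold: int = APP_LAYER_REQ_PER_SRC
                             ) -> Dict[Tuple[str, str], List[str]]:
    """Group sources that hammer one (dst, path) above the per-source rate."""
    offenders: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for s in samples:
        if s.requests >= threshold:
            offenders[(s.dst, s.path)].append(s.src)
    return dict(offenders)


def requests_as_flow(samples: List[RequestSample], dst: str) -> FlowSample:
    """Project request counts onto the link view an ISP would have of them."""
    relevant = [s for s in samples if s.dst == dst]
    total = sum(s.requests for s in relevant)
    return FlowSample(dst=dst, bits=total * AVG_REQUEST_BYTES * 8,
                      packets=total, sources=len({s.src for s in relevant}))


def triage(flow_samples: List[FlowSample],
           request_samples: List[RequestSample]) -> List[dict]:
    """Assign each finding to the defense layer that should handle it."""
    actions = []
    for f in flow_samples:
        if classify_flow(f) == "volumetric":
            actions.append({
                "layer": "isp-network", "type": "volumetric", "target": f.dst,
                "reason": f"{f.bits / 1e9:.1f} Gbit/s from {f.sources} sources",
            })
    for (dst, path), srcs in find_app_layer_offenders(request_samples).items():
        actions.append({
            "layer": "data-center-edge", "type": "application-layer",
            "target": f"{dst}{path}", "sources": sorted(srcs),
        })
    return actions


# --- Constructed sample telemetry (documentation address ranges) ---------------
FLOWS = [
    FlowSample(dst="203.0.113.10", bits=8_000_000_000, packets=1_200_000, sources=45_000),
    FlowSample(dst="203.0.113.20", bits=300_000_000, packets=60_000, sources=1_200),
]
REQUESTS = [
    RequestSample(src="198.51.100.5", dst="203.0.113.20", path="/search", requests=120),
    RequestSample(src="198.51.100.6", dst="203.0.113.20", path="/search", requests=95),
    RequestSample(src="198.51.100.7", dst="203.0.113.20", path="/", requests=3),
]

if __name__ == "__main__":
    for action in triage(FLOWS, REQUESTS):
        print(action)
    # The /search abuse is ~1 Mbit/s on the link: invisible to the volumetric check.
    print(classify_flow(requests_as_flow(REQUESTS, "203.0.113.20")))
```

Running it shows the two findings going to different layers: the 8 Gbit/s flood toward 203.0.113.10 is flagged for ISP-side scrubbing, while the two sources hitting /search are flagged at the data center edge. Projecting those 218 requests per second back onto the link (about 1 Mbit/s) and passing the result through `classify_flow` returns `None`, which is the point the text makes: the application-layer attack is far too small to stand out in the ISP's aggregate view and has to be caught where per-source request behaviour is visible.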
There’s no doubt that as DDoS attacks become easier to execute, they will continue to increase in size, frequency and complexity. Though IPS devices and firewalls are effective tools in addressing network integrity, when it comes to DDoS protection, they need some help. To defend data centers against today’s volumetric and application-layer attacks, one must take a layered approach in both the ISP’s cloud and the data center.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.