As we said in last week’s article on the rise of Distributed Denial of Service attacks on company networks, the attacks have evolved, becoming bigger in scale, more damaging in their effects, and targeting more and more companies.
But attackers are also innovating in the vectors they use and identifying more weak points to go after.
This means defenders need to adopt a multi-layered defense strategy.
It's Not Just About Simple Flooding Anymore
The traditional DDoS attack is when a company gets hit by a sudden dramatic increase in incoming messages, flooding communications channels until legitimate traffic can no longer get in.
To defend themselves, data center operators typically use DDoS mitigation services from vendors like Akamai and Cloudflare.
But that's just one way of doing DDoS, and attackers are always looking for new ways to do damage, said Joseph Blankenship, analyst at Forrester Research.
"For example, having protection in place for volumetric DDoS attacks doesn’t necessarily mean that a company is safe from application-based or multi-vector attacks," he said.
An application-based attack can shut down a company's website or other service with a much smaller volume of messages. For example, an attacker can send extremely resource-intensive information requests that bog down the application.
The messages can be so few in number that they don't even look like DDoS attacks.
Some DDoS mitigation vendors offer protection against these types of attacks as well, but companies also need to do their part by designing applications smart enough to avoid these kinds of traps.
In addition, Tony Kourlas, director of product marketing for Nokia’s Carrier SDN technology, recommends a two-tier approach to DDoS attacks: handling volumetric attacks at the edge of the network, and then, after messages pass this first level of checks, sending them to a scrubbing center that specifically looks for more sophisticated, targeted attacks.
"What happens today is you get an attack, the appliances that detect attacks see that there's a massive surge of some sort of traffic or other, and they would forward all that traffic to a scrubbing center," he said.
But that doesn't work well against today's large-scale attacks. "You're incurring all those costs and it takes too long to mitigate this attack."
Plus, the DDoS protection appliances have to be cleverer at identifying malicious traffic -- it's not enough to just go by size.
"You need sophisticated algorithms to identify if there's a problem," he said. Nokia is monitoring internet traffic to identify sources of malicious messages, and tracks traffic ratios to see if a source suddenly starts sending out different types of messages than it did before.
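One way to implement the ratio-tracking heuristic described above, as an added example that is not Nokia's or the article's code: it assumes per-source records of message type (constructed below), uses total variation distance between a source's baseline type mix and its current-window mix as the "shift" measure, and flags sources whose shift exceeds a chosen threshold.

```python
from collections import Counter

def type_ratios(records):
    """Per-source distribution of message types, e.g. {'src': {'dns': 0.9, 'http': 0.1}}."""
    per_source = {}
    for source, msg_type in records:
        per_source.setdefault(source, Counter())[msg_type] += 1
    return {src: {t: n / sum(c.values()) for t, n in c.items()}
            for src, c in per_source.items()}

def ratio_shift(baseline, current):
    """Total variation distance between two type distributions (0 = identical, 1 = disjoint)."""
    types = set(baseline) | set(current)
    return 0.5 * sum(abs(baseline.get(t, 0.0) - current.get(t, 0.0)) for t in types)

def flag_shifted_sources(baseline_records, window_records, threshold=0.5, min_messages=20):
    """Return {source: shift} for sources whose message-type mix in the current window
    differs from their baseline by more than `threshold`. Sources with too few messages
    in the window, or with no baseline at all, are skipped (nothing to compare against)."""
    base = type_ratios(baseline_records)
    window_counts = Counter(src for src, _ in window_records)
    flagged = {}
    for src, dist in type_ratios(window_records).items():
        if window_counts[src] < min_messages or src not in base:
            continue
        shift = ratio_shift(base[src], dist)
        if shift > threshold:
            flagged[src] = round(shift, 3)
    return flagged

def make_records(src, counts):
    """Helper to build constructed (source, message_type) records from type counts."""
    return [(src, t) for t, n in counts.items() for _ in range(n)]

# Constructed sample data (documentation-range addresses, not real observations):
# one source that was almost all DNS traffic and suddenly turns into a SYN sender,
# and one whose HTTP/HTTPS mix barely moves.
BASELINE_RECORDS = (make_records("198.51.100.7", {"dns": 90, "http": 10})
                    + make_records("203.0.113.4", {"http": 50, "https": 50}))
WINDOW_RECORDS = (make_records("198.51.100.7", {"dns": 5, "syn": 45})
                  + make_records("203.0.113.4", {"http": 26, "https": 24}))

if __name__ == "__main__":
    print(flag_shifted_sources(BASELINE_RECORDS, WINDOW_RECORDS))  # {'198.51.100.7': 0.9}
```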
In addition, instead of attacking a data center or website directly, the target could be a key infrastructure provider such as the DNS service, said Al Sargent, senior director of product at OneLogin.
As a result, when considering cloud services, companies should check that the vendors use multiple DNS providers.
"That way, if one DNS provider is experiencing a DDoS attack, the other providers can still route packets to the cloud service," he said.
And if a company is large enough to be running its own authoritative DNS servers, it may need to take more action.
That didn't use to be the case, said Rich Groves, director of research and development at A10 Networks. It changed after the Mirai botnet attacks late last year.
That brought attention to the fact that attackers can send a flood of requests for randomly generated subdomains of the company's domain, which can slow down or completely block legitimate incoming traffic.
"Before, people cared, but they didn't put as much into the problem," he said. "Now they're putting in brain power and money. They're putting in systems, like ours, in front of their authoritative DNS."
More Help On the Way
As DDoS attacks increase in scope and damage, telecommunications companies, security vendors, infrastructure providers, and other industry participants are working together to help data centers defend themselves.
Cloudflare, for example, partners with data center providers and telecom companies to extend protections to their networks and customers. It currently has a presence in 117 cities worldwide and sees about ten percent of internet requests, according to Matthew Prince, its CEO.
By providing DDoS defenses to internet service providers, Cloudflare can stop the attacks long before they reach their intended victims.
"We stop them as far upstream as we can," Prince said.