In a recent report on its attack data (PDF), Distributed Denial of Service mitigation provider Black Lotus saw the average DDoS attack size swell to 3.1 Gbps and 1.5 million packets per second, which is enough to flood many organizations with requests and prevent legitimate traffic from reaching its intended destination.
More than 70 percent of data centers had reported DDoS attacks in 2013, according to Arbor Networks’ latest infrastructure security report.
Even larger enterprises that have enough bandwidth to absorb high-volume attacks may find that their networks lack the infrastructure to process large bit or packet volumes. DDoS detection and mitigation infrastructure can also be handicapped by the network equipment and the bandwidth available to the company, which is often 10 Gbps or less.
By almost any measure, the scale of DDoS attacks is growing, and with it the risk that business-as-usual might cease at unprepared organizations.
There are many reasons for the larger scale of attacks. For one, instead of the traditional botnets made up of compromised PCs that flood a target with traffic, new botnets are able to launch more devastating attacks using powerful web servers, cloud services and mobile devices. These attacks are also smarter – pinpointing applications and infrastructure within a network that are most susceptible to attacks.
Keeping Your Servers and Customers Free of Malware
A recent study from online security provider Solutionary found that many online criminals are using cloud providers and mainstream web hosts to host and distribute malware. These services are attractive for all the same reasons legitimate clients use them: they’re easy to use, they’re scalable, and they’re cost-effective. The last point matters because some criminals not only use compromised servers but also pay for services like regular customers.
Solutionary senior research analyst Jeremy Scott says there are a number of ways service providers can keep their networks clean. “The first and most important thing these providers can do is to pay attention to the ‘abuse@’ email address.” This is, of course, the email address people can use to report misuse of your services, usually taking the form of “abuse@” followed by your own domain.
Scott says rather than ignoring abuse messages or forwarding them to the abuser (which surprisingly many web hosts do), one should provide a prompt and appropriate response. This could mean looking into the nature of the complaint, and soliciting additional details from the complainant if necessary.
Proactive scanning of content on web services could also turn up misuse, Scott says, but it could slow down services. Anti-virus scanning also has the weakness that it often relies on virus signatures to identify malware – and signatures take time to develop for any new threat.
He says ongoing monitoring of bandwidth utilization and other factors like outgoing connections is probably a better way to identify misuse. “[Service providers] can trend things and see where things aren’t looking normal.” For instance, it could be cause for suspicion when a small business site suddenly starts using up vast quantities of resources.
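The trending approach Scott describes can be made concrete with a per-customer baseline. The following Python script is an added example, not code from the article or from Solutionary: it keeps a short history of daily outbound bandwidth and outgoing connection counts for each hosting account and flags the latest day when it sits far outside that account’s own history. The account names and the daily figures are constructed sample data; the robust median/MAD scoring is one reasonable choice, not something the article prescribes.

```python
"""Trend-based misuse detection over per-customer hosting metrics.

Added example, not from the article or Solutionary. Each customer's
latest day is compared against that customer's own earlier days, so a
small site "suddenly using up vast quantities of resources" stands out
even though the same numbers would be routine for a large video site.
All sample data below is constructed.
"""
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample: daily (outbound_gb, outgoing_connections) per customer.
# "bakery" is a small business site that spikes on the last day.
SAMPLE: Dict[str, List[Tuple[float, int]]] = {
    "bakery": [(0.4, 120), (0.5, 150), (0.3, 110), (0.6, 140), (0.4, 130),
               (0.5, 125), (0.4, 135), (18.0, 9200)],
    "video-site": [(900, 40000), (950, 42000), (1100, 47000), (870, 39000),
                   (1000, 44000), (1050, 45000), (980, 43000), (1150, 48000)],
}


def mad(values: List[float]) -> float:
    """Median absolute deviation: a spread estimate that one earlier spike
    in the history cannot inflate the way a standard deviation can."""
    m = median(values)
    return median(abs(v - m) for v in values)


def robust_z(value: float, history: List[float]) -> float:
    """Distance of `value` from the history's median, in MAD units.
    Dividing by 0.6745 makes MAD comparable to a standard deviation for
    normally distributed data; the epsilon avoids a zero divisor when the
    history is perfectly flat."""
    spread = mad(history) / 0.6745
    return (value - median(history)) / (spread + 1e-9)


def flag_anomalies(series: Dict[str, List[Tuple[float, int]]],
                   threshold: float = 6.0) -> Dict[str, List[str]]:
    """Return customer -> metrics whose latest value exceeds `threshold`
    MAD units above that customer's own earlier days. Only upward
    departures are treated as a misuse signal here."""
    findings: Dict[str, List[str]] = {}
    for customer, days in series.items():
        if len(days) < 4:          # too little history to trend
            continue
        history, latest = days[:-1], days[-1]
        hits = []
        for idx, name in enumerate(("outbound_gb", "outgoing_connections")):
            z = robust_z(latest[idx], [d[idx] for d in history])
            if z > threshold:
                hits.append(name)
        if hits:
            findings[customer] = hits
    return findings


if __name__ == "__main__":
    for customer, metrics in flag_anomalies(SAMPLE).items():
        print(f"{customer}: abnormal {', '.join(metrics)} -> review for misuse")
```

Run on the constructed sample, only the bakery account is flagged, on both metrics, while the video site’s larger but steady numbers pass. A production version would feed the same scoring from flow records or billing counters and would pair a flagged account with the abuse-desk workflow described above rather than acting on it automatically.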
Hosting service providers can help make sure not only that their customers aren’t using their services to support malware, but also that legitimate customers aren’t having their services hacked into. But outside attacks pose a host of other problems.
Using Next-Gen DDoS Mitigation
DDoS pioneer Barrett Lyon founded Prolexic in 2003. Lyon had long since left Prolexic by the time cloud delivery platform and online security provider Akamai acquired it in December 2013, an acquisition that gave Akamai crucial data center protection capabilities it had been lacking.
But after Lyon was unable to access his bank account because his bank was targeted by a DDoS attack, he returned to the industry with a new company called Defense.Net that specializes in mitigating DDoS attacks for modern Internet applications. “Prolexic was built before the internet had video – websites and applications have changed a lot since then,” he says, noting that Prolexic and many competitors have done little to grow their per-customer capacity or refine their algorithms to avoid false positives, that is, blocking legitimate website visitors and application users.
Given the current size of new DDoS attacks, an ideal DDoS solution should provide enough scale per customer to mitigate attacks, meaning that mitigation providers must continue to increase the size of their networks. There’s also a concentration risk in which attackers going after multiple sites on the same mitigation service overwhelm the service.
Defense.Net’s DDoS Frontline solution was designed to provide enough capacity for each customer, but it also sends incoming web traffic to a “DefenseActioner” which divides packets and routes them to the most appropriate mitigation solution among hundreds. It also provides visibility into the attack origin, type, and size, as well as the mitigation techniques used.
DDoS is a very serious problem for businesses and the service providers that host them. When customers and even employees are unable to reach services, there are serious consequences. And even if your organization hasn’t yet faced a DDoS attack, it might be worth having a plan in place before an attack happens.