The content delivery network (CDN) and cloud security provider Akamai has recently published its Summer 2018 State of the Internet / Security: Web Attack report. These reports are published twice a year and break down all the security attacks performed against Akamai's own infrastructure (over 7000 in the last 6 months). Their main goal is to inform users about the latest changes in attack activity and so help improve protection.
One of the main highlights from the report is that DDoS attacks are not just about volume. Many think of DDoS as a single type of attack vector, the volumetric one. Those attacks tend to get the most attention and make the press headlines more often. Funnily enough, they are also the ones that are easier to identify and mitigate nowadays: as long as traffic is redirected to your on-prem or cloud scrubbing once the attack is detected, protection kicks in within a matter of minutes.
Attackers are getting more sophisticated, though. Picture a 45-minute, high-capacity SYN flood against a particular IP. Once the attack has been detected and mitigation has started, the attacker may change the vector and substantially reduce the volume of traffic. Many security platforms will then let this malicious traffic through, since it now falls within what looks like a normal TCP rate threshold.
So, on one side, you need protection against large attacks. Inline mitigation devices are ineffective against volumetric attacks larger than the total bandwidth of your link, and if your organization has multiple internet links or you work for an ISP, this approach is simply impractical. Always-on traffic redirection to a cloud-based DDoS protection service overcomes that limitation but will likely come at a high price. On the other side, you face adaptive, evolving DDoS attacks that may slip past some of the above defences.
What can organizations do to protect themselves moving forward? Mirror the attackers: evolve and adapt.
- Review your DDoS response plan. A cost-effective and highly scalable method for DDoS detection is to leverage NetFlow exports from your existing devices to analyse traffic patterns and detect attacks out of path.
- Make sure your security solution can identify changes in an attack and adapt its detection mechanism. This ensures ongoing protection even when the attack's volume drops to “business-like” levels.
- Consider sophisticated mitigation strategies. The most efficient and cost-effective way of dealing with DDoS attacks is to combine mitigation techniques in stages. For example: redirect the first phase of the attack to an on-prem mitigation appliance; reroute later stages to cloud-based DDoS protection services to keep costs lower; and leverage BGP Flowspec so that your routers can drop traffic in the last phase of the attack.
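To make the three recommendations above, and the SYN-flood-that-shrinks scenario described earlier, concrete, here is an added example of out-of-path detection over NetFlow-style records. It is illustrative code written for this post, not Akamai's or any vendor's software. It assumes flow records have already been decoded into `Flow` objects by a collector, that the `tcp_flags` field carries the cumulative OR of flags seen in the flow (as in NetFlow v5), and that the thresholds, link capacity, IP addresses and the `plan_stage` / `flowspec_rule` helpers are constructed for this example. The behavioural detector (`syn-pattern`) keeps firing after the attacker throttles the flood below the volumetric threshold, which is the point of the second recommendation.

```python
"""Out-of-path DDoS detection over NetFlow-style records (illustrative example).

Assumptions: flow records are already decoded into Flow objects (a collector
such as nfdump or pmacct would supply them in practice); thresholds, addresses
and the staging/Flowspec helpers are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10   # TCP flag bits as carried in the NetFlow v5 tcp_flags field
WINDOW = 60             # analysis window in seconds


@dataclass
class Flow:
    ts: int          # export timestamp (epoch seconds)
    src: str
    dst: str
    proto: int       # 6 = TCP
    dport: int
    packets: int
    tcp_flags: int   # cumulative OR of TCP flags seen over the flow's life


def analyse_window(flows, pps_threshold=100_000, syn_ratio=0.8, min_tcp_flows=50):
    """Return (detections, packets-per-second, SYN-only ratio) for one bucket.

    'volumetric'  : packet rate over the window exceeds pps_threshold.
    'syn-pattern' : most TCP flows to the target are SYN-only (never ACKed);
                    this still fires when the attacker drops the volume.
    """
    pkts = sum(f.packets for f in flows)
    tcp = [f for f in flows if f.proto == 6]
    syn_only = [f for f in tcp if (f.tcp_flags & SYN) and not (f.tcp_flags & ACK)]
    ratio = len(syn_only) / len(tcp) if tcp else 0.0
    found = set()
    if pkts / WINDOW >= pps_threshold:
        found.add("volumetric")
    if len(tcp) >= min_tcp_flows and ratio >= syn_ratio:
        found.add("syn-pattern")
    return found, pkts / WINDOW, ratio


def detect(flows):
    """Bucket records per (window start, destination) and analyse each bucket."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.ts // WINDOW * WINDOW, f.dst)].append(f)
    results = {}
    for key in sorted(buckets):
        found, pps, ratio = analyse_window(buckets[key])
        if found:
            results[key] = (found, round(pps), round(ratio, 2))
    return results


def plan_stage(found, pps, link_capacity_pps):
    """Map one detection onto the staged mitigation the article describes (illustrative)."""
    if "volumetric" in found and pps > link_capacity_pps:
        return "cloud-scrubbing"       # inline gear cannot absorb more than the link carries
    if "volumetric" in found:
        return "on-prem-appliance"
    if "syn-pattern" in found:
        return "bgp-flowspec"          # narrow signature: cheap for routers to discard
    return "monitor"


def flowspec_rule(dst, dport):
    """Flowspec match/action components in RFC 5575 terms (vendor-neutral, illustrative)."""
    return {"match": {"destination": f"{dst}/32", "protocol": 6,
                      "destination-port": dport, "tcp-flags": "syn"},
            "action": "discard"}


def sample_flows():
    """Constructed sample: a flood against 198.51.100.10:443 that is throttled after 60 s."""
    flows = []
    for i in range(3000):   # phase 1: 3000 flows x 4000 pkts = 200k pps -> volumetric
        flows.append(Flow(10, f"203.0.113.{i % 250}", "198.51.100.10", 6, 443, 4000, SYN))
    for i in range(400):    # phase 2: attacker throttles to ~77 pps, but still SYN-only
        flows.append(Flow(70, f"203.0.113.{i % 250}", "198.51.100.10", 6, 443, 10, SYN))
    for t in (10, 70):      # legitimate completed sessions in both windows (SYN|ACK|PSH|FIN)
        for i in range(20):
            flows.append(Flow(t, f"192.0.2.{i}", "198.51.100.10", 6, 443, 30, SYN | ACK | 0x08 | 0x01))
            flows.append(Flow(t, f"192.0.2.{i}", "198.51.100.20", 6, 80, 12, SYN | ACK | 0x08 | 0x01))
    return flows


if __name__ == "__main__":
    for (start, dst), (found, pps, ratio) in detect(sample_flows()).items():
        stage = plan_stage(found, pps, link_capacity_pps=150_000)
        print(f"t={start:>3}s dst={dst} pps={pps:>7} syn_ratio={ratio} -> {sorted(found)} -> {stage}")
        if stage == "bgp-flowspec":
            print("   ", flowspec_rule(dst, 443))
```

Running it shows the first window flagged as both `volumetric` and `syn-pattern` (200,010 pps, above the constructed 150,000 pps link capacity, so the plan is cloud scrubbing), while the second window drops to roughly 77 pps and only the `syn-pattern` detector fires, which is where a fixed packet-rate threshold alone would declare the attack over. The second destination, carrying only completed sessions, never appears.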
DDoS attacks are here to stay, and they will only get more complex as more vectors for exploiting vulnerabilities appear. Organizations need to be as creative as those attacking them. What does your DDoS response plan look like? I would love to learn from your experience, so please comment below.
P.S. If you want to know more, this webinar will give you some tips on adaptive DDoS attacks.