By Riaan van der Merwe
We live in a present that many of us would never have imagined 20 years ago. Cashless payments, automated homes, instant communication, access to all our services through a single device – these are now all part of our reality. Technologies will only get more complex as our civilization digitizes itself, gradually moving away from archaic information storage systems.
As it has always been with the advancement of technology, security concerns will be part of the cycle. As technology develops, people will inevitably tinker with, hack and exploit the mechanics of the deeply integrated Web of Things to gain unauthorized access to sensitive data and information systems. This is why attacks such as DDoS have, over the decades, evolved from a mischievous experiment into a fully commercial criminal industry.
Purpose and motive of DDoS attacks
The motives for a DDoS attack range from criminal extortion, vandalism, demonstration of attack capabilities, political attacks and financial market manipulation to diversion for data exfiltration, to mention just a few.
Recently in South Africa, several ISPs have been targeted by large volumetric attacks, causing widespread service disruption to their customers. South African banks also fell victim to ransom-driven DDoS attacks in October 2019. These attacks incurred a massive loss of production and man-hours, not only for the institutions and companies themselves but also for their client base.
DDoS attacks are becoming bigger and more sophisticated each year, and it is incredibly important for vulnerable institutions and companies to secure themselves against this ever-growing threat, whatever the attacker's motive.
Most vulnerable institutions and companies
In modern networks we have reached a point where particular institutions, especially those that store valuable, personal or sensitive information, have become the target of criminal extortion in the cyber-realm. Traditional security appliances such as NGFWs, IPS devices and load balancers are no longer sufficient to protect these critical networks. These devices have become vulnerable to state exhaustion attacks: attacks that completely overwhelm the device's ability to perform its security functions.
In light of the previously mentioned cyber-attacks on banking institutions and government resources in South Africa, it should by now be perfectly clear that these entities should be gearing up to protect themselves from the very real modern threat of cyber-crime. Institutions within banking, finance, healthcare and government are amongst the most targeted. They should be looking at integrating dedicated DDoS mitigation products within their networks or, at the very least, subscribing to ISPs that use these products and are able to provide DDoS protection as a service.
DDoS mitigation and edge defence technologies
DDoS mitigation refers to the successful protection of assets against malicious denial-of-service attacks. This need is addressed extensively by products from companies like CloudFlare, ARBOR, Fastly, Imperva, Akamai and many more.
All of these technologies use similar methodologies in dealing with the threat of DDoS attacks. The mitigation process usually takes the form of the following stages: detection, diversion, filtering and analysis.
These platforms usually leverage constantly growing databases and security teams to analyse and gather intelligence on these worldwide attacks. This is an ongoing process to improve future resilience and faster identification of attacks from similar patterns and origin networks. Many of these platforms are also incorporating machine learning and proprietary AI to identify and mitigate attacks.
The techniques used to protect against DDoS attacks vary depending on which type of service the attackers target on your network.
Network layer attacks target protocols within the network and transport layers (layers 3 and 4). These are commonly volumetric attacks, which aim to cripple services or completely starve them of the capacity to serve legitimate requests. Mitigation techniques in this case make use of mechanisms, some more indiscriminate than others, such as null routing (traffic blackholing), sinkholing or scrubbing.
These techniques differ in how discriminating they are. Blackholing discards all traffic to the target, disposing of dirty traffic and legitimate requests alike. Scrubbing, on the other hand, redirects all traffic to a scrubbing appliance or datacentre, where bad and good traffic are separated and only the legitimate traffic is reinjected. Network layer mitigation is usually activated by means of BGP announcements.
Application layer attacks target protocols within layer 7 of the OSI model. Mitigation techniques for this type of attack make use of DNS routing, otherwise known as DNS redirection. DNS routing is activated by pointing your DNS CNAME and A records at a mitigation provider's scrubbing site. Here, malicious requests are scrubbed whilst legitimate traffic is forwarded back to your network via secure tunnels.
The following briefly explains each type of mitigation method:
- Blackholing is a method of mitigation that uses a next-hop address to direct traffic to a destination where it is discarded. Some ISPs or INX networks offer a service where you can advertise /32 prefixes tagged with a blackhole community. Traffic to these prefixes is then blackholed to a next-hop IP that is not routable on the internet. Essentially, this attempts to reduce packet flow to the blackholed destination. The biggest con of this mitigation method is that the IP becomes completely unreachable until the blackhole is removed, making it the harshest and most indiscriminate method.
- BGP Flowspec is a more granular method of blackholing, as described in RFC5575 by the IETF. BGP Flowspec allows matching criteria on a particular flow, including source, destination, L4 parameters and some packet specifics such as packet length. These matching criteria are sent within BGP UPDATE messages in the FLOW_SPEC_NLRI (network layer reachability information), and the same UPDATE also carries the action. Traffic matching these criteria can then be dropped or redirected to either another VRF or another device where further actions such as policing or scrubbing can take place. Infrastructure using BGP Flowspec consists of an FS controller and one or more FS clients. Matching criteria and actions are created on the controller and distributed to the clients via MP-BGP (multiprotocol BGP) using the flowspec address family. A pro of this mitigation method is that the destination IP(s) do not become completely unreachable, as legitimate traffic remains mostly unaffected, depending on the type of attack.
- Scrubbing is the method used to "clean" malicious traffic and redirect the legitimate traffic back to the destination. Products such as Arbor use scrubbing services which direct suspicious traffic to either cloud scrubbing centres or to a TMS device that detects attack patterns and cleans the traffic. Scrubbing can be triggered either via BGP Flowspec or by a passthrough device which collects and analyses flows. Inbound traffic is redirected into a "dirty VRF" and redirected back after being cleaned. This is the most expensive deployment of DDoS mitigation, but it has a major advantage: only malicious traffic gets blocked, and services keep functioning for legitimate requests.
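As an added example (not code from the article or from any of the products it names), the following Python builds the two BGP Flowspec elements the Flowspec bullet describes: the NLRI carrying the match criteria (RFC 5575 encoding) and the traffic-rate extended community carrying the action. The victim prefix, AS number and ports are constructed sample values.

```python
# Added example, not from the article: encode a BGP Flowspec rule (RFC 5575) as
# NLRI (match criteria) plus a traffic-rate extended community (action).
import ipaddress
import struct

# Numeric operator byte (RFC 5575 section 4): end-of-list, AND, lt, gt, eq bits.
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01
# Component types used here; the NLRI must list components in ascending type order.
DEST_PREFIX, IP_PROTO, DEST_PORT, PKT_LEN = 1, 3, 5, 10

def prefix_component(ctype, network):
    """Type 1/2 component: prefix length, then only the bytes the prefix needs."""
    net = ipaddress.IPv4Network(network)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_component(ctype, pairs):
    """Types 3..12: (op_flags, value) pairs; consecutive pairs are OR'ed unless
    op_flags carries OP_AND. The length code (bits 5-4) is derived from the value."""
    out = bytes([ctype])
    for i, (flags, value) in enumerate(pairs):
        size = 1 if value < 256 else 2 if value < 65536 else 4
        op = flags | ({1: 0, 2: 1, 4: 2}[size] << 4)
        if i == len(pairs) - 1:
            op |= OP_END  # last operator in the list
        out += bytes([op]) + value.to_bytes(size, "big")
    return out

def flowspec_nlri(components):
    """Prepend the NLRI length: 1 byte below 240, else 2 bytes with 0xF high nibble."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return (0xF000 | len(body)).to_bytes(2, "big") + body

def traffic_rate_community(bytes_per_sec, asn=0):
    """Extended community 0x8006: 2-byte AS + IEEE-754 float rate; 0.0 means discard."""
    return b"\x80\x06" + struct.pack(">Hf", asn, bytes_per_sec)

def udp_dns_to_victim(victim_prefix):
    """Match UDP to destination port 53 towards the victim prefix (a reflection flood)."""
    return flowspec_nlri([
        prefix_component(DEST_PREFIX, victim_prefix),
        numeric_component(IP_PROTO, [(OP_EQ, 17)]),
        numeric_component(DEST_PORT, [(OP_EQ, 53)]),
    ])

if __name__ == "__main__":
    print(udp_dns_to_victim("203.0.113.0/24").hex())      # constructed victim prefix
    print(traffic_rate_community(0).hex())                 # drop
    print(traffic_rate_community(1_000_000, 64496).hex())  # police to 1 MB/s
```

A packet-length range such as 1400 to 1500 bytes is expressed with two operators on the PKT_LEN component, the second carrying OP_AND.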
Choosing a mitigation provider
There are a number of factors to consider when choosing a mitigation provider.
- Network capacity – It is important to determine the bandwidth capacity you should be able to withstand in an attack. On-prem mitigation devices will only be able to sustain smaller amounts, whilst cloud-based services will usually be able to withstand much more than the biggest attack ever recorded.
- Processing capacity – Check the provider's processing capabilities. This factor is measured in forwarding rate (Mpps – millions of packets per second). Some of the biggest attacks in recent times have measured anything between 50 Mpps and 300 Mpps.
- Time to mitigation – This is where you should decide whether to have an always-on solution, and what the provider's time-to-mitigate response levels are.
- Network and/or application layer mitigation techniques – Depending on your network type, you should decide on a suitable product. Network layer mitigation products will be more suited to carrier networks such as ISPs, where bandwidth and capacity are important service deliverables. DNS mitigation will be the main form of protection for institutions hosting websites or mission-critical web services. Some cases may require a combination of both, in varying proportions.
- Pricing and SLAs – These solutions come with varying pricing models. As with much modern licensing, pay-as-you-go subscriptions are available, priced according to cumulative attack bandwidth or cumulative hours under attack, and most providers offer flat monthly costs as well. Also check provider SLAs for uptime guarantees and for the protection levels and attack scope covered. Lastly, make sure of your provider's support service levels and response times.
Although security products like these may come at a high capital expenditure cost, justifying their necessity should be easy considering what is at stake. Successful attacks can cause substantial damage, loss of intellectual property and even insurmountable reputational scarring to compromised institutions or companies.
As long as these vulnerable networks exist, there will be a target for attackers and the consequences of being exploited become even more dangerous every year. I think it’s time for all of us to approach DDoS with a lot more deliberation. Let’s be prepared for the present, and stay secured for the future.