
IoT Threats Underline the Need for Modern DDoS Defense

By Avi Freedman, co-founder and CEO of Kentik

A chilling new report from Deloitte warns that the proliferation of IoT devices in 2017 will raise the threat of Distributed Denial of Service (DDoS) attacks. The scale and nature of the evolving DDoS threat means that companies need to modernize and implement new defense strategies if they want to avoid bad outcomes.

Yes, It's That Bad

The size of DDoS attacks grew by roughly 30% a year from 2013 to 2015, but 2016 marked the first time that security experts detected attacks exceeding a terabit per second. Deloitte warns that such high-volume attacks will only increase in 2017, predicting an average of one terabit-scale attack per month this year.

The DDoS threat has escalated in part because of the growing base of insecure IoT devices, along with the rise of powerful malware bots that aggressively colonize those devices and use them for brutally powerful flooding and other attacks. Last year's massive attack on Brian Krebs' website (which web caching giant Akamai was protecting until it dropped the site), and the takedowns of European hosting provider OVH and DNS provider Dyn, are examples of the worst-case scenario. While most attacks will fall in the 1-50 Gbps range, that is still large enough to do serious damage.

Not only are attacks getting bigger, they are getting more sophisticated. In the past, DDoS attacks were very commonly simple floods sent from spoofed IP addresses; now, with armies of IoT devices at their disposal, attackers can mount harder-to-defend reflection and amplification attacks (which still spoof the victim's address, but aim it at open DNS, NTP or similar services whose replies are far larger than the requests) at far greater scale. In addition, the geographic spread of the attacking devices means that an organization with multiple internet peering connections will likely see attack traffic enter at several points at once.

For organizations with revenue riding on their internet traffic, it is important to know that attackers targeting higher-value internet businesses do thorough reconnaissance ahead of time, so that they are familiar with all of your IP address blocks. This lets them probe for weaknesses before launching the real attack, and then spread the attack across your address space in an attempt to exhaust your network bandwidth completely.

More than Your Website at Stake

Most people think of their websites when they consider the possible impact of DDoS attacks, and that is entirely appropriate. But it goes further. Your business' DDoS attack surface grows as you become more dependent on cloud and digital services. For example, say your team is developing applications on an IaaS cloud. A DDoS attack on that cloud could render your developers unproductive: not the end of the world, but certainly costly. But what if you're dependent on a PaaS cloud to test and push timely updates to an application that clients depend on? A DDoS attack that disrupts that update cycle could be far more damaging.

Consider that you're running a revenue-critical scheduling application for a fleet of trucks that depends on services such as location that are delivered across the internet from cloud-based services providers. Or, as is common in most modern application stacks, you may have a complex digital supply chain, relying on APIs to providers like Twilio, Google, and Amazon to complete transactions.

A disruption of a critical service dependency can cripple that application. And protecting the "front door" of the application through a CDN is often insufficient, especially if your site "origin" reaches those digital partners over the internet.

The fact of the matter is that businesses today rely on the internet more than ever. Among respondents to a survey at a recent CIOArena conference in Atlanta, only 16% said the internet was not core to any aspect of their business. This level of internet dependence is clearly about more than the website, and it is important to remember that when planning your defenses.

Hitting the Ceiling of Legacy DDoS Defense

The state of the art of DDoS defense has been on two parallel tracks over time. The mitigation or traffic scrubbing aspect of DDoS defense has evolved to meet the escalating volumes of attack traffic, handle different types of attacks as they morph, and to deliver via hybrid combinations of on-premises and cloud-based capacity. So, while there haven't been any quantum leaps in DDoS traffic scrubbing, progress is continuous, and the primary focus is how to handle the scale challenge.

The detection track has been decidedly more sluggish and less innovative over the past decade. Most "out of band" DDoS detection techniques based on network telemetry (traffic flow data such as NetFlow or sFlow) have not really progressed since the early 2000s. Legacy, single-server DDoS detection platforms suffer from limited, low-scale compute and storage resources, and as a result they miss a significant portion of attacks. The reason is that the lack of computing power forces severe compromises. While intelligent traffic baselining has been fundamentally possible for years, in a single-server DDoS detection system it is not practically usable: the detection server has to segregate baselining on a per-router basis and therefore cannot baseline network-wide traffic.

Inflexible, static policy configurations mean that policies quickly fall out of date. As a result, most network engineers and operators do not even bother trying to use baselining. Instead, they configure catch-all static thresholds that are far less precise. Even worse, legacy detection servers cannot track individual IP addresses. That means a static threshold-based DDoS detection policy is typically operating on a very large pool of destination IP addresses, so an attack that is enormous for one server but small relative to the pool can easily be missed.
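To make the two preceding points concrete, the following added example (not code from the article or from Kentik) runs both detection styles over a constructed set of NetFlow-style records: a catch-all static byte threshold over a whole pool of destination addresses, and a per-destination-IP baseline built from each server's own history. The sample traffic, the addresses (RFC 5737 documentation ranges), the attack volume and the choice of 2x the busiest interval as the static threshold are all assumptions made for the demonstration. The last interval carries a DNS reflection flood against one server, ~19x that server's normal volume but under 50% of the pool's aggregate, which is exactly the case a pooled threshold misses. The flagged interval is then characterized for the reflection signature discussed earlier (UDP from well-known reflector source ports, many distinct sources).

```python
"""Flow-based DDoS detection: catch-all static threshold vs. per-destination baseline.

Added example, not code from the article or from Kentik. All addresses, flow
records and volumes below are constructed so the script runs offline.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int        # interval index, e.g. one minute of flow export
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str     # "tcp" or "udp"
    bytes: int


SERVERS = [f"192.0.2.{i}" for i in range(1, 41)]   # 40 servers behind one border router (constructed)
VICTIM = "192.0.2.10"
INTERVALS = 60
ATTACK_INTERVAL = INTERVALS - 1
REFLECTOR_PORTS = {53, 123, 1900, 11211}            # DNS, NTP, SSDP, memcached reply ports


def synth_flows(seed=1):
    """Quiet HTTPS traffic to every server, then a DNS reflection flood on VICTIM
    in the last interval: ~1.5 MB, about 19x that server's normal volume but less
    than 50% of the whole pool's aggregate for the interval."""
    rng = random.Random(seed)
    flows = []
    for t in range(INTERVALS):
        for dst in SERVERS:
            for _ in range(20):   # 20 client flows per server per interval, ~4 KB each
                flows.append(Flow(t, f"198.51.100.{rng.randint(1, 254)}", dst,
                                  rng.randint(1024, 65535), 443, "tcp",
                                  rng.randint(3000, 5000)))
    for i in range(300):   # replies to spoofed queries from 254 distinct open resolvers
        flows.append(Flow(ATTACK_INTERVAL, f"203.0.113.{i % 254 + 1}", VICTIM,
                          53, rng.randint(1024, 65535), "udp", 5000))
    return flows


def bytes_by_interval(flows, key=lambda f: "all"):
    """Sum bytes per (key, interval); the default key is one bucket for the whole pool."""
    series = defaultdict(lambda: defaultdict(int))
    for f in flows:
        series[key(f)][f.ts] += f.bytes
    return series


def static_threshold_alerts(flows, threshold_bytes):
    """Legacy style: one threshold over every destination the router sees."""
    totals = bytes_by_interval(flows)["all"]
    return sorted(t for t, b in totals.items() if b > threshold_bytes)


def baseline_alerts(flows, k=6.0, min_history=10):
    """Per-destination-IP baseline: alert when an interval exceeds the mean plus
    k standard deviations of that destination's own history. Flagged intervals
    are not fed back into the history, so an attack cannot raise its own bar."""
    series = bytes_by_interval(flows, key=lambda f: f.dst_ip)
    alerts = []
    for dst, per_t in series.items():
        history = []
        for t in sorted(per_t):
            b = per_t[t]
            if len(history) >= min_history:
                mu = mean(history)
                sigma = max(pstdev(history), 0.05 * mu)   # floor: no zero-width baselines
                if b > mu + k * sigma:
                    alerts.append((t, dst))
                    continue
            history.append(b)
    return sorted(alerts)


def characterize(flows, t, dst):
    """For a flagged (interval, destination), measure the reflection signature:
    share of bytes that are UDP from known reflector source ports, and the
    number of distinct sources hitting the destination."""
    hits = [f for f in flows if f.ts == t and f.dst_ip == dst]
    total = sum(f.bytes for f in hits)
    reflected = sum(f.bytes for f in hits
                    if f.proto == "udp" and f.src_port in REFLECTOR_PORTS)
    return {"reflector_share": reflected / total if total else 0.0,
            "distinct_sources": len({f.src_ip for f in hits})}


def run_demo(flows=None):
    flows = flows or synth_flows()
    totals = bytes_by_interval(flows)["all"]
    # An operator setting a catch-all threshold typically picks "twice the busiest
    # interval we have seen" so that normal peaks do not page anyone (assumption).
    threshold = 2 * max(totals[t] for t in range(ATTACK_INTERVAL))
    result = {"static": static_threshold_alerts(flows, threshold),
              "baseline": baseline_alerts(flows)}
    result["detail"] = {a: characterize(flows, *a) for a in result["baseline"]}
    return result


if __name__ == "__main__":
    r = run_demo()
    print("static threshold alerts :", r["static"])     # [] : the attack hides inside the pool
    print("per-destination alerts  :", r["baseline"])   # [(59, '192.0.2.10')]
    for key, d in r["detail"].items():
        print(key, f"reflector share {d['reflector_share']:.2f}, {d['distinct_sources']} sources")
```

The pooled threshold never fires, because 1.5 MB added to a 3.2 MB interval stays well under the "twice the busiest interval" bar, while the per-destination baseline flags the victim immediately and the characterization shows the traffic is almost entirely UDP from port 53 spread over hundreds of sources. Keying the baseline by destination IP rather than by router is what the article's "network-wide baselining" amounts to at the data level; the cost is one time series per protected address, which is the storage and compute burden a single appliance cannot carry.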

The Future of DDoS Detection Is Built on Big Data

The antidote for sluggish, single-server DDoS detection is to transform these functions using the power of the cloud and big data. Big data has progressed rapidly from an open source, roll-your-own, batch-oriented business intelligence technology into applied and optimized solutions that can also support true real-time operational use cases such as DDoS detection. Column-store platforms provide the operational speed and flexibility to store time-series traffic flow data and other data in an extensible fashion. But big data requires compute horsepower, and that is where cloud and SaaS make sense: they make it possible to tap into and share a massive compute engine. Multi-tenancy is a well-known methodology by now, offering the ability to share wide computing resources fairly so as to ensure low-latency detection as well as rapid-fire ad hoc forensics over long-term retained traffic details.

Early results from big data DDoS detection deployed in conjunction with modern mitigation platforms are encouraging. Networking teams are reporting field results of 30% greater detection accuracy than with legacy appliance-based approaches.

Don't Stop Modernizin'

Unless you are one of the small minority of organizations that doesn't rely on internet traffic for core parts of its business, the sad truth is that aggressively addressing the DDoS threat can be an existential matter. And in the age of IoT-scale DDoS, big data power is a key ingredient of modern defense.

Related Reading

Data Mining Tools for Malware Detection

Data Mining and Machine Learning in Cybersecurity

Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations

25 Years of DDoS

About the Author

Avi Freedman is co-founder and CEO of Kentik. Avi has decades of experience as a leading technologist and executive in networking. He was with Akamai for over a decade as VP Network Infrastructure and then Chief Network Scientist. Prior to that, Avi started Philadelphia's first ISP (netaxs) in 1992, later running the network at AboveNet and serving as CTO for ServerCentral.


© Copyright 2017 Auerbach Publications