DDoS: THE STAKES HAVE CHANGED. HAVE YOU? Arbor White Paper REVEALED: 3 dangerous myths about DDoS attacks

Upload: vanhanh

Post on 11-Mar-2018


Page 1: REVEALED - plexnet Pty Ltd - 3... · Intelligent DDoS Mitigation Systems (IDMS) provide a multi-faceted solution that can detect and block attacks with multiple dimensions of countermeasures


When DDoS attacks make the headlines it’s usually because they are massive volumetric attacks that have flooded a high profile website. They understandably grab the attention of the media, but this focus on size can be misleading, as smaller businesses tend to think that they are unlikely to be targeted.

It’s true that the size of DDoS attacks is growing significantly as the storm of reflection amplification attacks continues to rage across the Internet – with ever larger peak attack sizes. In 2014, the largest attack Arbor monitored was throwing 325Gbps (gigabits per second) of bogus data at the targeted system. Last year the largest DDoS attack was up at 334Gbps. For the APAC region, the largest attack seen in 2016 was 196Gbps in July. That is smaller than the largest attack seen in 2015, which was 334Gbps, but still very significant in terms of size.

In total, 70 attacks over 100Gbps were monitored in APAC during 2016, versus just 18 in all of 2015.

Scaling your on-premise DDoS protection to protect against such high bandwidth network flood attacks would become extremely expensive, so they can only really be mitigated in the cloud, away from the intended target.

However, the reality is that most organisations will never experience a huge attack. Instead, the biggest threat is from smaller size attacks that are 1Gbps or less, which make up 86% of all attacks targeting organisations in the APAC region. The average DDoS size for APAC was 624Mbps in 2016. Arbor predicts the average attack will be approaching 700Mbps by the end of 2017 in the APAC region.

Compared to a large UDP flood attack on the network, a smaller HTTP flood attack that targets a business at the application level, using real IP addresses from real machines and running complete application transactions, can actually do much more damage, as it can be harder to detect and block.

An attack that is 1Gbps in size is generally capable of saturating the Internet connectivity of most organisations and knocking them offline, resulting in service disruption, lost income and damage to the company’s reputation – unless you have the necessary on-premise DDoS protection. This provides the rapid reaction capability needed to quickly identify and mitigate the effects of “low and slow” application layer attacks, as well as state exhaustion attacks targeting infrastructure, such as firewalls and IPS.

SIZE – it isn’t always everything

MYTH: All DDoS attacks are huge – they only target big businesses, not companies like ours

The findings of the latest annual Worldwide Infrastructure Security Report (WISR) by Arbor Networks show that Distributed Denial of Service (DDoS) attacks continue to be popular with attackers, and are increasing in size, frequency and complexity.

They are a common way to disrupt businesses and online services. Traffic floods a system with requests, overloading the service and preventing legitimate traffic from getting through. As well as frustrating users and customers, the cost of these attacks can be severe in terms of lost revenue and productivity due to infrastructure downtime, reputational damage, and the price of remediation. In fact, Arbor estimates that the average cost to the victim of a DDoS attack is around $30,000 - $50,000 an hour¹.

Unfortunately, the perpetuation of certain myths means that many organisations still do not fully understand the dangers posed by DDoS attacks – or the risks to their business.


“Instead, the biggest threat is from smaller size attacks that are 1Gbps or less, which make up 86% of all attacks targeting organisations in the region.”


DDoS attacks are happening so frequently that it is now virtually inevitable that your business will be targeted – and it probably already has been. Arbor's WISR shows that 42% of organisations have experienced a DDoS attack, and there is an upward trend in certain sectors, for example banking and finance, government, etc. Attack frequency is on the rise, showing a 38 percent year-over-year increase among those experiencing more than 10 attacks per month.

Based on data gathered from Arbor’s Active Threat Level Analysis System (ATLAS®), which provides a comprehensive view of the latest global threats, the frequency of attacks is growing very rapidly. Two years ago, only 25% of respondents reported seeing more than 21 attacks per month. Last year, that proportion increased to 38%, and this year it has risen to 44%.

Over the year 2016, Arbor monitored an average of 37,000 DDoS attacks every week in the APAC region, with Korea, China and Australia being the top three targets.

The rapid growth in the number of attacks is primarily because the tools that can help launch a DDoS attack are easily available online for little to no money. Attack methodologies pioneered by skilled attackers and used sporadically for years have been ‘weaponised’. Nice GUIs and even 24/7 online ‘customer’ support have been made more broadly available to attackers with little or no technical skills. All it takes is a few clicks and a small amount of Bitcoin and now anyone with a computer, an internet connection and a grievance can launch an attack, on a massive scale, using an arsenal of DDoS botnets-for-hire and so-called ‘booter/stresser’ services.

And the cost to the attacker for using these ‘weapons of mass disruption’ could be as little as $60 a day. They can knock a website offline for a week and spend less than it costs to buy a new smartphone!

A side-effect of this is the proliferation of motives behind DDoS attacks – dramatically increasing the risk that almost anyone can become a target. While extortion and ideological hacktivism used to be the main reasons for launching an attack, now they are often instigated because of grudges against businesses or individuals, to generate kudos or simply “because they can”.

However, a motive that is becoming more prevalent is the use of DDoS attacks as a smoke screen for other criminal activities. For example, as part of an advanced threat campaign, a DDoS attack may be launched simply to distract IT staff, so they remain unaware of the attackers’ real aim of malware infiltration and the theft of confidential data, Intellectual Property or money. Last year, 19% of WISR respondents saw this as a common or very common motivation, and this has increased to 26% this year.

FREQUENCY – it’s only a matter of time before you get hit

MYTH: With so many businesses in the world the odds are low that we will be attacked

[Figure: APAC peak attack sizes (Gbps) by month, Jan-15 to Dec-16]


What is clear is that attackers are now employing complex and stealthy multi-vulnerability attack campaigns, using a dynamic combination of volumetric, TCP state exhaustion and application layer attacks aimed at the same target at the same time.

Arbor’s WISR shows that the vast majority of respondents (93%) had experienced an application layer attack on their networks. There was also significant growth in multi-vector attacks, with 56% of respondents last year admitting that they had been the victim of such attacks – a 14% increase on the previous year.

While multi-vector attacks may be smaller in size compared to high bandwidth flood attacks on the network, it is important to remember that the size of the attack does not always relate to the damage it can cause. Even the largest volumetric attacks may just slow or delay a service. However, application layer attacks can do much more damage, because they target critical services and can cause longer lasting service outages as businesses struggle to restart the affected applications.

Unfortunately, traditional defences simply cannot detect or defend against these attacks. In fact, they can exacerbate the problem. Firewalls, intrusion prevention systems (IPS) and other security products are essential elements of a layered-defence strategy, but they are designed to solve security problems that are fundamentally different from the weaknesses addressed by dedicated DDoS detection and mitigation products. And because they are stateful they can be the weakest link. Hackers love the firewall because it’s so easy to overwhelm, often acting as the DDoS entry point or being the first device to go down during a state-exhausting DDoS attack, or they can become the bottleneck that delays legitimate traffic.

It’s also a myth that Internet Service Providers (ISPs) or Content Delivery Network (CDN) providers protect a business against DDoS attacks. Many ISPs have not implemented universal anti-spoofing measures, while a CDN can be easily bypassed by changing the page request in every web transaction, which forces the CDN provider to “raise the curtain” and forward all the attack traffic directly to the target servers. Simply buying more CDN resources in order to create a bigger pipe will not work either – as it just delays the inevitable impact. On top of all this, it is also possible that your CDN provider may charge you for delivering all of the information spoofed by the DDoS attack, as they just see it as serving more content.

Tackling complex, multi-vector attacks needs a different approach. Intelligent DDoS Mitigation Systems (IDMS) provide a multi-faceted solution that can detect and block attacks with multiple dimensions of countermeasures before the attacks escalate. With visibility into all traffic and potential subterfuge, organisations can also stop dynamic and diverse threats before an attack is fully launched.

COMPLEXITY – more security doesn’t always mean more protection

MYTH: We’ve got a Firewall, IPS and our web traffic goes through our ISP or a content service – so we’re safe


[Figure 20: Multi-Vector DDoS Attacks. Yes 56%, Do not know 27%, No 17%. Source: Arbor Networks, Inc.]


There’s little doubt that DDoS attacks will continue to evolve and grow. There’s been discussion for a long time now about the potential security issues created by the many Internet-enabled appliances, such as fridges and fire alarms, that can now be found in homes and businesses. The threat posed by these “Internet of Things” (IoT) devices is now becoming a reality, with botnets made up of compromised webcams already being used to launch extremely high volume attacks of up to 400Gbps².

Gartner predicts that there will be as many as 21 billion IoT devices in use by the year 2020³. More and more of these devices are connected to the Internet and security vulnerabilities are found or remain unpatched within them, so this capability is only going to grow and grow – giving attackers plenty of capacity to launch ever larger and more complex attacks.

Worryingly, 46% of organisations already admit to having NO dedicated DDoS solutions in place¹. However, as the size, frequency and complexity of DDoS threats continue to increase, businesses will need to ensure that they have an effective solution in place to protect themselves – or pay the price. And that’s why the IT analyst community strongly recommends a multi-layered defence.

Such Intelligent DDoS Mitigation Systems (IDMS) provide a multi-faceted solution that can detect and block attacks before they can escalate, by combining on-premise protection against application layer attacks with cloud-based mitigation of high volume volumetric attacks. With global visibility into all potentially dangerous traffic and subterfuge, you can also stop dynamic and diverse threats before an attack is fully launched.

Only then will your organisation be fully protected from DDoS attacks today – and tomorrow.

Summary

Resources

¹ “DDoS Mitigation: Prevention Plan for 2017”, C View Technologies (CVT)

² “The Lizard Brain of LizardStresser” blog, Arbor Networks, June 2016

³ Press Release, Gartner, Inc., 10 November 2015


©2016 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, Pravail, Cloud Signaling, Arbor Cloud, ATLAS, We see things others can’t.™ and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.