Sophisticated DDoS attacks require new approaches
Distributed denial of service (DDoS) attacks are becoming increasingly sophisticated and more frequent, sparing no one, says A10 Networks.
Donald Shin, Chief Security Strategist, A10 Networks shared that it can cost just US$30 to buy a week's worth of DDoS attacks due to the ubiquity of Internet of Things (IoT) devices.
"The biggest threat is proliferation of the weaponisation of IoT devices and the sheer number of these that are available," he said, listing Amazon Alexa devices, iPads, connected TVs, and mobile phones as some of the typical devices found in a household today. "Attackers are able to exploit 10x as many things in order to create weapons for DDoS attacks."
Another vulnerability comes from "servers that have no business being on the Internet", which can be used to amplify an attack.
Memcached servers can increase a single attack by up to 51,000 times, for example.
The Mirai botnet, which appeared in 2016, showed hackers that they could leverage Linux as a weapon to build sophisticated, targeted, multivector engines, he noted. IoT devices have IP addresses, a full Linux stack, but are lacking in crucial data protection elements such as antivirus, he explained.
"Malware developers have a rich environment to work in," he said.
"Organisations are responding too slowly. On average, it's taking them three to five hours to determine they are under attack, even before remediation has started," he added.
Song Tang Yih, VP, Asia Pacific, A10 Networks, shared the case of an oil & gas customer who had a clean pipe - a service that detects DDoS activity and "scrubs" or prevents the activity from reaching the corporate network - but still found that DDoS attacks were affecting the network.
The customer had its 2nd main trading centre in Singapore, responsible for more than 80% of petroleum product volumes. Low-latency connections were critical to ensure that the company could execute trades at the most favourable price for its products, and receive up-to-date data feeds. Despite its clean pipe, a DDoS attack jammed its bandwidth in April 2018.
A new form of DDoS attack which is 'low and slow' disrupted trading, resulting in millions lost in trading revenue, Song said. The problem was that the clean pipe method cannot identify low-bandwidth attacks that target the network or application layer of service provider services and their subscribers.
"Companies are realising that the clean pipe is only one solution to DDoS resolution," he said. "We are seeing more enterprise customers implementing anti-DDoS in their network infrastructure in order to address the new sophisticated attacks. Every company that has an online Internet presence will share this risk."
Shin observed that traditional anti-DDoS solutions are built around the clean pipe, but that it is "2000s" technology. Clean pipes lead to too many errors, a tremendous amount of collateral damage during an attack, and an inability to surgically distance legitimate traffic from DDoS traffic. "The policies being set are less effective and very hard to scale and very expensive to scale (to a) significant threshold that (would be) required to defend against these IoT-based attacks," he said.
According to Shin, ideal DDoS prevention solutions need to demonstrate precision, automation and scalability.
[Figure] Source: A10 Networks. The modern approach to tackling DDoS features precision, automation, threat intelligence or scalability, and distributed detection.
• Precision – the solution identifies workloads initiated by hackers with no false positives or false negatives, and also ensures that services and infrastructure remain available. A false positive would be to mistakenly block a legitimate user, while a false negative would occur if the system missed an attack.
Shin said that traditional anti-DDoS measures make availability the priority but indiscriminately block traffic, when maintaining legitimate traffic should come first. "When the network goes down (the customer) leaves. It's important to minimise the collateral damage due to DDoS attacks," he said.
• Automation – the ability to auto-detect, mitigate and profile incoming traffic, with minimal manual intervention. An intelligent solution simplifies operations, speeds up responses and keeps DDoS defences focused on the more sophisticated attacks.
"The only way we can counter attackers using automation is for us to use automation," Shin said. "Legacy defenses are based on manual intervention and static policies. It is almost more like art than it is science. It requires operators to tune the system based on attack strategies but this slows down the response time."
Song added that with the breadth of security threats out there, it is difficult to acquire the right skillsets to counter everything, making automation the best answer.
Shin said machine learning can be used to create a "handsfree" type of environment that can automatically escalate mitigation depending on what is happening.
• Scalability – the solution mitigates and defends against attacks of all sizes. Threat intelligence can capture infected IP addresses and dynamically blacklist them.
A10 Networks recently introduced a Threat Intelligence Map that augments anti-DDoS solutions. The map shows existing DDoS weapons, as well as newly-discovered and deprecated DDoS weapons included in the A10 DDoS Threat Intelligence feed.
This ensures that organisations can visualise the scale of DDoS threat agents. Furthermore, the map gathers intel and identifies the geolocation of millions of IP addresses that are commonly used, or potential, DDoS attack agents to help pre-empt future attacks.
"Unlike the attack maps already on the Internet that only show attacks that have already happened, A10's DDoS map give you insights into where the next DDoS attacks will come from. By combining this knowledge with A10's actionable DDoS threat intelligence platform, Thunder TPS, you can take a proactive approach to DDoS defense," explained Shin in a blog post.
The insights from threat intelligence can only become actionable if they are paired with a DDoS solution that offers precision, automation and scalability, A10 Networks said. Its Thunder TPS products include a DDoS Threat Intelligence service updated in real-time. The products use the service to blacklist known malicious objects and whitelist trusted objects.
"DDoS defenders don't have to always guess when there is an attack. They can block them proactively based on the reputation of the reflectors that are commonly being used," Shin said. The theory is that if certain devices or IP addresses have a reputation for DDoS attacks, they are likely to be a source of a future attack and so should be blacklisted.
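As an added illustration (not A10's code or the Thunder TPS logic), the following Python sketch shows the reputation model described above: flows from sources listed in a threat-intelligence feed are blocked, an allowlist of trusted sources takes precedence, and the outcome is scored against labelled sample flows for the false positives and false negatives that the precision criterion refers to. The feed, allowlist and flows are constructed values, and the check on the memcached default port (11211) is an assumption added here, not something the article specifies.

```python
from dataclasses import dataclass

# Constructed threat-intelligence feed: sources with a reputation as DDoS
# reflectors. These are documentation-range addresses, not real indicators.
REPUTATION_FEED = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed allowlist of trusted sources (e.g. a partner's market data feed).
# It always wins, so a stale feed entry cannot block a legitimate peer.
ALLOWLIST = {"198.51.100.7"}

# Assumption beyond the article: inbound traffic *from* the memcached default
# port is treated as reflection, since the organisation runs no memcached
# service that would legitimately answer from that port across the Internet.
REFLECTOR_SRC_PORTS = {11211}


@dataclass
class Flow:
    src: str
    src_port: int
    nbytes: int
    malicious: bool  # labelled ground truth, constructed for scoring only


def should_block(flow: Flow) -> bool:
    """Reputation-based verdict: allowlist first, then feed, then reflector port."""
    if flow.src in ALLOWLIST:
        return False
    return flow.src in REPUTATION_FEED or flow.src_port in REFLECTOR_SRC_PORTS


def score(flows):
    """Return (false_positives, false_negatives) for the filter.

    A false positive blocks legitimate traffic; a false negative lets an
    attack flow through. Both must be low for the filter to count as precise.
    """
    fp = sum(1 for f in flows if should_block(f) and not f.malicious)
    fn = sum(1 for f in flows if not should_block(f) and f.malicious)
    return fp, fn


# Constructed sample flows. The last one is a reflector not yet in the feed,
# which is exactly the case reputation alone cannot catch.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 11211, 1400, True),   # known memcached reflector
    Flow("203.0.113.11", 123, 468, True),      # known NTP reflector
    Flow("198.51.100.7", 443, 900, False),     # trusted peer, allowlisted
    Flow("192.0.2.5", 11211, 1400, True),      # unknown source, memcached port
    Flow("192.0.2.9", 443, 1200, False),       # ordinary legitimate client
    Flow("192.0.2.8", 53, 3000, True),         # unknown DNS reflector: missed
]
```

Running `score(SAMPLE_FLOWS)` gives no false positives and one false negative, which is why the article pairs the feed with live detection rather than relying on reputation alone.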
• Distributed visibility. A proactive treatment for DDoS can be expensive for large networks, whereas a reactive treatment has limited visibility into network and application layer attacks. A distributed approach to detection that uses machine learning to automatically learn about and understand downstream infrastructure and their services, can create a scalable, cost-effective DDoS protection model, A10 Networks said.
Shin said that while the industry as a whole is working on improving things, "bad hygiene" continues to plague the Internet and is unlikely to go away. "There is zero reason for memcached servers to be on the Internet but 320,000 of these were publicly exposed during the Github attack," Shin said. "The Internet is full of terrible hygiene. The IoT is filled with terrible hygiene as well.
"We should make them more secure but bad hygiene will continue to exist and DDoS attacks will continue to grow as a result of that. We need to accept it and we need to develop better technology so that we can build resilience and these are the kinds of strategies that we're trying to outline in these four techniques or ways to improve DDoS resilience."
"It is not a foregone conclusion that DDoS attacks have to be successful," concluded Shin.
Explore: View the A10 Networks Threat Intelligence Map. Note that the objects marked as 'drones' refer to known botnets commonly used in DDoS attacks such as Mirai.