Distributed denial of service (DDoS) attacks are hitting data centers hard. Here’s why
Today’s commercial data centers are under attack, and in the worst possible way – distributed denial of service (DDoS). Denying services to customers strikes at the financial heart of a commercial data center, especially now when most operators are guaranteeing clients 100 percent uptime.
There are various types of attack (see Fact File), but in the simplest terms a DDoS attack is where an individual or group has decided to harm a data center, or clients of the data center, by making it appear that the entity under attack cannot provide its advertised services. To do this, the attacker floods the provider with a stream of apparently legitimate requests, far too many to deal with, so the service simply fails.
An analogy might be a wood chipper. Shoving a single branch – data center’s normal traffic – through the wood chipper, not a problem. Whereas trying to chip the tree’s entire trunk at one time – DDoS attack – would render the wood chipper inoperable.
With the advent of massive, rentable DDoS botnets, criminals of any ilk can overwhelm an entire data center’s resources. So it is possible that, even if the attackers are only after a specific organization, it might be easier to target the entire data center.
The first glimpse outsiders had into the seriousness of DDoS attacks against data centers came in 2013 when the Ponemon Institute, sponsored by Emerson Network Power, released its white paper, The Cost of Data Center Outages. Ponemon researchers asked more than 560 organizations to take part in the survey. Of those, 83 agreed, and 50 organizations (67 separate data centers) permitted onsite benchmark analysis. One interesting statistic surfaced in the report: cyber crime based on DDoS was the only root cause for data center outages to get worse between 2010 and 2013.
In March 2015, the Ponemon Institute took another look at DDoS attacks, interviewing more than 640 individuals who worked in IT operations, IT security, IT compliance, or data center administration, with responsibility for detecting and/or containing service-denial attacks. This time sponsored by Akamai Technologies, the Institute published its findings in The Cost of Denial-of-Service Attacks. The report listed the following as key findings:
Monetary costs: Companies in the study reported an average of $1.5m in costs related to service denial over the past 12 months. On average, these companies withstood four service-denial attacks in the same time period.
Causes downtime: 34 percent of the respondents said service-denial attacks shut down the entire data center, while 48 percent said the data center was partially shut down. On average, respondents said their systems were shut down nine hours during the past 12 months due to one or more DDoS attacks.
Attacks will increase: 44 percent of respondents said service-denial attacks increased over the past year; 49 percent said they will increase over the next 12 months.
DDoS attacks attempt to take sites and services offline; however, there are different levels at which they can strike. The Ponemon Institute lists the following as the most effective:
- Volume-based attacks: UDP floods, ICMP floods and other spoofed-packet floods – the goal is to saturate the bandwidth of the attacked site.
- Protocol attacks: SYN floods, fragmented-packet attacks, Ping of Death, and Smurf DDoS – these types of attack consume actual server and/or network equipment resources.
- Application-layer attacks: Slowloris, zero-day DDoS, or DDoS attacks targeting Apache, Windows or OpenBSD vulnerabilities – a large quantity of seemingly legitimate requests tries to crash web servers.
Effective attacks make use of networks of machines to carry them out. Most often these are botnets, where the attacking machines are computers that have been subverted with malware that implants a remotely controlled attack agent.
The consequence: 64 percent of respondents said the biggest consequence of a service-denial attack is reputation damage.
Imperva, a provider of data-security solutions, has released more specific information in a 2015 white paper called Global DDoS Threat Landscape. “Of attack-vector types, large-SYN flood (packet-size of 250 bytes and above) displays the most damage potential, followed by UDP flood,” it states. “The latter is the most common type, used in over 55 percent of all documented DDoS attacks on the Incapsula network during the period of the report.”
Imperva also finds that attack duration is increasing, with the longest attack lasting more than 64 days. More than 20 percent of the recorded attacks were over five days. The Imperva report also claims, in what I at first thought was a misprint: “In the second quarter of 2015, we continued to see an increase in DDoS attack volumes from 2014, with the largest network layer assault peaking at over 253 Gigabits per second.”
How do commercial data centers deal with that amount of unwanted traffic, plus normal client traffic, and still stay in operation, especially if an attack lasts more than 60 days?
To find out how data centers fight back, I spoke with Tim Parker, vice president of network services at ViaWest, who confirms that service-denial attacks are indeed a huge problem: “It is ongoing, and the threat hurts everyone.”
Mitigating the threat
But there are ways to reduce the impact, he says. ViaWest uses a Threat Mitigation Server (TMS) to monitor and deflect service-denial attacks. The server tracks normal traffic patterns, allowing it to identify anomalies. If an anomaly is detected, the TMS analyzes packet strings to differentiate attack traffic from client traffic, scrubs the unwanted attack traffic, and forwards the cleaned traffic to the proper client – all automatically.
It would take a huge amount of equipment to handle “perfect storm” DDoS attacks, in the range described by Imperva, and keeping this on standby in every data center would not be economical. The answer is to outsource the problem. If the TMS is close to being overwhelmed, traffic is rerouted to a company that specializes in DDoS-attack mitigation, where the attack traffic is removed. Parker said it may take up to two minutes for the traffic to be cleaned and returned, but the delay is preferable to “blackholing” all traffic addressed to the client under attack.
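The detect-then-scrub loop Parker describes (learn normal traffic, flag an anomaly, separate attack packets from client packets, forward the cleaned traffic, and hand off to an outside scrubbing provider when local capacity is exceeded) can be sketched in a few dozen lines, and the same sketch labels the flagged traffic with the Ponemon categories listed earlier (volume-based UDP flood, protocol-level SYN flood, with Imperva's 250-byte "large-SYN" cut-off). The code below is an added example written for this page; it is not ViaWest's TMS or any vendor's product logic. The flow records, the baseline rule (mean plus three standard deviations, floored at twice the mean), the per-source limit and the local scrubbing capacity are all constructed assumptions chosen to make the toy run offline.

```python
"""Toy baseline-and-scrub loop modelled on the TMS description above.

Added example, not ViaWest's or any vendor's code. Every flow record,
threshold and capacity figure below is constructed for illustration."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed flow records: (second, src_ip, proto, tcp_flags, size_bytes).
# A quiet five-second "normal" window: 20 TCP and 5 UDP packets per second.
NORMAL = [
    (s, f"10.0.0.{i}", "TCP", "SYN" if i % 3 == 0 else "ACK", 600)
    for s in range(5) for i in range(1, 21)
] + [(s, f"10.0.1.{i}", "UDP", "", 200) for s in range(5) for i in range(1, 6)]

# A one-second window in which the same clients are present, plus one
# constructed source emitting 400 large (300-byte) SYN-only packets.
ATTACK_WINDOW = [(9, f"10.0.0.{i}", "TCP", "ACK", 600) for i in range(1, 21)]
ATTACK_WINDOW += [(9, "203.0.113.7", "TCP", "SYN", 300)] * 400
ATTACK_WINDOW += [(9, f"10.0.1.{i}", "UDP", "", 200) for i in range(1, 6)]

LARGE_SYN_BYTES = 250   # Imperva's large-SYN boundary quoted on the page


def learn_baseline(records, k=3.0):
    """Learn a packets-per-second threshold for each protocol from a normal
    window: mean + k * stddev, floored at 2 * mean so a perfectly flat
    baseline does not become a hair trigger. Returns {proto: threshold}."""
    per_sec = defaultdict(Counter)            # second -> Counter(proto)
    for sec, _src, proto, _flags, _size in records:
        per_sec[sec][proto] += 1
    protos = {p for counts in per_sec.values() for p in counts}
    thresholds = {}
    for proto in protos:
        rates = [per_sec[s][proto] for s in per_sec]   # 0 where absent
        thresholds[proto] = max(mean(rates) + k * pstdev(rates), 2 * mean(rates))
    return thresholds


def analyze_window(window, thresholds, per_source_limit=50, local_capacity_pps=300):
    """Flag anomalous protocols, isolate the sources driving the excess,
    label the attack type, and decide between forwarding, local scrubbing
    and rerouting to an external scrubbing provider (assumed capacities)."""
    by_proto = Counter(r[2] for r in window)
    anomalous = {p for p, n in by_proto.items() if n > thresholds.get(p, 0)}

    # Only sources that are heavy *within an anomalous protocol* are scrubbed;
    # ordinary clients sharing the link are forwarded untouched.
    per_src_proto = Counter((r[1], r[2]) for r in window)
    attack_srcs = {src for (src, proto), n in per_src_proto.items()
                   if proto in anomalous and n > per_source_limit}

    labels = set()
    for _sec, src, proto, flags, size in window:
        if src not in attack_srcs:
            continue
        if proto == "TCP" and flags == "SYN":
            labels.add("protocol: SYN flood"
                       + (" (large-SYN)" if size >= LARGE_SYN_BYTES else ""))
        elif proto == "UDP":
            labels.add("volume: UDP flood")

    forwarded = [r for r in window if r[1] not in attack_srcs]
    dropped = len(window) - len(forwarded)
    if not anomalous:
        action = "forward"
    elif dropped <= local_capacity_pps:
        action = "scrub locally"
    else:
        action = "reroute to scrubbing provider"
    return {"anomalous": sorted(anomalous), "attack_sources": sorted(attack_srcs),
            "labels": sorted(labels), "forwarded": forwarded,
            "dropped": dropped, "action": action}


if __name__ == "__main__":
    th = learn_baseline(NORMAL)
    print("baseline thresholds (pps):", th)
    result = analyze_window(ATTACK_WINDOW, th)
    print({k: v for k, v in result.items() if k != "forwarded"},
          "forwarded:", len(result["forwarded"]))
```

Two design points carry over to real deployments: scrubbing keys on the source behaviour inside the anomalous protocol rather than on the protocol alone, so the 20 legitimate TCP clients in the window are forwarded while the single flooding source is dropped; and the reroute decision is taken on the volume that must be scrubbed, which is what makes it economical to keep only modest capacity on site and outsource the "perfect storm" case.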
He says each side is trying to outmaneuver the other. To gain an edge, most commercial data center operators belong to North American Network Operators’ Group, an organization that allows members to share what works and what doesn’t, including their biggest nemesis – DDoS. But the dark side is also sharing its own “best practices” in the digital underground, so the cat-and-mouse game continues.