Security experts and members of the media have spent years saying that companies should take distributed denial-of-service (DDoS) threats seriously, often to little avail.
Now, with revenue streams increasingly under threat, the tide could finally be starting to turn.
A sea change
“We’ve been saying that scale, frequency and complexity of DDoS attacks will continue to increase for a while,” Darren Anstee, chief security technologist at Arbor Networks, told DCD.
“Last year we were really trying to emphasize it because the rate of increase appears to be accelerating, which is fairly frightening: Since 2013 those things had been growing fairly quickly anyway.”
Every year, Arbor releases its Worldwide Infrastructure Security Report, based on survey data and its Atlas threat analysis network. “What this year shows us is that they really are accelerating,” said Anstee.
And the stats in the report are sobering - the company tracked 558 attacks over 100Gbps last year (up from 223 in 2015), and 87 over 200Gbps (up from 16).
“That’s a massive jump in both the size that we’re seeing, and also the frequency of those very, very large attacks. These big attacks used to be considered as kinda black swan events,” he continued.
“The way that I see things right now as a security professional is that it’s getting much, much worse,” said Yousif Hussin, global information security engineer at Equinix.
Data center operators are rarely the target of a DDoS attack, but Anstee pointed out: “Data centers have long been a magnet for attack activity because a lot of the things that attackers want to go after tend to be in them.”
This has led to a “significant increase in those seeing revenue loss, up from a third to 42 percent. And a third of them also saw customer churn this year due to DDoS attacks. So they are a big problem from a business perspective.
“Nearly three quarters of data center respondents told us that they’d seen between one and twenty attacks that actually impacted their service.”
The tools of war
How have things gotten so bad? One major problem is how much easier launching an attack is becoming day by day: “The tools that are available on the Internet today are less than the ones we’re going to see tomorrow,” Hussin said. “It’s not rocket science right now to be a hacker and break everything on the Internet, and it’s going to get a lot easier.”
Take multi-vector attacks, which - as their name suggests - are multiple attack vectors launched at the same target at the same time. “Those kinds of complex attacks used to be restricted to people that really knew what they were doing, and could kind of manage the different attack vectors through different botnets and things like that,” Anstee said.
“The problem we have today is the weaponization of DDoS. There are lots of bots out there today, even Internet of Things (IoT) bots, that can launch multiple attack vectors at the same target at the same time, with a single command from the botnet controller. So complex multi-vector attacks are now accessible to virtually everybody.”
IoT botnets, a perennial bogeyman for the cyber security journalist, finally hit public consciousness late in 2016, when the Mirai botnet, whose source code had been released publicly, was used to launch one of the largest attacks of its kind to that point against DNS provider Dyn.
Without warning, much of the US found itself unable to connect to its favorite online services. Poorly secured IoT devices in hundreds of thousands of homes were enslaved to pull off the attack.
“There are lots of devices out there,” said Anstee. “Various numbers put it between six and 10 billion, growing at millions per day, that people don’t think about as Internet-connected computers. What’s really changed this year is the mass recruiting of them.”
He added: “Given the rate at which attacks are growing, the ease at which these very large attacks can now be generated, this is a key problem for data centers.”
The good news is that this ramp up in attacks, especially the ones that affect companies’ bottom lines, has “increased the awareness of DDoS and the impact it can have, which is driving an improvement in the defenses that are being put in place,” he said.
“We’re seeing some very encouraging developments in terms of roll-outs of intelligent DDoS mitigation systems, roll-outs of hybrid defense - combinations of network perimeter and cloud-based defenses to deal with both the application layer and large-scale volumetric attacks efficiently.”
A work in progress
But Andrew Shoemaker, founder of DDoS testing company NimbusDDOS, believes that defenses still have a long way to go.
When his company is hired to do a risk assessment “it’s usually an abysmal setup,” he said.
“We do simulated attacks where we attack their production network using real world DDoS attacks. The number of people who have some failure in that baseline test is probably 90-95 percent. The number that completely fails is more like 60 percent.”
He continued: “Even in large businesses that we work with, like large banks, which know about DDoS risk and have hardware in place, there’s usually something we can find that has been overlooked. Part of it is because their environment is so massive, it’s hard to keep tabs on everything that’s going on.
“There’s always something that we can find and exploit.”
A real concern is the fact that a lot of his customers fail the test despite already having mitigation solutions in place, he said: “There are issues where people can configure it wrong, where people maybe don’t understand the processes for activating the service.”
Another problem is that “90 percent of the people that come to us only do so after they’ve been attacked, even though our whole business model is about preparedness,” he added. “Nobody takes it seriously until it happens to them.”
Shoemaker said that he doesn’t “know if the DDoS problem is something that is completely solvable, without some massive fundamental changes to how the Internet is constructed.”
But he noted that while “it’s almost impossible to be 100 percent protected against DDoS, what you can do is make it extremely challenging for the attacker. You can make it so that it’s not worth their time and effort to bother focusing on you.”
For most companies, Shoemaker’s advice is to have some on-premises mitigation hardware that “you can use to block any attack that’s smaller than your inbound data pipes.”
But really large attacks, which could take out even regional or national ISPs, can only be handled by cloud-based mitigation vendors, he said.
There is another, perhaps simpler, way to prevent crippling DDoS attacks - avoid customers that attract them. “That’s been happening for a couple of years now,” Anstee said. “Some gaming and gambling sites have been asked to move around from data center to data center because they are magnets for attack activity.”
Shoemaker was also familiar with this practice, adding: “They may not remove you as a customer, but what they’ll do is blackhole your network addresses.”
But troublesome customers could become an extra revenue source: “If one of your customers is being attacked, you have the option of getting rid of that customer, or blocking them.
“Or, if you build the infrastructure to support that customer, then you can actually get more money out of them by selling additional DDoS mitigation services.”
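As an added illustration of the hybrid model Shoemaker describes (an on-premises appliance for attacks that fit inside the inbound pipe, cloud scrubbing for attacks that do not, and blackholing for customers who have not bought protection), the following Python is example code written for this edit; it is not from the article, Arbor, NimbusDDOS or Equinix. The one-second flow aggregates, the 10 Gbps pipe capacity, the per-vector thresholds and the prefix-to-contract mapping are all constructed assumptions, and the vector labels are deliberately coarse heuristics (a real deployment would baseline per port and per customer rather than treat every packet from UDP/53 as amplification).

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed inbound transit capacity at the data center edge (not a figure from the article).
PIPE_GBPS = 10.0
# Divert before the pipe saturates: once the link is full the on-prem appliance is blind.
DIVERT_AT = 0.8 * PIPE_GBPS
# Assumed per-vector rates above which a traffic class is treated as an attack vector.
VOLUMETRIC_GBPS = 1.0
PACKET_RATE_MPPS = 0.5

# Reflectors commonly abused for UDP amplification, keyed by the reflected source port.
AMPLIFIER_PORTS = {53: "dns-amplification", 123: "ntp-amplification",
                   1900: "ssdp-amplification", 11211: "memcached-amplification"}


@dataclass(frozen=True)
class FlowSample:
    """One-second aggregate of flows toward one destination prefix (NetFlow/sFlow style)."""
    dst_prefix: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    tcp_flags: str    # "S" = SYN only; "" for UDP
    pkts: int
    bytes_: int


def vector_of(s: FlowSample) -> str:
    """Map an aggregate onto a coarse attack-vector label (simplified heuristics)."""
    if s.proto == "udp" and s.src_port in AMPLIFIER_PORTS:
        return AMPLIFIER_PORTS[s.src_port]
    if s.proto == "tcp" and s.tcp_flags == "S":
        return "syn-flood"
    if s.proto == "tcp" and s.dst_port in (80, 443):
        return "http"
    return "other"


def assess(samples, protected_prefixes):
    """Aggregate per destination prefix and choose which layer of a hybrid defense to engage.

    protected_prefixes: customers who have bought mitigation. Anyone else is blackholed
    (RTBH) once their attack threatens the shared pipe, the practice the article describes.
    """
    per_prefix = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # prefix -> vector -> [bits, pkts]
    for s in samples:
        acc = per_prefix[s.dst_prefix][vector_of(s)]
        acc[0] += s.bytes_ * 8
        acc[1] += s.pkts

    report = {}
    for prefix, vectors in per_prefix.items():
        attack_vectors = sorted(
            v for v, (bits, pkts) in vectors.items()
            if bits / 1e9 >= VOLUMETRIC_GBPS or pkts / 1e6 >= PACKET_RATE_MPPS)
        total_gbps = sum(bits for bits, _ in vectors.values()) / 1e9
        if not attack_vectors:
            action = "monitor"
        elif total_gbps < DIVERT_AT:
            action = "on-prem-mitigation"         # fits inside the pipe: the appliance can filter it
        elif prefix in protected_prefixes:
            action = "divert-to-cloud-scrubbing"  # exceeds the pipe: must be absorbed upstream
        else:
            action = "rtbh-blackhole"             # unprotected customer: sacrifice it to save the pipe
        report[prefix] = {"vectors": attack_vectors,
                          "multi_vector": len(attack_vectors) >= 2,
                          "gbps": round(total_gbps, 2),
                          "action": action}
    return report


# Constructed one-second samples; prefixes are documentation ranges, not real customers.
SAMPLES = [
    # Protected customer under a two-vector reflection attack (6.0 Gbps DNS + 3.2 Gbps NTP).
    FlowSample("203.0.113.0/24", "udp", 53, 43210, "", 600_000, 750_000_000),
    FlowSample("203.0.113.0/24", "udp", 123, 43210, "", 300_000, 400_000_000),
    # Unprotected customer: 0.8 Mpps SYN flood mixed with ordinary HTTPS traffic.
    FlowSample("198.51.100.0/24", "tcp", 51000, 443, "S", 800_000, 48_000_000),
    FlowSample("198.51.100.0/24", "tcp", 52000, 443, "PA", 20_000, 30_000_000),
    # Unprotected customer drawing an 8.8 Gbps SSDP flood that would saturate the pipe.
    FlowSample("192.0.2.0/24", "udp", 1900, 43210, "", 900_000, 1_100_000_000),
    # Quiet customer: ordinary web traffic only.
    FlowSample("2001:db8:1::/48", "tcp", 53000, 443, "PA", 15_000, 20_000_000),
]
PROTECTED_PREFIXES = {"203.0.113.0/24"}

if __name__ == "__main__":
    for prefix, verdict in assess(SAMPLES, PROTECTED_PREFIXES).items():
        print(prefix, verdict)
```

The ordering of the checks is the point: the appliance is tried first only when the whole inbound load still fits under the pipe with headroom, diversion is reserved for paying customers, and the blackhole is the last resort that trades one prefix for everyone else's service.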
A version of this article appeared in the February/March issue of DCD magazine.