What’s true and what’s myth about DDoS attacks? Hear from Neustar’s experts. They’ll fill you in on who’s attacking and why; new tactics the bad guys are using; why firewalls and other old-school defenses are increasingly ineffective; and why mobile is the latest DDoS battleground. Separate fact from fiction and be better prepared.
We’re going to spend a little time today talking about a report we put out called 2011 DDoS Attacks: Top 10 Trends and Truths.
Neustar is in a unique position to see the threat landscape and the DDoS attack landscape because we’ve been mitigating DDoS attacks for a very long time. We’ve got a mitigation cloud and a DNS network that is 100% available, so we’ve got this unique window into the DDoS threat landscape, and we’ve got other solutions that allow us to enhance and broaden that view.
We see a lot of attacks on a day-to-day basis, and we have a very interesting viewpoint from our DNS network; DNS is a crucial piece of the equation here. So we’ve taken that knowledge, and on an annual basis we comment on trends: what we’re seeing in our own mitigation network and some of the things other industry reports are alluding to. Before we get started on our trends, I want to take a couple of minutes to briefly outline a DDoS attack for those who may not know what a Distributed Denial of Service (DDoS) attack is.
A DDoS attack is when an attacker attempts to prevent legitimate users from accessing a computer resource. Very literally, it’s denying legitimate service to users, and these days so much of an organization’s infrastructure is connected to the Internet that the threat has grown significantly over time. So there are potentially severe impacts to your business. As I said, the DDoS threat has grown in scope, and the Internet powers almost every aspect of your business these days, so when you’re hit with a denial of service attack, or there’s a risk of one, your whole enterprise is at risk. It can translate into very tangible impact: crippling your sales and your productivity, and, over the long term, damage to your brand equity.
We’re really talking about, as I said, the immediate stuff: lost revenue while you’re under attack, your call center in code red with a lot of calls coming in, emails, support issues and so forth. And long term, on the brand equity side, there’s potentially a permanent record out on the Internet of the fact that you’ve been attacked. With the prevalence of social media it’s all out there and very easy to reach; consumers or users can easily find out about attacks that have gone on and start making inferences. If an organization has been attacked, regardless of whether it has anything to do with hackers or so forth, consumers can start asking “Is my data safe?” and “Am I under threat?”, and these organizations have to worry about that and the potential long term damage to the brand.
So it’s not just the immediate costs, it’s the long term costs as well: the tarnished reputation. We saw a report from the Yankee Group that estimated an average attack on a mid-size enterprise could cause losses of $150,000; for a large e-commerce company we’re obviously talking about a severe loss of revenue associated with downtime, and again, the long term damage to brand equity is a huge issue. We’ll talk very briefly about a couple of attack scenarios before we get into the trends, and I’ll actually allude to a third a little later on.
There are obviously a lot of different ways to attack infrastructure, but we’re just going to give you a very high level overview of a couple. The first is simply flooding infrastructure with as much bandwidth as possible: literally clogging up an organization’s Internet connections and not letting legitimate users through. These days we’re seeing attacks in the tens of gigabits per second, and the largest reported attacks are in the hundred gigabit range, so bandwidth attacks are a big issue. It has become a lot easier to source bandwidth; we’re seeing this in our own network, where other hosts are being used as amplifiers for these large bandwidth attacks. It’s a lot easier to aggregate the bandwidth needed to flood someone off the Internet with a pure bandwidth attack.
Another common scenario is more about the CPU. An attacker can send enough requests to a piece of infrastructure to overwhelm its capacity to process them. That doesn’t necessarily mean you’ve clogged up someone’s Internet connection; you’ve overwhelmed the router, or driven a router’s CPU or a web server to 100%, especially when you get to the application level attacks we’ll cover a little later. These aren’t about bandwidth, they’re about processing power. So those are two common scenarios observed in the DDoS world.
As we talk about the trends and what we’re seeing over the last year, the number of attacks is growing. I think we’re all in agreement there. Some assessments show up to 45% growth in the frequency of attacks. Some industry reports attribute the rise in DDoS attacks to hacktivism. Hacktivism, for those who don’t know, is essentially organizations or groups of people protesting for a cause they believe is legitimate; over the last few months you may have heard about the Stop Online Piracy Act, and about denial of service attacks on government websites like the Department of Justice website, triggered by groups like Anonymous. But frankly we don’t necessarily agree with other reports claiming the rise in DDoS attacks has to do with hacktivism, because most DDoS attacks go unreported. When we look at the attacks we mitigate on our network, the hacktivism component is obviously part of that, but the large majority of attacks are for other reasons: extortionists, cut-throat competitors, people out to make a profit. Hacktivism is very public; to launch attacks they need people’s help. It’s a part of the picture, but we don’t feel the growth is attributable to it specifically, again because most of the attacks we see on our network, day in and day out, are unreported and not verified to be related to hacktivism.
Sophisticated attacks are definitely on the rise. In 2011 there was a notable increase in application level attacks, which hit applications and web servers. For those who don’t know, these are attacks custom-tailored to the attacked organization’s infrastructure. I’ll give you a very quick example. If I’m a person with some level of software or web development experience, I can examine a website or its components and make educated guesses about which pieces of that website are backed by a database, and which components make expensive CPU requests to a database or other systems. Then, based on that educated guess, I can craft an attack aimed at one very specific component of the website and potentially take it out with as little as ten requests per second, with the right query against a search page or a login page, or the right API call, which we’ll talk about a little later.
These sophisticated attacks custom-tailored to an organization’s infrastructure are difficult for hardware to detect, and dealing with them requires an additional level of staff expertise. We absolutely agree that sophisticated attacks are on the rise; we see that increase in custom-tailored attacks in the attacks we deal with and mitigate on our network. Some attacks were down in size: in 2011 the largest reported attacks were actually smaller than those reported in 2010. But bandwidth attacks are still obviously important; when we look at our own network, large attacks of 10 gigabits per second or more are still about 15% of all the attacks we observe. And it’s interesting, as I alluded to earlier, how easy it is to source bandwidth. On a day-to-day basis we see a lot of attack sources from other hosting providers, hacked accounts elsewhere; people are leveraging high bandwidth connections and bridging them together. You only need four, five, six or seven hacked accounts to generate multi-gigabit traffic, so it’s not just large botnets.
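To make the "ten requests per second against the search page" point concrete, here is an added example, not code from the report or from Neustar, that scores access-log traffic by an assumed back-end cost per endpoint instead of raw request count, so that a low-rate attacker hammering an expensive endpoint trips a budget that a fast but cheap crawler does not. The log format, the endpoint cost weights and the sample log lines are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Apache/nginx-style access-log line; we only need the client IP, the
# per-second timestamp and the request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Assumed relative back-end cost per endpoint prefix: one /search request is
# budgeted like 50 static-file requests because it hits the database, /login
# like 20 because of password hashing, /api/ like 30. Tune from real profiling.
ENDPOINT_COST = {"/search": 50, "/login": 20, "/api/": 30}
DEFAULT_COST = 1


def endpoint_cost(path):
    base = path.split("?", 1)[0]
    for prefix, cost in ENDPOINT_COST.items():
        if base.startswith(prefix):
            return cost
    return DEFAULT_COST


def parse_line(line):
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("ts"), m.group("path")) if m else None


def analyze(lines, cost_budget_per_sec, naive_rps_limit):
    """Per client IP: peak raw requests/sec, peak weighted cost/sec, and whether
    a plain rate limit (naive_flag) or the cost budget (cost_flag) would trip."""
    rps = defaultdict(lambda: defaultdict(int))    # ip -> second -> requests
    cost = defaultdict(lambda: defaultdict(int))   # ip -> second -> weighted cost
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        rps[ip][ts] += 1
        cost[ip][ts] += endpoint_cost(path)
    report = {}
    for ip in rps:
        peak_rps = max(rps[ip].values())
        peak_cost = max(cost[ip].values())
        report[ip] = {
            "peak_rps": peak_rps,
            "peak_cost": peak_cost,
            "naive_flag": peak_rps > naive_rps_limit,
            "cost_flag": peak_cost > cost_budget_per_sec,
        }
    return report


def _line(ip, second, path):
    return f'{ip} - - [10/Feb/2012:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample traffic (documentation IP ranges, not real logs):
SAMPLE_LOG = (
    # a crawler pulling 40 static files in one second
    [_line("198.51.100.5", 0, f"/static/img{i}.png") for i in range(40)]
    # a low-rate attacker sending 10 wildcard searches in the same second
    + [_line("203.0.113.7", 0, f"/search?q=%25{i}%25") for i in range(10)]
    # an ordinary user logging in and loading the front page
    + [_line("192.0.2.9", 0, "/login"), _line("192.0.2.9", 1, "/index.html")]
)

if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG, cost_budget_per_sec=100, naive_rps_limit=50).items():
        print(ip, r)
```

With a naive limit of 50 requests per second the attacker at 10 requests per second is invisible, while the 40 requests per second crawler is the only source that comes close; weighting by endpoint cost inverts that picture, which is exactly why signature-free hardware thresholds miss these attacks.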
The attackers have gotten smart and they’re using amplifiers. High packet-per-second attacks grew in popularity, and we feel the cloud makes a lot of sense for mitigating these attacks because, frankly, it’s an arms race. You can’t really overprovision your way out of the problem. You’ll never be able to source enough bandwidth, and if you really want to try, it’s very expensive. To be able to mitigate all threats you’d have to buy all sorts of different kinds of hardware, and it gets very expensive very quickly. While attacks are global in nature, they are hard to trace. We see a lot of reports discussing sources of attack traffic, naming China, Ukraine, India and the United States as big originators. But we don’t necessarily agree that the geographic information tells us a lot, because of the issue of spoofed IP addresses.
Tracing an attack’s origin doesn’t always contribute substantially to mitigation. We see a significant amount of attack traffic coming from spoofed IP addresses. It might look like it’s coming from China, but when the experts in our Security Operations Center look at it, you can tell it’s spoofed: you start seeing source IP addresses that appear to be in China arriving at, for example, a node in the Midwest, rather than coming in through our Asian infrastructure or our west coast infrastructure. So the traffic isn’t arriving where it should be arriving if it actually came from China or Ukraine.
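An added example of the ingress check just described (our own illustration, not Neustar’s SOC tooling): with an assumed prefix-to-region table standing in for a GeoIP lookup, an assumed set of mitigation nodes, and an assumed map of where anycast routing would plausibly deliver genuine traffic from each region, it measures how much "Asian" traffic lands at nodes where real Asian traffic would not arrive. The flow summary is constructed.

```python
import ipaddress

# Assumed source-prefix -> region table standing in for a GeoIP lookup.
# These are documentation ranges; the regions are labels for the demo only.
PREFIX_REGION = [
    (ipaddress.ip_network("203.0.113.0/24"), "asia"),
    (ipaddress.ip_network("198.51.100.0/24"), "europe"),
    (ipaddress.ip_network("192.0.2.0/24"), "us"),
]

# Assumed mitigation nodes and the region each one sits in.
NODE_REGION = {
    "hkg1": "asia", "ams1": "europe",
    "sjc1": "us-west", "ord1": "us-midwest", "iad1": "us-east",
}

# Where anycast would plausibly deliver genuine traffic from each source
# region (assumed topology: Asia lands in Asia or on the US west coast).
PLAUSIBLE_INGRESS = {
    "asia": {"asia", "us-west"},
    "europe": {"europe", "us-east"},
    "us": {"us-west", "us-midwest", "us-east"},
}


def source_region(ip):
    addr = ipaddress.ip_address(ip)
    for net, region in PREFIX_REGION:
        if addr in net:
            return region
    return "unknown"


def is_plausible(src_ip, node):
    region = source_region(src_ip)
    if region == "unknown":
        return True          # nothing to compare against
    return NODE_REGION[node] in PLAUSIBLE_INGRESS[region]


def spoof_report(flows):
    """flows: iterable of (src_ip, ingress_node, packet_count).
    Returns, per claimed source region, packets seen, packets that arrived
    at an implausible node, and the implausible fraction."""
    stats = {}
    for src, node, pkts in flows:
        s = stats.setdefault(source_region(src), {"packets": 0, "implausible": 0})
        s["packets"] += pkts
        if not is_plausible(src, node):
            s["implausible"] += pkts
    for s in stats.values():
        s["ratio"] = s["implausible"] / s["packets"]
    return stats


def likely_spoofed(flows, threshold=0.5):
    """Claimed source regions whose traffic mostly arrives where it should not."""
    return {r for r, s in spoof_report(flows).items() if s["ratio"] > threshold}


# Constructed flow summary (src, ingress node, packets), not real data:
SAMPLE_FLOWS = [
    ("203.0.113.10", "ord1", 9000),   # "Asian" sources hitting the Midwest node
    ("203.0.113.11", "iad1", 6000),   # ... and the east coast
    ("203.0.113.12", "hkg1", 1000),   # the little that really comes in via Asia
    ("198.51.100.3", "ams1", 4000),   # European traffic arriving in Europe
    ("192.0.2.5", "ord1", 3000),      # US traffic arriving in the Midwest
]

if __name__ == "__main__":
    print(spoof_report(SAMPLE_FLOWS))
    print("likely spoofed:", likely_spoofed(SAMPLE_FLOWS))
```

The check only works because the anycast catchment of each node is known; a single-site deployment sees every packet at the same place and gets no signal from this, which is part of why geography alone tells you little.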
We see spoofed IP addresses as a very big issue in attack traffic; while an attack looks like it’s coming from a certain place, it may not actually be coming from there. Firewalls, intrusion detection systems and intrusion prevention systems can actually be part of the problem during an attack. A lot of organizations have invested in this type of infrastructure, especially IDS/IPS systems. There is a very legitimate need for them; the intrusion threat has obviously also grown in scope over the last few years, and it’s important to be diligent and have a strategy to deal with it. But during a DDoS attack, as it turns out, these systems can cause bottlenecks and trigger a lot of false positives.
We’ve been in a lot of situations where the attack defense that was enacted was forced by the intrusion prevention systems, which ended up blocking a lot of legitimate traffic. So what we typically recommend during an attack is that people put their IDS/IPS systems in detection mode, so they can still detect possible threats, but disable the automated actions that go along with them, because acting on those alerts during an attack can yield a lot of false positives. The systems can be turned into amplifiers and help the attacker achieve their goal of shutting you down.
DNS continues to be an extremely weak link in the chain. For those who may not know much about DNS, the domain name system, it’s the crucial system that translates host names and domains into IP addresses so users can reach your site. When attackers want to take you offline, they’ll try any way they can. Most people don’t really think about their DNS servers; they have DNS servers, the servers do their job, and they’re typically an afterthought in the equation. But if you take out someone’s authoritative DNS servers, you’re effectively knocking them offline: no one can get resolution for their domains, which essentially means they’re off the Internet. So it’s not just about attacking a website or an API or a piece of infrastructure; DNS is a very crucial component and it needs to stay up.
In our own network, somewhere in the neighborhood of 10% of all DDoS attacks target DNS infrastructure. DNS attacks are some of the hardest to mitigate, so it’s important to have resiliency in DNS. Everything relies on it; it’s the crucial backbone of your Internet infrastructure that most people overlook. Typically organizations may not even be running their own DNS servers; they’re getting DNS from the registrar where they purchased the domain. If you’re in that situation and your DNS gets attacked, most likely your registrar will black hole you and take you offline. It’s important to really think about DNS in your business continuity strategy and make sure you’ve got a strategy for it.
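As an added example of the DNS resiliency check a practitioner would want at this point (not part of the report or of any Neustar product), the following scores a zone’s authoritative NS set for operator, network-prefix and IPv6 diversity, which is what separates the "registrar-only" situation above from one that survives an attack on a single provider. The NS sets are constructed; the "last two labels" operator heuristic is an assumption standing in for a public-suffix lookup.

```python
import ipaddress


def operator_of(ns_host):
    """Approximate the operator by the registrable domain of the NS name
    (last two labels; an assumption standing in for a public-suffix lookup)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def prefix_of(ip):
    """Aggregate to /24 (v4) or /48 (v6) so servers on one link count once."""
    addr = ipaddress.ip_address(ip)
    plen = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def assess_ns_set(ns_records, min_servers=2, min_operators=2, min_prefixes=2):
    """ns_records: {ns_hostname: [ip, ...]} as collected from the zone's NS and
    A/AAAA records. Returns measured diversity plus a list of findings."""
    addrs = [ipaddress.ip_address(ip) for ips in ns_records.values() for ip in ips]
    operators = {operator_of(h) for h in ns_records}
    prefixes = {prefix_of(ip) for ips in ns_records.values() for ip in ips}
    has_v6 = any(a.version == 6 for a in addrs)
    findings = []
    if len(ns_records) < min_servers:
        findings.append(f"only {len(ns_records)} authoritative server(s)")
    if len(operators) < min_operators:
        findings.append("all servers run by one operator: " + ", ".join(sorted(operators)))
    if len(prefixes) < min_prefixes:
        findings.append("all servers in one network prefix")
    if not has_v6:
        findings.append("no IPv6 reachability")
    return {
        "servers": len(ns_records),
        "operators": sorted(operators),
        "prefixes": sorted(prefixes),
        "ipv6": has_v6,
        "findings": findings,
    }


# Constructed NS sets (documentation addresses), not real zones.
REGISTRAR_ONLY = {
    "ns1.registrar.example.": ["198.51.100.10"],
    "ns2.registrar.example.": ["198.51.100.11"],
}
DIVERSIFIED = {
    "ns1.registrar.example.": ["198.51.100.10"],
    "ns2.registrar.example.": ["198.51.100.11"],
    "a.dnsprovider.example.": ["203.0.113.5", "2001:db8:1::5"],
    "b.dnsprovider.example.": ["192.0.2.5", "2001:db8:2::5"],
}

if __name__ == "__main__":
    for name, recs in (("registrar-only", REGISTRAR_ONLY), ("diversified", DIVERSIFIED)):
        print(name, assess_ns_set(recs))
```

Two NS names in the same /24 at one operator is the shape of the "registrar black holes you" failure: there is nothing left to answer once that prefix is withdrawn. Adding a second operator in separate prefixes means resolvers still have a working server to fall back on while one provider is under attack.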
DNS and websites are often discussed, certainly websites are, but they’re not the only targets. Over the last year we’re starting to see more attacks on other pieces of infrastructure, such as APIs and voice over IP systems. Not having phone service is obviously a huge issue for an organization, and we’re seeing more attacks on VoIP infrastructure as well as on APIs. Some businesses rely on APIs for business-to-business transactions, and attackers are going after them. A lot of the time there’s published API documentation that organizations make available, so it’s very easy for attackers to digest it and craft very targeted attacks at the APIs. That means lost sales and customer support issues, because your customers can’t connect to your APIs. We’re seeing that as a growing attack vector.
Most DDoS solutions can’t really handle IPv6 traffic. There was some press last year about World IPv6 Day; it came and went, there was press about it for a very brief time, and companies are still not able to handle IPv6 traffic. A lot of DDoS solutions out there haven’t made the upgrade either. IPv6 attacks are definitely not mainstream yet, but they did start cropping up in 2011, and while IPv6 is in the process of gaining acceptance, you need to make sure your DDoS solution is ready for it.
Attacks on encrypted traffic can spell a lot of trouble. On our own network, less than 5% of all the attacks we see are at the application layer, but the common vector there is HTTPS, or SSL, floods of GETs or POSTs. To deal with those attacks you really have to have infrastructure that lets you do what is called deep packet inspection. The issue is that the traffic is encrypted, so you can’t easily get to the plaintext to craft the right signature filters and mitigation strategies. You have to have infrastructure that can decrypt the packet and filter accordingly. Otherwise, the only other way to deal with encrypted traffic is at the network layer, layers 3 and 4, where you’re looking at rate limiting, bandwidth throttling, blocking IPs and so forth. If you have infrastructure that lets you inspect encrypted packets and do the deep packet inspection, you’re in a much better place to deal with those attacks.
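An added example, not from the page, of the layer 3/4 fallback just described: a sliding-window cap on new connections per source address to the TLS port. It needs no certificate or decryption because it only sees connection attempts, but for the same reason it cannot tell a GET flood from a POST flood, or one attacker from a busy NAT gateway. The connection events are constructed; the limit and window are assumed values.

```python
from collections import defaultdict, deque


class NewConnectionLimiter:
    """Sliding-window cap on new connections per source address. Works on
    the TCP 5-tuple only, so it needs no decryption, but it also cannot see
    which URL is requested or distinguish a NAT'd population from one host."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.history = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.blocked = {}                   # src -> last time it was over the cap

    def observe(self, src, ts):
        """Record a new connection from src at time ts; return True to admit it."""
        q = self.history[src]
        while q and ts - q[0] >= self.window:
            q.popleft()                     # drop attempts outside the window
        q.append(ts)
        if len(q) > self.limit:
            self.blocked[src] = ts
            return False
        return True


def run(events, limit=50, window_seconds=1.0):
    """events: iterable of (timestamp, src_ip) connection attempts in time order.
    Returns per source the admitted and dropped counts."""
    limiter = NewConnectionLimiter(limit, window_seconds)
    counts = defaultdict(lambda: {"admitted": 0, "dropped": 0})
    for ts, src in events:
        key = "admitted" if limiter.observe(src, ts) else "dropped"
        counts[src][key] += 1
    return dict(counts)


# Constructed connection log (timestamp, source) for TCP/443, not real traffic:
SAMPLE_EVENTS = sorted(
    # a single source opening 200 TLS sessions within one second
    [(0.005 * i, "203.0.113.7") for i in range(200)]
    # a normal browser opening six connections over ten seconds
    + [(1.5 * i, "192.0.2.9") for i in range(6)]
)

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

This is the whole toolbox you have without decryption: counts per source, per prefix, or per port. Anything finer (which path, which query string, whether the POST body is junk) needs the plaintext, which is why the speaker pushes for inspection capacity rather than relying on these limits alone.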
Mobile is emerging as part of the battleground. Some of you may have heard of the more common denial of service tools that the hacktivists use, like the Low Orbit Ion Cannon (LOIC). There are web versions of LOIC: web scripts that are very easy to access through a web page, where you can pretty much put in a host name or IP address, hit go and launch an attack. The mobile operators have become accidental ISPs. They’re transporting data, and as they move into Long Term Evolution (LTE) and 4G technology there’s more bandwidth available from phones; beyond that, phones are a lot of the time connected to Wi-Fi networks. If you’re connected to a Wi-Fi network you’ve got the same power in the palm of your hand as a laptop. People have been launching attacks just using web LOIC from phones, Android malware is starting to proliferate, and we’re starting to observe Android devices within botnets, so it’s an emerging threat. As phones get more powerful and the bandwidth they have access to grows, they’re becoming part of the attack equation as well. We started to see those signatures in 2011.
Summarizing the trends we spoke about: large attacks that use a lot of bandwidth are obviously a big issue and you need to be able to deal with them. More targeted attacks are on the rise and they’re just as deadly. The attackers are smart and getting smarter; a person with average web development experience can potentially do a lot of damage, and you really need diversity in your network to deal with threats large and small, from application level attacks that are not necessarily high bandwidth to the high bandwidth attacks as well. We feel it makes a lot of sense to use a cloud provider for DDoS mitigation, again because it’s an arms race that is economically unfeasible for most organizations. You really can’t provision your way out of the problem. It becomes an ongoing and growing cost as the threat landscape changes and attack vectors increase over time; it requires a significant up-front investment and constant investment after that. So in that sense we feel it makes sense to talk to a cloud provider, because then you can source the necessary mitigation capacity when you need it rather than having it all in house.
There are resources Neustar makes available to help inform organizations about DDoS attacks, such as our Neustar SiteProtect web page. The URL is there, so feel free to take a look and learn a little about DDoS. We’ve got literature on our solution as well. There’s a DDoS Cost Calculator on our website that’s an easy way to show the nature of the threat and how it could impact your business. And, as I said earlier, we’ve got a Resource Center with a lot of information on denial of service attacks, the threat landscape and what options are out there; there’s a lot of really useful information there for people to peruse.