Exclusive UBM Tech Research Report
By Wayne Rash
Distributed denial-of-service (DDoS) attacks continue to grow in size, complexity and danger. Witness the recent wave of attacks on major U.S. banks, which knocked websites offline, angered customers and took a grave toll on brand reputations. The lessons of those attacks echo the findings of this report: Previously successful DDoS mitigation solutions no longer work.
UBM Tech conducted research with IT professionals who have suffered DDoS attacks. The drastic changes in attack methodology and motivation in the past few years should be driving them toward purpose-built solutions, that is, comprehensive defenses that can counter even the most sophisticated attacks. Yet many organizations remain committed to the same techniques that failed them, leaving them at continued risk. In an age when attackers have access to cheap, powerful and easily available weapons — when virtually anyone can launch a strike — the failure to fully prepare can have disastrous effects.
Distributed denial-of-service (DDoS) attacks have changed, and that’s an understatement. Back in the day, they were launched by people with specialized knowledge for profit or just plain fun. Today, they’re a favorite tool not only of criminal enterprises and political operatives, but also disgruntled customers, ex-employees and social protesters. DDoS attacks have become highly organized and more complex, which makes them harder and more dangerous to fight than ever. Unfortunately, according to recent UBM Tech research, many companies remain at risk because they rely on inadequate defenses.
Why Old Defenses Don’t Work
DDoS attacks have evolved dramatically in three key areas: attack methodology, size (attacks of 20 Gbps are not uncommon) and motivation. For example, attacks are often launched from botnets, thousands of infected computers or servers that the bad guys remotely control. This makes it harder for law enforcement to identify the culprit. Also, many attacks now use a combination of vectors, for instance, mixing network floods with application-layer strikes. And while people still attack for money or pure recreation, politics and social protest are playing a bigger role. The wave of attacks on U.S. banks in the fall of 2012 is thought to be the work of an Islamist protest group or an unfriendly government using that group as a shield.
When attacks were less sophisticated, organizations could simply install an appliance to eliminate or lessen the impact. This approach to DDoS mitigation is no longer adequate. Today, high-volume attacks can far exceed the capacity of the victim’s network connection. Even if they’re not directly targeted, all resources behind that connection become unreachable. Responding by buying more and more bandwidth simply costs too much.
Other strategies that once worked, such as relying on an ISP or a content distribution network (CDN) to soak up the attack, are similarly insufficient. If a company is attacked, its ISP may take it offline to protect its other customers. CDNs may be able to handle some attacks, but will bill exorbitantly for the traffic. Moreover, a CDN may not adequately protect the origin server.
That’s why organizations must now look to purpose-built DDoS protection solutions. Yet UBM Tech’s research, sponsored by Neustar, reveals that too many companies still cling to old defense methods, despite having been let down by them during a real attack. Of the 396 IT managers and staff surveyed by UBM Tech, 124 had suffered a DDoS attack and were asked to describe the attacks, the methods used to overcome them and the outcome.
The organizations that depended on old approaches, such as firewalls and stand-alone mitigation appliances, found that their solutions were overwhelmed. In many cases, their entire Internet presence went down because the attack consumed all of their network bandwidth.
DDoS Attack Results
Of the 124 respondents that had been attacked, more than two-thirds were hit with bandwidth floods. Interestingly, 41 percent experienced a request flood, a newer attack type that overwhelms servers. Twenty-seven percent experienced an application-level attack tailor made for their websites or applications. Regardless of type, 78 percent of the attacks ended within 24 hours. Most of those attacks (54%) targeted the organization’s primary website (see Figure 1).
The impact of these DDoS attacks included loss of revenue, customer service problems and damage to the organization’s online reputation. Those companies that were affected lost tens to hundreds of thousands of dollars (see Figure 2).
Less than half (43%) of companies attacked reported having had a DDoS mitigation solution. Fifty-two percent depended on firewalls (Figure 3). Fifteen percent relied on their content distribution network, and another 15 percent relied on their hosting company. Only a few used a cloud-based DDoS protection service or a DDoS mitigation appliance — in other words, purpose-built solutions designed to handle modern attacks.
Why Firewalls and Routers Fail Against DDoS
Firewalls, even those designed to block DDoS attacks, don’t work against current threats, nor do routers that are configured as default-deny devices, as Figure 4 shows. High packet-per-second attacks can quickly overwhelm these devices, and when the bandwidth of the Internet connection becomes the bottleneck, these devices are unreachable, and thus useless.
DDoS mitigation and intrusion detection and prevention (IDP) appliances suffer a similar fate to firewalls (see Figure 5). Although DDoS mitigation appliances may be capable of withstanding an attack, they can’t do anything if they’re unreachable. The same is true with IDP appliances. Those devices also have to be configured properly, and the staffers using them have to be trained to handle the attack. As can be seen in Figure 5, in many cases in-house staff lacked the needed expertise.
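The two failure modes described above (a device overwhelmed by packet rate, and a device that is simply unreachable because the upstream link is full) can be separated with a small capacity model. The following Python is an added illustration, not part of the UBM Tech report; the link size, appliance ratings and attack sizes are assumptions chosen to show each case, and the 20 Gbps figure is the size the report cites as not uncommon.

```python
"""Capacity model for an on-premise DDoS appliance behind an Internet link.

Constructed illustration (not from the UBM Tech report): the numbers for the
link, the appliance and the attack are assumptions chosen to show two distinct
failure modes described in the text. Bandwidth is in bits per second.
"""
from dataclasses import dataclass

# Minimum Ethernet frame is 64 bytes; on the wire each frame also carries a
# 7-byte preamble, 1-byte start delimiter and 12-byte inter-frame gap.
MIN_FRAME_BYTES = 64
WIRE_OVERHEAD_BYTES = 20


def packets_per_second(bits_per_second: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Packet rate that a given bandwidth represents at a given frame size."""
    return bits_per_second / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


@dataclass
class Deployment:
    link_bps: float        # capacity of the Internet connection
    appliance_pps: float   # rated packet-per-second filtering capacity
    appliance_bps: float   # rated throughput of the appliance


def assess(d: Deployment, attack_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> dict:
    """Decide which component gives out first under a flood of the given size.

    The appliance sits behind the link, so it only ever sees the portion of
    the flood that fits through the link. If the link is saturated, the
    appliance's own capacity is irrelevant: legitimate traffic no longer
    reaches it (or anything else behind the link) either.
    """
    link_saturated = attack_bps > d.link_bps
    delivered_bps = min(attack_bps, d.link_bps)
    delivered_pps = packets_per_second(delivered_bps, frame_bytes)
    appliance_overwhelmed = (delivered_pps > d.appliance_pps
                             or delivered_bps > d.appliance_bps)
    if link_saturated:
        bottleneck = "link"
    elif appliance_overwhelmed:
        bottleneck = "appliance"
    else:
        bottleneck = "none"
    return {
        "attack_pps": packets_per_second(attack_bps, frame_bytes),
        "delivered_pps": delivered_pps,
        "link_saturated": link_saturated,
        "appliance_overwhelmed": appliance_overwhelmed,
        "bottleneck": bottleneck,
    }


# Assumed deployment: 1 Gbps link, appliance rated at 500 kpps and 1 Gbps.
SITE = Deployment(link_bps=1e9, appliance_pps=500_000, appliance_bps=1e9)

if __name__ == "__main__":
    # 20 Gbps flood: the link saturates first, so the appliance never matters.
    print(assess(SITE, attack_bps=20e9))
    # 500 Mbps flood of minimum-size packets: the link is fine, but the
    # packet rate (about 744 kpps) exceeds the appliance's rated 500 kpps.
    print(assess(SITE, attack_bps=500e6))
```

The second case is the one the report's firewall and router findings describe: bandwidth alone looks manageable, yet the packet rate of a small-packet flood is what the device cannot keep up with. A 1 Gbps link carries roughly 1.49 million minimum-size frames per second, which is why device ratings in packets per second matter more than their throughput figure.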
At first look, it would seem that ISPs might be a good alternative. They have full-time network managers, they have a lot of bandwidth and they probably have the necessary security hardware. But Figure 6 shows why ISPs aren’t the best line of defense: ISPs are responsible for protecting their network and all of their customers. When a DDoS attack begins to tax their capacity, ISPs often disconnect the customer being attacked. Some ISPs might even require the victim to show that they had obtained third-party security DDoS solutions before they are reconnected.
Content delivery networks have a different issue. Although the chances of overwhelming a CDN with a volumetric attack are low, the CDN will simply handle the traffic and charge the customer accordingly. In the case of more complex application-level attacks, not only will the CDN charge for the attack traffic, but will also pass it along to the company’s origin servers. Figure 7 shows what happened when a DDoS attack hit organizations that relied on a CDN.
DDoS mitigation at the network edge is no longer as effective as it once was. Even in situations in which the network link to the Internet wasn’t overwhelmed, the DDoS traffic was still able to overwhelm servers with requests and do other damage that effectively brought down all or part of the respondents’ sites.
The Cloud Solution to DDoS Attacks
Seven percent of respondents used the most effective means of dealing with a DDoS attack: a cloud-based DDoS mitigation service. Cloud-based services feature a multilayered DDoS mitigation arsenal paired with highly trained technicians. This means they are up to speed on the latest threats and methods, and they’re familiar with emerging trends in DDoS attacks.
Cloud-based DDoS mitigation redirects web traffic through a change in DNS records or via border gateway protocol (BGP) routing changes. Once the redirect is implemented, all traffic goes to a cloud mitigation site, which filters out bad traffic and lets legitimate traffic proceed.
Customers will typically choose to make the switch at the first indication of an attack. When that happens, customers are able to change their DNS records themselves or call their provider and ask that their DNS entries be switched. Normally, cloud-based DDoS mitigation services have sufficient capacity to absorb even the largest DDoS attacks, and their staffs have the training to make sure that they filter out DDoS traffic.
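The DNS-based redirect described in the two paragraphs above takes effect only as recursive resolvers' cached answers expire, which is governed by the record's TTL. The following Python is an added illustration, not part of the UBM Tech report or of any provider's tooling: a toy zone, a handful of resolvers that honour TTL exactly, and a cutover of the site's A record to an assumed mitigation address. The host name, addresses, TTLs and timings are all constructed.

```python
"""Model of a DNS-based redirect to a cloud mitigation service.

Constructed illustration (not from the UBM Tech report): a toy zone, a few
recursive resolvers with caches, and a cutover of the site's A record to a
scrubbing centre. Addresses come from documentation ranges, not real services.
Times are in seconds.
"""
from dataclasses import dataclass, field

SITE_NAME = "www.example.com"
ORIGIN_ADDRESS = "198.51.100.10"   # assumed origin server (TEST-NET-2)
SCRUB_ADDRESS = "203.0.113.5"      # assumed mitigation provider address (TEST-NET-3)


@dataclass
class ARecord:
    address: str
    ttl: int  # seconds a resolver may cache the answer


@dataclass
class Resolver:
    """A recursive resolver that honours the record TTL exactly."""
    cache: dict = field(default_factory=dict)  # name -> (address, expires_at)

    def resolve(self, zone: dict, name: str, now: int) -> str:
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]  # within TTL: the cached, possibly stale, answer wins
        record = zone[name]
        self.cache[name] = (record.address, now + record.ttl)
        return record.address


def redirect_to_mitigation(zone: dict, name: str, scrub_address: str) -> None:
    """The customer's (or provider's) change: point the record at the scrubbing centre."""
    zone[name] = ARecord(scrub_address, zone[name].ttl)


def fraction_on_mitigation(resolvers, zone, name, now, scrub_address) -> float:
    """Share of resolvers that currently hand clients the mitigation address."""
    answers = [r.resolve(zone, name, now) for r in resolvers]
    return sum(a == scrub_address for a in answers) / len(answers)


def simulate(ttl: int, cutover_at: int, first_queries: list, sample_times: list) -> dict:
    """Fill resolver caches before the attack, cut over, then sample afterwards.

    first_queries: when each resolver last refreshed the record (before cutover).
    sample_times: ascending times at or after cutover_at to measure the redirect.
    """
    if any(t >= cutover_at for t in first_queries) or any(t < cutover_at for t in sample_times):
        raise ValueError("first_queries must precede cutover_at; sample_times must not")
    zone = {SITE_NAME: ARecord(ORIGIN_ADDRESS, ttl)}
    resolvers = [Resolver() for _ in first_queries]
    for resolver, t in zip(resolvers, first_queries):
        resolver.resolve(zone, SITE_NAME, t)  # normal traffic populates the caches
    redirect_to_mitigation(zone, SITE_NAME, SCRUB_ADDRESS)  # attack detected at cutover_at
    return {t: fraction_on_mitigation(resolvers, zone, SITE_NAME, t, SCRUB_ADDRESS)
            for t in sorted(sample_times)}


if __name__ == "__main__":
    refreshes = [0, 900, 1800, 2700]  # four resolvers, each refreshed at a different time
    # One-hour TTL: some resolvers keep sending clients to the origin for up to
    # an hour after the switch, so the origin stays exposed for that long.
    print(simulate(3600, cutover_at=3000, first_queries=refreshes,
                   sample_times=[3000, 3700, 6299, 6300]))
    # Five-minute TTL set in advance: every resolver has moved by the cutover.
    print(simulate(300, cutover_at=3000, first_queries=refreshes, sample_times=[3000]))
```

Two practical points follow from the model. First, a short TTL has to be in place before an attack, since lowering it during one still waits out the old TTL; a BGP-based redirect moves the whole prefix at once and does not have this lag. Second, during the cutover window the origin is still being handed out to some clients, so it should accept traffic only from the mitigation provider once the service is in use, otherwise the redirect filters only part of the flood. Real resolvers may also clamp or extend TTLs, so the model is an idealised lower bound on the switchover time.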
Of course, there is one other approach: Do nothing, and simply wait to be disconnected from the Internet at the beginning of an attack. This approach does work, in a sense, by removing the target. But it also defeats the purpose of having an online presence.
Once the attack is over, an organization is faced with the prospect of fixing what went wrong. Among survey respondents, corrective actions depended on the severity of the attack and the solution (if any) they had used. Sometimes the attack itself was the first indication that the organization’s Internet presence was vulnerable. In other cases, the attack may have confirmed that existing defenses worked or, more commonly, that better protection was needed.
Most organizations surveyed didn’t think a DDoS attack would be a problem (see Figure 8). Note that only 16 percent lacked confidence in their DDoS mitigation approach. More than half (55%) of those organizations with little confidence in their existing solution didn’t change their protection. They either doubted they would be attacked or that an attack would cause serious damage.
Of course, when the attack did come, those organizations had to take steps to make sure it wouldn’t happen again — at least those that weren’t part of the 5 percent that still chose to do nothing (see Figure 9). Perhaps most notable is the fact that nearly half of all respondents, 41 percent, felt the need to update their DDoS protection procedures. Within the group that had to make changes, the answer many chose was to amp up their defense, for example, implementing DDoS mitigation solutions, adding to existing capacity, adding more equipment or changing to a new appliance (see Figure 10).
A few organizations invested in new services, such as a cloud-based DDoS mitigation service (11%). Others pursued more bandwidth (30%), more protection from hosting providers (30%) or other services.
Seeking a Better Result
Because of the changing nature of DDoS attacks, the solutions that once were adequate no longer work. As a result, some companies lost hundreds of thousands of dollars in revenue and suffered damage to their reputations, their customer service and the confidence of their customers.
Until they realize the futility of wasting money on outdated solutions, businesses remain at risk. Meanwhile, the clock is ticking.
In August 2012, UBM Tech conducted an online survey on behalf of Neustar that explored the state of DDoS protection. The data collected from 124 business technology professionals who work at companies that had been the target of a DDoS attack forms the basis of this report. Survey respondents worked in a variety of industries at companies of all sizes. More than 60 percent of respondents were IT management or staff, and 20 percent had senior level IT executive or corporate management titles.
The greatest possible margin of error for the total respondent base (N=124) is +/- 8.7 percentage points. UBM TechWeb was responsible for all programming and data analysis, and all procedures were carried out in strict accordance with standard market research practices.