How next-generation threat protection counters DDoS attacks

The perpetual cycle in which evolving threats to data are countered by a timely response from the IT industry looked to be slowing recently, in the face of steady growth in the nature, volume and sophistication of distributed denial of service (DDoS) attacks by criminal syndicates and hackers.

While businesses around the world grow increasingly reliant on the uptime of Internet-connected services, many are finding that legacy security solutions such as firewalls and intrusion prevention systems (IPS) have insufficient capacity to mitigate today’s multi-vector DDoS attacks at scale.

Organizations are facing the threat of significant revenue loss and brand reputation damage from these DDoS attacks as cyber criminals look to gain from disrupting the availability of essential services.

Service availability is at risk. The Internet is a shared medium, and malicious DDoS attacks have increased rapidly in the past few years, originating from and targeted at many different locations. Attacks may be generated by ideological groups (hacktivism) for political reasons, by organized criminal syndicates (cybercrime) for extortion and theft, or by foreign military intelligence agencies.

Today, many DDoS attacks are being generated by novice hackers without much expertise, seeking to take anyone or any service off the Internet. When an organization’s services are unavailable to its customer base, it can quickly result in revenue loss, customer frustration and dissatisfaction, and damaged brand reputation.

DDoS attacks using techniques such as SYN flooding and fragmentation are rapidly becoming a numbers game, with malicious bots or zombie machines directing massive amounts of traffic in unison towards target victims. As high-volume DDoS attacks exceeding 100 Gbps become common, effective DDoS solutions need to mitigate at equally massive scale and performance to prevent service interruption. Service availability for Internet-connected applications is critical to enterprises and service providers, yet few good solutions exist that are able to improve the uptime and security of enterprise applications.

Although organizations have strategies in place that mitigate a range of existing security threats, most seem unprepared to address the new breed of DDoS attacks, which leverage large distributed ‘botnet’ networks of compromised zombie machines to launch simultaneous attacks using compliant protocols that are very difficult to detect and even harder to mitigate at scale. It is clear that additional solutions are needed to complement existing security infrastructure in a layered defense model.

Depending on the DDoS attack type, a victim’s Internet connection can become saturated, network security services may become overwhelmed trying to inspect the intense volume of zombie traffic, or application servers can become exhausted trying to respond to the many botnet requests.

Solutions are not easy to integrate. Deploying DDoS protection services in an existing network can be challenging since these may introduce choke points and increase latency for the services they are trying to protect. Service providers often deal with many different network architectures and have invested in an existing security strategy. Network operators want to stick to their choice of network analysis and security detection solutions, and require DDoS mitigation devices that can integrate with and complement solutions from different vendors.

Recently, vendors have begun to tilt the cybercrime-vs-security solution balance back in favor of the good guys. The most advanced next-generation threat protection solutions provide high-performance, network-wide protection against DDoS attacks and preserve service availability against multiple classes of attack vectors, including volumetric, protocol, resource and advanced application-layer attacks. Their multi-level DDoS protection is aimed at dramatically improving service availability: each class of attack can be detected quickly and mitigated before a service becomes unavailable.

Advanced solutions allow a baseline of normal traffic to be established, so that traffic anomalies can be recognized quickly. In addition, customized actions can be taken against advanced application-layer (L7) attacks as needed with deep-packet inspection (DPI) scripting technology.
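As an added illustration of the baselining approach described above (this is not A10's code, but a simplified model using constructed per-second request counts): a baseline of normal load is summarised as a mean and spread, and a live window is flagged only when it exceeds the baseline for several consecutive intervals, so a single bursty second does not raise a DDoS alert.

```python
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    mean: float   # average requests per interval under normal load
    stdev: float  # spread of that normal load

    def threshold(self, k: float) -> float:
        # Floor the spread at 1 request so a perfectly flat baseline still
        # leaves headroom instead of alerting on any +1 deviation.
        return self.mean + k * max(self.stdev, 1.0)


def build_baseline(counts: list[int]) -> Baseline:
    """Summarise a training window of per-interval request counts (normal traffic)."""
    if len(counts) < 2:
        raise ValueError("need at least two samples to estimate a baseline")
    return Baseline(statistics.fmean(counts), statistics.pstdev(counts))


def detect_flood(baseline: Baseline, counts: list[int], k: float = 3.0,
                 min_consecutive: int = 2) -> list[int]:
    """Return indices of intervals belonging to a sustained spike above the
    baseline (mean + k * stdev). A run is reported only once it has lasted at
    least `min_consecutive` intervals."""
    limit = baseline.threshold(k)
    flagged: list[int] = []
    run: list[int] = []
    for i, c in enumerate(counts + [0]):  # trailing sentinel closes a final run
        if c > limit:
            run.append(i)
            continue
        if len(run) >= min_consecutive:
            flagged.extend(run)
        run = []
    return flagged


# Constructed sample: 10 s of normal load, then a live window with one isolated
# burst (index 2) and a sustained flood (indices 5-8).
NORMAL = [100, 104, 96, 102, 98, 100, 103, 97, 101, 99]
LIVE = [101, 99, 130, 98, 100, 400, 850, 1200, 1100, 102]

if __name__ == "__main__":
    base = build_baseline(NORMAL)
    print(f"mean={base.mean:.1f} stdev={base.stdev:.2f} limit={base.threshold(3.0):.1f}")
    print("flood intervals:", detect_flood(base, LIVE))
```

In a real deployment the baseline would be re-estimated per time of day and per protected service, and the flagged intervals would drive a mitigation policy rather than just a print.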

Most of all, next-generation threat protection solutions are required to provide performance scalability to meet growing attack scale. With DDoS mitigation capacity ranging up to 155 Gbps, DDoS attacks can be handled effectively. The best of these solutions are equipped with high-performance field programmable gate array (FPGA)-based flexible traffic acceleration technology that allows the immediate detection and mitigation of 30-plus common attack vectors in hardware (SYN cookies, for example) without impacting the core system's general-purpose CPUs. More complex application-layer (L7) attacks (HTTP, SSL, DNS, etc.) are processed by the latest CPUs. Scaling can be maintained by distributing multi-vector detection and mitigation functions across the most suitable system resources, so that application-layer attacks such as Slowloris can be mitigated as well.

Next-generation technology can be integrated easily into network architectures of any size, and can interact with custom or third-party detection solutions. Some also provide robust support for integrating best-in-class third-party security services, whose output can be applied through blacklists, whitelists and other rule sets.

To ensure that data centre resources remain available, high-performance and sophisticated features are provided in the most efficient hardware form factors, to mitigate the largest and most complex DDoS attacks. The combination of high performance in a small form factor results in lower operating expenditure through significantly lower power usage, reduced rack space, and lower cooling requirements.

Hayato Koeda is Vice President Asia Pacific Japan, A10 Networks