Devastating multi-vector distributed denial of service (DDoS) attacks continue to make the news. Two complex assaults on internet infrastructure company Dyn late October, that some reports claim to be in the 1.2 Tbps range, took down popular websites including Twitter, Netflix, Pinterest, Paypal, Spotify, Airbnb and Reddit.
Weak devices, soft targets
Dyn officials had noted both attack and legitimate traffic coming from millions of IPs across all geographies, which use the Domain Name System (DNS) protocol. They have confirmed that the attacks relied on compounding recursive DNS retry traffic and at least one botnet that hijacked up to 100,000 malicious endpoints – likely to be internet-connected devices like cameras, printers and home routers – to flood the targeted sites with overwhelming traffic.
The high-profile incident at Dyn was among a host of recent DDoS attacks that leveraged botnets comprising hundreds of thousands of unsecured Internet of Things (IoT) devices. They included a series of DDoS attacks as huge as 800 Gbps that hit European web hosting company OVH. Its CTO Octave Klaba shared on Twitter that the attack was aided by a botnet made up of nearly 150,000 digital video recorders and IP cameras capable of sending 1.5 Tbps in DDoS traffic.
Security researchers have often warned that IoT devices, which typically lack basic security controls, can be easily hijacked by cybercriminals and added to a botnet to launch a DDoS attack.
“It just takes seconds to grab a device and use it as a botnet for a DDoS attack,” says Dr Chase Cunningham, A10 Networks’ director of Cyber Operations, in a blog post. “Just look at the Mirai botnet that has infected more than 150,000 IoT devices. That’s what’s so scary about IoT; security holes and vulnerabilities can literally lurk anywhere – and the most dangerous ones are the ones you don’t even think about, or you didn’t know could be hacked.”
Organizations have invariably become susceptible targets to these IoT-driven DDoS attacks aimed at causing maximum disruption to their business. Hence, the need to protect critical applications and defend against a variety of internal and external threats is greater than ever.
Dyn, for instance, augmented its automated response techniques with additional mitigation tactics to counter the abrupt ramp-up time and multi-vectored nature of the DDoS attack. Its engineering and network operations teams used incoming traffic shaping, rebalanced traffic by manipulating anycast policies, applied internal filtering, and deployed scrubbing services.
In the 2016 IDG Connect DDoS Survey commissioned by A10 Networks, 34% of IT decision makers polled are convinced that the most effective defense solution to handle a multi-vector DDoS threat is a hybrid approach using on-premise protection and cloud bursting. The survey respondents also noted how attacks are increasingly being used in more sophisticated ways, including extortion and as smokescreens that tie up cyber defense resources while criminals carry out other targeted attacks.
According to the IDG report, the average company suffers 15 DDoS attacks per year, with average attacks causing at least 17 hours of effective downtime, including slowdowns, denied customer access or crashes. In response, more than half of them plan to increase anti-DDoS budgets in the next 12 months.
Already, the cost of DoS attacks are trending upward. The average cost of a DoS attack in 2011 was US$187,506 and this increased to $255,470 in 2015, according to Ponemon Institute. The cost of DoS attacks per incident can be as high as $2.35 million with recovery and detection activities representing more than half of the total internal cost.
“DDoS attacks are called ‘sudden death’ for good reason,” says Raj Jalan, CTO of A10 Networks. “If left unaddressed, the costs will include lost business, time-to-service restoration and a decline in customer satisfaction. The good news is our findings show that security teams are making DDoS prevention a top priority. With a better threat prevention system, they can turn an urgent business threat into an FYI-level notification.”
Spurred by that objective, A10 Networks is helping organizations to secure networks and applications against massive IoT-powered DDoS attacks with its Thunder ADC appliances that offer application-level protection and Thunder Threat Protection System (TPS) high-performance solutions.
The A10 Thunder TPS is designed to block multi-vector DDoS attacks – detecting and mitigating them at the network edge and functioning as a first line of defense for the network infrastructure. The high-end A10 Thunder 14045 TPS, for instance, packs 300 Gbps of mitigation throughput capacity or 2.4 terabits per second in a cluster, for service providers, web 2.0 and cloud providers.
Open hybrid path
Organizations can also enable hybrid DDoS mitigation strategies by coupling the Thunder TPS’ on-premise DDoS protection with subscription to Verisign’s cloud-based DDoS Protection Service. The A10 Thunder TPS functions as a DDoS detector and sends signals – using Verisign’s OpenHybrid API – that swing traffic to the cloud service when volumetric DDoS protection is needed.
Leveraging a RESTful API as well as open signaling standards, the Thunder TPS mitigation also integrates easily with existing DDoS detection solutions while DevOps can increase operational agility with event-based scripting.
For smarter DDoS attack detection and dynamic mitigation, the Thunder TPS ensures precision in detecting anomalies by establishing traffic baselines based on multi-protocol behavioral indicators of peacetime network conditions. Dynamic mitigation policies then escalate suspect traffic through progressively tougher countermeasures to minimize legitimate traffic drops.
This is a QuestexAsia feature commissioned by A10 Networks.