
Denial of Service Q&A with Corero Network Security

Calculating the financial impact of a cyber incident can be a significant challenge when considering both direct costs, such as money, data or IP stolen, and indirect costs like reputational damage, litigation or financial penalties.

But what about the financial impact of having an ecommerce site unavailable for minutes, tens of minutes, or even hours? What would the impact be if employees could not access a corporate system for an extended period?

One of the top reasons for unscheduled downtime is an overloaded system, where demand exceeds capacity, rendering the service unavailable. Consider an ecommerce website during Black Friday or Cyber Monday – the sheer number of users on the system can quickly render the host useless. However, organisations can usually plan for such periods of increased demand and deliver a full service.

Alternatively, unexpected and prolonged downtime could be the result of a denial of service (DoS) or distributed denial of service (DDoS) attack. During such attacks, a targeted system or resource is, usually without warning, deliberately flooded with fabricated traffic designed to overwhelm it. The more requests the host receives, the more thinly resources are spread, until the server eventually reaches full capacity. The result is an exceptionally slow or completely unavailable service, preventing legitimate user access.

While a DoS attack is typically sourced from a single ‘perpetrator’ computer and internet connection, a distributed denial of service (DDoS) attack is sourced from multiple computing devices. These orchestrated attacks are powered by a huge number of ‘zombie’ internet connected machines which can be controlled remotely – usually without the owners’ knowledge or permission. Computers that have been seized in this manner are called ‘bots’ and their dispersed nature makes them much harder to stop.

What is the main purpose of a DoS or DDoS attack?

Like much of the security landscape, distributed denial of service attacks are continually evolving in their sophistication and purpose. Now often used to extort payment from businesses, these types of attacks are also used for political means.

Recent events include a sustained DDoS attack on the news website Business Wire, which lasted for a number of days and restricted access in an apparent bid to damage the company's competitiveness. The widely reported Mirai botnet changed the game by compromising hundreds of thousands of IoT devices to form a DDoS botnet that claimed many victims in the US, including Dyn's DNS infrastructure, which in turn disrupted many social media and gaming services, including PlayStation and Xbox Live.

In each instance the cost of the attack will vary depending on several factors, including the duration of the downtime and the number of users affected. However, a recent report from Gartner calculated that the average cost of downtime can be as much as $5,600 per minute. As a result, many organisations are now looking to protect their service availability with real-time DDoS solutions.

To get some further clarity on DDoS attacks, and how organisations can protect themselves, we spoke to Sean Newman, Product Management Director at Corero Network Security.

Q&A with Sean Newman from Corero Network Security

DoS attacks are typically aimed at the application layer, which does not need a high packet rate, just specially crafted requests. However, these are only around 2% of all attacks and best dealt with close to the application servers, using DoS capabilities available in Web Application Firewall (WAF) products, as these are already required for load balancing and SSL decryption offload purposes.

Unlike DoS, DDoS typically manifests itself as huge volumes of junk packets directed at Layer 3 and 4, with some Layer 7, designed to overwhelm network links and any stateful infrastructure devices it hits. This Volumetric DDoS makes up around 98% of all attacks and is best dealt with right at the perimeter, to prevent large volumes of junk traffic clogging up internal networks and impacting infrastructure devices, including Routers, Firewalls and IPSs.

Today, attacks are increasingly derived from IoT devices (home routers, webcams, DVRs, etc.) that are recruited into botnets, and often leveraging further amplification techniques, including Domain Name Server (DNS) and Network Time Protocol (NTP) reflection, to increase the scale of the attacks. Exposed Memcached servers were also exploited successfully earlier this year, demonstrating attackers' continued innovation. However, in this case, once exposed, this attack vector was rapidly neutralised by the host server owners/operators.

Yes, the latest generation of always-on, automatic, real-time solutions can detect and block DDoS attacks, of all sizes, whether they saturate links or present themselves as smaller sub-saturating traffic flows. By inspecting every incoming packet, at line-rate, it is possible to prevent attacks from succeeding by detecting the DDoS flows and surgically blocking only packets which belong to the attack, leaving packets from legitimate connections to continue to their destination. By focusing on detecting DDoS flows, rather than trying to profile the legitimate traffic, any risk of blocking good traffic is virtually eliminated.
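The approach in the answer above (detect the DDoS flows themselves, then drop only the packets that belong to them while legitimate connections continue) and the DNS/NTP/memcached reflection vectors mentioned earlier can be illustrated with a small detector. This is an added example written for this page, not Corero's code or the SmartWall logic; the packet record format, the reflector port list, the thresholds (one-second windows, ten distinct reflectors), the addresses and the capture are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Source ports of services commonly abused as reflectors. Treating unsolicited,
# large UDP traffic *from* these ports as reflection candidates is the
# assumption behind this detector (illustrative, not a vendor rule set).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached", 1900: "SSDP"}

WEB = "198.51.100.10"      # our web server (constructed address)
RESOLVER = "192.0.2.53"    # the resolver we legitimately query (constructed)


@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    sport: int
    dport: int
    length: int    # bytes on the wire


def is_reflection_candidate(pkt, known_servers):
    """Large UDP packet from a reflector port, sent by a host we never query."""
    return (pkt.proto == "udp" and pkt.sport in REFLECTOR_PORTS
            and pkt.src not in known_servers and pkt.length >= 512)


def classify(packets, known_servers, window=1.0, min_sources=10):
    """Split packets into (blocked, passed).

    Per window and per (dst, reflector port): if candidates arrive from at
    least `min_sources` distinct reflectors, every candidate for that key is
    attack traffic and is blocked. Everything else, including the small
    answers our own resolver sends from port 53, passes untouched. Nothing is
    learned about what "normal" traffic looks like; only the attack is modelled.
    """
    candidates = defaultdict(set)               # key -> distinct source IPs
    for p in packets:
        if is_reflection_candidate(p, known_servers):
            candidates[(int(p.ts // window), p.dst, p.sport)].add(p.src)
    attack_keys = {k for k, srcs in candidates.items() if len(srcs) >= min_sources}

    blocked, passed = [], []
    for p in packets:
        key = (int(p.ts // window), p.dst, p.sport)
        if key in attack_keys and is_reflection_candidate(p, known_servers):
            blocked.append(p)
        else:
            passed.append(p)
    return blocked, passed


def block_rules(blocked):
    """The narrow filter the decision translates to: (dst, 'udp', reflector port)."""
    return {(p.dst, p.proto, p.sport) for p in blocked}


def peak_bps(packets, window=1.0):
    """Peak bits per second over fixed windows, to compare against the link size."""
    bits = defaultdict(int)
    for p in packets:
        bits[int(p.ts // window)] += p.length * 8
    return int(max(bits.values(), default=0) / window)


def sample_traffic():
    """Constructed capture: 50 HTTPS packets from 20 clients, 50 small DNS answers
    from our resolver, and an NTP reflection burst of 200 near-MTU packets from
    40 distinct NTP servers, all arriving within the same second."""
    legit = [Packet(0.01 * i, f"203.0.113.{i % 20 + 1}", WEB, "tcp", 40000 + i, 443, 1400)
             for i in range(50)]
    legit += [Packet(0.01 * i, RESOLVER, WEB, "udp", 53, 33000 + i, 120)
              for i in range(50)]
    attack = [Packet(i / 200, f"198.18.{i % 40}.1", WEB, "udp", 123, 40000 + i, 1400)
              for i in range(200)]
    return legit + attack


if __name__ == "__main__":
    pkts = sample_traffic()
    blocked, passed = classify(pkts, {RESOLVER})
    print(f"blocked {len(blocked)} attack packets, passed {len(passed)} legitimate packets")
    print("filter rules:", block_rules(blocked))
    print(f"peak rate {peak_bps(pkts) / 1e6:.2f} Mbit/s, sub-saturating on a 1 Gbit/s link")
```

The decision key is (destination, reflector port), so the resulting rule drops the amplified NTP replies aimed at the web server without touching the resolver's real DNS answers or the HTTPS sessions. The peak rate of the sample is a few megabits, far below any real link, which is the sub-saturating case where a volume-only alarm would stay silent. A flood coming from a single reflector has fewer distinct sources than the threshold and is not caught by this rule; a production engine would also apply a per-source rate limit, which is omitted here.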

The most obvious indicator is when Internet connections fill up solid with traffic. However, with the amount of internet bandwidth many organisations have today, the effects are often subtler, with servers and web facing applications responding slowly or intermittently and, in the extreme, becoming completely unresponsive.

The best advice is to take a proactive stance and have protection in place before you become the victim of an attack, that way your services and applications stay online. Without specific DDoS protection, your only option is to block all traffic to the target, which will protect it and enable IT teams to recover, but the service or application will still be offline for the duration of the attack, with all the potentially significant financial and reputational costs that incurs.

Prevention is the best approach, as recovery is time consuming and costly, due to lost business, customer confidence and manpower consumed. Corero’s Half Year 2018 DDoS Trends Report shows that low-volume, short-duration attacks are the most common form of DDoS, with 77% of attacks lasting 10 minutes or less, and 94% of attacks 5Gbps or less in size.

Banking has already been a significant target of DDoS over the past few years – Barclays, Lloyds and others have all been hit – other Critical National Infrastructure impacts could be much more serious. However, these are much less likely, as they would almost certainly be the result of nation state or terrorist attacks, rather than regular cyber criminals.

There’s no real difference from on-premises attacks – it typically just depends on the applications and services that are targeted.


These types of attacks have typically been used for competitive reasons between platforms, or to manipulate trading values. The expectation is that these will still be common motives in the future, as long as cryptocurrencies maintain their popularity.

Smaller attacks can blend in with regular traffic volumes to evade detection by manual or legacy methods, but can be just as damaging. Attacks of a few gigabits, or less, are still large enough to overwhelm servers and impact application responsiveness and availability.


In many respects, the future is now. Compared to only a few years ago, the requirements for an effective DDoS defence have already changed. If an organisation values their online presence, they need to ensure their services and applications are always available and running at peak performance. This is only going to be possible if they have deployed DDoS protection that is real-time and automatic.


About Corero Network Security

Distributed Denial of Service (DDoS) attacks continue to rise in size, frequency, and complexity, impacting the security and availability of the Internet. Service providers and the Internet connected business require automatic protection against this evolving threat landscape.

Corero Network Security is dedicated to improving the security and availability of the Internet through the deployment of innovative DDoS & Network Security Solutions. The Corero SmartWall® Threat Defense System (TDS) family of products can be deployed in various topologies (in-line or scrubbing) and utilises a modern DDoS mitigation architecture to automatically and surgically remove DDoS attack traffic, while allowing good user traffic to flow uninterrupted.

Corero US headquarters are located in Marlborough, Massachusetts, and its European headquarters are in London, England with additional offices throughout the world.

About Sean Newman

Sean Newman is Director Product Management for Corero Network Security.

Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA.

Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.
