Distributed Denial of Service (DDoS) attacks have been around for quite a while, and their profile was raised again last month when Dyn Inc., one of the largest DNS providers, was hit with a very large scale attack (tens of millions of zombie agents) that affected more than 65 key Internet sites on the East coast of the U.S., including Twitter, Reddit, and the NY Times. This attack was unique in its scale, and also in the fact that the perpetrators apparently leveraged a botnet based on millions of compromised IoT devices such as IP cameras, baby monitors, and residential gateways.
A Denial of Service (DoS) attack is one that prevents legitimate users from accessing a network resource. A Distributed Denial of Service (DDoS) attack is a variant that uses multiple network entities to attack the target. By utilizing many network devices to mount the assault, the traffic is amplified over what a single attacker could reasonably generate. In addition, the use of many attacker nodes can help conceal the identity of the attacker and complicate the task of mitigation since it can be difficult to separate the normal “good” traffic from the attack traffic.
The attacker will typically have access to a very large number of Internet-connected computer systems – referred to as the zombie agents or a botnet – that can be controlled centrally to send out the desired attack traffic. In most cases, these zombie machines are simply computers or other devices that have been hijacked for this purpose, often without the owners realizing it.
The attacks are designed to have the biggest possible impact on the target’s network, servers, and resources (e.g. consuming a large portion of the compute and/or memory resources to reduce the server’s ability to respond to legitimate users). Volumetric attacks are the most commonly seen; they rely on flooding the target servers with an overwhelming number of packets. Various attack vectors fall into this category, including SYN floods and ICMP attacks; an ICMP attack might, for example, be a PING flood that sends a huge number of ICMP Echo Requests to the target. Application Layer attacks (the type used in the recent DNS DDoS event) can be more effective, as they cause specific applications running on the server to expend resources and therefore compromise the system’s ability to respond to legitimate traffic.
As with many security threats, the problem is compounded by skilled hackers posting easy-to-use tools for mounting DDoS attacks, which opens the field to a wide range of less skilled adversaries.
There are various approaches to defending against DDoS attacks, including cloud services that filter traffic through a DDoS-screen before the packets are forwarded to the application servers or appliance solutions that can be positioned at the edges of a network. The appliance solutions include custom DDoS-mitigation devices, firewalls or Intrusion Prevention Systems. In some cases IT operators use server configuration tools to help limit the attack surface by allowing the servers to ignore certain sources of traffic or types of messages.
However, many of the old DDoS protection methods do not stand up in the face of the massive scale of recent attacks (note that the DNS one used tens of millions of IP addresses in the “zombie bot-net” to initiate the attack). These types of attack are likely to increase with time as the proliferation of Internet-connected devices continues. IoT devices are particularly vulnerable to being compromised as unwitting “zombies” since they are often not designed with strong security features, and whatever features ARE installed by the factory may not be updated in the field as new threats appear.
Furthermore, with the co-mingling of users and applications in the cloud, the older model where DDoS attacks originate from “out there” is breaking down. In cloud-based deployments, threats can originate inside the data center and so the model of protection has to change as well. An externally-hosted DDoS scrubbing web service will not protect against the internally-sourced threats.
A hybrid DDoS protection approach is proving to be the answer to the evolving threat landscape. Externally sourced volumetric attacks can be mitigated through Cloud DDoS offerings – powered either by large numbers of servers capable of absorbing and filtering the attack or by very high performance DDoS networking appliances.
To address sophisticated application layer attacks – as well as threats originating on the inside – a distributed defense within the datacenter is called for. This means having DDoS protection in front of and within the network and switching fabric, as well as at the servers themselves.
This approach has the following advantages:
With a distributed deployment, an SDN (Software-Defined Networking) model can be followed. Monitoring and telemetry on the network activity is done at many nodes throughout the data center and reported back to centralized DDoS controllers. The controllers then respond to attacks by programming filtering rules into the distributed DDoS protection agents located throughout the data center. Decoupling the control and data-planes has been shown to have numerous benefits in the switching and routing arena and those same advantages also apply to security services.
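The control loop just described, as an added example that is not part of the original post or of any Mellanox product: distributed agents report per-source SYN counts to a central controller, which aggregates them and programs a drop rule into every agent once the data-center-wide total crosses a threshold. The agent names, telemetry format, addresses and threshold are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class TelemetryReport:
    """One agent's per-source SYN count for a monitoring window (hypothetical format)."""
    agent: str
    source: str
    syn_packets: int


@dataclass
class FilterRule:
    action: str
    source: str
    reason: str


class DDoSController:
    """Centralized controller: sums each source's SYN count across all agents and,
    when the total exceeds the threshold, pushes one drop rule to every agent."""

    def __init__(self, syn_threshold: int, agents):
        self.syn_threshold = syn_threshold
        self.agents = {a: [] for a in agents}  # agent id -> rules installed on it
        self.blocked = set()

    def ingest(self, reports):
        totals = defaultdict(int)
        for r in reports:
            totals[r.source] += r.syn_packets
        new_rules = []
        for src, total in totals.items():
            if total > self.syn_threshold and src not in self.blocked:
                rule = FilterRule("drop", src, f"SYN count {total}/window exceeds {self.syn_threshold}")
                self.blocked.add(src)
                for rules in self.agents.values():   # program the whole distributed data plane
                    rules.append(rule)
                new_rules.append(rule)
        return new_rules


AGENTS = ["leaf-1", "leaf-2", "leaf-3", "leaf-4"]

# Constructed telemetry for one window: the flood is spread thin across agents,
# so no single agent's view crosses the threshold; only the aggregate does.
SAMPLE_REPORTS = [TelemetryReport(a, "203.0.113.7", 400) for a in AGENTS] + \
                 [TelemetryReport(a, "198.51.100.5", 50) for a in AGENTS]


def run_demo():
    controller = DDoSController(syn_threshold=1000, agents=AGENTS)
    rules = controller.ingest(SAMPLE_REPORTS)
    return controller, rules
```

The point of the aggregation is visible in the sample: each agent sees only 400 SYNs from the flooding source, below the threshold, but the controller's total of 1600 triggers a rule that lands on all four agents.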
In the next blog in this series, we’ll explore ways in which Mellanox technology can be utilized to implement next generation DDoS protection solutions.
Please also sign up for our webinar to be held on this topic on Dec 13th at 10:00am PST.