New Year, More of the Same: DDoS Attacks Will Increase - Is Your Defense Ready?

Blog Post created by charliekraus on Jan 6, 2017

Note: This blog is the first of a series of covering protection of your content, applications, and access to them and will discuss the state of DDoS attacks and defense strategies.


Are You Ready for a Safe and Secure 2017? 

Distributed Denial of Service (DDoS) attacks were prominently in the news in 2016 and they are not going away any time soon.  Most observers expect the frequency and size of DDoS attacks will increase during 2017. Part of the reason being the ease by which DDoS attacks can be launched using the Mirai tool, made famous by the attack against internet infrastructure company Dyn, and several large telecom and financial institutions in Europe.


Several aspects of the Dyn attack attracted significant  of attention. First was the massive scope of the attack – a sustained 1.2 Tbps over the course of 24 hours. Second was that the attack was against internet infrastructure – the Dyn DNS service, which brought down access to websites of organizations that relied on Dyn. Third is that the Mirai tool comes with access to compromised internet connected devices to launch attacks from. It’s quite possible the Dyn attack was a “weapons test,” trying the capabilities of the Mirai botnet, and to observe the reactions and recovery strategies, in preparation for future usage against an organization.


Defending Against DDoS Attacks

Before discussing defenses against DDoS attacks, it’s important to have a good understanding of what DDoS attacks are and how they are constructed. There is an excellent primer from digitalattackmap that explains how attacks are launched and an interactive live map showing global attack activity. If you’re not aware of the massive scale of attack activity, a few minutes spent viewing the live map will be enlightening and frightening.


There are two fundamental ways to protect against attacks: On premise defense nodes, and cloud-based protection. Hardware based network nodes deployed between the internet and an organization’s network have been a popular solution. These devices contain software that can detect the signatures of attacks, and only pass legitimate traffic through to the network. The problem today is the attack volume can be so large that the defense node cannot keep up, resulting in user access to a website being blocked. The reality is on premise DDoS defense nodes are now passé.

What is rapidly becoming the go to solution is cloud-based protection. Defending against massive volumetric attacks such as Mirai requires a large defense surface, exactly what is provided when DDoS attack interceptor technology is integrated with a Content Delivery Network (CDN). This is effective because multiple defense nodes are deployed globally within a CDN. Spreading out the attack detection in combination with a CDNs capability to absorb attacks before they reach the target, provides robust attack mitigation.


While cloud-based defenses are effective today, the sophistication of Mirai and the large number of internet connected devices result in escalation of attack volume that may exceed the ability of even the best cloud defenses to protect against.


What’s the Core Problem Here?

The Mirai tool and its variants have changed the security landscape because there are millions of devices that are connected to the internet as potential targets to be taken over and used as an instant "army" for attackers.  While the number devices still vulnerable to being infected may be reducing as software patches are developed and deployed, recent attacks show the impact that this tool can have and the importance of ensuring that security is a fundamental pillar of all system, software and service delivery. In recent cases there has been an attack targeted at home broadband routers and other consumer devices, specifically those with internet facing management interfaces that have been left unsecured and therefore allow a version of  Mirai to infect them.


There seems to be a few significant issues at play here. Firstly there is the fact that internet facing interfaces on some manufacturer's broadband routers are being left unsecured, allowing for remote, administrator level management with no authentication, and secondly it has been reported that some of the devices contain functionality that is vulnerable command injection.


What’s the Solution?

Internet-connected device manufacturers in particular are now seeing that their consumer & CPE devices are vulnerable to being infected and taken over to be used as part of very large scale attacks.  What must be done here is to re-assess how devices are configured before they are sent to consumers, what the default security options are for all interfaces and how individual software components operate within the devices. It is no longer appropriate to assume that interfaces can be left unsecured when shipping equipment to customers, or that the authentication and system will not be compromised, or that these devices are not of interest to attackers. This shift in the paradigm of online security thinking requires significant review of how the software and services that are running on the devices are architected. With the growing popularity of “Internet of Things” devices, allowing these to connect to the internet with default passwords and configurations is simply not acceptable!


Best Practices Right Now

It will take time for the necessary security improvements to internet connected devices to reach the installed base. In the meantime there are steps organizations can take to protect themselves.

  • Implement the latest state of the art DDoS attack defenses. This means at the very least cloud-based protection integrated with a CDN. 
  • Redundancy of critical infrastructure such as webserver content origins and DNS service. The Dyn customers who recovered rapidly from the DDoS attack had a secondary DNS service and switched over.


More to Come

The next blog in this series will cover web application protection with a Web Application Firewall. Also as part of this series will be updates on events that may occur related to security issues.  See you here next week!