It's time to research new ways to fight DDoS attacks
- 07 April, 2015 05:01
Almost one in five (18 per cent) of businesses experienced a distributed denial-of-service attack within a year-long timeframe, according to the Global IT Security Risks Survey 2014 - Distributed Denial of Service (DDoS) Attacks from Kaspersky Labs and B2B International.
The data applies to the period from April 2013 to May 2014. The survey's 3900 respondents represented very small to very large companies from 27 countries.
According to the same survey, on average, 61 per cent of businesses felt it was the responsibility of their own IT departments and management teams to defend them against DDoS attacks. Twenty-one per cent of those surveyed believed it was the responsibility of their network service provider or their website/hosting provider to protect them from the threat of Distributed Denial of Service.
"Large businesses were much more likely to rely on internal resources, whereas small businesses were more likely to expect help from these external service providers," the Kaspersky / B2B International survey said. But none of these entities (NSPs, web hosts, IT departments, or enterprise management teams) is necessarily equipped to mitigate DDoS attacks.
Damages per DDoS incident range up to $444,000, according to the survey data. It will surely pay enterprises to adjust their assumptions about who should fight DDoS attacks and to take other action.
This couldn't be more true given that criminal hackers are already weaponizing IoT devices to add them to the botnets they use to launch these attacks, making the onslaught of DDoS larger and more complex. Case in point, the hacker group known as the Lizard Squad used a botnet of personal home routers to launch a DDoS attack on both the PlayStation Network and Xbox Live, according to Dave Larson, CTO, Corero Network Security.
With a current installed base of active wirelessly connected devices exceeding 16 billion last year and projected to reach 40.9 billion by 2020, according to ABI Research, the number of devices certainly warrants sounding the alarm on the potential size of IoT-enabled DDoS botnets.
How big is the threat posed by DDoS attacks that use botnets that include IoT devices? Are NSPs, webhosts, and internal resources enough to combat these attacks?
The threat of DDoS with IoT botnets
DDoS attacks have grown in size and complexity as hackers add IoT devices to the machines they already incorporate into their botnets. IoT device fleets give criminal hackers access to virtually unlimited botnet armies.
Hackers are using rootkits with weaponized payloads to infect embedded Linux on IoT devices such as cell phones, thermostats, and smart appliances, which vendors have equipped with ARM processors. Due to the sheer number of IoT devices out there, 16 billion per the aforementioned ABI Research data, these botnets could grow to many times the size of legacy botnets.
Case in point: massive botnet attacks, perpetrated by foreign hackers from September of last year through at least February, recruited IoT devices across the globe as well as x86 servers running Linux.
Based on the attack source code, the command and control IP addresses, and the payload, these botnet attacks appeared to be a new attack vector for spreading an ELF DDoS'er threat variant, according to a blog post from members of the anti-malware group called "Malware Must Die!" in Germany, who first uncovered these attacks.
Here is the story of one series of these attacks: On Nov. 15, 2014, a botnet hit FireEye servers using brute force SSH attacks, according to "Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited", FireEye. By the close of January, the botnet had attacked each server with almost 1 million login attempts, according to FireEye. During this period, the attacks accounted for nearly two-thirds of traffic to Port 22 on those servers, according to FireEye data.
According to FireEye, the China-based culprits behind the attacks, Hee Thai Limited, intended the SSH brute-forcing campaign to infect systems with the XOR.DDoS malware. Unlike most DDoS bots, XOR.DDoS is multi-platform: attackers can recompile its C/C++ source code to target many platforms, at least 41 so far, according to FireEye.
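The campaign described above is visible to a defender long before infection as a flood of failed logins from a handful of sources. The following script is an added example (not from the article, FireEye, or any vendor mentioned here) that parses constructed OpenSSH auth-log lines, counts password failures per source address, flags sources over a threshold, and reports what share of all SSH events those sources account for, the same kind of figure FireEye quoted for port 22. The log lines, addresses, and the threshold of five failures are all assumptions for illustration.

```python
"""Flag SSH brute-force sources from sshd log lines.

Added example, not code from the article or from FireEye. The sample log,
addresses and the failure threshold below are constructed assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of OpenSSH auth messages (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
Nov 15 03:12:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 15 03:12:02 host sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Nov 15 03:12:02 host sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Nov 15 03:12:03 host sshd[2204]: Failed password for root from 203.0.113.7 port 51237 ssh2
Nov 15 03:12:03 host sshd[2205]: Failed password for oracle from 203.0.113.7 port 51238 ssh2
Nov 15 03:12:04 host sshd[2206]: Failed password for root from 198.51.100.9 port 40001 ssh2
Nov 15 03:12:05 host sshd[2207]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Nov 15 03:12:06 host sshd[2208]: Failed password for root from 198.51.100.9 port 40002 ssh2
Nov 15 03:12:07 host sshd[2209]: Failed password for ubuntu from 198.51.100.9 port 40003 ssh2
Nov 15 03:12:08 host sshd[2210]: Connection closed by 192.0.2.11 port 55001 [preauth]
"""

# Matches the three sshd message shapes used in the sample: failures, accepts, and closes.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Failed password|Accepted \w+|Connection closed) "
    r"(?:for (?:invalid user )?(?P<user>\S+) )?(?:from|by) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_events(text):
    """Return one dict per recognised sshd line: event, user (may be None), ip, port."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def brute_force_sources(events, threshold=5):
    """Sources with at least `threshold` failed passwords, with the usernames they tried.

    A spread of usernames from one address is the classic credential-guessing signature.
    """
    failures = Counter()
    users = defaultdict(set)
    for e in events:
        if e["event"] == "Failed password":
            failures[e["ip"]] += 1
            users[e["ip"]].add(e["user"])
    return {ip: {"failures": n, "users": sorted(users[ip])}
            for ip, n in failures.items() if n >= threshold}


def share_of_events(events, ips):
    """Fraction of all parsed SSH events that came from the given source addresses."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["ip"] in ips) / len(events)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    flagged = brute_force_sources(evts)
    for ip, info in flagged.items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
    print(f"share of SSH events from flagged sources: {share_of_events(evts, set(flagged)):.0%}")
```

In practice the threshold would be applied per time window and the flagged addresses fed to a firewall or fail2ban-style blocker; the point here is that the signal (many failures, many usernames, one source) is cheap to extract from logs that are already being written.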
Why NSPs, Webhosts and internal resources aren't enough
Some large NSPs such as big telcos have cloud-based tools and services to re-route and scrub customer traffic to remove DDoS attacks. But where enterprises use two or more Internet providers, to satisfy regulatory requirements for example, every one of those NSPs must be able to combat today's vast and complex DDoS attacks.
"Not all large telcos have efficient protection against these sophisticated layer-7 attacks," said Evgeny Vigovsky, Head of Kaspersky DDoS Protection, Kaspersky Labs.
Since large, overwhelming DDoS attacks--those that use more bandwidth than an enterprise has available--require purpose-built solutions with a great deal of bandwidth, webhosts, IT departments, and enterprise management are also unprepared to filter out DDoS traffic.
"When bots act like real users, such as with making login attempts, businesses must have extremely granular tools and accompanying experts to detect and filter out sophisticated DDoS attacks while ensuring a low rate of false positives," said Vigovsky. These layer-7 / application layer attacks can be too complex for NSPs that don't have the proper resources.
Mitigating the morphing DDoS botnet attack landscape
Specialists dedicated to anti-DDoS protection are an alternative to big telcos. There are several firms in this field such as Kaspersky Labs, Corero Network Security, Imperva's Incapsula, and Akamai's Prolexic. Such anti-DDoS providers should have cleaning / scrubbing centers, anti-DDoS experts, and anti-DDoS as a core business, said Vigovsky.
Traffic differentiation is an important part of what anti-DDoS firms can offer. To determine whether incoming traffic is malicious, enterprises must differentiate between solicited and unsolicited traffic, IP addresses that are and are not part of the user base, and baseline and anomalous traffic behaviors, according to Larson.
Enterprises must then harden the network edge against such attacks. Due to the varied nature and purpose of different sizes of attacks--smaller attacks may simply cover the tracks of an APT, for example--the enterprise should mitigate all sizes, types, and complexities of attacks.
"Our recommendation is to use hybrid cloud and on-premise DDoS mitigation strategies," said Larson. On premises, use layered security measures, including a network edge appliance targeted at DDoS protection that can inspect packets in real time.
The secondary element of protection is a tightly-coupled signal between the on-premise edge appliance and the cloud DDoS protection provider, said Larson. "In cases where an attack is larger than your available bandwidth and will stop all your traffic, you need to reroute traffic through the cloud-based scrubbing element in real-time."
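The traffic differentiation Larson describes (solicited versus unsolicited, addresses in or out of the user base, baseline versus anomalous behaviour) and the hybrid hand-off he recommends are two halves of one control loop: classify what is arriving, total up what you are dropping, and divert to the cloud scrubber when that total approaches the link. The script below is an added example, not code from the article, Corero, or any other vendor named here, that models that loop over constructed flow records. The addresses, per-service baselines, link capacity, the 10x anomaly factor and the 80%/50% divert-and-restore thresholds are all assumptions chosen for illustration.

```python
"""Traffic differentiation plus the on-prem/cloud hand-off decision.

Added example; not the article's, Corero's or any product's logic. Every
address, rate, baseline and threshold below is a constructed assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # remote address
    service: int    # service port: on us for requests, on the remote for replies
    bps: float      # observed bits per second from this source in the window
    is_reply: bool  # True for inbound replies (e.g. DNS answers), False for client requests


# Constructed reference data (assumptions, not real network state).
KNOWN_USERS = {"192.0.2.10", "192.0.2.11"}                  # addresses in the user base
OUTSTANDING = {("198.51.100.53", 53)}                        # replies we actually requested
BASELINE_BPS = {80: 200_000.0, 443: 500_000.0, 53: 20_000.0}  # normal per-source rate
LINK_BPS = 100_000_000.0                                     # available upstream bandwidth


def classify(flow, known_users=KNOWN_USERS, outstanding=OUTSTANDING,
             baseline=BASELINE_BPS, anomaly_factor=10.0):
    """Apply the three distinctions in order: solicited/unsolicited,
    in/out of the user base, baseline/anomalous."""
    if flow.is_reply and (flow.src, flow.service) not in outstanding:
        return "drop:unsolicited"      # a reply nobody asked for (reflection pattern)
    if flow.src in known_users:
        return "allow:known-user"      # user-base traffic is trusted at this layer
    # A service with no baseline has a zero threshold: any volume is anomalous.
    if flow.bps > baseline.get(flow.service, 0.0) * anomaly_factor:
        return "drop:anomalous"
    return "allow:baseline"


def choose_path(attack_bps, link_bps, diverted, divert_at=0.8, restore_at=0.5):
    """Hysteresis: hand off to the cloud scrubber as attack volume nears the link,
    and take traffic back only once it is well below, so the path does not flap."""
    if not diverted:
        return "cloud" if attack_bps >= divert_at * link_bps else "on-prem"
    return "on-prem" if attack_bps < restore_at * link_bps else "cloud"


def triage(flows, diverted=False, link_bps=LINK_BPS):
    """Classify each flow, total the volume being dropped, and pick the mitigation path."""
    decisions = {f.src: classify(f) for f in flows}
    attack_bps = sum(f.bps for f in flows if decisions[f.src].startswith("drop"))
    return {"decisions": decisions, "attack_bps": attack_bps,
            "path": choose_path(attack_bps, link_bps, diverted)}


# Constructed measurement window: legitimate users, an HTTP flood, and reflected DNS.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 443, 300_000.0, False),       # known user, busy but legitimate
    Flow("203.0.113.5", 443, 50_000.0, False),       # unknown visitor within baseline
    Flow("203.0.113.77", 80, 40_000_000.0, False),   # unknown source, 200x baseline
    Flow("198.51.100.53", 53, 15_000.0, True),       # answer from the resolver we queried
    Flow("198.51.100.200", 53, 30_000_000.0, True),  # DNS answers we never requested
    Flow("203.0.113.78", 80, 50_000_000.0, False),   # second flood source
]

if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    for src, decision in result["decisions"].items():
        print(f"{src:16} {decision}")
    print(f"attack volume {result['attack_bps'] / 1e6:.0f} Mbit/s "
          f"on a {LINK_BPS / 1e6:.0f} Mbit/s link -> mitigate {result['path']}")
```

The on-premise appliance in this model keeps handling the attack while the dropped volume stays comfortably inside the link; once it crosses the divert threshold the decision is to signal the cloud provider, and the restore threshold sits lower so that a fluctuating attack does not bounce traffic between the two paths.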
Investigate your options
Where on premise DDoS tools or NSP resources are not enough to combat the massive new DDoS attacks, there are a number of DDoS protection firms that specialize in this area, each with unique approaches. Examine and compare them all before making a selection.