The Akamai Blog

DDoS, as simple as your ABC's

DDoS tool kits and DDoS-for-hire, along with some bitcoins, anonymous email, a TOR connection and a sense of purpose, have made it trivial for individuals, hacktivist collectives and cyber criminals to launch an effective DDoS attack.
The net result is an increase in the frequency, sophistication and volume of DDoS attacks. Prolexic's (now part of Akamai) Global DDoS attack report for Q1 2014 shows a 47% increase in DDoS attacks in Q1 compared to the same quarter a year ago. Also detailed in the report is the wide variety of industries that have been attacked, supporting the observation that DDoS is becoming a very effective and commonly used 'hammer' in the cyber adversary's toolbox.

Enter the Internet

In less than a blink of an eye in the story of man, the Internet has had an immeasurable impact on our world. Mankind through the Internet has created a new frontier for research, collaboration, commerce and now war.

As with many inventions, the Internet has evolved until it barely resembles what it was originally designed for. It was born out of military and scientific research, transitioned through academia and finally moved into the commercial world, where its uses are limited only by imagination.

The Internet of everything, wearable technology, integrated control systems that manage power and water supplies, financial systems, streaming music, mobile connectivity, social media, all of these services and systems connect to the Internet. The reality for most of us is that we don't 'go online' anymore, we are 'online' and so are those that wish to do harm.

Distributed Denial of Service - the disruptive weapon

DDoS is not new in terms of cyber attacks. Since the late 90's and early 00's it has been used effectively to disrupt many commercial organisations and government websites. However, the early DDoS attacks were limited in terms of size and sophistication and often could be effectively blocked at the perimeter edge or by the Internet Service Provider (ISP).

As quickly as walls are being built, the cyber adversary is able to build taller ladders.

Attacks can be volumetric in nature, saturating the network bandwidth that connects the target's network to the Internet, or they can target inherent weaknesses in protocols and applications, rendering them unusable and denying legitimate users access to their services.

Old is new again - reflected and amplified UDP attacks

As with fashion, what was once old is new again, but with a twist. The beauty of UDP is that it is a fire-and-forget protocol. It's designed to be fast and efficient, but neither secure nor reliable. However, given the 'general' reliability of Internet communications, it is the preferred protocol for many 'core' services of the Internet such as DNS (Domain Name Service) and NTP (Network Time Protocol).

I'm not who I say I am - spoof the packet

Because UDP-based services such as DNS and NTP respond without the three-way handshake that exists in the layer 4 protocol TCP, they will blindly respond to whatever the source IP address of the request is. Unfortunately for us, this is trivial to forge, and herein lies the first part of the problem - the attacker using the victim's IP address as the requesting IP address.

I ask a simple question, but I get a 'big' answer - amplification

The second part of the amplification attack is the type of request that is made of the service. Think of it as the 'life question'. The attacker asks a simple question, 'what is the meaning of life?', and gets a complicated answer, unless we're talking about the book 'The Hitchhiker's Guide to the Galaxy', where of course the answer is 42.

So here we have an attacker asking many well-intended people at the same time, on behalf of the victim - 'what is the meaning of life?' The response of course overwhelms the victim's systems, network or even their ISP, all with the same result - denial of service.
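Seen from the victim's side, the reflected flood described above is a stream of UDP 'answers' from DNS and NTP servers that the victim never asked anything. The following Python sketch is an added example, not code from the original post; the flow-record layout, addresses, thresholds and function name are assumptions constructed for illustration.

```python
from collections import defaultdict

REFLECT_PORTS = {53: "dns", 123: "ntp"}  # the UDP services the article names

def find_reflected_floods(flows, local_ips, window=5.0, min_reflectors=3):
    """Flag local IPs receiving unsolicited UDP 'answers' from many servers.

    flows: (time_s, proto, src_ip, src_port, dst_ip, dst_port, bytes) tuples
    (hypothetical layout). An inbound packet from source port 53/123 is
    'solicited' only if we sent a request to that server from the same
    local port within `window` seconds.
    """
    asked = {}  # (local_ip, local_port, remote_ip, remote_port) -> request time
    stats = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "services": set()})
    for t, proto, src, sport, dst, dport, size in sorted(flows):
        if proto != "udp":
            continue
        if src in local_ips and dport in REFLECT_PORTS:
            asked[(src, sport, dst, dport)] = t       # genuine outbound request
        elif dst in local_ips and sport in REFLECT_PORTS:
            sent = asked.get((dst, dport, src, sport))
            if sent is not None and t - sent <= window:
                continue                               # answer to our own question
            s = stats[dst]
            s["bytes"] += size
            s["reflectors"].add(src)
            s["services"].add(REFLECT_PORTS[sport])
    # One stray answer is noise; many distinct servers answering is reflection.
    return {ip: s for ip, s in stats.items() if len(s["reflectors"]) >= min_reflectors}

# Constructed sample records using documentation address ranges (not real traffic).
LOCAL = {"203.0.113.10"}
FLOWS = [
    (0.0, "udp", "203.0.113.10", 40000, "198.51.100.53", 53, 64),   # our DNS query
    (0.1, "udp", "198.51.100.53", 53, "203.0.113.10", 40000, 120),  # its answer
    (1.0, "udp", "192.0.2.1", 123, "203.0.113.10", 80, 4400),       # never asked
    (1.0, "udp", "192.0.2.2", 123, "203.0.113.10", 80, 4400),
    (1.1, "udp", "192.0.2.3", 53, "203.0.113.10", 80, 3000),
    (1.2, "udp", "192.0.2.4", 53, "203.0.113.10", 80, 3000),
    (1.3, "tcp", "192.0.2.9", 51000, "203.0.113.10", 443, 900),     # normal web hit
]

if __name__ == "__main__":
    for ip, s in find_reflected_floods(FLOWS, LOCAL).items():
        print(ip, s["bytes"], "bytes from", len(s["reflectors"]),
              "servers via", sorted(s["services"]))
```

The solicited DNS answer and the TCP request are ignored; only the answers nobody asked for are counted against the victim address.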

My firewall can deal with you - legacy approach

The first approach to the problem is to assume that your firewall can deal with this. As nice as that would be, such attacks are often so large or sophisticated that either the network links connecting the data centre to the Internet are flooded with attack traffic or, if the attack is more of an application attack, it is designed to look legitimate and goes right to the website.

For example, what's the difference between the traffic spike of a very popular website and an attacker asking for the same content thousands of times per second? Is your firewall able to distinguish between the good and the bad when they both look exactly the same? Get enough of these so-called legitimate requests and the first problem of the network link being saturated becomes a reality.

My ISP has your number - legacy approach

So let's shift the problem up to the ISP, shall we? The challenge here is that some attacks are now as large as, if not larger than, 400Gbps. Furthermore, larger enterprises like to have multiple ISPs for redundancy and load balancing. Such a configuration would require both ISPs to offer a like-for-like mitigation capability, and your IT department would need to coordinate between both ISPs to ensure that mitigations were being applied consistently - troublesome at best.

Why would anyone wish to attack me? I like dogs - the motivation

Now we get to the real crux of this topic - why would anyone want to DDoS you? Well, depending on the nature of your business, the answer varies. If you're a government agency it could be because of your policies or because of the nation you represent. If you are an ecommerce retailer or financial institution it could be because of cyber racketeering (extortion) or, again, who you represent.

The reality is that nowadays motivations are varied and almost anyone could, if possessing the will power, arrange to have your site attacked. The means and opportunity exist for everyone; it's often just a case of motivation.

I give up - what can I do? The solution

My first piece of advice for any person or organisation wanting to address the threat of DDoS is to think through what your response and recovery strategy is. If a DDoS attack were to take your business and organisation offline, what would be your response? Would you need to engage proactively with the media? What would be the financial impact, if any? How long could you be offline before there was a real material impact to your business? What would be your response to your shareholders, stakeholders, and partners? Could you conduct your business via an alternative means? How would you recover from this?

All of these questions (and more) do need to be thought through and answered before you start investing in mitigation capabilities.

Now that you've decided that you wish to deal with this threat, what is the best approach?

Separate out what makes you money from what doesn't
Too often I see organisations that put all of their ecommerce, revenue or brand-generating traffic through the same Internet links as their non-critical applications such as outbound browsing, email and the like. Make the effort: prioritise your applications, group them, and then separate them.

Single Point of Failure - the weakest link

Whilst it's an old saying that you're only as strong as your weakest link, it is so true for defending against DDoS. Attackers are able, with relative ease, to work out what your weakest link is and tailor an attack that exploits it.

A distributed threat needs a distributed defense

Being able to apply 'your' security defenses at the edge of the Internet is a huge boost in being able to combat distributed threats such as DDoS. If all you are 'publishing' is a website, then why would you need to accept inbound DNS or NTP traffic? Akamai has the largest globally distributed defensive platform in the world. Imagine the power of having 'your' security policy inside the ISP where your attackers are connecting. The ability to block the bad but accelerate the good at the edge of the Internet is hugely powerful.

Protect your origin

If you are unable to separate your traffic or, even if you could, you want to protect everything, then protecting the entire data centre is a sensible strategy. Having a plan to route your traffic through a purpose-designed and purpose-built DDoS mitigation service, such as Akamai's Prolexic service, will allow you to defend against all types of DDoS attacks, from volumetric to the more sophisticated application layer attacks.