As we head into 2017, network managers should be aware that while distributed denial of service (DDoS) attacks cannot be prevented, harnessing the power of cloud and big data can help to even the odds in this challenging confrontation with high-powered internet threats.
The recent massive global DDoS attacks that took down popular websites such as Twitter and Netflix spotlighted the vulnerabilities created by the deployment of millions of horribly insecure Internet of Things (IoT) devices across the net. The powerful DDoS strike on Oct. 21 was caused by Mirai malware that had colonized huge numbers of IoT devices into botnets that were then used to launch a DNS “water torture” attack on Dyn, a company that provides managed DNS services to many large websites.
Even though they weren’t attacked directly, payment processors were also affected, causing hundreds of millions of dollars in lost e-commerce during the attack. Industry analysts warn that further widespread DDoS attacks are inevitable, since millions of new devices are deployed annually and there is no easy fix for the IoT devices that are already compromised.
Raising your DDoS defensive game
While DDoS has been an ever-present scourge for internet-based businesses going back many years now, many enterprise IT leaders are less familiar with it. It’s time to develop systems and expertise to deal with this threat, particularly as enterprises launch more internet-based digital initiatives and increasingly rely on cloud resources.
DDoS attacks cannot be handled by typical security tools like firewalls and Intrusion Prevention Systems (IPS). These tools use their processors and memory to statefully track connections so they can examine them for security threats. Unfortunately, that very statefulness makes them vulnerable to any sort of volumetric denial of service attack: a high-volume DDoS attack quickly exhausts the connection-state memory of these devices, often crashing them and thereby denying service to internal as well as external resources. So the best plan is to employ some sort of purpose-built DDoS detection and mitigation solution. There are a few options.
In some cases, Content Delivery Networks (CDNs) can provide good enough protection. Specifically, if attacks only come against the “front door” Web properties and are HTTP, HTTPS and DNS, a CDN alone can usually keep sites up. CDNs today are not as good at completely protecting APIs, and if the attackers find the site origin or the border of your corporate network, a more full-spectrum DDoS protection solution will be required.
If you’re already outsourcing most of your network functions to a managed service provider or ISP, in many cases it can make sense to simply purchase a “clean pipe” service from them. The only downside is that since they intercept and scan every single packet of your traffic, whether good, bad or indifferent, you pay the maximum for this type of service while it is engaged, and the most of all if you use it in an always-on configuration. So you’ll often need a hefty budget for this approach, with on-demand pricing starting at $5,000-$15,000/month and typical always-on pricing from $25,000/month and up.
However, organizations that really need to own their defensive posture, such as those running significant e-commerce or other lines of business that depend on monetized transactions over the internet, may need a more sophisticated approach. In these cases, investing in a layered, hybrid-cloud approach makes sense. This approach provides strong in-depth network visibility, analytics, and anomaly detection, combined with appliance and SDN-based mitigation at the edge of the network, backed up by cloud services for larger attacks than the capacity of your distributed network edge.
Leveraging cloud and big data
It used to be that to assemble a defense against DDoS required deploying and maintaining a ton of on-premises metal gear for multiple functions. You had to buy a DDoS detection device, a pile of mitigation devices, then separate devices for collecting and analyzing network traffic flow data. But things have changed and you no longer need to be so capital intensive.
Now it’s possible to use cloud-based, big data-powered network analytics solutions that offer DDoS detection, in-depth network visibility and automated triggering of hybrid mitigation. Hybrid mitigation means that you can invest in a baseline amount of on-premises protection and burst to cloud-based services when that isn’t enough.
It’s fairly exciting that big data analytics is now practically usable for DDoS detection, because it offers far greater accuracy than earlier, appliance-based approaches. Big data systems can analyze huge datasets in real time with a depth of examination that was never possible in older appliance-based systems with limited computing resources.
For example, to perform baselining, most appliance-based systems can only look at a portion of the network’s traffic at any given time. This means that when a server comes under attack by traffic coming through multiple routers, the traditional system might not notice because the traffic coming through each router may only appear as a small increase.
Cloud-based big data engines face no such computing constraints. They can scan the full flow of network-wide traffic to identify any attacks missed by appliance-based systems. In addition to being more comprehensive, big data systems have the computing power to perform more sophisticated, adaptive approaches to baselining.
For example, instead of baselining for a static set of administratively defined individual IP addresses (or even worse, averaging analyses across a large set of addresses, which heavily skews analytical results), a big data system can adaptively include any IPs of interest in baselining based on traffic volumes within a given time frame. This organically changing set of IPs can then be individually evaluated for anomalies against their own baselines. This doesn’t require artificial intelligence, but it does require far more intelligence and scale than the cruder approaches of yesteryear’s detection appliances.
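As an added illustration of the baselining difference described above (this is example code, not code from the article or from Kentik’s own product), the following Python sketch builds constructed flow records for five routers and 50 destination IPs, then contrasts the per-router view, the averaged-across-all-IPs view, and an adaptive per-IP baseline that selects IPs of interest by their traffic share in the current window. The router names, IP addresses, byte counts and thresholds are all assumed values chosen for the demonstration.

```python
from collections import defaultdict
from statistics import mean

ROUTERS = ["r1", "r2", "r3", "r4", "r5"]
HOSTS = [f"10.0.0.{i}" for i in range(1, 51)]  # 50 constructed destination IPs
TARGET = "10.0.0.5"                              # the host that comes under attack

def window(attack_bytes=0):
    """Constructed flow window {(router, dst_ip): bytes}: 2000 B from every
    router to every host, plus attack bytes to TARGET split over all routers."""
    flows = {}
    for r in ROUTERS:
        for h in HOSTS:
            flows[(r, h)] = 2000 + (attack_bytes // len(ROUTERS) if h == TARGET else 0)
    return flows

HISTORY = [window() for _ in range(10)]  # ten quiet windows used for baselining
CURRENT = window(attack_bytes=50_000)    # TARGET now receives 6x its normal volume

def volume_by(flows, key):
    """Sum bytes per router (key=0) or per destination IP (key=1)."""
    vol = defaultdict(int)
    for k, b in flows.items():
        vol[k[key]] += b
    return vol

def per_router_change(history, current):
    """Appliance view: each router's total vs. its own baseline (attack diluted)."""
    base = {r: mean(volume_by(w, 0)[r] for w in history) for r in ROUTERS}
    now = volume_by(current, 0)
    return {r: now[r] / base[r] for r in ROUTERS}

def averaged_change(history, current):
    """Averaging across all IPs at once washes the target's spike out too."""
    base = mean(sum(volume_by(w, 1).values()) for w in history)
    return sum(volume_by(current, 1).values()) / base

def adaptive_anomalies(history, current, share=0.05, ratio=3.0):
    """Big-data view: pick IPs of interest by their share of this window's
    network-wide traffic, then judge each one against its *own* history."""
    now = volume_by(current, 1)
    total = sum(now.values())
    flagged = {}
    for h in [ip for ip, b in now.items() if b / total >= share]:
        base = mean(volume_by(w, 1).get(h, 0) for w in history)
        change = now[h] / base if base else float("inf")
        if change >= ratio:
            flagged[h] = round(change, 2)
    return flagged
```

With these inputs every router and the fleet-wide average move only about 10%, while the adaptive per-IP check flags the target at six times its own baseline.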
Depending on big cloud vendors
In most cases, the biggest cloud providers, including Amazon, Microsoft, Google and IBM, provide more security than any private IT group’s network practices. That’s because the big guys have invested so much in sophisticated automation, compliance and governance technologies to protect their client systems and to uphold their own brand reputations.
Still, network managers cannot overlook their responsibility to thoroughly review the security practices of any outsourced cloud providers, including the internet giants. It’s critical to gain an understanding of what will happen if your applications and services get attacked while running on that outsourced infrastructure.
And if you are running your services on public Infrastructure-as-a-Service (IaaS) providers, their default will be to mitigate attacks against you by either shutting you down or rate-limiting your traffic – good and bad.
Also remember: if your internet connectivity is shut down, you won’t be able to access your cloud services. So it’s worth ensuring that your team understands how traffic actually is delivered to your internal and external users. In some cases, investing in a direct connection to your cloud provider may make sense.
Resolving to upgrade your DDoS defense plans
Every IT manager should make a New Year’s resolution to have a clear and sustainable plan for defending against DDoS attacks. Understand your internet communications dependencies and assume that typical security tools won’t be enough on their own. Study and decide what type of DDoS defense you need. And if you’re looking to deepen your protection, look into how cloud and big data approaches can help you keep up with the growing DDoS threat.
Avi Freedman is CEO of Kentik. Avi has decades of experience as a leading technologist and executive in networking. He was with Akamai for over a decade, as VP network infrastructure and then chief network scientist. Prior to that, Avi started Philadelphia’s first ISP (netaxs) in 1992, later running the network at AboveNet and serving as CTO for ServerCentral.