Nmedia - Fotolia
Gamers last Christmas got an unwelcome surprise when distributed denial-of-service attacks prohibited them from using the Microsoft Xbox Live and Sony PlayStation networks. While customers were disappointed, the bigger shock may have been how long the outages lasted. Denial-of-service attacks have caused serious disruptions for over 15 years, but a 2014 SANS report showed that 40% of enterprises remain unprepared to mitigate such attacks and recover business services. Almost one in four didn't even have a plan in place at all. Since the same report showed an average of over four DDoS attacks per year, unprepared companies are at high risk of business interruption -- as Sony learned when its PlayStation Network was brought down and remained offline for several days.
Having a response plan is a start, but of those enterprises that did have DDoS mitigation processes in place, fewer than 50% had tested those capabilities. Failure to regularly test those processes can lead to inadvertent amplification of an attack. When one large enterprise came under fire and switched its network traffic to a contracted cloud-based DDoS mitigation service provider, the company lost all connectivity to the Internet -- a problem that would have been found and solved earlier with minimal interruption if the enterprise security team had tested the switchover process.
And denial-of-service interruptions aren't just problems for financial institutions and gaming networks. DDoS attacks are spread across all industries and company sizes, and happen at all times of the year. A 2014 report by data security provider Incapsula, now a division of Imperva, showed a 240% increase in bot-based DDoS attacks over 2013. Reports by other service providers show similar statistics, with the intensity and complexity of DDoS attacks growing along with the sheer number of attacks. The motivation for the attacks ranges from hactivism to extortion, with attackers often threatening to escalate the attacks if payments are not made.
The bottom line is that denial-of-service attacks represent a high risk for almost all enterprises. Proper planning for DDoS mitigation requires cooperation between IT, network operations and security groups -- CISOs need to play a leadership role in making sure DDoS mitigation and response processes and responsibilities are defined, understood and regularly tested.
Not just brute force anymore
Cyberthreats evolve at pretty much the same pace as technology, and denial-of-service attacks are no different. The Morris worm of 1988 used simple exploitation of well-known operating system vulnerabilities in VMS and SunOS to take down close to 25% of the servers connected to the Internet. In February 2000, Amazon, eBay, Yahoo and other sites were hit with brute force DoS attacks. The Code Red/Nimda and Slammer/Blaster worms of 2001 and 2003 used slightly more sophisticated techniques to exploit unpatched Windows PCs and servers and cause widespread denial of service of millions of PCs and servers.
The earliest denial-of-service attacks were not complex, and mitigating them was relatively simple. Since the attacks came from a small number of sources, basic IP address blocking could be used, ideally at the Internet service provider (ISP) level, but even at the perimeter firewall or load balancer. However, by 2005 attackers began to launch DDoS attacks, using hundreds and thousands of compromised PCs and servers (botnets) to act as denial-of-service relays. DDoS attackers eventually added fast flux DNS techniques, which enabled botnets to rapidly and continually change source IP addresses.
DDoS mitigation vendors and service providers began to add detection techniques to augment IP address blocking, with rate-based anomaly capabilities and signature detection of common flood techniques to differentiate high volume traffic from DDoS attacks. This caused attackers to up the ante in both sheer bandwidth and frequency of occurrence. They also began to research the application logic of the target's websites.
A new form of DDoS attack known as "resource depletion" attacks consumed all of a server's processor cycles or memory space without requiring high volumes of traffic from the attacker. These types of attacks start user authentication processes, launch site-wide searches or initiate multiple account creation processes to bring server response to a crawl or even crash the target server. The result is denial of service that evades rate-based detection techniques.
Advanced DDoS attacks blend all of these techniques, which makes detection and response planning more difficult. A brute force flood attack can usually be handled purely by the network operations group, while application-layer attacks generally require cooperation by application owners, database analysts and webmasters.
The "Operation Ababil" attacks against U.S. banks in March 2013 combined three attack techniques to get around DDoS defenses:
- DNS query application-layer attack
- GET and POST application-layer attacks on both HTTP and HTTPS
- Brute force using UDP, TCP Syn floods, ICMP and other IP protocols
The mix of techniques does not remain constant, which creates more challenges for DDoS reponse planning and testing. Cloud-based DDoS mitigation provider Prolexic's Quarterly Global DDoS Report showed that the use of application-level attacks decreased in Q2 2014 after high levels of growth in previous quarters. Over the same period, infrastructure or flood-based attacks increased again.
Attackers tailor the mix of these attack "primitives" to create threats that are customized for the intended target -- much the same way advanced targeted attacks (often called advanced persistent threats) create customized malware to breach enterprise defenses.
Disruptions and damages
While simple DDoS attacks may cause more annoyance than business interruption, the impact of today's more complex DDoS attacks is widespread. Initially, business services are interrupted for some period of time. There are other costs (response, cleanup, opportunity cost, brand reputation) associated with a DDoS attack, but for most businesses the interruption of revenue is the largest cost. The magnitude of that cost depends primarily on two factors: (1) the length of the outage and (2) the loss of revenue per unit time from unplanned downtime.
The unplanned disruption is experienced, often by customers, for the period of time that the DDoS attack goes unmitigated. The Prolexic report showed an average duration of 17 hours for DDoS attacks. The SANS survey indicated an average attack length of 8.7 hours.
Organizations without DDoS defenses in place could experience down time for the entire duration of an attack: One enterprise, whose security management was interviewed for the SANS report, lost its Web presence for a full two days. However, organizations that can respond rapidly and mitigate a DDoS attack can reduce the length of the outage; the SANS report showed an average down time of 2.3 hours.
The cost of unplanned downtime varies widely by industry, company and business service. A 2013 Cost of Data Center Outages survey by the Ponemon Institute showed that the cost of a data center outage averaged $474,000 per hour. Gartner estimates a slightly lower cost of $336,000 per hour. For some businesses a full data center outage may be more costly than a DDoS attack that only impacts Internet-exposed systems. However, many data center outages do not affect all Internet-facing systems, and for businesses in which revenue is tightly coupled to website availability, the cost of a DDoS outage may actually be higher than that of a data center outage.
For illustration purposes: If the cost of a successful DDoS attack is $400,000 per hour, a 17 hour outage would result in an average business disruption cost of $2.8M. By mitigating that attack to the average 2.3 hour outage duration (shown in the SANS report), the business cost would be reduced to $920,000 -- a savings of almost $2M.
This analysis is analogous to the calculations CIOs must make around business continuity and disaster recovery investments. A successful DDoS attack is similar to a power outage or natural disaster that brings down IT systems: The event cannot be avoided but investments in processes and technology can be made to reduce the impact to an acceptable level.
Several approaches are available to enterprises for reducing the effect of a DDoS attack. In order of increasing effectiveness, organizations should consider the following:
- Use of existing infrastructure. Existing firewalls, routers, load balancers and other network components to mitigate DDoS attacks are rarely an effective solution, as even the lowest level DDoS attacks will likely overwhelm those resources and seriously impact network performance. However, for small enterprises that have over-provisioned these components, relying on the existing infrastructure to protect itself may be the only choice when budget constraints do not support any dedicated DDoS mitigation technologies.
- Local DDoS protection products. DDoS mitigation appliances are sold by companies such as Arbor Networks, Corero Network Security, Fortinet and Radware. These products can be effective in keeping DDoS traffic from impacting your network and servers without affecting legitimate traffic, but since they operate at your end of the Internet connection, large-scale brute-force attacks can still consume all of your available Internet bandwidth and disrupt customer traffic.
- ISP "Clean Pipe" services. All major ISPs (and Web hosting providers) offer DDoS mitigation services that offer service-level agreements for various levels of DDoS filtering. The performance of ISP-based DDoS mitigation services varies widely -- the ISP your network group has selected may or may not be very good at DDoS filtering. If you have multiple ISPs in use, you will need to contract for services with each service provider.
- "Man in the Middle" DDoS mitigation services. Companies such as Akamai Technologies, CloudFlare, Imperva/Incapsula, Neustar and VeriSign provide DDoS mitigation services from their cloud-based "scrubbing" centers. When you detect a DDoS attack, you reroute traffic through the DDoS service provider. The service provider uses a variety of techniques and technology to filter out the attack traffic and forward legitimate traffic to you. Another more expensive option is to have your traffic always flow through the service provider for fully automated detection and mitigation. This mitigation strategy is very effective but does introduce additional latency and complexity into Internet connection and routing. This approach can be used to provide DDoS protection to cloud-based services, as well.
Which of these services is best depends on the architecture and configuration of your Internet connection. Large enterprises with complex use of the Internet, and trained staff, will usually find that a mix of some on-site DDoS mitigation capacity combined with the use of a cloud-based DDoS mitigation provider is the most effective and efficient approach. Smaller organizations may find that using ISP services is sufficient and requires the lowest expenditure in both procurement costs and staff training and time.
Process, process, process
Whichever approach to DDoS mitigation you choose, CISOs will need to both define the processes to follow once a DDoS attack is detected and regularly test those processes -- just as they have to do for disaster recovery services. Processes (and responsibilities) need to be defined in several areas:
- Detection. What parameters will be monitored to detect the onset of a DoS attack? What thresholds will be used on different business processes to determine if response is required?
- Response. The best response to an attack will vary depending on what systems are affected and what type of attack is underway. Response plans for critical systems should be defined as well as responsibilities for making decisions on engaging mitigation capabilities or disconnecting systems.
- Reporting. CISOs should define processes for notifying corporate management, business partners and customers, as well as for making the decision whether or not law enforcement should be involved.
- Lessons learned. After an incident, processes should be reviewed and updated where required.
These processes will generally require a mix of security and network operations personnel, and often website administrators, as well as any third-party DDoS mitigation providers that are involved. Testing DDoS mitigation processes at least twice per year is necessary to ensure smooth operation when a real attack occurs. Ideally, DDoS processes should be tested at the same time as disaster recovery processes such as emergency power generators.
Nothing stays static in cybersecurity and DDoS attacks are no exception. Attacks will continue to increase in quantity, intensity and complexity. The next wave will likely include attacks against mobile devices and applications, and the use of vulnerable devices on the Internet of Things to launch even more widely distributed and complex attacks. Your ISP is a great source of information for the latest information on DDoS attacks, as are the periodic threat reports the DDoS mitigation providers put out.
About the author:
John Pescatore is director of emerging trends at SANs Institute. A former vice president and distinguished analyst at Gartner, Pescatore has over 30 years of experience in computer, network and information security. Prior to Gartner, he was senior consultant for Entrust Technologies and Trusted Information Systems and a security engineer for the U.S. Secret Service and the National Security Agency.