BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Though the recent Spamhaus distributed denial-of-service attack garnered much attention for the overwhelming bandwidth employed, DDoS mitigation service providers are increasingly concerned by DDoS attack trends indicating targeted attacks are rising along with bandwidth sizes.
That's what the attackers do is figure out where your least point of resistance is and they use that against you.
VP of global sales engineering and operations, Arbor Networks
San Francisco-based CloudFlare Inc. was the company responsible for cleaning up the Spamhaus attack. According to CEO Matthew Prince, the remediation effort was relatively easy despite reported speeds of 300 Gbps, because the packets could be dropped right at their routers.
In contrast, the "nastiest" attacks the company sees are those that target the underlying application logic, Prince said. Such attacks typically seek to exploit a limitation in an application-layer protocol; for example, a Web server might be able to handle only a certain number of sessions, so an attacker will attempt to exceed that threshold.
Credential systems rank highly among attackers' favorite targets, Prince said. Attackers will continuously send username and password requests to a system, but they're not trying to guess the correct information by brute force. Instead, they simply want the system to deal with a debilitating number of false requests.
"They're using username and password combinations they know are not accurate. Every one of those login requests has to hit the database, and if you send requests that you know to be false, there's no way for the application to know that they're false without checking," Prince said. "So, you have this enormous number of garbage requests coming in and your database falls over and no one can log in."
David Fernandez, information security manager for Hollywood, Fla.-based DDoS mitigation vendor Prolexic Technologies Inc., also sees the growing sophistication of criminal organizations in the way they target the application layer. Data from Prolexic's report on DDoS attack trends for the first quarter of 2013 showed that Layer 7 attacks comprised nearly 25% of the DDoS attack mitigations the company performed. The report also mentions that application-layer attacks, such as HTTP GET floods and HTTP POST floods, have become popular options to be included in DDoS kits, tools that simplify and often automate the execution of DDoS attacks.
Many of these attacks pose a particular challenge because they don't necessarily focus on bandwidth, Fernandez said; instead, they utilize a high number of concurrent connections. "The requests are relatively small in size, and its job is that these are non-spoofed IP addresses, so they pass the three-way handshake and anti-spoofing mechanisms involved, so it's directly connecting to your root page and just continuing and continuing to create more connections," Fernandez said. "[Effective Layer 7 attacks] would be something like 100,000 concurrent connections, which is typical for some of the campaigns that we mitigate against, but the actual value in bandwidth is relatively low." "An attack that would be 2 Gbps would reach … would essentially create 200,000 concurrent connections," he added. "That's impactful for enterprises."
Carlos Morales, vice president of global sales engineering and operations at Burlington, Mass.-based vendor Arbor Networks, said that such low-bandwidth, high-concurrent-connection attacks pose a particular challenge precisely because network bandwidth is minimally affected. He pointed to botnets with lots of hosts that are capable of connecting to Web servers and sending the minimal amount of packets to the server just to maintain the connection, which results in the number of available server connections for other clients dropping.
"From a network perspective, it's really hard to detect it; most of the time, people say, 'Why is my server not working? My network shows that there is no real increase in traffic'," Morales commented. "What they'll then find is 'I normally have 10,000 users at this hour. I'm showing 1.5 million users right now.' Because they just keep connecting."
Morales indicated that attackers are "doing a bit more of their homework" when it comes to understanding the attack surface of a potential target. For example, a bank might serve a lot of SSL-encrypted traffic to its online users, so attackers will employ methods specifically geared toward exploiting that traffic. "That's what the attackers do, is figure out where your least point of resistance is and they use that against you," he said.
Average size numbers vary, but they are growing
Though DDoS attack trends show that the perpetrators aren't relying solely on bandwidth to wreak havoc, the attacks' collective size will still cause problems for unprepared enterprises. To account for the increasing bandwidth available to attackers, CloudFlare's Prince pointed to botnets in the 1990s and 2000s that relied on compromised home computers to launch attacks. Now, he said, attackers are targeting compromised Web servers -- including those for WordPress and consumer applications -- that are connected to relatively "fat pipes."
Swelling geographic diversity also seems to play a part in high-bandwidth DDoS attacks, as criminal organizations look to take advantage of the infrastructure in a variety of countries. For example, Arbor has found that South Korea is the third-highest source of DDoS traffic globally, trailing only China and the United States. Morales attributed that finding in large part to the bandwidth made available by Internet providers in South Korea, where many homes have fiber connections.
Prolexic also has discovered a notable trend emerging in the global DDoS landscape, with five different South American countries placing in the top 20 sources for malicious traffic in its Q1 2013 DDoS report. Fernandez also chalked up this finding partially to the burgeoning Internet infrastructure available in South America, but mentioned that criminal organizations are expanding beyond traditional DDoS-sourcing countries to take over different territories globally.
While the experts agree that DDoS attacks are growing in size, pinning down an average number is difficult. Prolexic is seeing average attack sizes at 48.25 Gbps, whereas Arbor's Q1 2013 data pegged the average size of an attack at 1.77 Gbps. Prince noted that CloudFlare sees DDoS attacks that exceed 30 Gbps to 40 Gbps on a daily basis, though he hesitated to give out averages because "there are just too many variables that are moving."
The discrepancy seems to exist, at least in part, because both Prolexic and CloudFlare are cloud-infrastructure companies focused on DDoS mitigation. That means they generally will deal with an attack only when it's already out of hand. In contrast, Arbor provides on-premises products geared to DDoS detection, with its highest-capacity box containing a 40-Gbps port. Morales pointed out that Arbor's offerings are scalable up to 2 Tbps and that there has yet to be an attack that is capable of overwhelming that sort of capacity, though it's always possible that a particular deployment could be overwhelmed.
Despite Arbor's confidence in its on-premises products, the vendor also seems to have a foot firmly planted in the cloud-based DDoS mitigation arena. Arbor is the driving force behind the Cloud Signaling Coalition, a consortium of Internet service providers (ISPs) and enterprises running Arbor's equipment that are focused on mitigating DDoS threats. Arbor's on-premises devices allow enterprise customers to call cloud providers (in this case, mostly run by the ISPs) for help when bandwidth limits have been exceeded.
"They can basically say, 'Hey, I'm under attack. I need help. Please help me.'" Morales said. "It enables enterprise providers to work extremely closely together to mitigate attacks that would be impossible for an organization with a small overhead."