Why DDoS Makes for Risky Business and What You Can Do About It

Transcription

1 Why DDoS Makes for Risky Business and What You Can Do About It 5 Common Misconceptions 1. Firewalls, IPS or content delivery networks are the answer. A single layer of DDoS protection is enough. The odds are we will not become a target, so it s worth the risk. The impact of a DDoS attack does not justify the cost for protection 5. DDoS attacks are not advanced threats Defending organizations networks against DDoS attacks has long been a daunting challenge but now cybercriminals are making it even more so. Consider the following facts: 1 The size of DDoS attacks has grown,900 percent in past 10 years, peaking at 00 Gbps in 01.The number of DDoS attacks over 0 Gbps increased eight-fold last year. The complexity of DDoS attacks are increasing. While hackers remain proficient using flood-based attacks to deny access, they also dynamically combine these attacks with stealthy application-layer attacks. If not protected properly, these sophisticated multi-vector attacks can wreak havoc on organizations. The frequency of DDoS attacks is also rising as 0% experience 1-10 attacks per month. Evidence also shows that DDoS attacks are not independent events, but closely related to or may be part of complex advanced threat campaigns against organizations. Yet even in today s dynamic threat landscape, many organizations still believe that a dedicated DDoS protection solution is not important or that the one they adopted a few years ago still works today. In these instances, organizations are gambling with their network. It s time to debunk some outmoded misconceptions about DDoS. 5 Common Misconceptions About DDoS Protection Let s take a look at five common mistakes organizations make when addressing DDoS and shed some light on these failed practices. 1 Misconception #1: Firewalls, IPS or Content Delivery Networks Are the Answer The evolution of IT infrastructures and the dependency on third-party clouds have created a complex environment that no longer has a perimeter. Traditional perimeter security solutions such as firewalls and IDS/IPS are still vital parts of an integrated security posture. However, because these devices conduct stateful inspection of network connections, they are susceptible to some DDoS attacks which can make matters worse. According to Arbor Networks almost 50% of firewalls or IPS fail as a result of a DDoS attack. 1 Arbor Networks 01 Worldwide Infrastructure Security Report Ibid

2 Data Center Firewall Failures Due to DDoS 9% Yes 1% No 11% These devices are not deployed in the data center Figure 1 Source: Arbor Networks, Inc. Many organizations also erroneously believe that Content Delivery Networks provide a solution to stopping DDoS attacks. The truth is that a CDN merely addresses the symptoms of a DDoS attack. By absorbing these large volumes of data, a CDN actually lets all the information into and through the network providing an all are welcome approach. In addition, most CDN based DDoS protection solutions only focus on absorbing HTTP/ HTTPS DDoS attacks ignoring all others such as NTP/DNS amplification attacks which are very common. And the best place to stop stealthy application-layer attacks is on the customer premises, closer to where key applications or services reside. Misconception #: A Single Layer of DDoS Protection is Enough Because modern day DDoS attacks use a dynamic combination of volumetric, TCP state exhaustion and application-layer attack vectors, industry best practices recommend that organizations take a layered approach to protection. That is, the best place to stop large flooding attacks is upstream in a service provider s cloud before they overwhelm local internet connectivity or on-premises DDoS protection systems. And the best place to stop stealthy application-layer attacks is on the customer premises, closer to where key applications or services reside. Just as importantly, you must have an intelligent form of communication between these two layers backed by up-to date threat intelligence to stop dynamic, multi-vector DDoS attacks. Unfortunately many organizations choose only a single layer of protection resulting in an incomplete DDoS protection solution. Layered DDoS Attack Protection Scrubbing Center Stop volumetric attacsk in-cloud 1 Intelligent communication between both environments Legit Traffic Botnet, DDoS, Malware The Internet Volumetric Traffic Application Attack Your (ISP s) Network Your Data Centers Backed by continuous threat intelligence Stop application-layer attacks on-premise Figure Source: Arbor Networks, Inc. Arbor Networks 01 Worldwide Infrastructure Security Report

3 The impact of a DDoS attack can be immediate and severe. The fact is that many organizations do not conduct the proper risk and countermeasure analysis to help justify the purchase of a comprehensive DDoS protection solution. Misconception #: The Odds Are We Will Not Become a Target, So It s Worth the Risk Then dramatic rise in the number of DDoS attacks is due to two main factors. 1) Ease of launching an attack and ) Multiple motivations behind attacks. It s never been easier in history to launch a DDoS attack. Anyone can simply download a Do-It-Yourself DDoS attack tool for free or pay a small fee to third-party to conduct a DDoS attack as a service. And while the price for launching an attack is in the tens of dollars, the losses for organizations can be in the tens of millions. The motivations behind DDoS attacks are plenty. No longer are DDoS attacks motivated by financial gain or conducted by state sponsored organizations. DDoS Attack Motivations Survey Respondents 0% 5% 0% 5% 0% 15% 10% 5% 0% Figure Source: Arbor Networks, Inc. 6% Political/ideological disputes (i.e. WikiLeaks/anonymous, nationalism, religious controversy, etc.) 0% Nihilism/vandalism 16% Diversion to cover compromise/ data exfilitration 1% Criminals Demonstrating DDoS attack capabilities to potential customers 1% Criminal extortion attempts 1% Inter-personal/inter-group rivalries (individual disputes, schools, sports teams, fan bases, etc.) 1% Misconfiguration/accidental % Financial market manipulation % Flash crowds % Attack motivation Today, all it takes is for someone to simply disagree with your opinion, political affiliation or stance on a topic to launch a DDoS attack using the plethora of tools or services available to them. To make matters worse, if your services are housed in a shared cloud environment, you don t even have to be the target of the DDoS attack to be impacted by the collateral damage. So you have to ask yourself, Do I feel lucky? Misconception #: The Impact of a DDoS Attack Does Not Justify the Cost for Protection The impact of a DDoS attack can be immediate and severe. The fact is that many organizations do not conduct the proper risk and countermeasure analysis to help justify the purchase of a comprehensive DDoS protection solution. Sure, calculating the cost of downtime for a revenue generating service may be a no brainer; but have you consider all the other costs that are associated with a DDoS attack? Arbor Networks 01 Worldwide Infrastructure Security Report

4 Data Center DDoS Business Impact Survey Respondents 90% 80% 70% 60% 50% 0% 0% 81% Operational expense % Revenue loss % Customer churn % Employee turnover 1% Other 0% According to Arbor Networks, 81% of data center operators site operational expenses as the number one impact of DDoS attacks. 10% 0% Figure Source: Arbor Arbor Networks, Networks, Inc. Inc. According to Arbor Networks, 81% of data center operators site operational expenses as the number one impact of DDoS attacks. 5 But there are many other indirect costs that are routinely overlooked such as SLA credits, legal/regulatory fees, PR costs for brand repair, customer churn etc. There are even documented cases where executive or board members have been fired due to their organizations not being adequately prepared to stop DDoS attacks and other threats. 5 Misconception #5: DDoS Attacks Are Not Advanced Threats Yes, technically speaking DDoS attacks by themselves may not be advanced. However, Arbor s Security Engineering and Response Team s (ASERT) 1 years of global research into botnets and DDoS attacks has determined that they are actually very closely related to advanced threats such as malware, RATs, etc. In fact, they may all be used together in what s known as the Cyber Attack Kill Chain. 6 DDoS Used During Farious Stages of Attack Kill Chain Advanced Attack Kill Chain Attack Activities Over Time 1 Research Recon Port Scanning DDoS Port Scanning Initial Comp Weaponization, delivery, installation Phishing DDoS Bad URL PP Zero Day Phishing Attacker Spread Out Exploitation, C&C RAT POS Malware Bot Target Organization Extract Data Complete mission TOR DDoS Figure 5 Source: Arbor Networks, Inc. 5 Arbor Networks 01 Worldwide Infrastructure Security Report 6

5 It s highly recommended that you use global threat intelligence to proactively hunt for signs of compromise or breach before they impact your organization. For example, there have been documented cases where DDoS attacks were used during: The early reconnaissance stage to test an organization s ability to respond to certain threats. The weaponization or malware delivery stage, where they were used to fill security forensic product log and data files; making the search for the planted malware much more challenging. The data extraction stage where the attacks where used as a diversionary tactic. ASERT has discovered even more tangible evidence that proves this interrelationship between DDoS and Advanced Threats. The graphic below is a glimpse into Arbor s ATLAS Global Threat Portal. Its show s a particular threat infrastructure associated with the IP address ( ). Here you can clearly see this threat infrastructure has a combination of DDoS, botnet CnC, and DarkComet malware at its disposal. Data Center DDoS Business Impact Threat Portal SEARCH SEARCH THE ATLAS THREAT DATABASE Historical Threats for % 90% DarkDDoser Confidence: 100 Survey Respondents 80% 70% 60% 50% 0% 0% ATLAS Threat Portal shows of a single threat infrastructure that both DDoS and Advanced Threat malware (DarkComet) at its disposal. Severity: :7 0% DarkDDoser 10% CnC Other DarkComet 0% Threat Severity Confidence Index ARB-ID Policy Class/Group Last Reported DarkComet ARB AIF Standard/Malware Figure 6 Source: Arbor Networks, Inc. So this begs the question Was that last DDoS attack an isolated event or was it part of a more advanced threat campaign against my organization? To hedge your bets it s highly recommended that you use global threat intelligence such as the data shown in the Arbor Threat Portal to proactively hunt for signs of compromise or breach before they impact your organization. 5

6 It s Time for an Intelligent, Multi-Layered Approach to DDoS Protection Using traditional security solutions such as firewalls or IPS or betting against the cybercriminals and hacktivists by doing nothing is a huge risk. Can you afford your critical applications to be unavailable? Can you recover from the costs associated with a breach which exposes millions of customer s confidential data? The reality is you need to protect your organization at all times by taking an integrated, multi-layered approach to DDoS defense. Arbor offers a comprehensive set of DDoS protection products and services which are all backed by their global threat intelligence of ASERT and ATLAS. Diagram Title Trust Arbor to protect your organization from modern day DDoS attacks and other advanced threats. Contact your local Arbor representative to determine which products or services are best for your organization or visit our website at For more complex networks and experienced security teams. Automated detection, out-of-band, customizable mitigation. Used by many MSSPs for in-cloud DDoS protection services. Arbor Cloud Arbor Cloud Scrubbing Center A managed DDoS protection service. Combination of in-cloud and on-premise DDoS attack protection. Terabytes of mitigation capacity backed by DDoS protection experts. Cloud Signal Legit Traffic Peakflow Threat Management System Botnet, DDoS, Malware Volumetric Traffic Application Attack The Internet Your (ISP s) Network Pravail Availability Protection System Your Data Centers Corporate Headquarters 76 Blanchard Road Burlington, MA 0180 USA Toll Free USA T Global visibility and threat intelligence provide situational awareness. ATLAS Intelligence Feed (AIF) arm products with latest, high fidelity, threat protection. Figure 7 Source: Arbor Networks, Inc. + For data centers with less experienced security teams. Always on, protection from (in-bound and outbound) DDoS attacks and threats. Cloud Signaling: Help for volumetric attacks. North America Sales Toll Free Europe T Asia Pacific T Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, Pravail, Cloud Signaling, Arbor Cloud, ATLAS, We see things others can t. and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners. AI/5MISCONCEPTIONS/LETTER/EN/015