Choosing a DDoS mitigation solution … the cloud based approach
By Pierluigi Paganini, Editor-in-Chief, CDM
Jun 10, 2013, 03:00 pm EST
DDoS (Distributed Denial of Service) attacks have erroneously been considered minor attacks by the security community because of their supposedly limited impact in time: normally victims are forced to interrupt their services for a few hours and no other damage is observable.
Recent events have demonstrated that such attacks can cause huge economic losses and, of course, can also seriously damage the victim’s image.
Another phenomenon that has been observed is that attackers are not only targeting web infrastructures but also trying to exploit flaws and improper configurations within Domain Name System (DNS) infrastructures. Arbor Networks’ 2012 Worldwide Infrastructure Security Report indicated that 41 per cent of respondents experienced DDoS attacks against their DNS infrastructure, demonstrating the concerning trend.
There isn’t a specific profile of the victims of a DDoS: banks, payment services, mail providers and, more generally, every web service provider could face this type of offence.
In a similar manner there isn’t a typical profile of the attacker: cyber criminals, hacktivists and state-sponsored hackers adopt similar strategies to hit a wide range of targets.
Before speaking about mitigation techniques it is useful to introduce the principal categories of DDoS used by the security community to classify these dangerous events:
- Volume Based Attacks – The attacker tries to saturate the bandwidth of the target by flooding it with a huge quantity of data; the category includes ICMP floods, UDP floods and other spoofed-packet floods. This type of attack is very common and very simple to carry out thanks to the huge quantity of tools available for free on the Internet, and the technique is very popular in the hacktivist underground. The magnitude of Volume Based Attacks is measured in bits per second (bps).
- Protocol Attacks – The attacker’s goal is to saturate the server resources of the target, or those of intermediate communication equipment (e.g. load balancers), by exploiting network protocol flaws. The category includes SYN floods, Ping of Death, fragmented packet attacks, Smurf DDoS and more. The magnitude of Protocol Attacks is measured in packets per second.
- Application Layer Attacks – The attackers target HTTP, trying to exhaust the resource limits of Web services. Application Layer Attacks target specific Web applications, flooding them with a huge quantity of requests that saturate the target’s resources. Application Layer attacks are hard to detect because they don’t necessarily involve large volumes of traffic and require fewer network connections than other types of DDoS techniques. Examples of Application Layer DDoS attacks are Slowloris and DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities. The magnitude of Application Layer Attacks is measured in requests per second.
Having described the types of attacks, it’s time to speak about countermeasures for a DDoS attack.
The increase in the number and magnitude of DDoS attacks is stressing the need to adopt proper countermeasures and implement mitigation techniques. DDoS detection is a critical phase of the mitigation process: the prompt response of defense systems can limit the damage and in some cases neutralize the threat.
The principal firms that provide DDoS mitigation solutions follow various approaches to defend their customers. The first thing a company that needs to protect its infrastructure from an attack must do is identify the normal conditions of its network traffic, defining “traffic patterns”; this is necessary for threat detection and alerting. The majority of commercial solutions provide threshold-based alerting mechanisms that trigger information-gathering modules which try to collect meaningful information on the attack from the logs. Layered filtering is a very common approach: solution providers analyze traffic in layers, trying to detect harmful traffic and applying filters to stop the menace on the specific layer. Many companies also adopt open source software to limit the number of incoming connections and the volume of traffic.
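As an added illustration (not code from the article or from any vendor), the following Python sketch shows threshold-based alerting against per-service traffic baselines and labels each alert with the attack category from the list above, using the magnitude each category is measured in. The two service names, the baseline figures and the 5× alert factor are assumptions.

```python
# Added example (not from the article): threshold-based alerting against a
# per-service traffic baseline, naming the DDoS category by which magnitude
# (bps, pps or requests/s) crossed its threshold. Baselines are constructed.
from dataclasses import dataclass

@dataclass
class Baseline:
    bps: float  # normal bits per second
    pps: float  # normal packets per second
    rps: float  # normal HTTP requests per second

# Constructed per-service profiles: the public site and the home-banking
# area have substantially different normal traffic patterns.
BASELINES = {
    "www": Baseline(bps=200e6, pps=40_000, rps=1_500),
    "homebanking": Baseline(bps=20e6, pps=5_000, rps=200),
}
FACTOR = 5.0  # assumed: alert when a metric exceeds FACTOR x its baseline

def classify(service, bps, pps, rps, factor=FACTOR):
    """Category suggested by one second of traffic, or None if normal."""
    b = BASELINES[service]
    # Bandwidth is tested first: a volumetric flood also raises the packet
    # rate, while a SYN flood raises pps far more than bps.
    if bps > factor * b.bps:
        return "volume"       # ICMP/UDP floods: measured in bps
    if pps > factor * b.pps:
        return "protocol"     # SYN floods, fragments: measured in pps
    if rps > factor * b.rps:
        return "application"  # HTTP floods: low volume, high request rate
    return None

def scan(service, samples):
    """samples: iterable of (second, bps, pps, rps) for one service.
    Returns [(second, category)] for every sample over threshold; these
    are the events that would trigger the log-gathering modules."""
    alerts = []
    for sec, bps, pps, rps in samples:
        cat = classify(service, bps, pps, rps)
        if cat is not None:
            alerts.append((sec, cat))
    return alerts
```

The same request rate that is normal for the public site trips the application-layer threshold for the home-banking profile, which is why a single global threshold is a poor fit for a company exposing several services.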
Traditional solutions on which many companies have relied oversize the bandwidth and adopt complex hardware such as firewalls and load balancers. This approach is considered by many experts costly and in many cases ineffective; that’s why companies are choosing cloud-based DDoS protection and direct management of DNS services to optimize the response to malicious events. Another advantage of this choice is the sensible reduction of investment in equipment and infrastructure and, of course, the reduction of the management costs typical of hardware solutions.
The acquisition of a DDoS mitigation solution is not so simple: the market proposes various choices such as hardware and software appliances and cloud-based solutions. Following is a short list of features that I suggest evaluating when acquiring a new product:
- Capacity of the solution in terms of protocols supported, analysis paths implemented and granularity offered for traffic inspection.
- Possibility of traffic profiling: if a company exposes various services it could be useful to define a different policy for each one, since the normal traffic pattern of different services is substantially different; for example, the number of visitors of a bank’s web site will reasonably differ from the number using its home banking functions.
- Product flexibility, i.e. the possibility to create ad hoc policies and patterns starting from well-known configurations.
- Product scalability: the product has to evolve with the changing needs of the buyer.
- Availability of built-in hardware redundancy features.
- Availability of an efficient reporting/alerting system; the various solutions differ considerably from each other here and I suggest evaluating these features with care.
- Reliability of the solution: DDoS is a dynamic menace that varies over time. Be sure to choose a solution provider that is able to provide continuous updates and prompt assistance for its products.
- Bidirectional traffic monitoring: a good solution must be able to control both inbound and outbound traffic to prevent the abuse of network resources by attackers.
- Product reputation and customer references: this is a crucial aspect that must consider both the features of the product and the maintenance services.
One of the most popular mitigation approaches is cloud-based DDoS mitigation; surfing the web sites of DDoS mitigation solution providers it is very easy to find references to the methods and solutions that implement it.
How does the cloud-based DDoS mitigation approach work?
When a DDoS attack is detected the malicious traffic is redirected through the cloud to a mitigation architecture, so that the user’s website is not affected. The principal providers of DDoS mitigation solutions, such as Prolexic, Verisign and Incapsula itself, offer cloud-based solutions. For a successful mitigation it’s crucial to monitor and analyze traffic pattern data in real time.
When a DDoS attack is detected by the monitoring systems, inbound traffic is redirected to the nearest scrubbing center; the centers apply DDoS filtering and routing techniques to reduce the interference of DDoS traffic. The clean traffic is then routed back to the customer’s network. It’s clear that the capacity of the scrubbing centers and the filtering methods adopted are crucial for the provisioning of an efficient defensive service.
Having a clear idea of what I expect from a DDoS mitigation solution, I decided to discuss the market offer directly with an insider, so I contacted the security experts at Incapsula and had the opportunity to interview the CEO, Gur Shatz.
The company provides every website, regardless of its size, with enterprise-grade website security, performance and reliability. As stated on the corporate web site, Incapsula was spun out of and is financially backed by Imperva, a leading provider of data security solutions.
What are the key criteria for a successful DDoS mitigation service?
Well, there are various factors that contribute to a successful DDoS mitigation solution, such as:
- Network size: you need a mitigation service that can handle the largest attack that will be thrown at you. Since attacks are becoming larger at a worrying rate, anything below 250Gbps of network capacity just isn’t enough.
- Automatic detection: there are many ways to launch a DDoS attack, and sometimes the nature of the attack rather than its size is what makes mitigation so hard. Take for example hit and run attacks, which are short bursts of traffic at random intervals over a long period of time. A manual mitigation solution that requires users to turn it on and off on every burst will throw the IT team into complete havoc. Some solutions, like Incapsula, offer automatic DDoS mitigation, taking full responsibility for detecting the attack as well as mitigating it.
- Transparent mitigation: DDoS is about degradation of service, which can be complete denial of service but also disruptions. If your DDoS mitigation service introduces a large rate of false positives or degrades the normal user experience in any way, the DDoS attack is actually achieving its goal even if your service is still up and running. Unless your mitigation service can offer zero disruption to the normal user experience, withstanding lengthy attacks without damaging your business performance is impossible.
- Time and complexity to on-board: a major factor in a DDoS service is how fast you can on-board the service and what kind of effort you need to invest. There are various techniques and setups, some complex, requiring on-premise devices and configuration, and some simple, requiring only a simple DNS change. When you are under fire, make sure you have chosen a solution that can shield your network from that attack with minimal effort and time.
- Support: a 24×7 team of experts is an essential part of a good DDoS mitigation service. Being under a DDoS attack is one of the most frustrating times for an IT manager. You practically have no visibility into what is happening, there is nothing you can do internally and the entire service is down. You need someone on your side who can help you understand what is going on and can help you through, as an expert, while the DDoS attack is going on.
Based on the observation of DDoS attacks against your clients during the last few months, could you provide useful information on the most common attack methods and an estimate of the damage caused? Also, do you see any changes/trends during the last few months?
The principal trends that we are observing are:
- Larger and larger network attacks; specifically, SYN floods and DNS amplification are often the tools of choice.
- Hit and Run attacks – small application layer attacks that don’t last very long, but occur every few days.
This information might be biased, because typically, as a cloud provider, we are well suited for large network attacks, and the fact that our users are typically always on the service means that a user with a hit and run problem tends to reach us.
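The hit-and-run pattern named in the trends above, and in the earlier answer on automatic detection, is easier to see with numbers. The following Python example is added here and is not the article’s or Incapsula’s code: it builds a constructed per-minute request series with short bursts at irregular intervals, lists the bursts a manual process would have to react to one by one, and runs an automatic engage/disengage controller with a hold-down period. All rates, burst positions, the 5× threshold and the 60-minute hold-down are assumptions.

```python
# Added example (not from the article or Incapsula): constructed per-minute
# request rates with short bursts at irregular intervals (the "hit and run"
# pattern) and an automatic engage/disengage controller whose hold-down
# period keeps mitigation from being toggled on every single burst.

def build_series(minutes, baseline, bursts, burst_rate):
    """Constructed traffic: `baseline` requests/min everywhere except the
    (start, length) windows in `bursts`, which carry `burst_rate`."""
    rps = [baseline] * minutes
    for start, length in bursts:
        for m in range(start, min(start + length, minutes)):
            rps[m] = burst_rate
    return rps

def detect_bursts(rps, baseline, factor=5):
    """Return [(start, end)] minute ranges where rate > factor * baseline.
    Each range is one event a manual on/off process would have to handle."""
    bursts, start = [], None
    for m, r in enumerate(rps):
        if r > factor * baseline and start is None:
            start = m
        elif r <= factor * baseline and start is not None:
            bursts.append((start, m))
            start = None
    if start is not None:
        bursts.append((start, len(rps)))
    return bursts

def auto_mitigate(rps, baseline, factor=5, hold_down=60):
    """Automatic controller: engage at the first over-threshold minute and
    disengage only after `hold_down` consecutive quiet minutes, so bursts
    closer together than the hold-down share one mitigation window.
    Returns [(engage_minute, disengage_minute)]."""
    windows, engaged_at, quiet = [], None, 0
    for m, r in enumerate(rps):
        attacking = r > factor * baseline
        if engaged_at is None:
            if attacking:
                engaged_at, quiet = m, 0
        else:
            quiet = 0 if attacking else quiet + 1
            if quiet >= hold_down:
                windows.append((engaged_at, m))
                engaged_at = None
    if engaged_at is not None:
        windows.append((engaged_at, len(rps)))
    return windows
```

With three constructed days of traffic and five bursts, the automatic controller opens four mitigation windows (two bursts 55 minutes apart share one), and a longer hold-down merges more of them, which is the trade-off between toggling and keeping mitigation engaged longer than strictly needed.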
I read that you provide a cloud-based solution for DDoS mitigation; what are the points of strength of your approach?
I believe that our true strength lies in a number of aspects of our service:
- A cloud-based service that can be joined with no hardware, software or other integration requirements. Adding a website to Incapsula is done through a simple DNS change, which allows us to offer our services to practically anyone regardless of company size, IT manpower or expertise.
- A large network of more than 300Gbps that can handle practically any attack out there.
- Transparent and automatic mitigation of attacks with no negative (and in most cases a positive) effect on legitimate users’ experience.
- Having a built-in CDN and Web Application Firewall allows customers to be always online and automatically mitigate attacks while improving overall user experience and overall security.
Whatever you choose, you must consider the trade-off between costs and benefits: every company is increasing its exposure on the Internet, thereby increasing its attack surface, and downtime is becoming unacceptable to the majority of them.
How could the cloud mitigate an attack?
Principal security vendors provide cloud-based solutions for DDoS mitigation,
I have all the information you are looking for in these 2 pages, which describe types of DDoS attacks and tools to use for DDoS attacks: http://www.incapsula.com/ddos/ddos-attacks/botnet-ddos and http://www.incapsula.com/ddos/ddos-attacks
I suggest that when you get to talk about ways to mitigate DDoS attacks, you compare the 2 most popular mitigation solutions used today: Cloud-based mitigation services (such as Incapsula) and Appliance-based mitigation services (such as Arbor Networks).
For information about the advantages of a Cloud-based solution such as Incapsula you can use this: http://www.incapsula.com/images/Incapsula_DDoS_ProductSheet.pdf which describes the way Incapsula mitigates DDoS attacks and its advantages; I can also send you the advantages of using an appliance-based solution.
First, it would be great if you could read our DDoS Product sheet: http://www.incapsula.com/images/Incapsula-DDoS-Mitigation.pdf
Next, let’s coordinate a call with our Product Director, who will explain our DDoS mitigation service. After that you will be able to write the follow-up article. Does that sound good to you?
Which Arbor Networks product is the direct competitor of your cloud-based DDoS protection service?
Arbor is not a cloud-based solution, so I cannot say it is a direct competitor at the level that Prolexic or Neustar are.
Since Arbor provides a hosted solution, its sweet spot is service providers, which have enough bandwidth to deal with attacks from within their network.
Although Arbor does have an offering for enterprises, it does not fit most companies, which have to deal with DDoS attacks from outside their network in order to survive them.