Digital Transformation Opens Door to Stateful DDoS Attacks

Intelligent mitigation systems can effectively block them.

The push toward digital transformation has inadvertently opened several new doors for state-exhaustion distributed denial-of-service (DDoS) attacks, requiring organizations to rethink their mitigation strategy to include intelligent DDoS mitigation systems. Let’s look at three examples:

  1. Stateful firewalls. As part of digital transformation projects, many organizations deploy network-based cybersecurity stacks that are often fronted by stateful, next-generation firewalls (NGFWs). (Stateful firewalls monitor and track the state of all network traffic and analyze traffic patterns to find possible threats.) Unfortunately, the very nature of these stateful NGFWs also creates new vulnerabilities. State-exhaustion DDoS attacks can be targeted at stateful firewalls, effectively breaking down defenses and/or disrupting communications to the services behind them. According to the 16th annual Worldwide Infrastructure Security Report, 83 percent of survey respondents reported that their firewalls were targets, failed, or contributed to outages caused by DDoS attacks.
  2. The stateful connections of stateless applications. Next-generation applications offer another example. Such applications are often designed to be stateless, thus running without the need to reference past iterations of the process. But the truth about these applications is that some form of state is in fact being tracked. A prime example of this is when a web application tracks the status of users who have previously logged in to their accounts but perhaps have briefly navigated away. Typically, these sessions can be tracked via cookies or tokens, or state may be otherwise maintained in the client. Moreover, stateless applications often depend on stateful roots. We are seeing increasing use of containerization technologies such as Kubernetes to increase scalability. (In fact, IDC expects almost two billion container instances to be deployed by 2020.) However, the supporting network infrastructure continues to depend on routers and stateful devices such as NGFWs, web application firewalls, intrusion-prevention systems, and load balancers. These systems remain highly susceptible to state-exhaustion DDoS attacks, which can be just as crippling to a business as their volumetric attack brethren.
  3. The shift to remote work. As enterprises shifted to a work-from-home posture due to the COVID-19 pandemic, many were compelled to make significant investments in remote work infrastructure. In many cases, this included virtual private networks (VPNs) and conferencing systems. This has led to a greater reliance on cloud services to meet the needs for scalability and accessibility. DDoS attacks that disrupt workflows to the stateful VPN concentrator or cloud can cripple a remote workforce. The need for intelligent, stateless DDoS mitigation that can keep remote user access to internal and cloud-based services up and running is clear.

Putting the Right Mitigation Strategy in Place

Being able to block state-based attacks requires unique capabilities. Intelligent DDoS mitigation systems, which operate in a stateless/semi-stateless manner, should be deployed in front of stateful devices to protect them and the state-minimized application services behind them from state-exhaustion attacks.
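
The following added example (not from the original article or any vendor's product) models why placing a stateless check in front of a stateful device protects its connection table. The names StatefulTracker, challenge, verify and simulate, the table capacity, and the keyed-hash token (a simplified stand-in in the style of TCP SYN cookies) are assumptions made for illustration; all traffic is constructed in memory.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)  # constructed per-device key for this example

class StatefulTracker:
    """Stateful device model: one table entry per connection attempt."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.table = set()

    def admit(self, flow):
        if flow not in self.table and len(self.table) >= self.capacity:
            return False  # table full: every new flow is dropped
        self.table.add(flow)
        return True

def challenge(flow, epoch):
    """Token derived from the flow itself, so the front end stores nothing."""
    msg = repr((flow, epoch)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def verify(flow, epoch, echoed):
    """Accept a token issued in the current or the previous epoch."""
    return any(hmac.compare_digest(echoed, challenge(flow, e))
               for e in (epoch, epoch - 1))

def simulate(capacity=1000, unanswered=5000, epoch=42):
    # Constructed traffic: sources that open connections and never reply,
    # followed by one client that completes the exchange.
    silent = [("198.51.100.%d" % (i % 254 + 1), 1024 + i, 443)
              for i in range(unanswered)]
    client = ("192.0.2.10", 51000, 443)

    # Case 1: stateful device directly exposed.
    exposed = StatefulTracker(capacity)
    for flow in silent:
        exposed.admit(flow)
    exposed_ok = exposed.admit(client)

    # Case 2: stateless check in front; only flows that echo a valid token
    # are passed on, so unanswered attempts never reach the table.
    protected = StatefulTracker(capacity)
    for flow in silent:
        challenge(flow, epoch)          # sent to the claimed source, not stored
    token = challenge(client, epoch)    # the real client receives and echoes it
    protected_ok = verify(client, epoch, token) and protected.admit(client)
    return exposed_ok, len(exposed.table), protected_ok, len(protected.table)
```

In the exposed case the table is full before the real client arrives; in the protected case the table holds only the one flow that proved it could answer.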

Intelligent, stateless DDoS mitigation offers enterprises and service providers several important benefits and strategic advantages. With the rapid growth of online commerce, consumers expect uninterrupted network performance. Simply put, DDoS attacks can prove a serious threat to the online customer experience. Mitigating those threats is critically important for any business that relies on network connectivity and the availability of their business-critical applications or services.

Similarly, communications service providers and cloud service providers are under constant pressure to deliver fast, reliable service that fulfills service-level agreements (SLAs). Any network downtime due to DDoS attacks can be costly. Intelligent DDoS mitigation offers a means for reducing the threat from such attacks.

For service providers and enterprises alike, state-exhaustion DDoS attacks represent a clear and present danger to business operations and profitability. While threats to stateful infrastructure are not new, digital transformation has expanded the threat surface and unleashed numerous new attack vectors, which should raise red flags. As a result, cybersecurity professionals must focus on designing next-generation IT environments that are resilient to state-exhaustion attacks.
