The COVID-19 outbreak has triggered unprecedented changes to the way we work, as companies wrestle with how best to support a dramatic increase in remote workers. Naturally, ensuring the health and safety of employees is priority one. At the same time, keeping the company operational is every bit as important, and this sudden shift has brought some challenges when it comes to defending business continuity. Employees must now rely on VPNs to access critical business applications such as finance, HR, and engineering, making VPN endpoints a critical business lifeline. However, these endpoints are often undefended, and attacks on them would have significant business continuity consequences. In the first of a series of webinars on business continuity, NETSCOUT Security CTO Darren Anstee discussed how to protect vital VPN endpoints from Distributed Denial of Service (DDoS) attacks.
A Vulnerable Lifeline
“The availability of the remote access systems that give us a route into our corporate networks is really crucial now,” Anstee said. Newly remote workers from functions such as HR, payroll, finance, and engineering must be able to access data and applications that live inside corporate networks, and they rely on VPNs to do so. “However, in many cases the remote access endpoints that we’re relying on are vulnerable to DDoS attack, and there are a lot of people out there who are looking to exploit this,” he said. “We are seeing an increase in DDoS attacks targeting the TCP and UDP ports being used by various VPN solutions.”
Unfortunately, attackers have powerful weapons at their disposal. DDoS attacks have been around for more than 20 years, and most businesses are used to defending customer-facing services and applications from such attacks. But, Anstee pointed out, attackers know how to mix and match different DDoS attack vectors to maximize their chances of success:
- Volumetric attacks saturate connectivity, filling up the pipes that connect network and resources together.
- State exhaustion attacks target infrastructure, such as load balancers and firewalls, congesting and overwhelming state tables.
- Application layer attacks target applications at layer seven with queries and authentication requests that chew up resources and grind systems to a halt.
“Today’s attackers have tools that can automatically combine these attack types together into what are known as multi-vector attacks that try to find weaknesses in corporate defenses,” he said. And, at the moment, these attacks can have a much higher impact as back-office business continuity can be affected, bringing an organization to a halt. “If an attack saturates the link to our VPN endpoint or exhausts its state tables then home workers are effectively cut off from corporate resources.”
DDoS Defense for Today
The big question is, how do we defend ourselves and our business continuity in this time of remote work? “We need to apply best practice defenses that many of us have used to protect our customer-facing services to protect our VPN endpoints,” Anstee said. This could simply mean extending current capabilities, making sure that traffic to VPN endpoints is routed through an existing suite of on-premises DDoS solutions, and upgrading licenses if needed to handle additional throughput. Or it could mean adding new defense capabilities to networks, either physically or as virtual network functions.
Speed of reaction is key, hence the focus around on-premises DDoS protection solutions. “It’s critical to have inline mitigation that can react as soon as an attack begins,” Anstee said. “Our network links and VPN endpoints are running hot at the moment, and even small attacks could cause problems.”
Hybrid DDoS defenses—which combine localized protection with cloud-based backup—constitute the current best practice for complete protection. “For example, NETSCOUT’s Arbor Edge Defense can work in conjunction with a Sightline TMS-based DDoS protection service,” he said. “It can automatically call for help should an attack escalate to the point where internet connectivity would become saturated. This is what we call hybrid DDoS defense—AED uses cloud signaling to allow the two layers of DDoS defense to work together and exchange information to manage any attack.”
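To make the two ideas above concrete, the multi-vector classification of an attack and the hybrid hand-off from inline mitigation to cloud scrubbing, here is an added Python sketch that is not NETSCOUT's or the webinar's code. The link capacity, per-second budgets, headroom rule and sample rows are all constructed assumptions for a hypothetical 1 Gbit/s site.

```python
"""Classify per-second traffic samples toward a VPN endpoint into the three
DDoS vector classes (volumetric, state exhaustion, application layer) and
pick the hybrid response: inline mitigation alone, or inline plus a signal
to an upstream cloud service when the attack would saturate the link.
Every threshold and sample row below is a constructed assumption."""
from dataclasses import dataclass

LINK_CAPACITY_BPS = 1_000_000_000   # assumed 1 Gbit/s internet link
CLOUD_SIGNAL_AT = 0.80              # ask upstream for help above 80% of link
NEW_CONN_BUDGET_PS = 20_000         # assumed firewall/VPN state-table fill budget
AUTH_BUDGET_PS = 300                # assumed legitimate peak of IKE/SSL-VPN auths/s

@dataclass(frozen=True)
class Sample:
    second: int
    bps: int             # bits per second arriving on the link
    new_conn_ps: int     # TCP SYNs + new UDP flows toward the VPN ports per second
    auth_req_ps: int     # authentication attempts the VPN endpoint handles per second

def classify(s: Sample, baseline_bps: int) -> set:
    """Return the vector classes a sample exhibits. Volumetric is judged against
    the headroom left by legitimate load: a link already running hot with
    remote workers fails under a much smaller flood than an idle one."""
    vectors = set()
    if s.bps - baseline_bps > 0.5 * (LINK_CAPACITY_BPS - baseline_bps):
        vectors.add("volumetric")
    if s.new_conn_ps > NEW_CONN_BUDGET_PS:
        vectors.add("state-exhaustion")
    if s.auth_req_ps > AUTH_BUDGET_PS:
        vectors.add("application-layer")
    return vectors

def decide(s: Sample, baseline_bps: int) -> str:
    """Hybrid decision: the on-premises device always mitigates inline first and
    signals the cloud layer only when the link itself is about to saturate."""
    vectors = classify(s, baseline_bps)
    if not vectors:
        return "normal"
    if s.bps >= CLOUD_SIGNAL_AT * LINK_CAPACITY_BPS:
        return "inline+cloud-signal"
    return "inline"

# Constructed samples: a quiet second, a state+auth multi-vector attack that the
# inline device can absorb, then a flood that also threatens the link.
BASELINE_BPS = 600_000_000   # remote workers already using 60% of the link
SAMPLES = [Sample(1, 610_000_000, 800, 40),
           Sample(2, 700_000_000, 45_000, 2_500),
           Sample(3, 950_000_000, 60_000, 2_500)]

def run(samples=SAMPLES, baseline_bps=BASELINE_BPS):
    return [(s.second, sorted(classify(s, baseline_bps)), decide(s, baseline_bps))
            for s in samples]

if __name__ == "__main__":
    for row in run():
        print(row)
```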
Pitlik is a veteran business and technology writer and a frequent contributor to the NETSCOUT blog.