Intelligently Automated DDoS Defense
Kevin Whalen

Many business organizations struggle to detect and mitigate Distributed Denial of Service (DDoS) attacks in a timely and efficient manner. The cost of downtime, which for most organizations can run more than $500 per minute, is not the only risk. DDoS is increasingly used as one part of broader attack campaigns that also include ransomware and malware downloads aimed at stealing valuable information assets.

In an independent global study commissioned by Neustar of over 1,000 directors, managers, CISOs, CSOs, and CTOs, over half (51%) found that their organizations took more than three hours to detect and identify a DDoS attack. These numbers show a marked deterioration from 2016. Almost half (48%) took over three hours to respond to a DDoS attack once it was detected, an 8% increase over 2016.


DDoS Attacks Are Growing in Size and Sophistication

DDoS attacks have changed significantly in size, frequency and, most importantly, sophistication. They have also changed in duration. For example, according to Arbor’s 13th annual Worldwide Infrastructure Security Report, the average duration of a DDoS attack in 2017 was around 46 minutes, down from 55 minutes last year. However, do not equate length with risk, because the impact can last much longer than the attack itself. For example, say a front-end website is brought down by a DDoS attack. The multiple back-end systems that rely on it to communicate can take much longer than 30 minutes to resynchronize and come back up. Also, unlike malware, which can lie dormant inside an organization for months at a time, a DDoS attack hits without warning and its impact is immediate.

An example of increasing sophistication can be found in the emergence of multifaceted botnets leveraging the Internet of Things (IoT). Millions of unsecure devices connected to the internet have created a perfect ‘breeding ground’ for large and dynamic botnets that challenge traditional protection strategies. The Mirai botnet alone is estimated to have compromised more than half a million IoT devices worldwide.

The botnet is capable of launching not only large volume but also much more complex, multi-vector attacks, including:

  • SYN-flooding
  • UDP flooding
  • Valve Steam Engine (VSE) query-flooding
  • GRE-flooding
  • ACK-flooding (including a variant intended to defeat intelligent DDoS mitigation systems, or IDMSes)
  • Pseudo-random DNS label-prepending attacks (also known as DNS ‘Water Torture’ attacks)
  • HTTP GET attacks
  • HTTP POST attacks
  • HTTP HEAD attacks

These attack techniques go well beyond straightforward volumetric attacks. Mirai and its derivatives can simultaneously target:

  • GRE-tunneling (used in some DDoS mitigation architectures for scrubbing traffic)
  • Potentially vulnerable third-party vectors (like DNS services)
  • Applications directly via Layer 7 (HTTP GET/POST)

Intelligently Automated Mitigation

Being “automatic” and being intelligently automated are two different things. Today’s DDoS protection best practices call for intelligently automated on-premise and cloud-based mitigation strategies. On-premise components (placed in front of stateful devices like firewalls and WAFs) are well suited to quickly mitigating the majority of attacks, especially the harder-to-detect application-layer attacks. Cloud-based DDoS protection is ideal for mitigating truly volumetric attacks upstream, before they saturate your connection to the internet.

A hybrid DDoS defense deployment combines on-premise with cloud-based mitigation offering the most comprehensive protection against today’s multi-vector DDoS attacks. Here’s an example of what is meant by intelligent automation. On-premise DDoS solutions are customized to protect specific applications running in a specific data center. This customization includes policies with specific white/black lists, geo-location information etc. These local, customized policies are continuously sent to a cloud-based DDoS protection service — before an attack occurs — in other words during peace time.


When an attack larger than the capacity of the on-premise protection occurs, a digital signal is sent to the cloud-based DDoS protection service. Attack traffic is then automatically rerouted to an appropriate cloud-based scrubbing center, where the previously sent customized protection policies, among others, are automatically applied to it. This method of attack traffic diversion and auto-mitigation using policies shared in advance is what is meant by intelligent automation.
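The hybrid workflow described above (peacetime policy sync, capacity-triggered cloud signal, scrubbing with the pre-synced policy) as a small added simulation. This is illustrative code written for this page, not Arbor’s or any vendor’s implementation; the policy fields, flow records, capacity figure and addresses are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:  # on-premise policy for one application (constructed sample values below)
    app: str
    allow_list: set = field(default_factory=set)         # white list, always passes
    block_list: set = field(default_factory=set)         # black list, always dropped
    blocked_countries: set = field(default_factory=set)  # geo-location rules

def keep(policy, flow):  # apply one policy to one flow; allow list wins over other rules
    if flow["src"] in policy.allow_list:
        return True
    return flow["src"] not in policy.block_list and flow["country"] not in policy.blocked_countries

class CloudScrubber:  # cloud scrubbing centre holding policies synced during peacetime
    def __init__(self):
        self.policies, self.diverted = {}, []
    def sync_policy(self, policy):  # peacetime: receive the customised on-premise policy
        self.policies[policy.app] = policy
    def signal(self, app):  # attack time: digital signal from the on-premise device
        if app not in self.policies:
            raise LookupError(f"no pre-synced policy for {app}; cannot auto-mitigate")
        self.diverted.append(app)
    def scrub(self, app, flows):  # apply the pre-synced policy to the diverted traffic
        return [f for f in flows if keep(self.policies[app], f)]

class OnPremMitigator:  # inline device with fixed capacity; above it, divert to cloud
    def __init__(self, policy, capacity_gbps, cloud):
        self.policy, self.capacity_gbps, self.cloud = policy, capacity_gbps, cloud
        cloud.sync_policy(policy)  # sync happens at deployment, before any attack
    def handle(self, flows):  # returns (where scrubbed, flows that reach the application)
        total = sum(f["gbps"] for f in flows)
        if total > self.capacity_gbps:
            self.cloud.signal(self.policy.app)
            return "cloud", self.cloud.scrub(self.policy.app, flows)
        return "onprem", [f for f in flows if keep(self.policy, f)]

# Constructed sample: one policy, a small normal load, then a volumetric attack above capacity.
POLICY = Policy("web-dc1", allow_list={"198.51.100.10"}, block_list={"203.0.113.9"},
                blocked_countries={"ZZ"})
NORMAL = [{"src": "198.51.100.10", "country": "AA", "gbps": 0.2},
          {"src": "203.0.113.9", "country": "AA", "gbps": 0.1}]
ATTACK = NORMAL + [{"src": f"192.0.2.{i}", "country": "ZZ", "gbps": 2.0} for i in range(6)]

def demo():
    cloud = CloudScrubber()
    onprem = OnPremMitigator(POLICY, capacity_gbps=10, cloud=cloud)
    return onprem.handle(NORMAL), onprem.handle(ATTACK), cloud.diverted
```

The point of the `signal` check is the one the text makes: diversion only works as auto-mitigation if the customized policy was already shared during peace time.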

Automated, actionable threat intelligence and, where practical, leveraging automated processes are critical to the rapid detection and mitigation of today’s multi-vector, sophisticated DDoS attacks. Only by knowing more about the scope and inner workings of attacks can the enterprise achieve both rapid and efficient DDoS protection.

Truly Actionable Threat Intelligence

Truly actionable threat intelligence is characterized by:

  • A source of continuous real-world network traffic and threat data beyond the enterprise. The larger the sample of current, real world data the better.
  • The enhancement of this raw data with context: the ‘connecting-the-dots’ of what data points are related to attack campaigns and relevant to a specific threat.
  • A high level of confidence. Intelligence that spawns false positives is not intelligence.

By looking at cyber attack data from multiple sources and focusing on persistent malware characteristics, truly actionable intelligence identifies not only singular points of compromise, but data that is related as part of a campaign. Incorporating this broader context — the underlying command and control infrastructure, the historical, associated tactics, techniques and procedures (TTPs) — data becomes more reliable, actionable threat intelligence.

Such reliable intelligence is critical to power more automated, faster DDoS detection and effective mitigation. Automated identification based on current, actionable threat intelligence can be used regardless of attack volume. There’s no need to wait for an attack to reach a volume threshold before initiating mitigation. You can identify multiple types of DDoS attacks, including ‘low and slow’ application-layer attacks. Automatic detection of certain categories of botnets can stop them from compromising the network while enabling other security devices to do the jobs for which they are designed.

Many DDoS countermeasures can be automated — such as blocking specific types of attacks targeting bandwidth, applications and protocols. Automation can accommodate multiple levels of protection to align with risk profiles and confidence levels. Detection and identification of attacks can be communicated automatically with your security service provider or ISP, leading to faster, more effective upstream DDoS mitigation.

Marrying actionable intelligence with intelligently automated processes allows you to better manage the sheer volume of today’s attacks. Automation also allows you to deploy security resources more efficiently and focus them on threat triage: detecting, identifying and thwarting real threats faster. For example, automatically pre-populating SOC investigations with contextual, reliable threat intelligence (e.g., IP reputation data and currently active malware and TTPs) can speed up and enhance effective threat management for DDoS and beyond.