Know Your DDoS Enemy

Network operators need actionable threat intelligence to block DDoS attacks.

Dark background with a band of blue-to-purple-to-red dots across the middle

A famous quote from Sun Tzu’s The Art of War states that you will be better off in confrontational situations if you know your enemy—or in the best case, if you know your enemy and know yourself. As the Chinese general and philosopher is credited with writing, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

In the security field, specifically regarding distributed denial-of-service (DDoS) activity, this approach can prove valuable in efforts to protect your network from attacks. But unfortunately, knowing your enemy in the DDoS space can be daunting. Although IP addresses are finite in theory, understanding which ones the bad guys are employing is like finding a needle in a haystack. 

Fundamentally, DDoS attacks are increases in system requests that overwhelm the capacity of a connection to the internet from your network or data center or cause a spike in system requests that disables other vulnerable targets on your network that provide the availability to specific business systems. For example, a volumetric attack will send enough requests to your network to deplete your internet circuit bandwidth, making the network unable take any more requests and rendering it unavailable to customers and users. Or, in a flood attack, the requests fill up a state table on a peripheral device such as a firewall so that device can no longer provide access to the resource it is protecting. 

For the bad guys to accomplish these types of attacks, they use machines specifically configured to send a high volume of requests. They also employ other devices that they commandeer on various networks to augment their efforts and meet their needs. These hijacked machines are called bots, and groups of machines (bots) that are designed to work together are called botnets. The use of these botnet armies, especially in Internet of Things (IoT) devices, has increased every year since they appeared on the scene in 2007. 

As the NETSCOUT Threat Intelligence Report for the second half of 2021 reported, “Since 2007, IoT devices have been targeted incessantly by adversaries who try to co-opt them into their botnet armies. Unfortunately, such attacks often are successful because most IoT devices sit behind consumer-grade firewalls—or worse, no firewall at all. In fact, many consumer IoT devices have little to no security, and they’re often installed using only default credentials, thereby rolling out a welcome mat for attackers.”

DDoS bad guys rely on this infrastructure setup to launch attacks. One method for reducing this type of attack that has proven valuable to network operators is collecting the source location or IP address information from which the attacks originate, or the location of the attacking bots, so their team can instantly implement network policies to block all traffic from those locations during an attack. Further analysis of the collected attack data for each DDoS attack source origination point may identify more DDoS botnet members and other network infrastructure they are exploiting to launch attacks, so your security team can employ that collected data to bolster current mitigation efforts as well as quash future attacks. 

Employing this collected data can provide some limited intelligence to assist in knocking down DDoS attacks. That said, if this source IP or bot location data is being collected only during attacks on your network, the data will be very limited. If you can collaborate with other partner networks and collect their attack data as well, the collective threat intelligence will get better. The ultimate threat intelligence for supercharging your leverage against these types of attacks is the verified source data or origin IP addresses from every DDoS attack that is currently active or has been used in the past, globally. 

Attaining this top level of threat intel is not easy: In many cases, network operators must rely on a third-party threat intelligence purveyor to obtain it. Ideally the purveyor you choose will have global visibility into a sizable portion of internet traffic, extensive experience in collecting DDoS attack data, and top-level expertise in analyzing the data collected to produce actionable threat intelligence. 

Due to NETSCOUT’s unique global DDoS attack visibility that extends to more than one-third of all internet traffic, the data collected on millions of DDoS attacks because of that visibility, and the world-class expertise to analyze this data for DDoS suspects, the Omnis ATLAS Intelligence Feed (AIF) provides our customers the actionable threat intelligence they need. AIF’s level of timely, accurate, actionable threat intelligence about current active DDoS botnet attack sources enables surgical, automated blocking of attacks while minimizing the risk of false positives. This includes the ability to block attacks at all layers of the protocol stack, including application-layer and encrypted attacks.

Within AIF’s first days of being released to customers, AIF botnet threat intelligence has blocked DDoS attack sources more than 300 million times.

Sometimes knowing your enemies can mean studying them as they attack and identifying vulnerabilities as the conflict goes on, but preferably it means getting help from other entities that have already done battle and learning from their victories.

See how NETSCOUT’S Omnis ATLAS Intelligence Feed (AIF) provides active threat intelligence.