
Hybrid DDoS prevention emerges to counter variety of DDoS attacks

As DDoS attacks get bigger, more frequent, and more varied, new hybrid and cloud-based DDoS prevention methods are emerging, but some fear too much automation in DDoS defense may result in a loss of control.

According to new research from a pair of security vendors, distributed denial-of-service (DDoS) attacks are getting easier to perform, leading to larger, more frequent and more costly attacks against enterprises.

At the same time, a transition may be underway regarding how enterprises defend against DDoS attacks. Though DDoS-prevention tools are increasingly moving to the cloud, experts say security professionals want to retain control over those tools and don't yet trust emerging automated systems.

Reports from Burlington, Mass.-based security vendor Arbor Networks Inc. and Cambridge, Mass.-based cloud security vendor Akamai Technologies Inc. highlight the growing risk that organizations face from DDoS attacks, while focusing on different timeframes.

In its State of the Internet Security report, Akamai compared DDoS attacks in Q4 2014 to Q4 2013, and found a 57% increase in year-over-year attacks. Those attacks were larger, averaging 52% more peak bandwidth, while simultaneously being more efficient, averaging 77% fewer peak packets per second. Akamai also found that application layer attacks were up 51% and multi-vector attacks rose 84%.

Arbor Networks showed the same trends in its Worldwide Infrastructure Security Report, but analyzed attacks throughout 2014 to show how DDoS attacks have evolved over the years. Arbor found that organizations experienced 38% more DDoS attacks per month on average in 2014 compared to 2013, and attacks were much larger, noting a four-fold increase in attacks over 100 Gbps, with the largest reported attack at 400 Gbps.

DDoS attacks get bigger and more sophisticated

Arbor Networks said that two-thirds of all DDoS attacks in 2014 were volumetric in nature. Gary Sockrider, solutions architect at Arbor Networks, said that means attackers flood a target with packets in order to overwhelm and shut down the entire Internet connection.

Sockrider said one major reason for the increase in DDoS attack frequency is that DDoS tools are far easier to acquire and use.

"Free-to-download attack tools are easy to find, and are essentially point-and-click," said Sockrider. "You no longer need to have knowledge, just grab a free tool, type in the target address, and instigate an attack, or hire someone. You can get a tool to generate a link that you email out; users click and suddenly start a DDoS attack without knowing it. There's even an Android app available."

When looking at the increased size of DDoS attacks, Sockrider points to the increased use of emerging DDoS attack methods that increase efficiency, especially reflection attacks. In 2014, Sockrider said, attackers turned to NTP reflection attacks over previously popular DNS amplification because a small query could instigate a large response. An attacker could spoof his or her source IP when querying an NTP server so the response is routed to the intended target; this way, an attacker with a 1 Gbps connection could theoretically generate more than 200 Gbps of DDoS traffic.

"Half the problem is that NTP servers allow queries from anyone," said Sockrider. "We found 100,000 exploitable NTP servers. There may be admins running NTP servers and they don't even know it. The other half of the problem is that networks aren't properly protected from spoofed addresses. IT is focused on the perimeter security, like firewalls, and doesn't consider things like spoofed traffic."
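The two halves of the problem Sockrider describes, open reflectors and unfiltered spoofed traffic, each have a defender-side check. The following is an added example, not code from the article or either vendor: it flags NTP reflection traffic in constructed flow records (large inbound UDP/123 replies a host never requested) and applies a BCP38-style egress check that drops packets whose source address is not from the network's own prefixes. The thresholds and the flow tuple layout are assumptions.

```python
import ipaddress
from collections import defaultdict

NTP_PORT = 123
MIN_AMPLIFICATION = 10.0   # assumed threshold: flag when replies dwarf requests
MIN_BYTES = 100_000        # assumed threshold: ignore small, ordinary NTP traffic

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = [
    # Victim 198.51.100.5 receives large UDP/123 replies it never asked for.
    ("203.0.113.10", 123, "198.51.100.5", 40000, "udp", 440_000, 1000),
    ("203.0.113.11", 123, "198.51.100.5", 40000, "udp", 448_000, 1000),
    # Normal NTP sync: small request out, small reply back.
    ("198.51.100.7", 50123, "192.0.2.20", 123, "udp", 48, 1),
    ("192.0.2.20", 123, "198.51.100.7", 50123, "udp", 48, 1),
    ("198.51.100.7", 51000, "192.0.2.30", 443, "tcp", 12_000, 30),
]

def find_ntp_reflection(flows):
    """Return {victim: [(reflector, inbound_bytes, amplification), ...]} for inbound
    UDP/123 traffic whose volume far exceeds what that host sent to the reflector."""
    sent = defaultdict(int)      # (client, server) -> bytes of NTP requests sent
    received = defaultdict(int)  # (client, server) -> bytes of NTP replies received
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if dport == NTP_PORT:
            sent[(src, dst)] += nbytes
        elif sport == NTP_PORT:
            received[(dst, src)] += nbytes
    suspects = {}
    for (client, server), rx in received.items():
        tx = sent.get((client, server), 0)
        amplification = rx / tx if tx else float("inf")  # no request at all: pure reflection
        if rx >= MIN_BYTES and amplification >= MIN_AMPLIFICATION:
            suspects.setdefault(client, []).append((server, rx, amplification))
    return suspects

def is_spoofed_egress(src_ip, local_prefixes):
    """BCP38-style egress check: a packet leaving our network must carry a source
    address from our own prefixes; anything else is spoofed and should be dropped."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in ipaddress.ip_network(p) for p in local_prefixes)

if __name__ == "__main__":
    print(find_ntp_reflection(FLOWS))
    print(is_spoofed_egress("203.0.113.10", ["198.51.100.0/24"]))  # True: not our prefix
```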

According to Akamai, another volumetric technique on the rise is Simple Service Discovery Protocol (SSDP) reflection, the use of which increased 214% in Q4; in separate research late last year, VeriSign Inc. found SSDP to be driving up DDoS attack sizes.

While volumetric attacks were the most frequently reported type of attack, both reports also showed a rise in DDoS attacks that target the application layer (aka layer 7) of the OSI model.

"These attacks may not be overwhelming the connection, but they are overwhelming the application," said Marc Gaffan, general manager of products at Redwood Shores, Calif.-based cloud application vendor Incapsula Inc. "If you get 4,000 search requests, it can cause your database to crumble. It's not just about volume, it's also about sophistication."

DDoS prevention evolves

Volumetric attacks and application layer attacks are two different issues, said Sockrider, and have led to the emergence of a hybrid approach to DDoS prevention.

Arbor found that in the 10 years it has been conducting its DDoS survey, 2014 was the first year in which tools purpose-built for DDoS protection, like on-premise appliances and cloud services, were the No. 1 way that organizations attempted to mitigate the problem. Sockrider said on-premise appliances are good for application layer attacks, but fall short on volumetric attacks.

"It is important to have something close to your resources that sees all the traffic, can find more potential threats, and respond faster," said Sockrider. "But, that can't protect you from an attack that exceeds your Internet capacity. Volumetric attacks must be dealt with upstream, possibly with a cloud-based tool."

This has led to the emergence of a hybrid model, according to Sockrider, where purpose-built appliances help to mitigate application layer attacks, while cloud services handle volumetric attacks. Gaffan said proprietary and ad-hoc systems foster interoperability between on-premise defenses and those in the cloud, but there is a question about where control lies when traffic gets routed through the cloud service for scrubbing.

Verisign recently announced OpenHybrid, which is a set of APIs, connectors and open standards to make communication between on-premise DDoS mitigation devices and cloud-based protection services easier and faster. Part of this speed benefit, according to Gaffan, is due to automatically switching traffic from on-premises systems to cloud services, but this is an area where vendors receive push-back from apprehensive security professionals.

"Customers want someone to manually review a threat before deciding to shift traffic to a scrubbing system," said Gaffan. "Security experts want final say. They want their finger on the button, because the determination that a DDoS attack is happening isn't always easy to detect."

Gaffan believes that this hybrid approach is only a stop-gap measure caused by operational and IT restrictions that prevent organizations from moving directly to fully cloud-based DDoS defense services. He said the more risk-averse could adopt a hybrid approach, but DDoS prevention will eventually move completely into the cloud because doing so offers additional benefits in terms of both speed and crowd-sourced information sharing.

"I believe that, in the long term, the hybrid approach will not exist and DDoS protection will live fully in the cloud," said Gaffan. "DDoS attacks are getting much bigger. We see 200 Gbps attacks every week. This means there needs to be a shift to the cloud, because on-premise tools do nothing when your lines of connectivity get saturated."

No matter how companies choose to best protect themselves from DDoS attacks, experts said the growing number and size of attacks make it clear that organizations need more help. Sockrider noted that because of security budget constraints, companies found it difficult to hire and retain talented security personnel. Arbor found that while DDoS attacks were inevitable, only half of respondents felt reasonably prepared for one.

"It's like a natural disaster when it hits," said Sockrider. "Colossal and hard to deal with."
