2 March 2019

3 new defense tactics to slow overwhelming attacks

By: Tony Bogovic  

The first major cyberattack was an unintended distributed denial-of-service (DDoS) attack carried out by a Cornell graduate student in 1988. Thirty years later, DDoS remains among the most destructive cyber challenges facing military, enterprise and public network infrastructure.

With our growing reliance on cyber infrastructure across all sectors, the risks and dangers of DDoS attacks are greater than ever. For government, DDoS could be particularly harmful as mission operations increasingly depend on reliable network access. We’ve seen DDoS attacks hit political campaigns and the Pentagon has faced attacks of 600 gigabits per second (Gbps), a figure that was unheard of a few years ago.

The real question: How are defensive measures evolving to deal with the problem?

Types of DDoS attacks

DDoS attacks are largely botnet-driven, volumetric attacks on key targets. The Mirai botnet is perhaps the most notable attack in recent years because it used internet-connected DVRs and webcams to shut down Twitter, Facebook, Reddit and Amazon. These volumetric attacks can push hundreds of Gbps of malicious traffic at a single target, making defending against them and protecting critical cyber infrastructure extremely difficult.

There are also low-volume attacks, at the protocol and application layer, that aim to exhaust the resources of their targets. This is usually done by sending malformed network traffic in particular ways: either at the packet level (sending bad packets to a target system to force it to react anomalously) or at the protocol level (misusing a protocol's valid exchanges to exhaust resources).

For example, Slowloris is a common protocol attack in which a single machine opens many HTTP connections to a target server, sends partial requests and never completes them. By holding the connections open, the attacker eventually drives the targeted server to its maximum connection capacity, creating a denial of service.
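The Slowloris pattern above is blunted on the defender's side by two controls a front-end proxy or web server applies to every connection: a cap on how many incomplete requests one client may hold open at once, and a deadline by which a connection must deliver a complete request header. The following is an added illustration, not code from the article or from any named product; the client addresses, timestamps, limits and request fragments are constructed for the simulation.

```python
"""Defender-side connection guard against slow, partial-request attacks.

Constructed example. It models the two checks a front end applies:
  1. a per-client cap on concurrently open, not-yet-complete requests, and
  2. a deadline by which a connection must deliver a complete request header.
All clients, IPs, timestamps and request fragments below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"  # blank line that terminates an HTTP/1.1 request header


@dataclass
class Conn:
    client: str
    opened_at: float
    buf: bytes = b""
    complete: bool = False


class ConnectionGuard:
    def __init__(self, max_pending_per_client=5, header_deadline=10.0, max_header_bytes=8192):
        self.max_pending = max_pending_per_client   # incomplete requests allowed per client
        self.deadline = header_deadline             # seconds allowed to finish the header
        self.max_header = max_header_bytes          # reject absurdly long headers outright
        self.conns = {}                             # conn_id -> Conn
        self.pending = defaultdict(int)             # client -> count of incomplete requests
        self.next_id = 0
        self.rejected = []                          # (client, reason) audit trail

    def on_open(self, client, now):
        """Accept or refuse a new connection from `client` at time `now`."""
        if self.pending[client] >= self.max_pending:
            self.rejected.append((client, "too many pending requests"))
            return None
        cid = self.next_id
        self.next_id += 1
        self.conns[cid] = Conn(client, now)
        self.pending[client] += 1
        return cid

    def on_data(self, cid, data, now):
        """Feed received bytes; returns 'complete', 'partial' or 'closed'."""
        c = self.conns[cid]
        c.buf += data
        if not c.complete and len(c.buf) > self.max_header:
            self._close(cid, "oversized header")
            return "closed"
        if not c.complete and HEADER_END in c.buf:
            c.complete = True
            self.pending[c.client] -= 1   # a finished request no longer counts as pending
            return "complete"
        return "partial"

    def sweep(self, now):
        """Close every connection whose header deadline has passed; returns their ids."""
        expired = [cid for cid, c in self.conns.items()
                   if not c.complete and now - c.opened_at > self.deadline]
        for cid in expired:
            self._close(cid, "header deadline exceeded")
        return expired

    def _close(self, cid, reason):
        c = self.conns.pop(cid)
        if not c.complete:
            self.pending[c.client] -= 1
        self.rejected.append((c.client, reason))


def simulate():
    """Constructed scenario: one normal client, one slow client that stalls six requests."""
    g = ConnectionGuard(max_pending_per_client=3, header_deadline=10.0)
    good = g.on_open("198.51.100.7", now=0.0)
    good_status = g.on_data(good, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", now=0.1)
    slow_ids = []
    for i in range(6):
        cid = g.on_open("203.0.113.9", now=1.0 + i)
        if cid is not None:
            # one header line, then silence: the terminator never arrives
            g.on_data(cid, b"GET / HTTP/1.1\r\nX-a: b\r\n", now=1.0 + i)
            slow_ids.append(cid)
    refused = sum(1 for _, r in g.rejected if r == "too many pending requests")
    expired = g.sweep(now=20.0)
    return {"good_status": good_status, "accepted_slow": len(slow_ids),
            "refused": refused, "expired": len(expired),
            "pending_after": g.pending["203.0.113.9"], "good_still_open": good in g.conns}


if __name__ == "__main__":
    print(simulate())
```

The cap refuses the fourth and later stalled connections immediately, and the deadline sweep reclaims the three that were admitted, while the client that sent a complete request is untouched. Real servers expose the same two knobs under names such as per-IP connection limits and request header timeouts.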

Current DDoS defense

Most DDoS defenses use a filtering-as-a-service or “traffic scrubbing” approach, often delivered by a third party or internet service provider (ISP). These scrubbing services aim to stop attacks by filtering out illegitimate, malicious traffic. While they can be effective, they have weaknesses and cannot be the sole means of combating modern DDoS attackers.

For example, large volumetric attacks can overwhelm the filter capacity. To respond, the scrubbing service increases its bandwidth, which requires more resources and increases costs. This becomes a costly arms race between the scrubbing service and the attacker, and fundamentally, attackers will always outpace over-provisioning as a defense.

These scrubbing services generally cannot completely filter the bad traffic without also dropping some of the legitimate traffic.

Also, DDoS response and recovery processes can be manual rather than automated. For instance, a victim might notice that their network service quality is poor because they’re facing a high-volume attack. The victim then notifies the scrubbing service to activate filtering of the bad traffic. But because this can be expensive, victims (including agencies) may turn off the scrubbing service once an attack subsides, leaving them vulnerable again and setting up the cycle to repeat. This is a reactive, slow process at a time when speed of identification and mitigation is critical.

New approaches to defense

To improve protection against DDoS attacks, government agencies and industry must find new tactics and technologies to provide comprehensive defense against both high-volume and more precise, low-volume attacks. Cyber infrastructure designs inherently need to withstand DDoS attacks to the extent possible.

Three strategies for delivering a comprehensive DDoS defense include:

* Disperse high-value network assets: DDoS attackers target a system’s most valuable information assets: centralized servers such as email, chat, login or DNS servers that are valuable sources of data. This makes the attacker’s job easier, since they need only identify these data hubs. One tactic to combat this is to decentralize or disperse the log data or DNS IP information an adversary wants to target. This makes it more difficult for attackers to target data assets and minimizes the impact of attacks.

* Deceptive defense: One of the best ways to defend against a predator is to trick it. Agencies can do the same to defend against DDoS attackers. Through game-theory planning, real-time analytics and sophisticated network maneuvering, adversary attack activity can be tracked and appropriate counter-maneuvers implemented. For instance, an attacker could be fooled into thinking their attack is successful when it’s not.

* Sensor-driven response: Organizations need an adaptive DDoS capability to identify and mitigate attacks, especially zero-day precision attacks that happen in real time, exhaust targeted servers’ computing capacity and fly under the radar of scrubbing techniques. With high-fidelity sensors, organizations can quickly detect potentially malicious activity, send an alert that triggers an investigation and initiate appropriate mitigation responses.
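The sensor-driven response described in the last item, and the manual on/off scrubbing cycle criticized earlier, differ mainly in who decides when mitigation starts and, just as importantly, when it stops. The following added example (not the article's or Perspecta Labs' code) shows a small controller that consumes per-second sensor samples, keeps a baseline of normal traffic, engages a rate-limit directive when traffic exceeds a multiple of that baseline, and releases it only after a hold-down period of sustained quiet so that a brief lull in the attack does not reopen the door. The sensor samples, thresholds and hold-down length are constructed for the scenario.

```python
"""Sensor-driven DDoS response with automatic engage and release.

Added example with constructed data. A volumetric sensor reports one sample per
second (packets/s and the number of distinct source addresses). The controller:
  * learns an exponentially weighted baseline from traffic it believes normal,
  * engages mitigation when a sample exceeds trigger_ratio x baseline,
  * releases only after hold_down consecutive quiet seconds (hysteresis), so
    the response is automatic in both directions and does not oscillate.
"""
from dataclasses import dataclass


@dataclass
class Sample:
    t: int          # seconds since start
    pps: float      # packets per second seen by the sensor
    sources: int    # distinct source IPs in this second (reported for the alert)


class ResponseController:
    def __init__(self, alpha=0.1, trigger_ratio=5.0, release_ratio=2.0, hold_down=5):
        self.alpha = alpha                  # EWMA smoothing factor for the baseline
        self.trigger_ratio = trigger_ratio  # engage when pps > trigger_ratio * baseline
        self.release_ratio = release_ratio  # a second is "quiet" when pps < release_ratio * baseline
        self.hold_down = hold_down          # quiet seconds required before release
        self.baseline = None
        self.mitigating = False
        self.quiet_for = 0
        self.events = []                    # (t, action) log for the analyst

    def observe(self, s):
        """Process one sensor sample; returns the controller state after it."""
        if self.baseline is None:
            self.baseline = s.pps           # first sample seeds the baseline
            return "learning"
        if not self.mitigating:
            if s.pps > self.trigger_ratio * self.baseline:
                self.mitigating = True
                self.quiet_for = 0
                self.events.append((s.t, f"ENGAGE rate-limit to {int(2 * self.baseline)} pps "
                                          f"({s.sources} sources observed)"))
                return "engaged"
            # Only learn from traffic believed normal, so an attack cannot drag the
            # baseline upward and hide itself behind its own volume.
            self.baseline = (1 - self.alpha) * self.baseline + self.alpha * s.pps
            return "normal"
        # Mitigating: require sustained quiet before releasing.
        if s.pps < self.release_ratio * self.baseline:
            self.quiet_for += 1
            if self.quiet_for >= self.hold_down:
                self.mitigating = False
                self.events.append((s.t, "RELEASE rate-limit"))
                return "released"
        else:
            self.quiet_for = 0              # attack resumed; restart the hold-down clock
        return "mitigating"


def run_scenario():
    """Constructed timeline: 10 s normal, 8 s flood, 3 s lull, 4 s flood, 10 s quiet."""
    samples = [Sample(t, 1000 + (t % 3) * 50, 40) for t in range(10)]
    samples += [Sample(t, 80000, 25000) for t in range(10, 18)]
    samples += [Sample(t, 1200, 45) for t in range(18, 21)]
    samples += [Sample(t, 90000, 30000) for t in range(21, 25)]
    samples += [Sample(t, 1100, 42) for t in range(25, 35)]
    ctl = ResponseController()
    states = [ctl.observe(s) for s in samples]
    return ctl.events, states


if __name__ == "__main__":
    events, states = run_scenario()
    for t, action in events:
        print(f"t={t:>3}s  {action}")
```

In the constructed run, mitigation engages at the first flood second and stays engaged through the three-second lull, because the hold-down clock is reset when the flood resumes; it releases only after five consecutive quiet seconds following the second wave. The baseline is frozen while mitigating for the same reason the lull is ignored: a detector that learns from attack traffic will eventually classify the attack as normal.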

Where do we go from here?

Current DDoS solution techniques are not enough. Attackers have proven they can overpower and sneak past traditional scrubbing services.

To survive, organizations need network and information systems whose designs are fundamentally more resilient to DDoS, not just patches and filters to blunt the attacks.

Innovative and adaptive strategies to confuse, confound and outwit attackers can be both more effective and less costly than an escalating arms race.

Tony Bogovic is vice president at Perspecta Labs.
