Distributed denial of service (DDoS) attacks can be devastating because both the targeted system and every system the attacker has compromised and controls to launch the attack are affected. Lipsin, Arbor Networks' VP of partners and alliances, offers advice on providing comprehensive protection against new and evolving threats. —Jennifer Bosavage
Distributed denial of service (DDoS) attacks are making headlines around the world as they disrupt the Web sites of online retailers, banks, governments and virtually every organization that depends on its online presence.
For years, enterprises have seen DDoS attacks as a nuisance, something that could and should be handled by their Internet Service Provider (ISP). That is true of volumetric DDoS attacks, which simply try to overwhelm a connection with data, making it unavailable. Once a volumetric attack reaches the front door of an enterprise, it is too late to deal with it effectively; it has to be caught upstream, before it arrives.
These types of DDoS attacks continue to be a menace. In fact, they are increasing in frequency and size. In 2001, Microsoft, eBay and Yahoo! were taken offline by what were then considered “large” volumetric attacks that were, incredibly, in the 300M range, a relatively low-volume attack by today's standards. Today, Arbor Networks has seen sustained DDoS attack sizes exceeding 100G. To put that in perspective, that is ten times the size of most Internet backbone pipes today. To deal with DDoS attacks of this magnitude, ISPs are offering “clean pipes,” ensuring enterprises are able to focus on other operational security issues such as data integrity, confidentiality and compliance.
In 2010, however, there was a dramatic shift in DDoS, from primarily large volumetric attacks to smaller, harder-to-detect attacks that target the very infrastructure of the enterprise itself. With the rise of “hacktivism” and inexpensive opt-in DDoS tools, enterprise data centers are under attack like never before. They are finding, in the most painful way possible, that existing security infrastructure is unable to protect data center assets from these small, harder-to-identify application-layer DDoS attacks. That has led to some very high-profile takedowns of Fortune 500 companies, as well as government organizations. Those successful attacks have in turn led to more attacks against data centers that hackers perceive as vulnerable.
Enterprises are coming to the realization that data integrity, confidentiality and compliance are all critical aspects of a layered security strategy – but everything starts with availability itself. If data center assets are unavailable to users, all the other layers of security become inconsequential. In short, they need help from their trusted solution providers, value added resellers and system integrators.
IPS And Firewalls Can’t Do It Alone
Intrusion Protection System (IPS) devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from those addressed by dedicated DDoS detection and mitigation products. IPS devices and firewalls effectively address network integrity and confidentiality, but they fail to address the fundamental focal point of DDoS attacks: network availability. Adding to the security threat, IPS devices and firewalls maintain state information for every session established between a client on the Internet and the corresponding server in the data center. That finite session state is itself a resource an attacker can exhaust, so these devices are vulnerable to DDoS attacks and often become the targets themselves, serving as chokepoints.
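The chokepoint effect described above can be shown with a small simulation. This is an added example, not Arbor Networks code: a toy stateful inline device with a bounded session table, a constructed traffic mix of short legitimate sessions and never-completing flood sessions, and a defender-side check that distinguishes state exhaustion from organic load by the fraction of half-open entries. All names, rates and capacities are assumptions chosen for illustration.

```python
from collections import OrderedDict

class StatefulDevice:
    """Toy inline firewall/IPS: each session costs one table entry, entries
    expire after idle_timeout seconds, and the table has a hard capacity."""
    def __init__(self, max_sessions, idle_timeout):
        self.max_sessions, self.idle_timeout = max_sessions, idle_timeout
        self.table = OrderedDict()  # key -> [opened_at, established]; oldest first
    def _expire(self, now):
        while self.table and now - next(iter(self.table.values()))[0] >= self.idle_timeout:
            self.table.popitem(last=False)
    def open(self, key, now):
        """Admit a new session; False means the table is full and it is dropped."""
        self._expire(now)
        if len(self.table) >= self.max_sessions:
            return False
        self.table[key] = [now, False]
        return True
    def establish(self, key):
        self.table[key][1] = True
    def close(self, key):
        self.table.pop(key, None)
    def half_open_fraction(self):
        if not self.table:
            return 0.0
        return sum(1 for _, est in self.table.values() if not est) / len(self.table)

def simulate(seconds, legit_rate, flood_rate, max_sessions=1000, idle_timeout=30):
    """Constructed traffic mix: legitimate clients open, complete and close a session
    within a second; flood sessions never complete and hold entries until idle timeout."""
    dev, stats = StatefulDevice(max_sessions, idle_timeout), []
    for t in range(seconds):
        for i in range(legit_rate):
            dev.close(("legit", t - 1, i))   # last second's legitimate sessions finish
        for i in range(flood_rate):
            dev.open(("flood", t, i), t)     # half-open flows that never complete
        refused = 0
        for i in range(legit_rate):
            if dev.open(("legit", t, i), t):
                dev.establish(("legit", t, i))
            else:
                refused += 1                 # a real user turned away by a full table
        stats.append({"t": t, "refused": refused, "occupancy": len(dev.table),
                      "half_open": round(dev.half_open_fraction(), 2)})
    return stats

def alert(stat, max_sessions, threshold=0.8):
    """Defender check: a near-full table made mostly of half-open sessions is
    state exhaustion, not organic load, and should trigger DDoS mitigation."""
    return stat["half_open"] >= threshold and stat["occupancy"] >= 0.9 * max_sessions
```

With the defaults, 200 half-open flows per second fill a 1000-entry table in five seconds, after which every legitimate session is refused even though the flood itself is tiny in bandwidth terms.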
When it comes to protection against DDoS attacks, many enterprises and data center operators have a false sense of security. They believe they have secured their key services against attacks by deploying IPS devices or firewalls in front of their servers. In reality, such deployments can actually expose these organizations to service outages, having a direct impact on customer satisfaction and, therefore, revenue.
Typical users of data center and cloud services expect on-demand services. When business-critical services are not available, enterprises and data center operators can lose millions of dollars and potentially damage important customer and partner relationships. Solution providers have a tremendous opportunity to educate enterprises about dedicated Intelligent DDoS Mitigation solutions that serve as infrastructure protection for existing products and complement solutions such as firewall and IPS.
Availability Protection Requires a Purpose-Built Solution
To provide sufficient protection against impactful application-layer DDoS attacks, it is important to deploy a dedicated DDoS mitigation solution that provides comprehensive protection against new and evolving threats, secures the availability of services, provides excellent visibility across the whole infrastructure and detects emerging threats by looking beyond the network edge.
However, because these low-bandwidth, application-layer attacks are so difficult to detect, enterprises will look to their trusted advisors and solution providers to help them understand the solutions available and choose the one that best suits their needs. Solution providers can build on their existing customer relationships, act as the trusted advisor in selecting a DDoS mitigation solution, and then offer to manage the overall security of that solution. They must be able to demonstrate that they have the ability and capacity to protect against new and evolving threats, that they can guarantee availability of services to customers, and that they have excellent visibility across the customer’s entire network so that threats are identified and stopped quickly. Solution providers that grasp this opportunity can extend their leadership position while providing a necessary level of protection that the majority of their customers are missing today.