In the past, cybercriminals lurked in the dark shadows of the Internet, quietly scanning target systems and evading detection until they eventually launched a silent attack. The era of silent attacks has evolved into tidal waves of volumetric traffic coming from literally everywhere and everything, hitting like a ton of bricks.
When scanning for vulnerabilities, botnets exhibit such aggressive behavior that they trigger DDoS mitigation systems without even initiating the attack. Cybercriminals are creating an abrasive world of distributed mass-scale attacks. We have seen what insecure DVRs and IP cameras can do, but what do you think is going to happen with the introduction of millions of insecure Internet of Things (IoT) light bulbs? It’s going to affect you if it hasn’t already. It’s just a matter of time. The attack surface is amplifying, getting stronger and more dangerous.
The following discussion takes you on a journey through the ever-evolving world of DDoS attacks. It addresses how current protocols, and the way they are deployed, dramatically fall short for DDoS enforcement. We live in a world of global reachability, insecure protocols and no license to rule. Combined with distributed IoT botnets, attacks now have the capability to take offline any network that is not scaled and designed efficiently.
It’s all downhill
In a recent Akamai report, nineteen Mega DDoS attacks exceeded 100 Gbps, with six exceeding 200 Gbps. DDoS-for-hire services with Booter and Stresser botnets lower the barriers to entry and continue to account for a significant portion of mega style attacks.
In 2015 we entered a new age of DDoS attacks, peaking at 602 Gbps against the BBC; only two years later we are experiencing Terabyte scale. It’s not stopping; attacks are growing at an alarming rate.
It’s easy to launch a destructive attack, and variants of the Dirt Jumper DDoS toolkit seem to be in every crack and corner. Infrastructure-layer DDoS attacks are by far the most common attack vector and are initiated with a simple point-and-click operation.
We need Leadership
In times of crisis, leadership is required, but where does leadership for a global problem come from? There is no single source of truth. The Internet will never be rebuilt securely, and network hygiene will always be a problem. We have to lead ourselves to rethink network-based security. Do existing integrated defense mechanisms have the resources required to combat today’s cyber criminals?
Significant events have happened that change the way we look at security. Providers are forced to reevaluate how to protect against volumetric DDoS attacks. We can’t predict the future but if the past is anything to go by we must examine the current approach to security and DDoS mitigation.
Security disaggregation is a more effective approach to enforcement, offering a way to deflect DDoS attacks of any scale. It assumes all the challenges below exist and prepares Providers for the most aggressive attacks. Without a new style of thinking, security professionals will be left idle once the next wave of attacks arrives. Nobody knows what’s coming next.
How did we get to all this mess?
Before getting to how we need to rally to put up the right DDoS defenses for large-volume networks, it is worth taking stock of how we ended up where we are today.
- Global Reachability
The Internet’s connectivity model is based on global reachability: if you have the IP address of an end host, you can reach it. Exposing the IP address opens up the potential for direct malicious activity. The design changed slightly with the introduction of Network Address Translation (NAT), but the foundational principles stay the same, even today.
The Internet’s global footprint is the key ingredient and DNA for many Internet-based services that rely on this type of global reachability. The connectivity model is ingrained in how business operates and forms the culture of our communication. It may seem like a good idea, but if everyone can reach everyone, then everyone can attack everyone. Global reachability enables botnets to spread like worms, using default usernames and passwords to scan the entire Internet for vulnerable systems to infect.
Unfortunately, the world relies on this type of connectivity and the protocols that build upon it, so it’s going to be hard to change anytime soon.
- Insecure Protocols
The Internet that rides on top of the Internet Protocol (IP) was built without security in mind. IP by itself has no built-in security mechanisms and cannot validate the source of an incoming packet. IPsec and other protocols were added later, but they are security kludges bolted on afterwards, certainly not performance oriented. Unfortunately, over time, the Internet became a breeding ground for malicious activity. And because security was an afterthought, it becomes harder to protect companies’ infrastructure adequately.
Core Internet protocols like the Domain Name System (DNS) have a unique viewpoint, acting as the Internet’s control plane. Due to that unique perspective, DNS is often misused to manage and launch various exploits. 93% of Malware use DNS for exploits.
DNS was designed without security in mind and, as a result, offers a perfect breeding ground for large-scale DDoS attacks. It has a huge blast radius, providing cyber criminals with an easy-to-use launchpad for destructive volumetric DDoS attacks. Recent DDoS attacks are crippling infrastructures and won’t stop unless we reinvent the Internet and the protocols it uses.
Old mitigation solutions are not coping with this volume, and it’s certainly easier to design an efficient DDoS mitigation solution than to reinvent every wheel ever invented.
- Inadequate Hardware
The magnitude of attacks is now very significant, and there is only so much that can fit and scale internally with traditional DDoS mitigation appliance hardware components. Old architectures and security appliances are hitting scalability limits, unable to cope with the blast radius of IoT and the other avenues employed by cyber criminals.
Inadequate equipment has a crippling effect on all industry types: Media & Entertainment, Gaming, and Software and Technology. As a result, even the most fault-tolerant and resilient networks are falling victim. Each fall has an adverse impact on an organization’s brand and market value.
- Push to the cloud
Services that were locked inside an Enterprise or Multiprotocol Label Switching (MPLS) network are now increasingly driven to the Internet to take advantage of its global footprint. If an application is cloud adaptable, the chances are it will eventually get pushed to the public cloud.
Remote workers need access to these systems over an unprotected network. Now we have business-critical, high-value systems on the Internet, because this is the way people expect to connect.
- Network hygiene
The Internet is packed with poorly engineered networks, inefficient ingress filtering, open resolvers and Domain Name System (DNS) proxies. Network hygiene is at an all-time low, and there is no license to rule. Internet Service Providers (ISPs) are just transiting traffic; end hosts have no idea they are compromised and part of a Botnet.
Everywhere we look there are pockets of security risk. We need to accept these drawbacks and take proactive measures to protect both network and server infrastructures from the security flaws that arise from global reachability, insecure protocols and the way we work today.
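Ingress filtering is the hygiene measure the section above says is so often missing: since IP itself cannot validate a packet's source, the edge router has to check that a customer interface only emits packets whose source addresses were actually assigned to it (the BCP 38 idea). The following is an added illustration written for this post, not Corsa's code or a vendor configuration. The interface names, the prefix assignments and the sample packets are all constructed for the example; a real deployment would derive the prefix table from the provider's address assignments.

```python
import ipaddress
from collections import Counter

# Constructed example: the source prefixes legitimately assigned to each
# customer-facing ingress interface (assumed values, not a real network).
INTERFACE_PREFIXES = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:1::/48"],
}

# Constructed sample of packets seen on those interfaces: (interface, source IP).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.17"),
    ("cust-a", "203.0.113.9"),     # source never assigned to cust-a -> spoofed
    ("cust-b", "198.51.100.200"),  # outside the assigned /25 -> spoofed
    ("cust-b", "198.51.100.7"),
    ("cust-b", "2001:db8:1::5"),
    ("cust-a", "10.0.0.1"),        # private source on a public edge -> spoofed
]


def compile_prefixes(table):
    """Parse the per-interface prefix strings once into network objects."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}


NETWORKS = compile_prefixes(INTERFACE_PREFIXES)


def source_is_valid(interface, src_ip, networks=NETWORKS):
    """True if src_ip lies inside a prefix assigned to the ingress interface.

    An IPv4 address is never 'in' an IPv6 network (and vice versa), so mixed
    tables are safe; an unknown interface has no prefixes and drops everything.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks.get(interface, []))


def filter_packets(packets, networks=NETWORKS):
    """Split packets into those forwarded and those dropped as spoofed."""
    forwarded, dropped = [], []
    for iface, src in packets:
        target = forwarded if source_is_valid(iface, src, networks) else dropped
        target.append((iface, src))
    return forwarded, dropped


def drop_report(packets, networks=NETWORKS):
    """Count dropped (spoofed-source) packets per ingress interface."""
    _, dropped = filter_packets(packets, networks)
    return dict(Counter(iface for iface, _ in dropped))


if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drp)
    print("drops per interface:", drop_report(SAMPLE_PACKETS))
```

The per-interface drop counts are the operationally useful output: a sudden jump in drops on one customer port is a cheap signal that hosts behind it are emitting spoofed traffic, which is what a reflection-based flood looks like from the originating network's side.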
And then add in IoT and the botnets
IoT-fueled botnets will take you down
IoT-fueled botnets are heading into a new era of Terabyte volumetric attacks, overwhelming even the most important network and security designs. There is no first prize for having the most secure IoT device, so security becomes an afterthought in the product development cycle.
Network connectivity is easy; securing the device is the hard part. Security is not a one-off function; it’s a continuous line of patching and security updates. This is a challenge especially for small-spec devices such as IoT light bulbs and devices that sleep in a far-flung location. It’s alarming that unsecured IoT light bulbs are rolled out by the millions.
Some devices have no intelligence, are entirely unsecurable and will remain vulnerable until removed from service. Others, like an IoT fridge, have intelligence, with a fully-fledged web server for display and streaming purposes. There is a lot of IoT variation with little or no security rule.
Just as the Internet of “people” was designed with security as an afterthought, now with the Internet of “things” security is still an afterthought. As recent IoT device scandals show, a speedy time to market is often more important than security.
There is a new generation of malware types and IoT botnets. Investigation of the distributed, heavy-hitting Mirai Botnet revealed over 50,000 unique IPs spread over 150,000 countries.
Rather than using reflectors, Mirai uses compromised IoT systems and generates traffic directly from those devices.
Once a system is infected, it connects to the command and control (C2) structure to get a list of instructions. The Mirai Botnet is highly distributed, and investigation shows commands from over 30 C2 IP addresses. Its operations use a combination of network-layer SYN, ACK and GRE floods along with GET and PUSH floods at the application level.
Attacks usually run two payload types in parallel: small, regular-sized packets combined with larger packets. The smaller packet size drives up the Mpps packet rate, while the larger packets are used to scale the attack bandwidth. This type of traffic is not hard to detect, but when you get everything thrown at you at over 100 Gbps, mitigation is a challenge in itself.
Today’s DDoS attacks throw a whole range of artillery at secure network gates. The breadth of source distribution and the Mpps packet rates make them difficult to mitigate with traditional methods and traditional security appliances.
This leaves everyone in an unpredictable environment: billions of unsecured endpoints forming a Botnet army, combined with global reachability.
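The two-payload pattern described above is easy to see in flow telemetry once traffic is split per destination and per attack vector: a small-packet SYN flood shows up as a high packet rate with a tiny average packet size, while a large-packet GRE flood shows up as high bandwidth with a modest packet rate. The detector below is an added example written for this post, not Corsa's software or any product's detection logic. The flow records, the thresholds and the source and destination addresses are constructed for the sample and scaled down from the 100 Gbps figures in the text; a real deployment would set the thresholds from measured baselines of the protected network.

```python
from collections import defaultdict

# Assumed alert thresholds, scaled down for the constructed sample.
PPS_ALERT = 500_000      # packets per second for one attack vector
MBPS_ALERT = 400         # megabits per second for one attack vector
MIN_SOURCES = 10         # distinct sources before we call a vector distributed

# Constructed one-second flow summaries: (src, dst, proto, tcp_flags, packets, bytes).
# Numbers are invented to show the two Mirai payload styles side by side.
SAMPLE_FLOWS = [
    # small-packet SYN flood: 40 sources, 60-byte packets
    *[(f"198.51.100.{i}", "203.0.113.10", "tcp", "S", 20_000, 20_000 * 60)
      for i in range(1, 41)],
    # large-packet GRE flood: 20 sources, 1400-byte packets
    *[(f"192.0.2.{i}", "203.0.113.10", "gre", "", 2_000, 2_000 * 1400)
      for i in range(1, 21)],
    # ordinary web traffic toward a different host
    ("198.51.100.250", "203.0.113.20", "tcp", "A", 300, 300 * 900),
    ("198.51.100.251", "203.0.113.20", "tcp", "A", 150, 150 * 700),
]


def aggregate(flows, window_seconds=1.0):
    """Group flows by destination and (proto, flags) vector and compute rates."""
    raw = defaultdict(lambda: defaultdict(
        lambda: {"packets": 0, "bytes": 0, "sources": set()}))
    for src, dst, proto, flags, packets, nbytes in flows:
        v = raw[dst][(proto, flags)]
        v["packets"] += packets
        v["bytes"] += nbytes
        v["sources"].add(src)

    summary = {}
    for dst, vectors in raw.items():
        summary[dst] = {}
        for (proto, flags), v in vectors.items():
            name = f"{proto}/{flags}" if flags else proto
            summary[dst][name] = {
                "pps": v["packets"] / window_seconds,
                "mbps": v["bytes"] * 8 / window_seconds / 1_000_000,
                "avg_pkt_bytes": v["bytes"] / v["packets"],
                "sources": len(v["sources"]),
            }
    return summary


def detect_floods(flows, window_seconds=1.0):
    """Return, per destination, the vectors that cross a rate threshold.

    'packet-rate' marks a pps-driven vector (small packets), 'bandwidth' a
    bits-driven one (large packets); a vector can carry both labels.
    """
    findings = {}
    for dst, vectors in aggregate(flows, window_seconds).items():
        for name, stats in vectors.items():
            kinds = []
            if stats["pps"] >= PPS_ALERT:
                kinds.append("packet-rate")
            if stats["mbps"] >= MBPS_ALERT:
                kinds.append("bandwidth")
            if not kinds:
                continue
            findings.setdefault(dst, []).append({
                "vector": name,
                "kind": "+".join(kinds),
                "distributed": stats["sources"] >= MIN_SOURCES,
                **stats,
            })
    return findings


if __name__ == "__main__":
    for dst, items in detect_floods(SAMPLE_FLOWS).items():
        for f in items:
            print(f"{dst} {f['vector']:6} {f['kind']:12} pps={f['pps']:.0f} "
                  f"mbps={f['mbps']:.0f} avg={f['avg_pkt_bytes']:.0f}B "
                  f"sources={f['sources']} distributed={f['distributed']}")
```

Keying the statistics on the (protocol, flags) vector rather than on the destination alone is what makes the two payloads visible as separate signals; summed together, the SYN and GRE components of the sample blur into one 840 kpps, 832 Mbps aggregate and the per-vector packet-size difference is lost, which is exactly the information a mitigation device needs to pick a countermeasure for each component.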
Rally around a better network security model
We would not be in this state of affairs if we had some network hygiene and global control. We can’t control the uncontrollable, and it seems everything at some stage is going to be connected to the Internet with global reachability and insecure protocols. The map of the Internet from 1976 is considerably different from what we have today. No one is to blame; it’s just grown this way.
Security seems to be turning back the clock, as is evident with SSHowDowN Proxy attacks using a 12-year-old vulnerability in OpenSSH. It has become a cat-and-mouse game; traditional DDoS mitigation techniques are clearly not adequate.
Corsa’s disaggregated security model is the first of its kind to stand up and say the current model and approach to security is not working. We have to leverage all the smarts of DDoS detection and analysis software and run separate, dedicated mitigation hardware to keep up with the escalation in the number and size of attacks. It’s a bold statement, but if we don’t improve network security architectures, we are going to be stuck with rigid ASICs, unscalable NPUs, too much state, limited architectural options and risky deployments that will lead to costly loss of services.
Understanding the details of today’s network security shortcomings is the first step to getting on the right track to making positive change. Join us for our next blog series as we delve deeper into the inadequacy of current DDoS mitigation strategies. We will discuss the key elephants in the room causing networks to fail and which you absolutely must avoid if you want network security that scales and adapts with the growing attacks.