
Protecting Against Modern DDoS Threats

Why Anti-DDoS Products and Services are Critical for Today’s Business Environment

A Frost & Sullivan White Paper

50 Years of Growth, Innovation and Leadership

www.frost.com


CONTENTS

Executive Summary 3
Introduction 4
What is DDoS? 4
  Volumetric Attacks 5
  TCP State-Exhaustion Attacks 6
  Application-Layer Attacks 6
The Growing DDoS Problem 7
  Broader Spread of Attack Motivations and Targets 8
  Volunteer Botnets 9
  Increased Impact on Organizations 9
Complex Threats Need a Full-Spectrum Solution 9
  Integrity and Confidentiality vs. Availability 9
Protect Your Business from the DDoS Threat 10
  Cloud-Based DDoS Protection 10
  Perimeter-Based DDoS Protection 10
  Out-of-the-Box Protection 10
  Advanced DDoS Blocking 11
  Botnet Threat Mitigation 11
  Cloud Signaling 11
The Final Word 11


EXECUTIVE SUMMARY

The perception of distributed denial of service (DDoS) attacks has changed dramatically in the past 24 months. A series of successful, high-profile attacks against enterprises, institutions and governments around the world has driven home the importance of availability and the need for layered defenses. These attacks have also driven home how quickly the pace of innovation has accelerated on the side of the hackers.

In today’s environment, any enterprise operating online—which means just about any type and size of organization—can become a target because of who they are, what they sell, who they partner with or for any other real or perceived affiliations. The widespread availability of inexpensive attack tools enables anyone to carry out DDoS attacks. This has profound implications for the threat landscape, risk profile, network architecture and security deployments of Internet operators and Internet-connected enterprises.

The methods hackers use to carry out DDoS attacks have evolved from the traditional high-bandwidth/volumetric attacks to more stealthy application-layer attacks, with a combination of both being used in some cases. Whether used for the sole purpose of shutting down a network, or as a means of distraction to obtain sensitive data, DDoS attacks continue to become more complex and sophisticated. While some DDoS attacks have reached levels of 100Gbps, low-bandwidth application-layer attacks have become more prominent as attackers exploit the difficulties in detecting these “low-and-slow” attacks before they impact services. The methods botnets use to carry out these attacks have also shifted. Botnets used to be made up of compromised PCs, unwitting participants controlled by a botmaster. In the age of the hacktivist, people are opting-in to botnets and even renting botnets for the purpose of launching attacks.

Network administrators are finding that traditional security products, such as Firewalls and Intrusion Prevention Systems (IPS), are not designed for today’s complex DDoS threat. These products focus on the integrity and confidentiality of a network. However, DDoS targets the availability of the network and services it provides.

In today’s complex and rapidly changing threat landscape, enterprises need to take control of their DDoS risk mitigation strategy by proactively architecting a layered defense strategy that addresses availability threats. The issue of availability is taken into account as part of risk planning for site selection, power failures and natural disasters. Given today’s threat landscape, DDoS planning should now be part of any enterprise risk mitigation strategy.

Arbor Networks’ Pravail Availability Protection System (APS) is the first security product focused on securing the network perimeter from threats against availability—specifically, protection against application-layer DDoS attacks. Purpose-built for the enterprise, it delivers out-of-the-box, proven DDoS attack identification and mitigation capabilities that can be rapidly deployed with little configuration, even during an attack.


An added benefit for customers is Arbor’s unique visibility into DDoS botnets because of its ATLAS infrastructure, which combines a darknet sensor network with traffic data from more than 100 service provider customers around the world. The ATLAS Intelligence Feed delivers DDoS signatures in real time to keep the enterprise data center edge protected against hundreds of botnet-fueled DDoS attack toolsets and their variants.

Overall, the Arbor Pravail APS provides what other perimeter-based security devices cannot, and that is the ability to detect and mitigate DDoS attacks proactively.

INTRODUCTION

Black Friday brings to mind the vision of hundreds of shoppers lined up at stores, ready to pounce on deals and do business. A more recent holiday shopping addition—Cyber Monday—brings to mind a different vision of a global audience armed with a computer and Web browser, clicking away at the best deals at their favorite online retailer. While these two visions may seem very different, the need to enable customers to make purchases is critically important.

The concept of business continuity is not new. Organizations have worked on business continuity planning for a long time. Unfortunately, in today’s always-on environment, the challenge of business continuity is greater than ever before. Consider the ease with which criminals can conduct a crippling attack on an organization. With attackers having the ability to generate significant amounts of traffic from the botnets they control, and sophisticated attack tools at their disposal, even an organization with a high-capacity Internet connection can have its Internet services, and business, disrupted.

This paper will look at DDoS attacks in detail. It will illustrate the attack vectors being used and describe why the threat to organizations is greater than ever before. This paper will then detail why traditional firewall and IPS solutions fall short in protecting organizations against today’s sophisticated DDoS attacks. Finally, this paper will present the Arbor solution—a complete, purpose-built solution that Frost & Sullivan believes can provide protection against the wide range of DDoS attacks that can target the corporate data center.

WHAT IS DDOS?

A DDoS attack is simply an attempt by an attacker to exhaust the resources available to a network, application or service such that genuine users cannot gain access. It is an attack formulated by a group of malware-infected or volunteered client computers that attempt to overwhelm a given network, site or service with their combined actions. However, not all DDoS attacks operate in the same way. DDoS attacks come in many different forms. These forms include flood attacks, which rely on high volumes of traffic/sessions to overwhelm a target, e.g., TCP SYN, ICMP and UDP floods, and more sophisticated application-layer attack vectors/tools, such as Slowloris, KillApache, etc.


DDoS attacks can be classified as volumetric attacks, TCP State-Exhaustion attacks or application-layer attacks. In Kaspersky’s DDoS attacks in Q2 2011 report, HTTP flooding, an example of an application-layer attack, was the most common DDoS vector.1 The dominance of application-layer attacks illustrates the rapid evolution of DDoS away from traditional volumetric attacks.

1 http://www.securelist.com/en/analysis/204792189/DDoS_attacks_in_Q2_2011

Attacked Vectors¹

  HTTP Flood       88%
  SYN Flood        5.4%
  UDP Flood        2.6%
  ICMP Flood       1.7%
  TCP Data Flood   1.2%
  DDoS on DNS      0.2%

Volumetric Attacks

Volumetric attacks flood a network with massive amounts of traffic that saturate and consume a network’s bandwidth and infrastructure. Once the traffic exceeds the capabilities of a network, or its connectivity to the rest of the Internet, the network becomes inaccessible, as shown in Figure 1. Examples of volumetric attacks include ICMP, Fragment and UDP floods.

[Figure 1: Volumetric Attacks. Regular and malicious traffic arrive via ISP1, ISP2 and ISP3; the combined malicious traffic saturates the router and firewall in front of the target applications and services.]

TCP State-Exhaustion Attacks

TCP State-Exhaustion attacks attempt to consume the connection state tables that are present in many infrastructure components, such as load balancers, firewalls and the application servers themselves. For instance, firewalls must analyze every packet to determine whether the packet is a discrete connection, the continuation of an existing connection, or the completion of an existing connection. Similarly, an intrusion prevention system must track state to carry out signature-based detection of packets and stateful protocol analysis. These and other stateful devices—including load balancers—are frequently compromised by large session flood or connection attacks.

The Sockstress attack, for example, can quickly overwhelm a firewall’s state table by opening sockets to fill the connection table.

Application-Layer Attacks

Application-layer attacks use far more sophisticated mechanisms to achieve the goals of the hacker. Rather than flooding a network with traffic or sessions, application-layer attacks target specific applications/services and slowly exhaust resources at the application layer. Application-layer attacks can be very effective at low traffic rates, and the traffic involved in the attacks can be legitimate from a protocol perspective. This makes application-layer attacks harder to detect than other DDoS attack types. HTTP Flood, DNS dictionary, Slowloris, etc., are examples of application-layer attacks.
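A defender-side illustration of the three-class taxonomy above, added here and not taken from the white paper or from any Arbor product: it scores constructed one-second traffic summaries against the signatures the paper describes (link saturation by UDP/ICMP, SYNs that never complete a handshake, low-bandwidth HTTP requests that never finish). The record layout, thresholds, link size and sample windows are assumptions.

```python
"""Score one-second traffic summaries against the three DDoS classes the paper
describes: volumetric, TCP state-exhaustion and application-layer.

Added example, not code from the white paper or from Arbor. The record layout,
thresholds, link size and sample windows are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class Window:
    """Inbound traffic seen at the perimeter during one second (constructed)."""
    mbps: float          # inbound bit rate
    pkts_udp_icmp: int   # UDP, ICMP and fragment packets
    pkts_total: int      # all inbound packets
    syns: int            # TCP SYN segments received
    handshakes: int      # three-way handshakes completed
    conns_open: int      # entries held in the stateful device's table
    http_reqs: int       # HTTP requests started
    http_complete: int   # HTTP requests fully received


LINK_MBPS = 1000.0            # assumed Internet link capacity
STATE_TABLE_SIZE = 100_000    # assumed firewall connection-table size
BASELINE = Window(mbps=120, pkts_udp_icmp=2_000, pkts_total=40_000, syns=800,
                  handshakes=790, conns_open=6_000, http_reqs=900,
                  http_complete=895)


def classify(w: Window, baseline: Window = BASELINE) -> list[str]:
    """Return the attack classes whose signature the window matches.

    Several classes can match at once, which is how a multi-vector attack
    (e.g. volumetric plus application-layer) shows up."""
    verdicts = set()
    # Volumetric: the link is near saturation and UDP/ICMP/fragments dominate.
    if w.mbps > 0.8 * LINK_MBPS and w.pkts_udp_icmp > 0.5 * w.pkts_total:
        verdicts.add("volumetric")
    # State-exhaustion: SYNs far outrun completed handshakes (half-open
    # build-up), or the connection table is close to full.
    half_open = w.syns - w.handshakes
    base_half_open = max(1, baseline.syns - baseline.handshakes)
    if half_open > 1_000 and half_open > 10 * base_half_open:
        verdicts.add("state-exhaustion")
    if w.conns_open > 0.8 * STATE_TABLE_SIZE:
        verdicts.add("state-exhaustion")
    # Application-layer: protocol-valid and low bandwidth, so bit rate is no
    # signal; look instead at requests that never complete (low-and-slow) or
    # a request rate far above baseline.
    incomplete = w.http_reqs - w.http_complete
    if (incomplete > 0.5 * max(1, w.http_reqs)
            or w.http_reqs > 10 * baseline.http_reqs):
        verdicts.add("application-layer")
    return sorted(verdicts)


# Constructed windows, one per scenario from the paper.
SAMPLES = {
    "quiet": BASELINE,
    "udp_flood": Window(mbps=950, pkts_udp_icmp=900_000, pkts_total=1_000_000,
                        syns=800, handshakes=790, conns_open=6_000,
                        http_reqs=500, http_complete=498),
    "syn_flood": Window(mbps=150, pkts_udp_icmp=2_000, pkts_total=300_000,
                        syns=250_000, handshakes=1_000, conns_open=90_000,
                        http_reqs=900, http_complete=895),
    "slow_http": Window(mbps=60, pkts_udp_icmp=500, pkts_total=20_000,
                        syns=3_000, handshakes=2_990, conns_open=20_000,
                        http_reqs=3_000, http_complete=200),
    "multi_vector": Window(mbps=900, pkts_udp_icmp=800_000, pkts_total=1_100_000,
                           syns=200_000, handshakes=900, conns_open=50_000,
                           http_reqs=3_000, http_complete=300),
}


def report() -> dict[str, list[str]]:
    """Classify every sample window; used by the stand-alone run below."""
    return {name: classify(w) for name, w in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in report().items():
        print(f"{name:13s} -> {verdicts or ['normal']}")
```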

[Figure: Application-Layer Attacks. Low-bandwidth requests are made via ISP1 and ISP2; the malicious requests bypass the security devices (router, firewall, IPS) and reach the target applications and services, which are slowly exhausted.]

THE GROWING DDoS PROBLEM

In recent years, DDoS attacks have become more sophisticated. The attack vectors hackers are using within their attacks are more complex. Hackers now use a combination of volumetric and application-layer DDoS attacks, as they know this increases their chances of disrupting availability.

Volumetric attacks are also getting larger, with a larger base of either malware-infected machines or volunteered hosts being used to launch these attacks.

As represented in Figure 4, in a survey conducted by Arbor Networks, the size of volumetric DDoS attacks has grown steadily.2 In 2010, a 100 Gbps attack was reported, more than double the size of the largest attack in 2009. This staggering figure illustrates the resources hackers are capable of bringing to bear when attacking a network or service.

2 Arbor Networks — Worldwide Infrastructure Security Report, Volume VI

[Figure 4: DDoS Attacks by Gbps². Bandwidth (Gbps) by year, 2005 to 2010, on a 0 to 100 Gbps axis; the 2010 value is marked 100 Gbps.]

As organizations face these new challenges, network administrators have to look for a solution with the sole purpose of deflecting and mitigating these new hacker tactics.

Broader Spread of Attack Motivations and Targets

The emergence of hacktivism has changed the view of DDoS in the security community. Once primarily viewed as a method for reputational or financial gain, attack motivations have moved on. While attacks motivated by extortion, etc., still exist, DDoS attacks are now being used as a form of political activism (“hacktivism”) or to prove how insecure networks are. Media organizations, social networks, governments, etc., have been targeted heavily by these types of DDoS attacks.

Two well-known hacker groups garnering attention are Anonymous and LulzSec. Anonymous aims to attack organizations it believes are participating in injustices, such as discouraging Internet freedom and freedom of speech. LulzSec, on the other hand, has built its reputation on exposing security flaws in networks and websites.

While LulzSec aims to expose vulnerabilities in networks with no motivation other than revealing the vulnerabilities, there have been other instances where the reasoning behind attacks has been less clear. According to Kaspersky’s DDoS Attacks in Q2 2011 report, social networks are targeted because they allow the immediate exchange of information between tens of thousands of users. In 2011, a Russian virtual community named LiveJournal experienced a series of attacks. The botnet behind the attacks was named Optima. To this day, no one has claimed responsibility for the attacks.


Volunteer Botnets

Hacktivist groups have shown how easy it is to build a botnet of volunteered, rather than malware-infected, machines. Hacktivist groups are known for their recruitment of members through social media networks, and it appears that only minimal persuasion is required to recruit participants. Regardless of computer hacking capabilities, anyone can be part of one of these movements. This alarming trend poses serious problems for the industry, as highly skilled hackers and novice users now have access to some of the same sophisticated DDoS attack tools.

Increased Impact on Organizations

The growing dependence of businesses on datacenter and cloud services has resulted in a renewed focus on the security of these services. Once an afterthought, security in the cloud has moved to the top of the priority list. Businesses should look at security capabilities as one of the key factors they evaluate when deciding upon a provider of cloud or datacenter services, as the business impacts of an attack can be significant.

The business cost to an organization of a DDoS attack is multi-faceted. We should consider everything from the operational costs of dealing with the attack, to the potential long-term revenue impact that might arise due to brand damage if an attack is successful. As an example, in April of 2011, a cybercriminal was sentenced, in Germany, for attempting to blackmail German bookmakers during the 2010 World Cup. While the ransom request was not significant, the bookmakers estimated that within the few hours their site was down, they lost between 25,000-40,000 Euros for large offices and 5,000-6,000 Euros for smaller offices. The punishment in Germany for computer sabotage is now up to 10 years in prison.

Another worrying development is the use of DDoS as a means of distraction. In the case of the Sony breach, a DDoS attack was allegedly used as a distraction so that other criminal activity, which resulted in the loss of passwords, usernames, and credit card information, could take place. This potential threat further justifies the need for solutions that mitigate the latest DDoS attacks and methods.

COMPLEX THREATS NEED A FULL-SPECTRUM SOLUTION

Given the threat complexity and the business impact of DDoS, a full-spectrum solution is required. A common response by many administrators to the challenges of DDoS is the belief that their firewall and IPS infrastructure will protect them from attack. Unfortunately, this is not true. Firewalls and IPS devices, while critical to network protection, are not adequate to protect against all DDoS attacks.

Integrity and Confidentiality vs. Availability

Many administrators rely on firewalls and Intrusion Prevention Systems, which have extended capabilities to deal with DDoS attacks. Firewalls and IPS devices focus on integrity and confidentiality. These products are built for other security problems (enforcing network policy and blocking intrusion attempts). These capabilities are not readily extensible to deal with threats targeting network and service availability—the focus of DDoS attacks. Firewalls and IPS devices cannot stop widely distributed attacks or attacks using sophisticated application-layer attack vectors. In fact, it has been found that many DDoS attacks target firewall and IPS devices.

Firewalls and IPS can be targeted by DDoS attacks because they are stateful. Stateful devices track every packet in a connection that comes through a network to look for malicious activity, and have a set of built-in mechanisms to protect against known threats. Due to the state-exhausting nature of many DDoS attacks, firewalls and IPS devices can fail during an attack. For example, sockstress DDoS attacks, which open sockets to fill the connection table, can overwhelm both firewalls and IPS devices.

Protect Your Business from the DDoS Threat

A complex threat like DDoS requires a layered security solution. First, enterprises must protect themselves from volumetric and state-exhaustion DDoS attacks, which can saturate their Internet connectivity by utilizing the cloud-based protection services offered by some Internet Service Providers or Managed Security Service Providers; second, they must have protection from application-layer DDoS attacks using a perimeter-based solution. Moreover, a perimeter-based solution empowers enterprises by enabling them to take control of their response to the DDoS threat.

Cloud-Based DDoS Protection

Enterprises must work with upstream ISPs and MSSPs to have protection from large flood attacks. Because a large percentage of DDoS attacks remain volumetric or flood attacks, enterprises should demand clean pipes from their providers.

Perimeter-Based DDoS Protection

Arbor Networks’ Pravail Availability Protection System (APS) has been developed to meet the DDoS threat, protecting other perimeter-based security devices and infrastructure from the impact of attacks. With the sole purpose of stopping availability threats, Pravail APS provides the ability to detect and block application-layer, TCP state-exhaustion and volumetric attacks. Utilizing a combination of mechanisms, including the real-time ATLAS Intelligence Feed, Pravail can protect and resolve the most complicated DDoS attacks. However, as it is a perimeter solution, it cannot deal with attacks that saturate Internet connectivity; to deal with these attacks, we need to utilize cloud-based protection and the Pravail APS can automatically request this using Arbor’s Cloud Signaling protocol, ensuring complete protection from complex, multi-vector threats.
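The perimeter-plus-cloud hand-off described above, as an added example that is not Arbor’s Cloud Signaling protocol or code: a perimeter device mitigates application-layer and state-exhaustion attacks itself and asks upstream for help only when link utilisation stays near saturation, with hysteresis so the request is not flapped on and off. The thresholds, message fields and traffic trace are constructed assumptions.

```python
"""Hand-off between a perimeter DDoS device and upstream (cloud) mitigation.

Added example illustrating the layered design the paper describes; this is not
Arbor's Cloud Signaling protocol. Thresholds, message fields and the traffic
trace are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Escalator:
    """Tracks link utilisation and decides when to request upstream help.

    Application-layer and state-exhaustion attacks are mitigated locally; only
    traffic that threatens to saturate the link is escalated, and hysteresis
    (confirm_windows) keeps the request from flapping on and off."""
    link_mbps: float                # capacity of the protected Internet link
    request_above: float = 0.9      # utilisation that triggers a request
    release_below: float = 0.5      # utilisation at which the request is withdrawn
    confirm_windows: int = 3        # consecutive windows needed to change state
    upstream_active: bool = False
    streak: int = 0
    signals: list = field(default_factory=list)   # messages sent upstream

    def observe(self, window: int, inbound_mbps: float) -> str:
        """Process one traffic window and return the action taken."""
        util = inbound_mbps / self.link_mbps
        if not self.upstream_active:
            self.streak = self.streak + 1 if util >= self.request_above else 0
            if self.streak >= self.confirm_windows:
                self.upstream_active, self.streak = True, 0
                self.signals.append({"type": "mitigate", "window": window,
                                     "observed_mbps": inbound_mbps,
                                     "link_mbps": self.link_mbps})
                return "request-upstream"
            return "local"
        self.streak = self.streak + 1 if util < self.release_below else 0
        if self.streak >= self.confirm_windows:
            self.upstream_active, self.streak = False, 0
            self.signals.append({"type": "release", "window": window})
            return "release-upstream"
        return "upstream-active"


# Constructed trace: inbound Mbps per window on an assumed 1 Gbps link.
TRACE = [200, 300, 950, 960, 970, 980, 990, 400, 300, 200, 200, 150]


def run_trace(trace: list[float], link_mbps: float = 1000.0) -> tuple[list[str], list[dict]]:
    """Replay a trace and return the per-window actions and signals sent."""
    esc = Escalator(link_mbps=link_mbps)
    actions = [esc.observe(i, mbps) for i, mbps in enumerate(trace)]
    return actions, esc.signals


if __name__ == "__main__":
    for i, (mbps, action) in enumerate(zip(TRACE, run_trace(TRACE)[0])):
        print(f"window {i:2d}: {mbps:4.0f} Mbps -> {action}")
```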

Out-of-the-Box Protection

In many cases, the deployment of a new security device necessitates tuning and a lengthy integration process. Pravail APS has been developed to give administrators the ability to install the product and immediately stop any attacks with minimal configuration. Although protection for common DoS/DDoS attack types is automated, there are manual configuration options available for advanced users. The ATLAS Intelligence Feed (AIF) also provides information to the device on emerging attack vectors so that they can be dealt with automatically. Pravail APS provides real-time reports on attacks, blocked hosts and service traffic. Administrators will be able to better understand the nature of their traffic and any attacks that target their services.

Advanced DDoS Blocking

Pravail APS meets the challenge administrators are increasingly facing in dealing with DDoS attacks. Using a variety of counter measures, Pravail APS detects and puts a stop to DDoS attacks, especially those that are difficult to detect in a cloud environment.

Botnet Threat Mitigation

Backed by the Arbor security research team, Pravail APS receives updates of new threats automatically, without software upgrades. This is done through the AIF. These threats can then be proactively blocked before they impact services.

Cloud Signaling

Pravail APS provides a comprehensive solution to efficiently detect and stop all DDoS attacks, as it enables a tight integration between the perimeter and cloud-based services via cloud signaling. To this end, Arbor has launched the Cloud Signaling Coalition with a long and growing list of ISPs and MSSPs, who stand ready to receive cloud signals from Pravail APS.

THE FINAL WORD

It is clear that DDoS attacks are continuing to increase in both size and complexity. Furthermore, the motivations behind attacks have also broadened to include ideological hacktivism and Internet vandalism. This has put everyone from social networks to governments at risk of attack. The number of DDoS attacks continues to increase, and DDoS remains a growing threat.

Administrators need to understand that traditional security devices are not enough to protect a network or the services it provides. Trying to extend the capabilities of these products to defend against DDoS attacks has proven to be ineffective. It is important to note that these products are essential for an organization’s defense system, but a product for protection against DDoS attacks, on-premise and in the cloud, is very different. Enterprises must have the right perimeter-based product but must also have the right solution in the cloud. The icing on the cake is being able to unite the perimeter and cloud solutions in a seamless and automated manner.

877.GoFrost • [email protected] • http://www.frost.com

ABOUT FROST & SULLIVAN

Frost & Sullivan, the Growth Partnership Company, partners with clients to accelerate their growth. The company’s TEAM Research, Growth Consulting, and Growth Team Membership™ empower clients to create a growth-focused culture that generates, evaluates, and implements effective growth strategies. Frost & Sullivan employs over 50 years of experience in partnering with Global 1000 companies, emerging businesses, and the investment community from more than 40 offices on six continents. For more information about Frost & Sullivan’s Growth Partnership Services, visit http://www.frost.com.

For information regarding permission, write: Frost & Sullivan 331 E. Evelyn Ave. Suite 100 Mountain View, CA 94041

Silicon Valley 331 E. Evelyn Ave. Suite 100 Mountain View, CA 94041 Tel 650.475.4500 Fax 650.475.1570

San Antonio 7550 West Interstate 10, Suite 400, San Antonio, Texas 78229-5616 Tel 210.348.1000 Fax 210.348.1003

London 4, Grosvenor Gardens, London SW1W 0DH, UK Tel 44(0)20 7730 3438 Fax 44(0)20 7730 3343

Auckland Bangkok Beijing Bengaluru Bogotá Buenos Aires Cape Town Chennai Colombo Delhi / NCR Dhaka

Dubai Frankfurt Hong Kong Istanbul Jakarta Kolkata Kuala Lumpur London Mexico City Milan Moscow

Mumbai Manhattan Oxford Paris Rockville Centre San Antonio São Paulo Seoul Shanghai Silicon Valley Singapore

Sophia Antipolis Sydney Taipei Tel Aviv Tokyo Toronto Warsaw Washington, DC