On 21 October 2016 a large, well coordinated DDoS attack was launched against the US DNS provider Dyn from a botnet (Mirai) of roughly 100,000 compromised IoT devices. Despite Dyn's quick response, a long list of customers, including some of the world's biggest internet companies, were taken offline.
Cisco partner Arbor Networks recorded an average of 124,000 DDoS events per week over the past 18 months, and a 73 per cent increase in peak attack size from 2015 to the first half of 2016, with the US among the top targets.
Carrying out such attacks is now easier than ever, as research from Cisco partner Radware shows: a host of websites offer 'DDoS for hire' for as little as $9.99 a month, putting the capability within reach of anyone. Many of the sites examined in the study had more than 20,000 registered users.
Your business lives and dies on the quality of the service you provide, and even minutes offline can cost you and your customers dearly.
Find and Fix
So, with DDoS attacks growing in frequency, volume and complexity, what steps can you take to regain control? Put simply, you need to be able to see the problem, and then mitigate it effectively.
First, build an understanding of how the network behaves in 'peace time': the traffic volumes, protocol mix and typical source populations for each service you expose. With that baseline you can write policies that trigger investigation when network behavior deviates too far from the norm. Collecting and analyzing telemetry from appliances, endpoints and the network itself (flow records, logs, interface counters) in real time gives you the picture to judge against. Some of the more advanced tools act like a kind of 'network DVR', letting you replay and forensically analyze individual network flows after the fact.
Once you've spotted the problem, it's time to mitigate. Best practice is to do this as close to the source as possible, so that 'dirty' traffic is dropped before it crosses your network or saturates your links. The controls can be placed wherever it makes sense: on the customer premises equipment (CPE), at the network edge, or upstream in the cloud or service provider's infrastructure. The upstream option matters most for volumetric attacks, because an attack larger than your access link can only be absorbed before it reaches that link; an on-premises device cannot help once the pipe is full.
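The 'find' half of find-and-fix, as an added example that is not part of the original post or any Cisco product: a peace-time baseline is built from per-destination packet counts and distinct-source counts over a few quiet windows of flow records, a later window is scored against it, and the offending sources are aggregated into /24 prefixes so that a handful of edge ACL or rate-limit entries would cover most of the attack. All flow records, addresses (RFC 5737 documentation ranges) and the three-sigma threshold are constructed assumptions for illustration, not captured data or a recommended tuning.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import mean, pstdev


def window(*flows):
    """One collection interval of flow records: (dst, src, dport, packets).
    Every record fed to this function below is constructed for the example."""
    return [dict(dst=d, src=s, dport=p, pkts=n) for d, s, p, n in flows]


# Constructed "peace time": three quiet windows for a web server (.10) and a DNS resolver (.53).
BASELINE_WINDOWS = [
    window(("198.51.100.10", "192.0.2.5", 443, 120), ("198.51.100.10", "192.0.2.6", 443, 90),
           ("198.51.100.53", "192.0.2.7", 53, 300), ("198.51.100.53", "192.0.2.8", 53, 280)),
    window(("198.51.100.10", "192.0.2.5", 443, 110), ("198.51.100.10", "192.0.2.9", 443, 100),
           ("198.51.100.53", "192.0.2.7", 53, 310), ("198.51.100.53", "192.0.2.8", 53, 290)),
    window(("198.51.100.10", "192.0.2.6", 443, 130), ("198.51.100.10", "192.0.2.9", 443, 95),
           ("198.51.100.53", "192.0.2.7", 53, 295), ("198.51.100.53", "192.0.2.10", 53, 285)),
]

# Constructed attack window: the web server looks normal, the resolver is hit by 200 new
# sources in 203.0.113.0/24 while one legitimate client (.7) keeps querying.
ATTACK_WINDOW = window(
    ("198.51.100.10", "192.0.2.5", 443, 115), ("198.51.100.10", "192.0.2.6", 443, 95),
    ("198.51.100.53", "192.0.2.7", 53, 300),
    *[("198.51.100.53", f"203.0.113.{i}", 53, 50) for i in range(1, 201)],
)


def summarize(win):
    """Per destination: total packets and number of distinct sources in one window."""
    pkts, srcs = defaultdict(int), defaultdict(set)
    for f in win:
        pkts[f["dst"]] += f["pkts"]
        srcs[f["dst"]].add(f["src"])
    return {d: {"pkts": pkts[d], "srcs": len(srcs[d])} for d in pkts}


def build_baseline(windows):
    """Mean and population standard deviation of each metric, per destination,
    across the peace-time windows."""
    series = defaultdict(lambda: defaultdict(list))
    for w in windows:
        for d, metrics in summarize(w).items():
            for name, value in metrics.items():
                series[d][name].append(value)
    return {d: {name: (mean(v), pstdev(v)) for name, v in m.items()} for d, m in series.items()}


def anomalies(win, baseline, k=3.0, min_sigma_frac=0.1):
    """Return {dst: {metric: z_score}} for metrics more than k sigma above the baseline mean.
    A quiet baseline often has zero variance (the same two clients every minute), so sigma
    is floored at a fraction of the mean and at 1.0 to avoid dividing by zero. A destination
    that never appeared in peace time gets a (0, 0) baseline, so any traffic to it is flagged."""
    out = defaultdict(dict)
    for d, metrics in summarize(win).items():
        for name, value in metrics.items():
            mu, sigma = baseline.get(d, {}).get(name, (0.0, 0.0))
            sigma = max(sigma, min_sigma_frac * mu, 1.0)
            z = (value - mu) / sigma
            if z > k:
                out[d][name] = round(z, 1)
    return dict(out)


def top_source_prefixes(win, dst, n=5, prefix_len=24):
    """Aggregate sources sending to dst into /prefix_len networks, most packets first,
    so the result maps onto a short list of edge ACL or rate-limit entries."""
    agg = defaultdict(int)
    for f in win:
        if f["dst"] == dst:
            agg[str(ip_network(f"{f['src']}/{prefix_len}", strict=False))] += f["pkts"]
    return sorted(agg.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOWS)
    hits = anomalies(ATTACK_WINDOW, base)
    for dst, metrics in hits.items():
        print(f"{dst}: {metrics}")
        print("  candidate mitigation prefixes:", top_source_prefixes(ATTACK_WINDOW, dst))
```

Both the packet count and the distinct-source count are scored because a reflection or botnet flood moves the second metric even when an attacker paces the first; in the constructed window the resolver is flagged on both while the web server, whose traffic sits inside its baseline, is not. The /24 aggregation is deliberately coarse: it is what you can realistically push to an upstream filter in a hurry, at the cost of also blocking legitimate hosts that share those prefixes.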
Defense in Depth
DDoS attacks are usually a hybrid of volumetric and application-layer threats. Defending against both requires a defense in depth approach with a portfolio of solutions, marrying threat context to network context. The portfolio includes, but is not limited to: visibility systems and the network infrastructure that feeds them telemetry; DDoS protection systems; content controls; cloud-, network- and premises-based malware and botnet controls; next-generation firewalls; and email protection.
Different attacks call for different combinations of these assets for visibility and mitigation. With them in place you can find and remove malware as it moves through the network, which shrinks the pool of infected hosts an attacker can enlist and so reduces the density of attacking IP addresses.
4 Tips for DDoS Defense
- Know the threat. Gain visibility into the network in peace time.
- Mitigate as close to the source of the threat as possible. This minimizes collateral damage.
- Create mitigation policies well before an attack. You don't want to be writing them while trying to resolve an existing problem.
- See and disable botnets and malware as early as possible. This calls for a coordinated response between endpoints, the network and the DDoS protection services you consume.
Are you prepared?
Cisco and its partners have a broad range of tools and services designed to help you “find and fix” and apply defense-in-depth strategies to overcome DDoS. The aim throughout is to make the “mean time to mitigation” as short as possible. To find out more, watch our webcast, DDoS Protection for the Network.
Timely advice!
Enterprises should not leave all DDoS mitigation to the service providers only. Steps should be taken to secure the enterprise network from DDoS attacks as well.
I agree 100%. It must be done as defense in depth, mitigating the threat as close to the source as possible to minimize collateral damage. That means that for some DoS-oriented threats that originate from the inside and not the outside, for example, an "on prem" solution is quite a valid and often deployed option. Good for you to point this out!
Also great for hosting and service providers who want to block DDoS attacks at the edges of their networks at their peering and transit points.