After a surge by attackers, DDoS defenders are battling back
Distributed denial-of-service attacks have been getting bigger and lasting longer, and for the past few years defenses haven’t kept pace, but that seems to be changing, Gartner analysts explained at the firm’s Security and Risk Management Summit.
Gartner tracks the progress of new technologies as they pass through five stages from the trigger that gets them started to the final stage where they mature and are productive. The continuum is known as the Hype Cycle.
DDoS defense had reached the so-called Plateau of Productivity – the final stage – in 2012, but then has moved backwards in the Hype Cycle in the past few years into the previous stage – the Slope of Enlightenment – says Gartner analyst Lawrence Orans.
That fall, DDoS attacks were 10 times as large as any then seen hit Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank using botnets of compromised servers to generate high volumes of traffic against not only HTTP and HTTPS but DNS as well. They also went after protocols including TCP, UDP, and ICMP.
That was followed up in 2013 by the use of NTP amplification attacks that used Network Time Protocol servers to swamp networks with responses to requests made from spoofed IP addresses in the target network. “That set DDoS back on its heels,” Orans says.
But security vendors and service providers that offer DDoS protection have caught up, and Gartner’s Hype Cycle rating for DDoS defenses will shift again back toward the maturity end of the scale, he says.
That’s encouraging because the number of DDoS attacks from the first quarter of 2015 to the first quarter of 2016 more than doubled, according to Akamai’s latest State of the Internet Security report, and mega attacks hit hundreds of gigabits per second.
Attacks of 300Gbps and above can be handled by leading DDoS vendors, Orans says, and given the ready availability of DDoS attack kits, it’s important for corporations to pay for this type of protection.
Competition among DDoS mitigation providers is increasing, so prices have dropped, he says. Flat fees per month were the norm for DDoS protection services, but now there are more flexible plans.
Protection can come in three models. Providers sell access to scrubbing centers, where traffic during a DDoS attack is redirected to a provider’s network where the attack traffic is dropped and only good traffic returned to the customer network. This can cost $5,000 per month and up. Some providers he mentioned: Akamai, Arbor, F5, Neustar, Nexusguard, Radware and Verisign.
Some ISPs offer this type of service at a 15% to 20% premium over bandwidth costs, he says. Some ISPs are better at it than others, so customers should check them carefully, particularly newer and regional ones.
Many businesses have multiple ISPs, so they should do the math to see if it makes sense to use this option, he says. Some ISPs he mentions: AT&T, CenturyLink, Level 3 and Verizon.
Content-delivery networks can also help mitigate DDoS attacks, he says, by virtue of their architecture. CDNs distribute customer Web content around the world so it’s as close as possible to end users. That distribution makes it harder for attackers to find the right servers to hit and diffuses their capabilities.
This option isn’t for everyone, he says. It’s not as effective as the others and it doesn’t make sense unless a business needs a CDN anyway to boost its response time.
Web application firewalls can help mitigate those DDoS attacks that seek to disrupt use of Web applications. They can be deployed on premises with gear owned by the customer, but internet-hosted and cloud-based WAF services are emerging, Orans says. Cloud-based WAF is fastest growing for mobile devices that must be deployed quickly, he says.