Experiencing a distributed denial-of-service (DDoS) attack is like having your home flood. Without warning, attackers can upend your enterprise. Every moment counts, but unfortunately by the time some DDoS solutions identify and report the attack, the damage is already done. You need a faster, more immediate means of threat detection to prevent severe damage.
When a DDoS attack hits your network, a long time can pass before the security/network staff fully realizes it is actually a DDoS attack that is affecting the services, and not a failing server or application. Even more time may pass before the actual mitigation of the threat starts to take effect.
Volumetric attacks, though devastating, take a while before users and internal service monitoring systems notice their effects. Application layer attacks are much harder to detect, as they tend to fly under the detection radar because of their low-volume profile.
When mitigation starts too late, the damage may already be done: the firewall state table may be overwhelmed, causing reboots, or worse, it locks up, making the DDoS attack effective from the attacker’s perspective. The service is no longer available to legitimate users.
Deployment Methods and Detection
A variety of methods allow security teams to gain insight into what’s going on in a network. One of the more popular approaches is flow sampling as virtually all routers support some form of Flow technology, such as NetFlow, IPFIX, or sFlow. In this process, the router samples packets and exports a datagram containing information about that packet. This is commonly available technology, scales well, and is quite adequate to indicate trends in network traffic.
For in-depth security analysis purposes, however, relying on samples is a serious concession; you miss a large piece of information as you only receive one packet out of a thousand, or worse. A flow analytics device has to evaluate the behavior of a traffic stream over a longer time period to be sure something is wrong, and to avoid false positives.
Common DDoS protection deployments use a flow analytics device, which reacts to the discovered incident by redirecting the victim’s traffic to a mitigation device and telling it what action to take. This method scales well for gathering traffic to be analyzed, and the reactive model only redirects potentially bad traffic, which allows for some bandwidth oversubscription. But this is risky business as the mean time to mitigate can run into minutes.
For the most insightful detection and fastest mitigation, you can’t beat in-path deployment of a high-performance DDoS mitigation device that is able to detect and mitigate immediately. In-path deployment allows for continuous processing of all incoming traffic (asymmetric) and possibly also the outgoing traffic (symmetric). This means the mitigation device can take immediate action, providing sub-second mitigation times. Care should be taken that the mitigation solution is able to scale with the uplink capacity, and the real-world performance during multi-vector attacks.
As an alternative to in-path detection and sampling, mirrored data packets provide the full detail for analysis, while not necessarily in the path of traffic. This allows for fast detection of anomalies in traffic, which may have entered from other entry points in the network. While setting up a scalable mirroring solution in a large network can be a challenge, it can also be an excellent method for a centralized analysis and mitigation center.
Watch your performance metrics
Bandwidth is an important metric for most people. When shopping for home Internet connection, people most often compare the bandwidth metric. While it is important, as with many things, the devil is in the details. Networking devices ultimately process network packets, which typically vary in size. Small packets use less bandwidth, while large packets amount to larger bandwidths. The main limitation of the networking node is set by the amount of packets a device can process within a second. By sending many small packets at a high rate, an attacker can stress out the infrastructure quite quickly – especially traditional security infrastructure such as firewalls, or Intrusion Detection Systems. These systems are also more vulnerable to stateless, high-rate assaults such as many flooding attacks, due to their stateful security approach.
Verizon’s 2014 Data Breach Investigations Report notes that the mean packet-per-second (pps) attack rate is on the rise, increasing 4.5 times compared to 2013. If we carefully extrapolate these numbers, we can expect 37 Mpps in 2014 and 175 Mpps in 2015. These are the mean values to show the trend, but we have seen many higher pps rates. While the mean value demonstrate the trend, to properly prepare your network, you should focus on worst-case values.
Assure your Scalability
As DDoS attacks, and especially volumetric attacks, enter the network with extreme packet-per-second rates, you need a mitigation solution with adequate packet processing power
Scaling the analytics infrastructure is also an important consideration. Flow technology scales rather well, but at a massive cost: it compromises granularity and time-to-mitigate.
If your vendor provides performance numbers that match your network size, be aware that the real-world performance may be lower. The current trend is that attacks use multiple attack vectors; multiple attacks methods are launched simultaneously. Datasheet performance figures provide a good indicator to match the product to your needs, but it is advisable to test your prospect mitigation solution, and validate it through a series of tests to see how it holds up against a set of attack scenarios in your environment.
The multi-vector attack trend illustrates the importance of validating performance. Running a basic attack such as a SYN flood puts a base stress level onto the CPUs – unless, of course, the attack is mitigated in hardware. Making the system simultaneously fight a more complex application-layer attack such as an HTTP GET flood attack could push a system over its limit.
Periodic validation of your network’s security performance is critical to ensure that your security solutions will hold up during various simultaneous attacks, and to ensure that your network investments are up to the task in a growing, secured network.
Network flooding does indeed have a lot in common with a home flooding. The sooner you know it is happening, the sooner you can take action. Just make sure your sandbags are up to the task!