How to Combat the New Wave of High-Volume, 100 Gbps+ DDoS Attacks

The perpetual cycle in which evolving threats to data are countered by a timely response from the IT industry looked to be slowing recently, in the face of steady growth in the nature, volume and sophistication of distributed denial of service (DDoS) attacks by criminal syndicates and hackers. While businesses around the world grow increasingly reliant on the uptime of Internet-connected services, many are finding that legacy security solutions such as firewalls and intrusion prevention systems (IPS) have insufficient capacity to mitigate today's multi-vector DDoS attacks at scale. Organizations are facing the threat of significant revenue loss and brand reputation damage from these DDoS attacks as cyber criminals look to gain from disrupting the availability of essential services. Service availability is at risk. The Internet is a shared medium, and malicious DDoS attacks have increased rapidly in the past few years, originating from and targeted at many different locations. Attacks may be generated by ideological groups (hacktivism) for political reasons, by organized criminal syndicates (cybercrime) for extortion and theft, or by foreign military intelligence agencies. Today, many DDoS attacks are even being generated by novice hackers without much expertise, seeking to take anyone or any service off the Internet. When an organization's services are unavailable to its customer base, it can quickly result in revenue loss, customer frustration and dissatisfaction, and damaged brand reputation.

The changing nature of DDoS attacks

DDoS attacks that use techniques such as SYN Flooding and Fragmentation are evolving rapidly to becoming a big numbers game. Malicious bots or zombie machines are directing massive amounts of traffic in unison towards target victims to consume their bandwidth, in turn making service unresponsive (Figure 1). While high volume DDoS attacks exceeding 100 Gbps are becoming common, effective DDoS solutions need to mitigate at equally massive scale and performance to prevent service interruption. Service availability for Internet-connected applications is critical to enterprises and service providers, yet few good solutions exist that are able to improve the uptime and security of enterprise applications.

Although organizations have strategies in place that mitigate a range of existing security threats, most seem unprepared to address the new breed of DDoS attacks, which leverage large distributed ‘botnet' networks of compromised zombie machines to launch simultaneous attacks using compliant protocols that are very difficult to detect and even harder to mitigate at scale. It is clear that additional solutions are needed to complement existing security infrastructure in a layered defence model (Figure 2). Depending on the DDoS attack type, a victim's Internet connection can become saturated, network security services may become overwhelmed trying to inspect the intense volume of zombie traffic, or application servers can become exhausted trying to respond to the many botnet requests. Solutions are not easy to integrate. Deploying DDoS protection services in an existing network can be challenging since these may introduce choke points and increase latency for the services they are trying to protect. Service providers often deal with many different network architectures and have invested in an existing security strategy. Network operators want to stick to their choice of network analysis and security detection solutions, and require DDoS mitigation devices that can integrate with and complement solutions from different vendors.

Recently, vendors have begun to tilt the cybercrime-vs-security solution balance back in favour of the good guys. The most advanced next-generation threat protection solutions are deployed as the first line of defense, providing high performance, network-wide protection against DDoS attacks and ensure service availability against a variety of sophisticated application attacks (Figure 3).Their multi-level DDoS protection is aimed at dramatically improving service availability. They protect against multiple classes of attack vectors, including volumetric, protocol, resource and advanced application-layer attacks, which can be detected quickly and mitigated to prevent a service from becoming unavailable.

How new technology helps

Advanced solutions allow a baseline of normal traffic to be established, so that traffic anomalies can be recognized quickly. In addition, customized actions can be taken against advanced applicationlayer (L7) attacks as needed with deep-packet inspection (DPI) scripting technology. Most of all, the next-generation threat protection solutions are required to provide performance scalability to meet growing attack scale. With DDoS mitigation capacity ranging up to 155 Gbps, DDoS attacks can be handled effectively. The best of these solution are equipped with highperformance field programmable gate array (FPGA)-based flexible traffic acceleration technology that allows the immediate detection and mitigation of 30-plus common attack vectors in hardware (SYN cookies, for example) without impacting on core system general-purpose CPUs. More complex application-layer (L7) attacks (HTTP, SSL, DNS, etc.) are processed by the latest CPUs. Scaling can be maintained by distributing multi-vector detection and mitigation functions across optimal system resources to mitigate application-layer attacks such as Slowloris.

Next-generation technology can be integrated easily into network architectures of any size, and interact with custom or third-party detection solutions. Some also provide robust support for bestin-class third-party security service integration, and can be utilized in allow lists, deny lists, and other rule sets. To ensure that data centre resources remain available, high performance and sophisticated features are provided in the most efficient hardware form factors, to mitigate the largest and most complex DDoS attacks. The combination of high performance in a small form factor result in lower operating expenditures through significantly lower power usage, reduced rack space, and lower cooling requirements.