Fortinet’s Steve Mulhearn talks DDoS attacks and how to fight them off and keep your website online.
Ransomware has been the most hyped cyber threat of 2016, but over the last few weeks high-profile distributed denial of service (DDoS) attacks have been giving it a run for its money as the public enemy number one in cyber security.
A DDoS attack involves a website being flooded with traffic, designed to overwhelm the resources of the site to crash or suspend its services.
Security blogger Brian Kreb’s site KrebsOnSecurity was hit in one of the largest DDoS attacks of all time in September, peaking at 620 Gbps. The site stayed online with help from Akamai until Akamai was forced to abandon its protection; it went offline before relaunching with site from Google’s anti-censorship programme Project Shield.
“That’s equivalent to about 60,000 fast home networks all turning their entire bandwith onto Krebs at the same time, or a whopping 600,000 regular ADSL connections at once (assuming a one megabit per second upload speed),” said Sophos in a blog post.
OVH, a hosting provider and DDoS mitigation service, was also targeted in a DDoS attack a few days later, with the combined brunt of the attack amounting to around 1.1 Tbps.
Why these sites were targeted is unclear, although Krebs said he believed it was a reprisal for reporting he had done on a DDoS-for-hire service, while OVH suggested their attack could have been carried out by competitors.
But the danger seemed to escalate further when the Mirai source code used to hack the devices was made public.
Bruce Schneier, CTO of Resilient, has also warned that several internet companies, unnamed, had been hit by DDoS attacks which had started at a certain point and then been steadily ramped up before stopping. The attack would later resume at a higher point and continue.
Schneier suggested that a major nation state was behind this activity and that it could be calibrating its tools for a potential cyber war.
Whatever the motives, the escalating attacks indicate the increasing danger of DDoS, a field in which the attackers are sharpening their toolkit.
The OVH and KrebsonSecurity attacks were new types of DDoS powered by large networks of captured devices (botnets). Low security internet-enabled devices, including web cams and routers, were captured by hackers and then used to fire huge volumes of traffic at the targeted websites.
It is the huge numbers in these attacks that capture the headlines. However, according to Steve Mulhearn, Fortinet’s Director of Enhanced Technologies UKI & DACH, these figures are misleading for several reasons.
“Always take the values they give you with a pinch of salt; a lot of those values come from the vendors that sell the solutions,” says Mulhearn, who has worked to battle DDoS attacks throughout his previous career at Arbor Networks.
To Mulhearn, the focus on the size of the attack is misleading anyway. He advocates focusing on “whether it was successful.”
“DDoS we’ve historically quantified as size because that’s been the most important thing. We shouldn’t do that,” he says.
“The challenge that we have is that resource exhaustion: all the bad guys have to do is find one chink, one exhaustible resource, and they win.”
Mulhearn says that successful attacks are “granular, small, and sneak under the volumetric stuff.”
Rather than simply throwing large volumes of traffic at the website, they choose a particular type of traffic.
For example, this could involve sending the exact database queries that are the most processor-intensive.
Unfortunately, as Mulhearn says, DDoS requires an entirely different approach to most security problems, which he describes as a case of “good and bad”.
DDoS, by contrast, is a choice between shades of grey rather than black or white.
What he means is that there is no telling which traffic is legitimate and which is malicious. For example, Apple’s servers went down when the latest iOS update was released.
“Is it a DDoS? Yes! It’s not malicious but it is a distributed denial of service,” says Mulhearn.
He emphasises “visibility”, to look for a change of behaviour indicating a resource is going to be exhausted.
Following this, Mulhearn describes a “tiered approach”, conceptualising the DDoS attack in terms of outcome:
“Is it better for most of the people to have some service or all of them to have none? It’s about keeping the service available, because their goal is to not have it available.”
The first line of defence is the basic mitigation in network equipment. This is then followed by dedicated customer premises equipment (CPE) devices and finally, cloud integration.
Mulhearn also argues that technologists need to learn to communicate the business ramifications of DDoS attacks, whatever the cause.
“We’re not very good at talking in terms of business logic,” says Mulhearn. “If you break it down as threat and risk to business and communicate that to the business, they can quantify it.”
“The problem we have is it is an extremely technical subject.”
However, ultimately the decisions over defining a DDoS attack and combatting it need to be made by technologists.
“They’re the guys that have the visibility, look at what changed from the norm,” says Mulhearn.
If the worrying trends in DDoS attacks continue, having a strategy in place to combat them will increasingly be necessary for all organisations.