While the mobile industry was busy celebrating telecom innovation at MWC18, at the same time, a record 1.35 Tbps DDoS attack was making headlines, writes Michael Schachter, Senior Product Marketing Manager, Allot Communications, a network security product company. This attack, since then surpassed has not only caused disruption but also highlighted the potential for much worse. The attack was successfully fenced off, with manual intervention and the rerouting of traffic.
Like the flu, DDoS is an epidemic, like the flu it is also a worldwide problem. An epidemic of the connected world. If not treated quickly, it can be harmful, and it seems to be getting worse.
In January, Time magazine explained “the flu shot is tweaked each year in an attempt to target what are projected to be the most prevalent strains of the disease, but the process isn’t foolproof.” There lies the major issue related to flu epidemics; the vaccine is anything but a guarantee of immunity. Indeed it is much closer to a static defence that targets specific, projected flu strains. Thus it will, in reality, only be effective against 30 per cent of H3 viruses.
When it comes to the DDoS epidemic, mobile operators are facing the same restraint from their mitigation solutions. Indeed, they only know how to mitigate what they already know; “known knowns”. For both ISPs and enterprises or health professionals, the challenge is the same; they must defend themselves against the non-prevalent strains. In other words, they have to fence off unforeseen DDoS attacks, a new vector, zero-day exploits, put simply: unknown unknowns.
In contrast to the medical world, the world of data communications has a solution. Autonomously adaptive, machine-learning algorithms artificial intelligence techniques can detect anomalous behaviour and set in place mitigation of attack profiles. And it works: in the latest attack on GitHub IT teams noticed an unusual spike in inbound traffic. It was caused by the amplification of UDP traffic reflection through Memcached servers’ default port 11211. Addressing the attack, they rerouted traffic to a scrubbing centre provider that cleaned out the malicious packets. The attack ended shortly afterwards. (See Allot blog.)
The overall service was only disrupted for a few minutes. Not only could it have been much worse, many companies remain unprepared for such an eventuality. Indeed, for many firms, which aren’t the size of GitHub, the cost of scrubbing and latency are prohibitive. Diverting terabits of traffic to external DDoS cleanup services is indeed a financially daunting task. Moreover, as 5G and IoT expand the scale of data communications, so will the problem. Adding to these structural – may we say – problems, many short-term “hit and run” attacks evade external detection due to their short time stamp and will not get scrubbed.
Facing this, another solution can be set forth for networks with high-performance. This solution would unimpede legitimate traffic and discard malicious traffic, importantly without manual intervention. Here is how this works.
In the solution previously highlighted, attacks are automatically detected and surgically blocked within seconds. They are blocked before they disrupt or even threaten network services. This is achieved through an inspection of every packet of data by high-performance, distributed inline appliance instances.
Volumetric attacks are detected with Network Behavior Anomaly Detection (NBAD) technology that recognises the anomalies attacks cause in the normally time-invariant behaviour of Layer 3 and Layer 4 packet rate statistics. Such a dynamic creation of, on the one hand, mitigation rules and of surgical filtering of attack packets on the over not only prevents over-blocking but also enables legitimate traffic to flow unimpeded. This assures network protection and service QoE at all times.
Finally, I would like to tackle an overlooked aspect of DDoS attacks that should be considered. Customers can also be harmed by botnet attacks after service providers have been infected. Such outbound attacks may only be caught by inline systems that inspect all packets, travelling in every direction. Such bi-directional traffic correlation will easily highlight inbound traffic. During the recent Memcached attacks, Allot’s bi-directional, inline DDoS Secure solution successfully detected and prevented such attacks observed in multiple customer networks worldwide. Below is an example:
http://blog.allot.com/wp-content/uploads/2018/03/DDoS-Report-1024×287-optimized.png
So, while this year’s flu season may be winding down, DDoS is just gearing up. New vectors, new vulnerabilities and ever-growing volumetric attacks are just a matter of time. Get protected – inline and on time!
