Maya Canetti, Director of Product Marketing at network security firm Allot Communications, offers the most common threats to service providers and how to combat them.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have plagued commercial and enterprise networks for nearly three decades. Defined as one or many systems attacking a target with a ‘flood’ of incoming messages and overwhelming the system, these cyberattacks have been frighteningly successful, damaging network infrastructure, service continuity and business reputations. And unfortunately, they’re on the rise. According to Cisco, the number of DDoS attacks grew by a staggering 172pc in 2016 and that number is expected to reach 3.1 million globally by 2021.
The availability of simplified attack tools, DDoS for-rent services, and for-hire attackers as well as the Internet-of-Things (IoT) proliferation have made it easier to launch flooding attacks and to increase the scope of damage on mobile operator networks, who can no longer afford to take a reactive stance. So why now? What is driving mobile operators to start thinking about DDoS protection? In short: it’s the rise in the probability of attacks on one hand and the relationship service providers with their customer especially business customer who reply on the service provider’s cloud for their data and IT services on the other. In other word, protecting against DDoS means protecting their business.
Two common types: TOS Flood and SYN Floods
TOS Floods are an all-too-common type of DDoS assault. Attackers use the ‘TOS’ field of your IP header to launch one of two types of attacks. By spoofing ECN (Explicit Congestion Notification) packets, individual connections are reduced or completely limited. The server may then appear to be unresponsive or out of service. Legitimate users are unable to connect to their server.
In the second type of TOS attack, DiffServ class flags are manipulated to increase priority for malicious traffic over regular traffic. The risk is that your server will become totally unusable for your customers or at the very least applications that need a strong connection will become unreliable. Any VoIP such as Skype or online meeting software or video streaming will become completely compromised.
A SYN Flood, often generated by botnets, is designed to consume the resources of the victim’s server, such as firewall or other perimeter defense elements, in an attempt to overwhelm its capacity limits and shut it down. The target receives SYN packets at very high rates, which rapidly fill up its connection capacity. This results in disconnections, dropping of legitimate traffic packets, or even worse – element reboot.
SYN Floods exploit the TCP (Transmission Control Protocol), three-way handshake process to wreak havoc. The attack floods multiple TCP ports on the target system with SYN messages requesting to initiate a connection between the source system and the target system. The target responds with a SYN-ACK message for each SYN message it receives and temporarily opens a communications port. The attacker never sends the final ACK and therefore the connection is never completed. The temporary connection will eventually time out and be closed but not before the targeted system is overwhelmed.
Crafty criminals
Cyber-criminals continually hone their methods and change their tactics to avoid detection. Increasingly service providers are becoming more threatened by DDoS attacks and need to improve and augment protection strategies, especially when they are seeing revenue growth from business customers migrating their data centers and IT infrastructure to the cloud. Business services come with SLA-defined service capacity, availability and performance and must be protected against attacks. All-important quality of experience (QoE) is also critical to retaining and attracting customers. Sluggish downtime is risky and service downtime is a death knell.
Guarding
Effective protection means detecting an attack and responding quickly enough so there is little or no impact on the network infrastructure or its hosted targets. Solutions must have real-time detection that lasts no more than seconds, can zero in on an attack that has never been seen before, and can handle the evolving tactics and massive volumes. Such solutions are even more important in the face of pulsing DDoS attacks – those designed to inflict maximum damage in a long series of short-lived massive bursts.
The good news is that there are scalable solutions that can handle large-scale volumetric attacks and mitigate them on the spot. Solutions that allow service providers to identify both inbound and outbound threats, facilitate network optimization by enforcing acceptable use policies, and at the same time sustain users’ QoE (Quality of Experience). A highly effective approach that can stop DDoS cybercriminals in their tracks.
