
Arbor Networks: Beware of headline risk with DDoS attacks

05 May 2017

A term you will frequently hear in the stock markets is “headline risk” and it occurs when a news story adversely affects a stock's price. Tesla knows this only too well, as its stock was impacted by headline risk after there was a fatal crash with a Tesla in autopilot mode in the US last year.

Its outspoken CEO Elon Musk subsequently warned journalists about negative coverage of Tesla crashes, as he believes that the headline risk of AV crashes could have negative long term consequences to the adoption of self-driving cars.

Headline risk can also impact the performance of the world’s stock markets, such as when banks and markets across the globe were caught off guard after the shock “Brexit” win, and this uncertainty will continue as negotiations with the EU get uglier.

When you consider headline risk in the context of distributed denial-of-service (DDoS) threats today, headlines pose a risk of a different sort. They can alter an organisation’s perception of the real issue and limit the options available to protect their business.

Since first emerging in the late 1990s, DDoS attacks have had the reputation of being a basic flood attack that tries to overwhelm a connection with traffic. Recent headlines about DDoS attacks haven’t helped change that perception.

The trend towards very large attacks has been driven by reflection and amplification techniques that magnify the volume of traffic an attacker can generate. For example, attackers often abuse open DNS resolvers by sending them queries with the source address spoofed to the victim's IP address, so that the responses are delivered to the victim.

By sending DNS queries to open resolvers the response sent to the victim’s server may be 50X the size of the original query. In fact, this year’s Worldwide Infrastructure Security Report showed increased attack activity on all reflection/amplification protocols with DNS remaining the most commonly used, with NTP close behind.

We’re now seeing a new way for attackers to launch massive attacks, with the emergence of IoT botnets like Mirai and LizardStresser. Embedded IoT devices are highly vulnerable, almost always turned on and the networks they reside on have very high-speed connections, making each compromised device the perfect conduit for a relatively large amount of DDoS attack traffic. Against this backdrop, it’s easy to see why massive attack size is dominating the debate around DDoS currently.

In this scenario, believing that the headlines tell the full story poses a serious risk to network operators. Yes, massive attacks are here to stay and yes, they’re getting large enough where they could become a national security issue for Australia. However, it is important for enterprise network operators to understand that a DDoS attack only has to be as large as your internet facing circuit.
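The two points above, that reflected responses arrive from services the victim never queried and that an attack only needs to exceed the size of the circuit, can both be checked from ordinary flow records. The following is an added example written for this article, not Arbor code; the flow tuples, the victim address and the 1 Gbps circuit size are constructed, and the 90/60/20 MB one-second flows stand in for the aggregate a reflection attack produces.

```python
from collections import defaultdict

# Constructed flow records (second, src_ip, src_port, dst_ip, dst_port, proto, bytes),
# modelled on one-second NetFlow-style exports at the edge of a 1 Gbps circuit.
VICTIM = "203.0.113.10"           # assumed victim address
CIRCUIT_MBPS = 1000.0             # assumed internet-facing circuit
REFLECTION_PORTS = {53: "DNS", 123: "NTP"}

FLOWS = [
    (0, VICTIM, 40001, "198.51.100.5", 53, "udp", 64),        # real query from the victim
    (0, "198.51.100.5", 53, VICTIM, 40001, "udp", 512),       # its legitimate answer
    (1, "192.0.2.11", 53, VICTIM, 40002, "udp", 90_000_000),  # unsolicited DNS 'answers'
    (1, "192.0.2.12", 53, VICTIM, 40002, "udp", 60_000_000),
    (1, "192.0.2.13", 123, VICTIM, 40002, "udp", 20_000_000), # unsolicited NTP replies
    (2, "192.0.2.11", 53, VICTIM, 40002, "udp", 30_000_000),
]

def outbound_requests(flows, victim):
    """Set of (server_ip, service_port) the victim actually sent a UDP query to."""
    return {(dst, dport) for _, src, _, dst, dport, proto, _ in flows
            if src == victim and proto == "udp" and dport in REFLECTION_PORTS}

def unsolicited_responses(flows, victim=VICTIM):
    """Inbound UDP from a reflection service port with no matching query from the victim.
    Returns {reflector_ip: (service_name, total_bytes)} over the whole window."""
    asked = outbound_requests(flows, victim)
    hits = {}
    for _, src, sport, dst, _, proto, nbytes in flows:
        if dst != victim or proto != "udp" or sport not in REFLECTION_PORTS:
            continue
        if (src, sport) in asked:          # a reply the victim asked for; not reflection
            continue
        name, total = hits.get(src, (REFLECTION_PORTS[sport], 0))
        hits[src] = (name, total + nbytes)
    return hits

def inbound_mbps(flows, victim=VICTIM):
    """Inbound megabits per second towards the victim, per one-second bucket."""
    per_sec = defaultdict(int)
    for sec, _, _, dst, _, _, nbytes in flows:
        if dst == victim:
            per_sec[sec] += nbytes
    return {sec: b * 8 / 1_000_000 for sec, b in per_sec.items()}

def saturated_seconds(flows, circuit_mbps=CIRCUIT_MBPS, victim=VICTIM):
    """Seconds in which inbound traffic alone fills the circuit: the attack only had
    to be as large as the link, nowhere near a headline-sized figure."""
    return sorted(s for s, m in inbound_mbps(flows, victim).items() if m >= circuit_mbps)

if __name__ == "__main__":
    print("reflectors:", unsolicited_responses(FLOWS))
    print("saturated seconds:", saturated_seconds(FLOWS))
```

Against the constructed records, second 1 carries 1360 Mbps of unsolicited DNS and NTP responses, which already exceeds the 1 Gbps circuit, while the legitimate resolver at 198.51.100.5 is correctly left out of the reflector list.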

Arbor’s ATLAS threat intelligence infrastructure gathers anonymised traffic data from more than 300 internet service providers, equalling approximately one-third of all internet traffic. Here are a few stats that show why DDoS is about more than very large attacks.

  • ATLAS recorded a DDoS attack every 6.3 seconds last year
  • 88% were less than 2Gbps
  • 80% were less than 1Gbps.

In fact, DDoS today is a series of attacks that target not just connection bandwidth but also the devices that make up an existing security infrastructure, such as stateful firewall/IPS devices, as well as a wide variety of applications that the business relies on, like HTTP, HTTPS, VoIP, DNS and SMTP.

DDoS attacks that target business-critical applications are often referred to as “low and slow” attacks. They target applications with what look like legitimate requests until they can no longer respond. High volumes are not required to cause serious operational damage to an unprepared organisation.

The hottest trend right now in DDoS is the multi-vector attack, combining flood, application and state exhaustion attacks against infrastructure devices all in a single, sustained attack. These attacks are popular as they are difficult to defend against and are often highly effective.

All of this calls for on-premise DDoS protection. It provides the first line of defence against volumetric attacks while protecting Layer 7 applications from “low and slow” attacks that cannot be effectively mitigated from the cloud. By deploying Intelligent DDoS Mitigation Systems on-premise in front of the firewall/IPS, you protect the existing security infrastructure, while maintaining availability of critical business applications.

Effective DDoS defence calls for agile protection from the cloud to the data centre. Without a tightly integrated, multi-layered mitigation infrastructure, Australian organisations will only be partially protected. What our enterprises need to do is to look beyond the headlines on DDoS attacks if they don’t want to become one.

Article by Tim Murphy, Country Manager, Australia and New Zealand, Arbor Networks.
