Story image

The war on infrastructure: DDoS is designed to disrupt

11 Jun 2018

Most people assume that security breaches happen when a perpetrator is trying to steal something, but the reality is that many of the DDoS attacks happening today are designed to disrupt. The clue is in the term: denial of service. The motive of a DDoS attack is, put simply, to prevent the delivery of online services that people depend on and only very occasionally will the attackers ask for a ransom.

Financial institutions, gaming and e-commerce websites are among the top targets of DDoS attacks, as are cloud service providers that host sites or service applications for business customers. Even a brief disruption of service delivery can cost some enterprises millions in lost business, not counting the after-effects of alienated customers and reputational damage.

Since DDoS attacks and data breaches are so different in nature, conventional security infrastructure components used to combat breaches – perimeter firewalls, intrusion detection/preventions systems (IDI/IPS) and the like – are comparatively ineffective at mitigating DDoS attacks. These security products certainly have their place in a layered defence strategy, serving to protect data confidentiality and integrity. However, they fail to address the fundamental issue in DDoS attacks, namely network availability.

In fact, these components themselves are increasingly the target of DDoS attacks aimed at incapacitating them. The 13th annual Worldwide Infrastructure Security Report (WISR), NETSCOUT Arbor’s annual survey of security professionals in both the service provider and enterprise segments, uncovered a significant increase in DDoS attacks targeting infrastructure over the previous year.

Among enterprise respondents, 61% had experienced attacks on network infrastructure, and 52% had firewalls or IPS devices fail or contribute to an outage during a DDoS attack. Attacks on infrastructure are less prevalent among service providers, whose customers are still the primary target of DDoS attacks. Nonetheless, 10% of attacks on service providers targeted network infrastructure and another 15% targeted service infrastructure.

Meanwhile, data centre operators reported that 36% of inbound attacks targeted routers, firewalls, load balancers and other data centre infrastructure. Some 48% of data centre respondents experienced firewall, IDS/IPS device and load-balancer failure contributing to an outage during a DDoS attack, an increase from 43% in 2016.

Infrastructure components are particularly vulnerable to TCP State Exhaustion attacks, which attempt to consume the connection state tables (session records) used by load balancers, firewalls, IPS and application servers to identify legitimate packet traffic. Such attacks can take down even high-capacity devices capable of maintaining state on millions of connections. In the latest WISR, TCP State Exhaustion attacks accounted for nearly 12% of all attacks reported.

Despite their vulnerability, firewalls, IPS and load-balancers remain at the top of the list of security measures organisations say they employ to mitigate DDoS attacks. Among service providers, firewalls were the second most reported DDoS mitigation option, while on the enterprise side, firewalls were the first choice of 82% of respondents. It is somewhat discouraging that some of the most popular DDoS mitigation measures are also the least effective, given the ease with which a state-based attack can overwhelm them.

On a positive note, however, the increased frequency of DDoS attacks reported in our 2016 survey appears to have driven wider adoption of Intelligent DDoS Mitigation Systems (IDMS) in 2017. About half of respondents indicated that an IDMS was now a part of perimeter protection, a sharp increase from the previous year’s 29%.

Any organisation that delivers services over the web needs strong, purpose-built DDoS protection. Security experts continue to recommend as best practice a hybrid solution combining on-premise defences and cloud-based mitigation capabilities. Specifically, in terms of attacks on network infrastructure, a dedicated DDoS on-premise appliance should be deployed in front of infrastructure components to protect them from attacks and enable them to do their job unimpeded. 

Article by NETSCOUT Arbor's regional director of South Asia, Jason Hilling.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.