Most people assume that security breaches happen when a perpetrator is trying to steal something, but the reality is that many of the DDoS attacks happening today are designed to disrupt. The clue is in the term: denial of service. The motive of a DDoS attack is, put simply, to prevent the delivery of online services that people depend on and only very occasionally will the attackers ask for a ransom.
Financial institutions, gaming and eCommerce websites are among the top targets of DDoS attacks, as are cloud service providers that host sites or service applications for business customers. Even a brief disruption of service delivery can cost some enterprises millions in lost business, not counting the after-effects of alienated customers and reputational damage.
Since DDoS attacks and data breaches are so different in nature, conventional security infrastructure components used to combat breaches – perimeter firewalls, intrusion detection/preventions systems (IDI/IPS) and the like – are comparatively ineffective at mitigating DDoS attacks. These security products certainly have their place in a layered defence strategy, serving to protect data confidentiality and integrity. However, they fail to address the fundamental issue in DDoS attacks, namely network availability.
In fact, these components themselves are increasingly the target of DDoS attacks aimed at incapacitating them. The 13th annual Worldwide Infrastructure Security Report (WISR), NETSCOUT Arbor's annual survey of security professionals in both the service provider and enterprise segments, uncovered a significant increase in DDoS attacks targeting infrastructure over the previous year.
Among enterprise respondents, 61% had experienced attacks on network infrastructure, and 52% had firewalls or IPS devices fail or contribute to an outage during a DDoS attack. Attacks on infrastructure are less prevalent among service providers, whose customers are still the primary target of DDoS attacks. Nonetheless, 10% of attacks on service providers targeted network infrastructure and another 15% targeted service infrastructure.
Meanwhile, data center operators reported that 36% of inbound attacks targeted routers, firewalls, load balancers and other data center infrastructure. Some 48% of data center respondents experienced firewall, IDS/IPS device and load-balancer failure contributing to an outage during a DDoS attack, an increase from 43% in 2016.
Infrastructure components are particularly vulnerable to TCP State Exhaustion attacks, which attempt to consume the connection state tables (session records) used by load balancers, firewalls, IPS and application servers to identify legitimate packet traffic. Such attacks can take down even high-capacity devices capable of maintaining state on millions of connections. In the latest WISR, TCP State Exhaustion attacks accounted for nearly 12% of all attacks reported.
Despite their vulnerability, firewalls, IPS and load-balancers remain at the top of the list of security measures organisations say they employ to mitigate DDoS attacks. Among service providers, firewalls were the second most reported DDoS mitigation option, while on the enterprise side, firewalls were the first choice of 82% of respondents. It is somewhat discouraging that some of the most popular DDoS mitigation measures are also the least effective, given the ease with which a state-based attack can overwhelm them.
On a positive note, however, the increased frequency of DDoS attacks reported in our 2016 survey appears to have driven wider adoption of Intelligent DDoS Mitigation Systems (IDMS) in 2017. About half of respondents indicated that an IDMS was now a part of perimeter protection, a sharp increase from the previous year's 29%.
Any organisation that delivers services over the web needs strong, purpose-built DDoS protection. Security experts continue to recommend as best practice a hybrid solution combining on-premise defences and cloud-based mitigation capabilities. Specifically, in terms of attacks on network infrastructure, a dedicated DDoS on-premise appliance should be deployed in front of infrastructure components to protect them from attacks and enable them to do their job unimpeded.