CTOUpdate
SecurityProNews
ITmanagement
Bandwidth Needs Rise As DDoS Attacks Grow In Size & Complexity

By Paul Sop
Expert Author
Article Date: 2007-06-05

Distributed Denial of Service (DDoS) attacks are an increasing concern for online organizations. In a DDoS attack, networks of compromised PCs controlled by remote attackers (botnets) inundate a network with the intent to crash its Web or application services.

DDoS attacks are increasingly easy to execute, and worldwide reached as many as 10,000 per day, according to a 2006 Computer Security Institute survey. The size of the attacks is growing as well. In 2005, the largest DDoS attack was 3.5 Gbps. Today, attacks are over 10 Gbps, which is enough brute force to take out an entire hosting/co-location facility.

A large DDoS attack can quickly overload an organization's Internet connection, so that few if any legitimate requests can get through. When networks are saturated, network equipment becomes unreachable or unresponsive, rendering mitigation attempts difficult, if not impossible. In the face of a large attack, most Internet carriers have only one recourse to save their bandwidth costs and protect their other customers from collateral damage: ‘null route’ the organization under attack, essentially taking it off the Internet. This is, of course, exactly the outcome the attacker intended.

Today there are three types of DDoS attacks: 1) remote attacks, in which attackers send very small packets that crash the servers; 2) protocol floods that overflow bandwidth capacity so that no legitimate requests can get through; and 3) application attacks that hit servers with so many application requests that they fall over, along with their back-end databases, like dominoes.

The best defense against a remote attack is to ensure that Internet-exposed application servers are well patched and regularly scanned for vulnerabilities. Also, adding an in-line intrusion prevention system (IPS) can potentially save servers from zero-day compromises. Protocol floods and application DDoS attacks, however, require more complex architectural defenses. To mitigate these attacks, some organizations invest in commercial mitigation equipment. These devices typically sit in front of the servers they protect. Once deployed, they protect against many types of DDoS flood attacks and some application attacks. Unfortunately, no commercially available DDoS mitigation technology can successfully stop all attack types. Doing so requires an investment in multiple complex technologies, configured to work synergistically - no easy feat.

The biggest constraint of in-line deployment, however, is limited bandwidth. It is cost prohibitive for an organization to scale bandwidth high enough to mitigate today's large attacks. Consider the following. An average botnet can easily saturate a 1 Gigabit Internet connection. Even if an in-line mitigation device performs at 100 percent of that upper ‘bandwidth’ limit, legitimate traffic still cannot get through, because the flood has already crowded it out on the saturated link upstream of the device.

Faced with the increase in attack sizes, organizations that seek comprehensive DDoS protection face investments in large amounts of bandwidth and many mitigation devices to handle the range of attacks. This is an expensive and complex proposition. Where organizations have multiple points of presence, each one requiring protection, the cost and complexity are compounded.

In the end, the most effective prevention against DDoS attacks is to ensure they never enter a network. Increasingly, many organizations are turning to service providers who mitigate massive DDoS attacks ‘in the cloud’ by employing large amounts of bandwidth. Managed service providers spread the cost of their resources over many customers, so they can purchase massive amounts of resources to handle the largest attacks.

The most effective DDoS mitigation service providers have global reach, and so are able to mitigate attacks near their origin. It is increasingly common that US- and European-based companies are attacked by large botnets stemming from Asia. So it makes little sense to have Gigabits of traffic travel over continents and oceans en route to a single DDoS mitigation system. Managed service providers who have distributed data centers can act as ‘gravity wells,’ advertising an organization's IP addresses from each data center. Should a large botnet attack an organization from Asia, the attack can be ‘sucked’ into an Asian scrubbing center and diffused there. The ability to diffuse global attacks via distributed scrubbing centers is the current state of the art in DDoS mitigation.
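A toy capacity model of the two arguments made above: the in-line appliance sitting behind a saturated link (the paragraph on limited bandwidth) and the distributed scrubbing centers that announce the customer's prefix from every region. This is an added example written for this page, not code from the article or from Prolexic. The region names, link and scrubber capacities and traffic figures are constructed, and the assumption that a saturated link drops traffic indiscriminately is a deliberate simplification of real queue behaviour.

```python
"""Toy capacity model for the bandwidth argument in this article.

Added example, not code from the article or from Prolexic. One simplifying
assumption throughout: a saturated link or device drops traffic indiscriminately,
so legitimate and attack packets are thinned by the same factor capacity/offered.
All rates are in Gbps.
"""
from dataclasses import dataclass


def delivery_fraction(capacity_gbps: float, offered_gbps: float) -> float:
    """Fraction of offered traffic that survives a link or device of the given capacity.

    Below saturation everything passes; above it the excess is dropped without regard
    to whether a packet is legitimate or part of the flood (tail drop).
    """
    if offered_gbps <= 0:
        return 1.0
    return min(1.0, capacity_gbps / offered_gbps)


def inline_mitigation(link_gbps: float, device_gbps: float,
                      legit_gbps: float, attack_gbps: float) -> float:
    """Legitimate Gbps reaching the servers with a mitigation appliance behind the Internet link.

    The flood shares the access link with the legitimate traffic before either reaches
    the appliance, so the appliance only ever sees what the congested link let through.
    Its own throughput is a second bottleneck; the article's "performs at 100 percent of
    the bandwidth limit" case is device_gbps >= link_gbps, where the link alone decides.
    """
    link_survive = delivery_fraction(link_gbps, legit_gbps + attack_gbps)
    legit_in = legit_gbps * link_survive
    attack_in = attack_gbps * link_survive
    # An overloaded appliance also sheds load indiscriminately before it can classify.
    device_survive = delivery_fraction(device_gbps, legit_in + attack_in)
    # What it does classify as attack is dropped; the legitimate remainder is forwarded.
    return legit_in * device_survive


@dataclass
class Region:
    """Traffic sourced from one geography and the scrubbing center anycast routing pulls it into."""
    name: str
    legit_gbps: float
    attack_gbps: float
    scrubber_gbps: float  # inspection capacity of the provider's center serving this region


def cloud_mitigation(regions: list, origin_link_gbps: float) -> float:
    """Legitimate Gbps reaching the origin when the protected prefix is announced from every center.

    Each region's traffic, flood included, lands on the nearest scrubbing center (the
    article's "gravity well"). The center drops the attack share and forwards only
    clean traffic, so the customer's own link carries legitimate traffic alone.
    """
    clean_gbps = 0.0
    for r in regions:
        center_survive = delivery_fraction(r.scrubber_gbps, r.legit_gbps + r.attack_gbps)
        clean_gbps += r.legit_gbps * center_survive
    return clean_gbps * delivery_fraction(origin_link_gbps, clean_gbps)


# Constructed scenario (illustrative numbers, not measurements): a 1 Gbps customer link,
# 0.4 Gbps of legitimate traffic split across three regions, and a 9.6 Gbps flood from Asia.
LINK_GBPS = 1.0
REGIONS = [
    Region("asia", legit_gbps=0.1, attack_gbps=9.6, scrubber_gbps=20.0),
    Region("europe", legit_gbps=0.15, attack_gbps=0.0, scrubber_gbps=20.0),
    Region("us", legit_gbps=0.15, attack_gbps=0.0, scrubber_gbps=20.0),
]
TOTAL_LEGIT = sum(r.legit_gbps for r in REGIONS)
TOTAL_ATTACK = sum(r.attack_gbps for r in REGIONS)


def compare() -> dict:
    """Legitimate throughput under each deployment, as a fraction of what users offered."""
    inline = inline_mitigation(LINK_GBPS, device_gbps=LINK_GBPS,
                               legit_gbps=TOTAL_LEGIT, attack_gbps=TOTAL_ATTACK)
    cloud = cloud_mitigation(REGIONS, LINK_GBPS)
    return {"inline": inline / TOTAL_LEGIT, "cloud": cloud / TOTAL_LEGIT}


if __name__ == "__main__":
    for name, frac in compare().items():
        print(f"{name:>6}: {frac:.0%} of legitimate traffic delivered")
```

In the constructed scenario the in-line appliance is sized to the full link rate and still delivers only a tenth of the legitimate traffic, because nine tenths of it was dropped on the congested access link before the appliance could look at it. The same appliance capacity placed in regional scrubbing centers delivers all of it, and an undersized regional center degrades gracefully rather than taking the whole site down.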

One thing is certain - DDoS attacks are growing in size and complexity, and the trend appears unabated. Since acquiring large amounts of bandwidth is the most effective way to mitigate attacks, over the long term the responsibility for prevention needs to shift from organizations to Internet carriers, who can shoulder the cost.

About the Author:
Paul Sop is Chief Technology Officer for Prolexic Technologies. He has 16 years of technology leadership experience in innovative and successful start-ups, 12 of those in information security. Prior to joining Prolexic, Paul founded RedWolf Security, a company focused on insider threat simulation, as well as Intellitactics, a market leader in security information management.

paulsop@prolexic.com