Distributed Denial of Service (DDoS) attacks can compromise up to 10 per cent of a country’s total Internet traffic, according to Cisco Systems’ latest report on the topic. How do companies cope with that volume? One way might be to sign a partner who has even more Internet muscle than you do.
Earlier this month, Cisco released a document called the Zettabyte Era, which predicts IP traffic trends. It said that DDoS attacks are increasing in frequency and size, with the biggest one hitting 500Gbits/sec last year.
Neustar, which provides DDoS mitigation systems, signed a deal last month with Limelight Networks, which is one of the world’s biggest content distribution networks, alongside competitors such as Akamai. Rodney Joffe, senior vice-president, senior technologist and fellow at Neustar, explained that the company’s cloud-based DDoS mitigation service is in a constant battle with attackers who flood it with unwanted traffic.
“To some degree it becomes a battle of bandwidth, because the bad guys are using other peoples’ resources,” he said.
Typically, DDoS attacks have been volumetric, meaning that they rely on overpowering targets by pure volume. They send ICMP and UDP packets to targets, flooding their ports with useless information. Botnets are a typical launching point, as they enable attackers to scale their traffic for free.
Services like Neustar’s cloud offering take traffic in the cloud and scrub it by looking for telltale signs of an attack. They can then discard that traffic before sending only the legitimate packets onto the customer. While that saves the customer’s bandwidth, it means that firms like Neustar have to beef up their infrastructure to cope with the increasing loads.
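To make the scrubbing step concrete, here is an added example (not Neustar's or Limelight's code) of the simplest telltale sign a scrubbing node looks for: a source sending far more UDP or ICMP packets per second than any legitimate client would. The packet records and the 1,000 packets-per-second threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample of packet records (src, proto, dst_port) seen by a
# scrubbing node in one one-second window. Hypothetical data, not from the
# article: two flooding sources mixed with two ordinary clients.
SAMPLE_WINDOW = (
    [("203.0.113.7", "UDP", 53)] * 4000        # UDP flood from one source
    + [("198.51.100.9", "ICMP", None)] * 3000  # ICMP flood from another
    + [("192.0.2.10", "TCP", 443)] * 40        # ordinary HTTPS client
    + [("192.0.2.11", "UDP", 53)] * 5          # a few legitimate DNS queries
)

# Assumed per-source packets-per-second limit for UDP and ICMP in one window.
FLOOD_PPS = 1000


def flood_sources(window, threshold=FLOOD_PPS):
    """Return the sources that sent more than `threshold` UDP/ICMP packets."""
    counts = Counter(src for src, proto, _ in window if proto in ("UDP", "ICMP"))
    return {src for src, n in counts.items() if n > threshold}


def scrub(window, threshold=FLOOD_PPS):
    """Discard packets from flooding sources and forward the rest.

    Returns (forwarded_packets, dropped_count_per_source), which is what the
    customer receives and what the scrubbing service absorbed on its behalf.
    """
    bad = flood_sources(window, threshold)
    forwarded, dropped = [], Counter()
    for pkt in window:
        if pkt[0] in bad:
            dropped[pkt[0]] += 1
        else:
            forwarded.append(pkt)
    return forwarded, dict(dropped)


if __name__ == "__main__":
    kept, dropped = scrub(SAMPLE_WINDOW)
    print(f"forwarded {len(kept)} packets to the customer")
    for src, n in dropped.items():
        print(f"dropped {n} packets from {src}")
```

Note that the legitimate DNS client on UDP port 53 is still forwarded, because the decision is per source rate, not per protocol; real scrubbing adds many more signals than this single threshold.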
The pressure is likely to increase, said Andy Shoemaker, founder and CEO of Nimbus DDoS, a consulting firm that analyzes and simulates DDoS events.
“Attacks are just going to keep on getting bigger. Nowadays, they’re measured in hundreds of Gigabits per second, and my suspicion is that in the next five years, based on the trends, we’ll definitely see our first Terabit per second attack,” he said.
Working with a CDN enables Neustar to take advantage of wide area network capacity that isn’t being used, explained Joffe. Limelight has major nodes around the world to which it distributes content, so that users can fetch it from a site closer to their physical location. This cuts down latency and stops the same traffic having to be sent across the same Internet routes multiple times.
Most of Limelight’s requirements are for outbound traffic as it distributes the large files that its customers want. Its requirements for inbound traffic going the other way are relatively low, meaning that one half of the connection that it uses from an ISP is far less used, Joffe explained.
Neustar’s deal with the firm enables it to use that inbound capacity on Limelight’s network, giving it a pipe for its customers’ traffic, so that it can analyze it before sending it on to them.
Neustar will be moving up to 10 Terabits of DDoS mitigation bandwidth from around 1 Terabit, Joffe said. That’s more than many large tier-one backbones, he pointed out.
“What we’re now able to do for large companies is always-on capability. We act as a DDoS mitigation service that’s in the cloud all the time, and the customer only sees traffic that has come through us,” he added.
Still, this is only one step in the long battle against DDoS attackers. Joffe expects DDoS attacks to become smaller, rather than bigger. “There’s a point at which when you get to 10 Terabits, it takes so many of the bad guys’ resources that they have to get smarter about it.” The DDoS attacks will be shorter in duration and size, but more focused on individual organizations based on new motives.
Attacks will increasingly move away from volumetric methods to others, he suggested.
“Since the beginning of the year we’ve really seen a drop in the size. Those that used to be 400-500Gbit/sec are becoming more rare,” he said. “Now we’re seeing smaller ones where you think you’re dealing with an amateur, but you realize that they’re being far more sophisticated in their work.”
These kinds of DDoS attacks can target particular applications, for example, or may be used as ‘smokescreen’ attacks to evade detection as attackers try to compromise networks and exfiltrate information. The DDoS attack may have been around since the turn of the century, but it shows no sign of fading away yet.