How to Protect Customers From Massive DDoS Attacks In 2017

By Gary Sockrider

The world has been on high alert following recent high-profile cyber-attacks that took down huge portions of the internet using the Mirai botnet. The epic distributed denial-of-service (DDoS) attack went after Dyn, a company that controls much of the internet’s domain name system (DNS) infrastructure. In the process it brought down sites including Twitter, the Guardian, Netflix, Reddit, CNN and many others. And we’re only getting started.

Even as the original Mirai Internet of Things (IoT) botnet, consisting of about a half-million DVRs, surveillance cameras and other embedded devices, is still active, new evolutions are already being leveraged. During the past two decades, we have seen DDoS attacks grow in size, frequency and complexity. They’re now being broadly adapted as an attack technique by threat actors who are available for hire at as little as $5 an hour.

This ease of use coupled with businesses’ increasing reliance on internet connectivity, for revenue, access to cloud-based data or applications or all of the above, means DDoS protection is – or should be – front of mind for customers worldwide and across every industry sector.

It’s also a real opportunity for the channel. Despite 20 years of headlines, many businesses today are under-invested and ill-prepared. Some wrongly believe they will not be targeted, even as they experience DDoS-induced outages that are wrongly attributed to equipment failures or operational error. Others are sitting ducks, reliant on infrastructure devices, such as firewalls and intrusion prevention systems, or a single layer of protection from their ISP or content-delivery network.

In each case, these businesses are only partially protected. Firewalls and IPSes are stateful devices that are often targets of DDoS attacks, while cloud-only or CDN protection may not provide adequate protection for critical business applications. DDoS protection should be seen as an insurance product; everyone is at risk.

Make the Sale

If you need to illustrate the problem, Arbor’s Worldwide Infrastructure Security Report shows how DDoS attacks have grown in size, frequency and complexity.

Further trends can be seen in real-time on the Digital Attack Map, a live data visualization of DDoS attacks occurring worldwide. Developed in conjunction with Google’s Jigsaw, the Digital Attack Map uses data from Arbor’s Active Threat Level Analysis System (ATLAS) global threat-monitoring system to reflect the current state of DDoS attacks. It currently collects anonymous traffic data from more than 330 service providers and monitors about one-third of the world’s internet traffic.

As a solutions provider, how are you helping customers prepare for a future that the data tells us is going to look different from today?

Begin by educating customers on the threat, and discuss a multi-layered defense that combines a hybrid approach backed by continuous threat intelligence. Preparation is the key to stopping DDoS attacks. The first step is to stop application-layer attacks on premises, where you have more control over the protection of services that matter most. Make sure your customers have on-premises, purpose-built, inline products that can stop in-bound DDoS attacks and other threats. They are placed in front of the firewall and can also stop outbound activity from compromised hosts. 

In the event that an on-premises product senses that it is going to become overwhelmed with a large volumetric DDoS attack, it needs to have the capability to “call for help” through a cloud signal.

The next step is to stop volumetric attacks in the cloud before the attacks saturate circuits and overwhelm the customer’s on-site security devices. An ideal system is one where the on-premises detection solution can communicate upstream when it’s under attack and dynamically re-route network traffic through the cloud to a scrubbing center, where malicious DDoS traffic is removed and then the clean traffic is rerouted. This is the key to stopping a large-scale attack.

Last, there needs to be intelligent communications between the two environments to stop dynamic, multi-vector attacks. Make sure your solutions are backed by continuous threat intelligence to stay abreast of the latest threats.

Gary Sockrider is principal security technologist at Arbor Networks. He seeks to understand and convey the constantly evolving threat landscape, as well as the techniques and solutions that address them. Sockrider is an industry veteran with over 20 years of broad technology experience, ranging from routing and switching to network security, data center, and collaboration.