Time to get serious about volumetric DDoS mitigation

2017 promises to be the “Year of DDoS Attacks.”  According to a recent study, more than half of all enterprises see in excess of 51 DDoS attacks per month. Think about that for a minute – most enterprises see two DDoS attacks each business day!

 And not just any DDoS attack, but often massive attacks, some in excess of 1 terabit.  These larger attacks are quite diverse, coming from a variety of botnets, in dozens of countries and employing a wide range of attack vectors.

Unfortunately, these attacks are taking their toll, as much as $500,000 per attack according to some sources. 

So, if 2017 is the “Year of DDoS Attacks,” perhaps it is time to get serious about DDoS mitigation.

Anatomy of a DDoS attack

The goal of a DDoS attack is simple – to take down an online service. DDoS attacks (DDoS stands for Distributed Denial of Service) focus a collection of compromised hosts (collectively called a “botnet”) upon a weak point in the network.

While there are dozens of different attack vectors that can accomplish this, at a high-level one can divide them into two fundamental types of attacks: application-layer and volumetric attacks. 

Application-layer attacks, such as an HTTP flood, make an innocuous request of the server trying to crash that server. They require very little bandwidth to accomplish and can be tricky to detect.

Volumetric attacks, on the other hand, focus an enormous amount of traffic on a specific host in the hopes of bringing the host’s network to its knees. Volumetric attacks are easy to spot – it is hard to hide the sudden arrival of 500 Gbps of data laser-focused on a single server.  But while detection is easy, mitigation requires the ability to process a huge number of rules to remove attack traffic from normal traffic all at line-rate speeds.

Volumetric DDoS attack mitigation 101

The size and severity of volumetric attacks are exploding: the largest attack volumes grew by 60 percent, with one in eight seeing attack volumes in excess of 200 Gbps.

As mentioned, mitigating volumetric attacks is fairly straightforward.  First, detect where the attack is coming from and then create a set of rules to block traffic from these compromised sites. While simple, it is not necessarily easy to do, especially when dealing with botnets with tens or even hundreds of thousands of infected devices either spread across hundreds of countries or localized to one service provider’s network.

The key is to be able to set up massive numbers of rules (for example, to discard all traffic from a certain source IP address) in a very short amount of time, and then apply all of those rules to incoming traffic at line rate speeds (which can be 1Tbps or higher in the largest networks).

So how does one do this? Which device on your network has that kind of power?

Your core router won’t work for several reasons. First, at the risk of stating the obvious, it is busy doing your core routing. Throwing a massive DDoS attack at it, with hundreds of thousands of rules, will inevitably slow (or even crash) your internal network. Further, most routers cannot handle that many rules, and even if they can, your networking team won’t be happy assigning such a large percentage of the available ACL entries to DDoS mitigation; space is needed for basic routing chores.

The same principle applies to your core firewall defenses. Using a traditional firewall to mitigate DDoS attacks affects the firewall’s ability to attend to its routine defensive responsibilities.

For service providers, a common solution is “remotely-trigger black holing” (RTBH).  Essentially, you tell your edge firewalls to drop all inbound traffic addressed to the target of the DDoS attack. If the bad guys target one of the service provider’s customers, the service provider simply takes that customer offline. This protects the rest of the provider’s customers, but is catastrophic for the targeted customer.

You could use high-end DDoS protection solutions – high-powered appliances that combine the intelligence to identify sophisticated application-layer attacks with the brute-force power required to handle volumetric DDoS attacks.

The problem with this approach is cost and flexibility. You need to place such devices at key locations to keep the volumetric attack traffic away from your network.  But, these monolithic devices are extremely expensive as they combine both application-layer attack intelligence as well as volumetric attack brute-force power. And they don’t allow the customization and programmability of rule sets that get exposed to the SOC who want these levers and options to mount an effective defense for your network and your users. 

This same principle applies, by the way, to scrubbing centers. Scrubbing centers use the exact same sophisticated DDoS appliances to perform your scrubbing. This leads to the same issue: You pay more than you need to and you are left short on programmability with a monolithic solution.

The best approach is to split the application-layer intelligence from the volumetric power and place the relatively less expensive, but purpose-built volumetric DDoS attack mitigation devices at the edges of your network so you can remove the huge volume of attack traffic before it congests your network pipes. Independently, you can then centralize the sophisticated application-layer DDoS attack mitigation appliance at the core of your network as a resource for protecting your applications. This approach puts power and intelligence precisely where you need it without spending more than you need to or compromising on control. 

No compromise volumetric DDoS mitigation

It turns out there is a standardized method for separating application-layer intelligence from volumetric mitigation: Flowspec. The Flowspec standard is used by many analytics and attack detection architectures to identify attacks at or near the targets and use Flowspec to communicate the mitigation rules to mitigation devices. Flowspec works perfectly for universal volumetric DDoS mitigation without compromise.

Centralize highly intelligent (and expensive) application attack response at the core of your network. Then deploy simplified (yet powerful) volumetric mitigation everywhere it’s needed. Centralizing the expensive application layer appliances means you minimize your investment in this expensive resource. Removing the application layer intelligence from the volumetric mitigation appliances means you can optimize its performance for the specific task at hand and therefore reduce its cost, which allows you to distribute these to as many locations as needed to effectively mitigate attacks.

Blueprint of a universal DDoS mitigation appliance

So what does it take for such a universal DDoS mitigation device to be effective?

Line-rate performance

First and foremost the device has to be able to process traffic at line rate speeds regardless of packet size and regardless of how many rules are required.  In today’s networks, this means packet processing up to 150Mpps (with the ability to scale up or out as needed).

Capacity for large numbers of rules

How many rules are enough? Many DDoS mitigation solutions max out at a few thousand. With botnets exceeding 100,000 infected devices this is woefully inadequate. To be effective you’ll need the capacity for 200,000 programmable ACL rules (or more).

Ability to quickly load rules

With such a high number of rules, the time it takes to load ACL entries starts to matter. To be truly effective your mitigation device needs to be able to load a full set of ACL entries in seconds, without affecting performance.

Summary

Volumetric DDoS attacks have reached critical mass and are only going to get worse.  Separating application layer intelligence and protection from volumetric attack protection allows you to cost-effectively keep attack traffic outside your network, allowing good traffic to flow unaffected.