Protecting networks from DDoS attacks
(16/10/2009)
Pravin Mirchandani, CEO of Syphan Technologies, looks at the continuing problems caused by distributed denial-of-service (DDoS) attacks, and suggests that new cloud-based mitigation services may be round the corner:
In my experience very few people would dream of operating their businesses without taking out adequate insurance protection against everything from an act of God to a bad debt. Yet many of these companies still choose to leave their main channel of customer communication - their Internet storefront - vulnerable to an abrupt termination or sudden drop in performance.
The consequences of non-availability of a corporate Web site, particularly for ecommerce-based businesses, can be far more damaging than dealing with the aftermath of a flood or fire, and with the same or, in some cases, an even higher chance of an outage occurring.
To be fair to network managers, part of the reason for the lack of investment in specialist DDoS technology can be attributed to budget restrictions, as well as a belief, put about by some vendors, that their IPS or firewall will do the job. This is further compounded by the general impression that somehow the bad guys have moved on and, from an ROI perspective, the risk is one worth taking.
The problem with that viewpoint is that all the evidence suggests that, since hackers first started to use DDoS to gain peer-group kudos in early 2000, it has evolved to become a highly organised, financially motivated cyber-crime, with an estimated 10,000 attacks now occurring each day.
This fact alone should be enough to ensure that network managers take the problem more seriously, but if more reasons are needed there is also the phenomenon of “flash crowds” to take into consideration. With the arrival of the Twitter and Facebook generation and the ubiquitous availability of the Internet, the announcement of the latest Madonna tour dates or a rumour of the imminent demise of a high street bank can trigger a tsunami wave of hits capable of taking even the most high-profile Web sites offline in a matter of minutes.
To put the whole issue into sharp focus, a study carried out by leading security analysts at Forrester, IDC and the Yankee Group concluded that large ecommerce-based businesses could face a potential $30M loss in direct revenue and reduced productivity costs from just one 24-hour break in Internet availability, whether that is the result of a targeted DDoS attack or a flash-crowd incident. Most DDoS attacks can last several days if not weeks, so it is hardly surprising that victims often prefer to pay the ransom demand that usually follows rather than spend valuable time struggling to fend off the attack.
Unlike other Internet malware, distributed denial-of-service attacks typically do not carry a malicious payload or have any distinct signature or behaviour profile that can be picked up by an IDS, IPS or firewall system, with the result that most of the traffic is allowed through unhindered. Although there are some manual adjustments that can be made to blacklist untrusted IP addresses and reduce the impact of the attack, this is usually done after the event and can be a very blunt instrument, resulting in a high level of false positives – aka disgruntled customers.
DDoS attacks are generally made up of large volumes of normal Internet traffic generated by a global network of robot PCs (‘botnets’). Designed to exhaust the server's hardware resources until the system shuts itself down, this is no different, in effect, from millions of people all trying to access the same information on the same Web server at the same time.
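The two points above (per-address blacklisting is a blunt instrument, and a botnet flood is just a large volume of individually normal requests) can be seen directly by triaging a request log in two ways at once: counting requests per source address, and measuring the aggregate request rate against a baseline. The script below is an added example, not code from the article or from Syphan Technologies; the log lines, the site's baseline rate, the thresholds and the address ranges are all constructed, and the log format it parses is an assumption.

```python
"""Triage of a constructed web request log: per-source counts vs. aggregate rate.

Added example, not code from the article or from Syphan Technologies.
Assumed log line format: "<epoch seconds> <source ip> <request path>".
"""
from collections import Counter
import ipaddress

# Assumed steady-state request rate for the site (constructed figure).
BASELINE_RPS = 5.0


def parse_line(line):
    """Split one log line into (timestamp, source address, path)."""
    ts, src, path = line.split(maxsplit=2)
    return int(ts), ipaddress.ip_address(src), path


def build_log(sources, requests_each, window_seconds, start=1_255_651_200):
    """Construct log lines: each address in `sources` sends `requests_each`
    requests spread evenly over the window. Purely synthetic data; the start
    timestamp is an arbitrary epoch value."""
    total = len(sources) * requests_each
    lines = []
    for i, src in enumerate(sources):
        for k in range(requests_each):
            n = i * requests_each + k
            ts = start + (n * window_seconds) // max(total, 1)
            lines.append(f"{ts} {src} /index.html")
    return lines


def addresses(prefix, count):
    """`count` consecutive addresses starting at `prefix` (documentation ranges)."""
    base = ipaddress.ip_address(prefix)
    return [str(base + i) for i in range(count)]


def analyse(lines, window_seconds, per_source_limit, aggregate_multiplier=10.0):
    """Two complementary views of one window of traffic.

    noisy_sources:   addresses above the per-source limit (candidates for
                     blocking; empty for a well-distributed flood, where each
                     bot stays within what a normal client would send).
    aggregate_rps:   total request rate, compared against a multiple of the
                     baseline. This catches a distributed flood, but on its
                     own it cannot tell a botnet from a legitimate flash crowd.
    """
    records = [parse_line(line) for line in lines]
    per_source = Counter(src for _, src, _ in records)
    noisy = sorted(str(ip) for ip, n in per_source.items() if n > per_source_limit)
    aggregate_rps = len(records) / window_seconds
    return {
        "noisy_sources": noisy,
        "aggregate_rps": aggregate_rps,
        "aggregate_alarm": aggregate_rps > aggregate_multiplier * BASELINE_RPS,
    }


WINDOW = 10             # seconds of log examined
PER_SOURCE_LIMIT = 20   # requests per window before a single address is flagged

# Constructed scenarios: quiet traffic, one abusive client, and a distributed flood
# in which 200 addresses each send only five requests.
NORMAL = build_log(addresses("203.0.113.0", 40), 1, WINDOW)
SINGLE_ABUSER = NORMAL + build_log(["192.0.2.10"], 200, WINDOW)
DISTRIBUTED = build_log(addresses("198.51.100.0", 200), 5, WINDOW)


def scenario_results():
    """Run the analysis over all three constructed scenarios."""
    return {
        "normal": analyse(NORMAL, WINDOW, PER_SOURCE_LIMIT),
        "single_abuser": analyse(SINGLE_ABUSER, WINDOW, PER_SOURCE_LIMIT),
        "distributed": analyse(DISTRIBUTED, WINDOW, PER_SOURCE_LIMIT),
    }


if __name__ == "__main__":
    for name, result in scenario_results().items():
        print(name, result)
```

In the single-abuser scenario the per-source count flags the one offending address and the aggregate rate stays unremarkable; in the distributed scenario no address exceeds the per-source limit (so a blacklist built from that view would block nothing, or would have to be set so low that it also blocks ordinary visitors), while the aggregate rate is twenty times the baseline. The aggregate view alarms equally on a genuine flash crowd, which is why the article's point that "behaviour-based" mitigation is needed to separate the two, rather than address lists alone, follows from the data.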
Whilst companies may still feel that the chances of being a DDoS victim are extremely low, there is the very real risk that their customers and remote users could suddenly find that access to Web-based services is unavailable due to a flash-crowd event, with the inevitable serious financial consequences.
It has been argued that in the current economic climate the temptation to use DDoS as an easy way of making money is likely to increase even more and, with Gartner's revised forecast of a 9% reduction in IT budgets over the next 12 months, network managers without effective DDoS cover in place are finding themselves in a very difficult position and are looking for innovative and cost-effective services to bridge the gap.
However, this in itself has not been an easy task, with technology challenges severely restricting the options for delivering sustainable, hosted point security and, more specifically, DDoS mitigation services in the cloud. Hardware performance limitations and infrastructure costs have not made enough economic business sense for many MSPs to make the necessary investment, and until recently only high-cost, premium services have been available. These don’t make sense for the vast majority of organisations.
Fortunately, recent advances in high-performance, multi-tenant server architecture and new behaviour-based DDoS mitigation software have started to emerge that are set to pave the way for a whole new range of cloud-based security services, co-located alongside the traditional storage, DR and managed server offerings. By supporting potentially hundreds of individual customers on a single appliance, it will soon be possible for MSPs to deliver DDoS services at highly cost-effective prices that will enable organisations of any size or scale to bring their DDoS protection in line with the rest of their IT security posture.
This is a welcome development that many MSPs have been waiting for, and early indications suggest that the first services based on the technology will be ready to roll out later this year. There will then be no excuse for leaving networks unprotected and at risk from any form of flood attack – malicious or otherwise.