More work needed to defend APAC against DDoS attacks

When StarHub’s residential fibre network went down in October 2016, the Singapore telco initially pinned the blame on distributed denial of service (DDoS) attacks brought on by internet of things (IoT) devices of customers that were compromised by malware.

Subsequent investigations by the authorities, however, revealed that the outage was caused by a surge in legitimate Domain Name System (DNS) traffic and did not point towards a DDoS attack. The flood in traffic eventually overloaded part of StarHub’s home broadband infrastructure.

Notwithstanding, this high-profile incident has underscored the clear and present danger posed by the use of IoT devices to launch DDoS attacks.

According to the findings of the recent Neustar Worldwide DDoS Attacks and Cyber Insights Research Report, more than 80% of surveyed organisations globally have been hit by DDoS attacks in the previous 12 months – an increase of 15% since 2016.

Furthermore, 85% of those attacked were hit more than once. “Worryingly, despite knowing the threats, companies still struggle to detect and respond to DDoS attacks effectively and efficiently,” says Robin Schmitt, Neustar’s general manager in the Asia Pacific (APAC) region.

In APAC, only 17% of organisations were able to detect an attack in less than an hour, compared to 25% in the US and Europe. The results are similar for response times, with APAC lagging behind. Ideally, Schmitt says, companies should be able to identify and mitigate an attack in less than three minutes.

According to Schmitt, the dependence on internal skills and next generation firewalls, as opposed to specialised DDoS services and appliances, is a contributing factor to APAC’s less than stellar record of detecting and mitigating DDoS attacks.

When it comes to mitigating DDoS attacks, the first thing that comes to mind is clean pipe services that “scrub” malicious traffic off an organisation’s internet traffic, while allowing legitimate traffic to pass through.

However, Schmitt contends that clean pipe services delivered by network providers typically have limited scrubbing capacity and are mostly confined to attacks in layers 4 and 5 (in the OSI model), adding that it is common for larger attacks to be black-holed.

A better solution is to implement a specialised DDoS mitigation solution that gives organisations the choice of working with an on-site DDoS defence appliance, a cloud service or a hybrid solution.

“Appliances analyse incoming network traffic, allowing only clean, legitimate traffic to pass. Cloud-based solutions reroute traffic to scrubbing centres that are able to handle a high volume of traffic at both the network and application layers,” Schmitt says.

With DDoS attacks growing in scale and size, Schmitt advises organisations to examine the capacity of their providers’ scrubbing centres and whether they’re capable of handling modern DDoS attacks. Neustar, for one, has expanded its network capacity in APAC with a new 200Gbps node in Singapore, doubling its in-region capacity with additional large nodes soon to follow.

Having large nodes and a wide network of scrubbing centres is necessary for DDoS mitigation service providers to minimise network latency and, as Schmitt says, “redirect traffic to local scrubbing centres at the edge of the network, closer to the source”.

“By scrubbing a customer’s web traffic and redelivering it locally rather than having to be backhauled to a scrubbing centre that may be halfway around the world, we offset latency and restore network performance more quickly and effectively, resulting in faster, more efficient in-region mitigation,” he says.

While Neustar’s service may address the limitations of clean pipe offerings, it is not enough on its own. Besides applying common sense and practising basic cyber hygiene, organisations need to develop a deeper understanding of cyber threats to defend themselves better.

As the StarHub episode shows, there’s still a lot more work to be done.