How traffic scrubbing can guard against DDoS attacks
Although most scrubbing services can help fend off distributed denial of service attacks, a more comprehensive mitigation strategy is required to remain unscathed
What was possibly the world’s biggest distributed denial of service (DDoS) attack in February 2018 was stopped in its tracks after 20 minutes because there was a DDoS protection service in place.
The attack on GitHub, a popular online code management service used by millions of developers, experienced incoming traffic of 1.3Tbps, bombarded by packets at a rate of 126.9 million per second. Within 10 minutes of the attack, GitHub had sounded the alarm and routed its traffic to its DDoS mitigation service Akamai Prolexic, which sorted out and blocked the malicious traffic.
GitHub is not alone, as DDoS attacks have grown in intensity and become more sophisticated. Since 2017, businesses in the Asia-Pacific (APAC) region started to experience DDoS attacks at almost the same rate as North American businesses, which have traditionally been the most targeted, said Shahnawaz Backer, security specialist for APAC at F5 Networks, based on F5’s data.
And ASEAN organisations are not standing still. The DDoS market in ASEAN has seen significant growth, accounting for 20% of the APAC market, according to Frost & Sullivan.
A growing number of enterprises are investing in DDoS solutions, especially cloud-based DDoS mitigation services, with a shift away from a service provider-centric market.
A DDoS attack is one of the most complex threats that businesses can face. The goal of the individual hacker, organised criminals or state actors is to overwhelm a company’s network, website or network component, such as a router. To begin with, organisations have to determine whether a spike in traffic is legitimate or is an attack.
“Without a solid understanding of baselines and historic traffic trends, organisations are unlikely to detect an attack until it is too late,” said Sherrel Roche, senior market analyst at IDC’s Asia-Pacific business and IT services research group.
Landbank, the largest government-owned bank in the Philippines, has taken the step of implementing F5’s BIG-IP local traffic manager to understand its application traffic and performance better, as well as to gain full visibility into customer data as it enters and leaves an application. This enables the security team to inspect, manage and report fraudulent transactions as soon they are spotted.
Complementing that is an on-premise application level layer 7 DDoS mitigation service to ensure mission-critical applications are protected against application-specific attacks.
It can be relatively simple to launch a DDoS attack with readily available DDoS-for-hire services, and even people with little or no technical skills can launch a damaging attack.
One such attack, which generated over 170Gbps of traffic, was organised over chatrooms on the Steam game distribution platform and internet relay chat (IRC), with many participating members using downloaded tools. These included a YouTube tutorial by a 12-year-old developer, said Fernando Serto, head of security technology and strategy at Akamai Technologies APAC.
“To implement multiple denial-of-service defence measures at different layers would go beyond purchasing a single security product or signing up with a single service provider”
Rajpreet Kaur, Gartner
Part of the challenge of DDoS is the complexity of such attacks. Not only are there several categories of attack method, but each category has a host of different attacks. The same target can also be attacked using several different attack vectors.
On top of that, some attacks can be hard to detect. One notable attack involved overwhelming the target’s domain name system (DNS) server through a series of bursts that lasted several minutes, instead of a sustained attack.
“This led to defender fatigue as these bursts of traffic were coming in over a long period of time, and detection, let alone mitigation, of these types of attacks becomes very difficult,” said Serto.
DDoS attacks are unlike other cyber attacks, where patches and locally installed security appliances can block an attack altogether. The defence calculus for denial of service is different because no organisation can prevent or block all DDoS attacks on its own, said Gartner senior analyst Rajpreet Kaur.
So the decision to invest in DDoS protection is also not an easy one. DDoS mitigation is an expensive investment, which organisations do not easily choose unless they or their competitors have suffered an attack.
“While multinational and global firms will invest, the cost may deter smaller, local firms,” said Kaur.
Also, IT infrastructure is getting more complex as enterprises move their applications and infrastructure to the cloud, requiring DDoS solutions to cater to different environments, said Frost & Sullivan network security senior industry analyst Vu Anh Tien.
Scrubbing clean
What GitHub relied on to counter the attack in February 2018 was scrubbing services, a common DDoS mitigation technique. Using this method, the traffic destined for a particular IP address range is redirected to datacentres, where the attack traffic is “scrubbed” or cleaned. Only clean traffic is then forwarded to the target destination.
Most DDoS scrubbing providers have three to seven scrubbing centres, typically distributed globally, said Gartner’s Kaur. Each centre consists of DDoS mitigation equipment and large amounts of bandwidth, which can be over 350Gbps, that feeds traffic to it. When customers are under attack, they “push the button” to redirect all traffic to the closest scrubbing centre to be cleaned.
Enterprise customers make use of scrubbing centres in two ways – one is to route traffic via the scrubbing centres around the clock, while others prefer to route traffic on demand when an attack occurs.
Given the complexity of security attacks and IT infrastructures, organisations are increasingly adopting hybrid models of protection, to protect against the broadest set of potential attack vectors. They often turn to an on-premise system that is the first line of defence, with the scrubbing centre stepping in when the on-premise technology is overwhelmed, said Backer.
IDC’s Roche added: “For bad traffic to be diverted to a scrubbing centre in a seamless action to reduce any downtime, organisations need to have seamless integration between cloud and on-premise solutions, implemented in front of an infrastructure’s network to help mitigate an attack before it reaches core network assets and data.”
Read more about distributed denial of service attacks in APAC
Only 17% of organisations in APAC are able to detect a DDoS attack in less than an hour, compared with 25% in the US and Europe.
Some of Asia’s largest and most connected economies are fast becoming hotspots for botnets that are being used to launch DDoS attacks.
The website of the Australian Bureau of Statistics taken offline following a DDoS attack.
While scrubbing centres are mostly used to protect infrastructure sitting in the customer’s environment, such as DNS servers, mail relays and other IP-based applications, organisations are also turning to content distribution network (CDN)-based DDoS mitigation services to protect web and mobile applications, as well as application programming interface (API) traffic of many internet of things (IoT) applications.
“A CDN-based approach will also protect applications against application layer attacks such as SQL injection, cross-site scripting and remote file inclusion, as well as credential abuse attacks using bots for automation,” said Akamai’s Serto.
Gartner’s Kaur said that although most scrubbing service providers offer strong DDoS mitigation capabilities, enterprises need to evaluate them based on the provider’s infrastructure capacity, service levels, experience and pricing.
“To implement multiple denial-of-service defence measures at different layers would go beyond purchasing a single security product or signing up with a single service provider,” said Kaur. “A comprehensive solution will need to consider cloud scrubbing centres, CDN, DNS protection, edge and application DDoS appliances.”
