Unprotected enterprises are at serious risk
Last year saw a spate of a high-profile DDoS attacks on UK organisations, including the Home Office, BBC and HSBC. Now, more than ever, DDoS is a very real threat â€“ and not only to high-profile government organisations and financial institutions. Any business is prone to attack, no matter how big the company is, or what industry it operates within. There are many motivations for DDoS attacks, including political ideology, competitive rivalry and extortion. This means that any enterprise operating online (which applies to just about any type and size of business operating in the UK) can fall victim because of who they are, what they sell, who they partner with or for any other real or perceived affiliations. Nobody is immune.
Arbor Networksâ€™ WorldWide Infrastructure Report 2012, published last month, shows that nearly half of respondents suffered attacks targeted at their Internet data centers during the survey period. 94% of these recipients are seeing DDoS attacks regularly. As more companies move their services to the cloud, they have to be aware of the risks and the potential for collateral damage. With e-commerce and online gaming sites being the most common targets, according to survey results this year, sharing data centres with these organisations brings some risk.
What is particularly concerning is that enterprises are under the impression that they are actually protected by their existing firewalls and Intrusion Protection Systems (IPS). However, while these products play an important part of an organisationâ€™s defence strategy, they lack a vital capability. They do not protect against availability of services. And furthermore, these products themselves are often the target of DDoS attacks.
Data centre operators need to understand that availability of services begins with security. If your data centre is not available, network integrity and confidentiality will get you nowhere - because it will not help your customers, business or your brand.
Existing devices are failing
IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, and are designed to solve specific security problems, but they do not detect or mitigate against DDoS. They effectively address network integrity and confidentiality, but they fail to address a fundamental focal point of DDoS attacks â€“ network availability. Adding to the security threat, IPS devices and firewalls maintain state information for every session established between a client on the Internet and the corresponding server in the data centre, which means they are vulnerable to DDoS attacks and often become the target themselves, serving as chokepoints.
When it comes to protection against DDoS, many enterprises and data centre operators have been lulled into a false sense of security. They think they have secured their services against attacks by deploying IPS devices or firewalls in front of their servers. In reality, such deployments can actually expose these organisations to service outages â€“ which have a direct impact on customer satisfaction and therefore, revenue. Typical users of data centre and cloud services expect on-demand services. When business critical services are not available, enterprises and data centre operators can lose millions of pounds and potentially damage important customer and partner relationships. Availability of services is critical and can pose a major barrier to cloud adoption.
The attack landscape
Attackers see high-profile applications in shared Cloud Data Centres as an attractive target for criminal activity. Arborâ€™s WorldWide Infrastructure Report shows that 83.3% of respondents saw between 1 and 50 attacks per month. Also, while the use of firewalls has increased since last year - 35% saw their firewalls fail at protecting against DDoS attacks during the survey period.
Furthermore, the survey showed that while attack sizes have plateaued, they have become more complex. The largest attack reported was 60 Gbps, which is the same as in 2011. However, 46% reported multi-vector attacks â€“ meaning that they are becoming much more complex. Attackers have now turned to sophisticated, long-lived, multi-vector attacks â€“ combinations of attack vectors designed to cut through the defences an organisation has in place â€“ to achieve their goals. Multi-vector attacks are the most difficult to defend against and require layered defences for successful mitigation. The recent attacks on financial institutions are strong examples of multi-vector attacks.
Hackers love cloud infrastructures because they involve a small number of service providers who are responsible for delivering, distributing and hosting a large amount of content. This allows their attack to create the collateral damage effect. If they attack one of the providers or anyone who is operating on a shared infrastructure of that provider, it is possible for them to damage or negatively impact any number of consumers using that shared infrastructure. When one domain is attacked, those hundreds of thousands of domains can go off line or experience connectivity issues. The damage is not isolated or limited to a partitioned area. Attack one target and a million domains can be affected. The consequence is a staggering ripple effect.
On-premise threat mitigation
Visibility into DDoS botnets is an absolute necessity, especially when they are constantly changing and morphing to thwart detection. An on-premises availability protection system (APS) enables a layered defense strategy, which includes upstream ISPs and firewalls, to combat both volumetric and application-layer DDoS attacks.
An on-premise DDoS device can block advanced attacks, such as application layer DDoS attacks, using packet-based threat detection and multiple counter measures. These threat detection and counter measures detect and stop application layer DDoS attacks that are difficult to detect in the cloud. The on-premise DDoS device needs to provide visibility into critical IP services and applications running in the data centre such as HTTP, DNS, VoIP/SIP and SMTP traffic, With the correct visibility, the data centre can be protected from numerous types of attack, including TCP State Exhaustion, HTTP/Web Attacks, DNS Floods/Authentication Attacks, TCP SYN Floods, Spoofed/Non-Spoofed Attacks, UDP Floods and more.
Signs of intelligence
A strong, premise-based APS will provide immediate protection with zero downtime for the data centre and its services and applications. It also cannot have any lag time between detection and protection for all botnet threats. But it also should not be burdensome or cost-prohibitive and should not require in-house expertise or full time operators to truly realise all of its benefits.
Itâ€™s important for todayâ€™s cloud-based data centre to implement a multi-layered security solution that can simultaneously protect its network infrastructure, IP-based service sand data, as all of these are vulnerable to attacks or compromise. This multi-layered protection is the only to safeguard the data centre infrastructure, the applications and services and finally, the data that drives the business, the brand and the revenue. By working with vendors who connect the right pieces to the right parts of the puzzle, channel partners can support end-users by helping them protect themselves against the minefield of security threats that they face today.
By Jeremy Nicholls, European Channel Director â€“ Arbor Networks