DDoS: What to Expect Next Dan Holden of Arbor Networks on State of DDoS Attacks

The good news is: U.S. banks have learned valuable security lessons from defending against recent distributed-denial-of-service attacks. The bad news? DDoS has evolved into new and improved assaults.

Today's most effective attacks are against the application level, and that's a frightening development says Holden, director of ASERT at Arbor.

"If you really wanted to [launch] a really targeted DDoS attack, then application is probably your best bet," Holden says. "It's very, very effective, and it does not require tons of bandwidth or tons of capability. What it takes is a very focused and persistent attacker."

In an interview about the latest research on DDoS attacks, Holden discusses:

  • Size and length of latest attacks;
  • Lessons learned from a year of bank incidents;
  • Where DDoS fits in today's threat landscape.

Holden is director of ASERT for Arbor Networks Inc., a leading provider of network security and management solutions for enterprise and service provider networks, including the vast majority of the world's Internet service providers and many of the largest enterprise networks in use today. Arbor's proven network security and management solutions help grow and protect customer networks, businesses and brands.

DDoS Attack Size

TOM FIELD: Arbor has just released its latest DDoS attack trends report. I'm going to ask you a couple of questions about key findings. First of all, what can you tell us about the size of attacks that you've been reviewing?

DAN HOLDEN: It's certainly been a trend, especially Q3, that average attacks have gotten larger, which is a big change. The majority of your attacks over the Internet in general are small, related to gaming attacks or small websites. The average attack isn't all that large, but of the attacks that are over 20 gigs, those attacks have risen dramatically over the recent months, and that's been one of the big changes.

Overall, regardless of the size the attack, whether over 1 gig or up to 20 and larger, the trend has certainly been that the attacks are getting larger. Now, the Internet is getting larger as well. The bandwidth capability of both users and that of the attackers is going up. That's going to be a regional difference. Each region's infrastructure is going to be different, but I don't expect to see this trend go down anytime soon.

Length of Attack

FIELD: Attacks are getting larger. What can you tell us about the length of the attacks? If you put these two metrics together, what should we draw from that?

HOLDEN: In most cases, the attacks are actually under an hour. I think our statistic is about 87 percent of the attacks are under an hour. It all depends on the motive of the attack, if it's a gaming-type attack or a small website. Let me give you a couple quick examples. Extortion, for example, doesn't need to be a very long attack. All you're trying to do is prove a point and get money out of the victim. If you're trying to go after a very large website - say a financial institution, government, or it's related to hacktivism and there's an election going on - taking a site down for a longer period of time is far more important. It all depends on the motive of the attack.

In the case of DDoS services that are hired, many of them have five or ten-minute trials, where they can prove that the DDoS service is legitimate, good and actually works. I use legitimate loosely, of course. Those attacks only last a few minutes, then you think it's gone and then they do hire the service and it comes back. Most attacks are under an hour. It's just going to depend on your particular risk: how much you think you're at risk and what you're protecting. The motivation can be varied.

Lessons from Bank Attacks

FIELD: As we sit here today, the attacks that we've seen against U.S. banking institutions really have subsided. What lessons can we draw from the past year's experience of the four waves of attacks on banks?

HOLDEN: When discussing the U.S. financial attacks, I try and look on the bright side. If you compare us in October of 2013 to September of 2012 when they first hit, certainly the banks have better infrastructure and protection in place today than they did a year ago. That's the good part. Their ability to react and their ability to collaborate and communicate with their upstream ISP providers and defenders is far better. Their visibility into a lot of these attacks - especially from an on-premise standpoint, whether they're under attack and their ability to react quickly, is far, far better. You can look at those attacks and say they were terrible. What was it? Was it hacktivism or was it nation-state funded? There are lots of good questions and lots of good lessons learned. But at the end of the day, the financials are now considered extended critical infrastructure. From that standpoint, they're better defended today than they were a year ago, and that's in many cases what it takes with security, whether that's physical or related to the Internet.

That series of attacks really highlighted that the application level is definitely at risk. If you really wanted to have a targeted DDoS attack, application is probably your best bet. It's very, very effective, and it does not require tons of bandwidth or tons of capability. What it takes is a very focused and persistent attacker. The application is a big part, and I think the need for some on-premise visibility and protection has also been another lesson learned. If you need to defend against an attack quickly, that becomes more difficult when it's a cloud-based type of defense. I think that was one of the other issues that these series of attacks brought up.

Brobot: What's Next?

FIELD: One of the things I think about often is this huge botnet, the so-called Brobot that was developed to engineer these attacks. Now that the attacks on the banks are done, or at least have subsided, what becomes of this massive botnet?

HOLDEN: That's an excellent question and it remains to be seen. It still does exist; it's just a question of maintenance. They're certainly not growing it, but any number of things could happen, whether it's hacktivism or nation-state funded; it could be used for other purposes. One of the things that I questioned is whether it might be repurposed based on U.S. interaction and influence in Syria. Thankfully, that has not happened, but it could certainly be just lying in wait and they're looking for another chance to use it. Given the size of attacks, the longevity of the attacks and the fact that it still exists, [it could] certainly lead to the assumption that it's funded at some level. That could be by whomever or whatever group or organization. But I'd be somewhat surprised if we've seen the last of it. There was a sizeable investment in that. I imagine it's just like many other weapons stockpiled and put away for the time being, and if it needs to be brought out it can be.

Understanding the Attackers

FIELD: Based on your experience, what would you say we have learned about the attackers, and who potentially could be the next target of them?

HOLDEN: Historically, with Internet security it's generally been government and then finance. One is holding all the secrets and the other one is holding all the money. Those [have] always been the two places where attackers chase. The next vertical really seems to be more involved in the next aspect of our critical infrastructure. There's been a lot of attacks around infrastructure related to oil and gas. Generally, when that sort of thing comes up, you think SCADA. There are certainly lots of SCADA vulnerabilities in existence, but I don't think we've seen a huge level of attacks, although once you've got numerous vulnerabilities all sorts of things become more possible.

But that seems to be a vertical where there's more interest being gained. It's just going to be a question of what the reward for the attacker is and who that attacker is. Is there any ability for typical cybercrime to cough it up in that vertical? If not, then the risk is going to be quite different, and then you're thinking more nation-state or hacktivist; in other words, more politically motivated or movement-based.

I think it would be naïve of anyone, especially over the last four years, to think that those kinds of motivations are not certainly a big, big portion of the modern threat landscape. It's not all money-focused at this point. If it's not, I think that vertical is going to make it certainly more interesting to attackers, especially given the fact that their defenses are not going to be anywhere near as good as your government and finance. That might be one of the reasons why other verticals are chosen to be attacked. At this point, the defense and financial spaces are just much better defended. If you want a better ROI on your attack, looking at other verticals is certainly the easiest way to do that.

DDoS and the Threat Landscape

FIELD: You used an interesting term talking about the modern threat landscape. Give us a sense of how DDoS now fits into this threat landscape. It's something we didn't pay attention to for a number of years but sort of has come back with a vengeance. What's its place now?

HOLDEN: That's an excellent question. It's actually made defending against DDoS a bit more difficult. I think most people think of DDoS, they think of the original kind of attacks that we saw way back in the day from MafiaBoy. Then, throughout the mid-2000s it was all about cybercrime and botnets. What happened is that spamming became less profitable, and a lot of folks looked at repurposing those botnets, and DDoS was certainly an area that they looked at and could repurpose those botnets for. The big wake-up call for everyone was Anonymous initially attacked Scientology and Tom Cruise.

Then 2010 rolls around and you've got WikiLeaks and Operation Payback, and most CSOs and CISOs that I talk to really say that's when DDoS was reawakened for them. They really started paying attention, and DDoS really hit their radar.

There have been a couple big shifts. That was certainly a big one just showing that DDoS attacks do not have to be your typical botnet, but can be more of an opt-in, movement-based botnet where you're volunteering to be a part of something, the fact that DDoS can be used as a form of protest and as a tool for various movements in hacktivism.

The other two big ones in recent history that are really helping to define more of the modern threat landscape, especially as it pertains to DDoS, is the U.S. financial attacks, [which are] a very big deal. The Spamhaus attack is another example of massive bandwidth and an attack that many were not familiar with being used. DDoS is now pushing the boundaries in terms of what's capable and what most people's assumptions are. But it's also now a feature of the threat landscape.

Historically, most people think of DDoS as a network problem. It's a traffic problem; it's a plumbing problem, big pipe going into a small pipe. ... But the U.S. financial attacks definitely proved that, no, that's not necessarily the case. If you're focused and persistent, you can go after the application layer and it's very damaging and very successful. There are many attacks, many examples, where DDoS has been used alongside other attacks. We do see APT-related malware with DDoS features built into the tools.

More and more DDoS isn't used just as a distraction. It's really used in parallel with these attacks to make them more successful. The defenders are getting better and the attackers are looking to get the best ROI they can, regardless of what the motive is. DDoS is definitely reawakened, reenergized and whatever other term you want to throw at it. It's definitely here to stay, and it's only getting worse.

Steps to Prepare

FIELD: Here's one final question for you that really builds upon that answer. The attacks have morphed; you see the target shifting. How should organizations in any sector be assessing their DDoS preparation right now?

HOLDEN: That's a great question, and I look at DDoS the same way as I look at defending any of your assets. You've got to look at what your particular risk is. One of the most dangerous things you can do is follow the herd. There are definitely best practices when it comes to defending against DDoS; that's absolutely true. But when you just blindly say things like best practices or defense in-depth, those terms [aren't] necessarily ... related to compliance. Those aren't raising the bar. Those are where everybody else already is.

You can't just follow everyone else. I think you've really got to judge your specific environment. Organizations are just like people; they're all different. What you're defending is going to be different than another vertical or even a competitor. Judging what you're defending against is important.

The other thing to think about with DDoS is to get out of an IT mindset and into more of a business asset type of mentality. What I mean by that, is in the old days, we would walk through a server room and one server would be labeled with "www," and that was your web server. That was a long time ago, but that mentality is kind of still with us. When you think about protecting something, a lot of people still think in terms of IT assets, not the data the business assets. It's important to realize that if you're protecting a website, for instance, that website is a lot of various pieces. It's your bandwidth and your service coming in from your ISP; it's all of your perimeter and edge technologies, which are potential bottlenecks; it's the server, of course, but it's also the application. You have lots of different areas of potential weakness, different areas that could become bottlenecks.

What you have to think of is, I've got six or eight different aspects that really comprise this business asset. How am I going to protect that, rather than just looking at it as, "How do I protect this box or how do I protect the network?" That outlook is perpetualized because it's various responsibilities within the organization. But at the higher levels, you've really got to look at it as a business problem and you've got to judge the risk based on the risks of the business rather than to just the network or the particular IT asset. That would be my initial guidance on just how to think about it.

Around the Network