DDoS: The New, Hybrid SolutionNeustar's Bryant Rump on This Next-Gen Approach
In 2013, attackers proved that sophisticated DDoS attacks could be launched as effective disruptions and distractions. What are the evolving solutions that now help organizations mitigate these strikes?
Bryant Rump, senior solutions engineer at Neustar, has spent years tracking the evolution of distributed-denial-of-service attacks such as we saw against U.S. financial institutions in 2012 and 2013.
He also has watched the corresponding evolution of DDoS solutions - from product add-ons to what he describes as "purpose-built" DDoS mitigation appliances from his company and others in the marketplace.
But now he's seeing the emergence of a hybrid solution that he finds most effective in addressing today's multi-layered attacks.
"There's an even newer breed of DDoS mitigation appliance that allows that local hardware device to communicate upstream with cloud-based DDoS mitigation gear, and communicate its state and its availability to those upstream devices," Rump says.
In other words, the organization experiencing DDoS can attempt to mitigate the attack locally, bringing in heavier artillery via the cloud, only if necessary. It's an approach that has been embraced by financial services organizations, Rump says.
"This type of solution may only fit some risk profiles," he adds, "but it's definitely a great solution for higher-risk type companies."
In an interview about the evolving DDoS solution, Bryant discusses:
- How DDoS solutions must vary to meet the needs of different-sized organizations;
- What to look for in an effective DDoS solution;
- DDoS trends to watch in 2014.
Rump has over 15 years of experience presenting IP technology and products/services to Fortune 50 customers, sales executives and other engineers. He has provided IT and IP technology consulting to both commercial and federal markets at Booz Allen Hamilton and EDS. He has gained valuable experience at several large service providers such as UUNET and Level 3 supporting security-related services and MPLS VPN. At Neustar for the past three years, Rump has specialized in DDoS mitigation as a subject matter expert in external performance monitoring.
DDoS: The Next-Generation Solution
TOM FIELD: Why don't you tell us just a bit about yourself and your expertise?
BRYANT RUMP: I really spent the beginning years of my career as a government contractor for companies like Booz Allen and EDS, performing work on various federal contracts, intelligence agencies and defense contractors. But I really spent the majority of my career at Chair 1 ISP supporting MPLS VPNs, manage firewalls, and other WAN solutions. The past four years has really been tightly focused on DDoS mitigation solutions.
FIELD: What are some of the types of solutions that have developed, one as hardware and two, in the Cloud?
RUMP: Lots of companies who have perimeter security deployed and DDoS attacks sort of uniquely take advantage of the bottlenecks that these traditional premier security devices create. We've seen in the past couple of years the introduction to the market of those traditional security devices, firewalls and IPS with add-on DDoS mitigation capabilities. That is marginally helpful, but what has been much more helpful towards the purpose of mitigating DDoS attacks is the emergence of purpose-built DDoS mitigation appliances like Arbor, Corero and Radware. There is an even newer breed of DDoS mitigation appliance that allows that local hardware device to communicate upstream with cloud-based DDoS mitigation gear, and communicate its state and availability to those upstream devices.
Also, to basically be able to address all the different risk profiles and threat profiles out there, and to address the growing bandwidth being used in DDoS attacks, there has certainly been a large explosion in cloud-based DDoS mitigation services. There are a number of different flavors there, from on-demand service, where it is only activated during a DDoS attack, to an always-on type service where the traffic is constantly being routed through the DDoS mitigation platform. That platform is always sitting in the middle of legitimate traffic even during sunny day circumstances. We've also seen DDoS mitigation being used as an add-on to CBN services or application acceleration services.
Emerging Hybrid Solution
FIELD: What can you tell us about the emerging hybrid solution?
RUMP: Well, I've seen working hybrid solutions neatly fit into the traditional security-in-depth, tried-and-true paradigm in security. It's already being embraced by the most frequently targeted vertical in DDoS attacks, the financial institutions. I talked to a lot of different financial institutions from the largest four or five banks, to brokerage houses, to mom and pop credit unions, and it is clear that the larger ones have certainly embraced the hybrid approach. In that approach, you can mitigate application layer attacks or small volumetric, and fill the pipe-style attacks locally. It's really enhanced the control, avoids the latency and hassle of redirecting when possible, and you redirect to a cloud-based DDoS mitigation platform when the attack becomes too large or too complex to handle locally. That allows the banks and any other really vertical, or market that is really concerned about the privacy of their information, to mitigate a lot of attacks locally, and do deep-packet inspections for application layer attacks. They don't have to give out their encryption keys to a third-party if they have that local appliance. This type of solution may only fit some risk profiles, but it's definitely a great solution for higher risk type companies and those verticals.
Unique Threat Profiles
FIELD: How should DDoS solutions differ to meet the needs of different-sized organizations and their unique threat profiles?
RUMP: It's not one-size fits all. I really vary in what I recommend obviously according to the customer I'm talking to. You can't just have one standard solution you go to market with. It's got to shift with the attack history, the customer you're talking to, what size company they are, what vertical they're in. That all plays into their threat profile and what the risk is, and also what risk they realize that they have. If they have a history of being attacked, they are more willing to proactively prepare and perhaps have already assigned a budget to the solution. Whereas some companies think they are in the clear, because they haven't been attacked yet, and it may be harder for their IT department or their security group to get the budget to really be able to proactively set up a solution. But, we're able to really address the low risk and the high risk type customers by either offering an on-demand cloud-based type solution or an on-premise solution, or a combination of the two.
FIELD: What are the key benefits that an organization should look for in an appropriate DDoS solution?
RUMP: That's a really good question because it is certainly a growing marketplace, the DDoS mitigation space. It's being offered as an add-on for a lot of companies, and you have to look at the focus of the company. Is it a stable organization, do they have a history in the DDoS migration space, have they been afraid to grow and fund their platform, are their personnel experienced? Where do they draw their personnel from; are those personnel available to you as a customer if you signed up with them? Are you able to speak to knowledgeable personnel, or are you stuck talking to their generic support department? Those are really important things. Also, the ability to provide visibility into actual DDoS attacks when they happen and the quality of postmortem-type incident reporting that they provide.
Not Yet Attacked
FIELD: For organizations that have not yet suffered DDoS attacks, what is your advice on how they should prepare?
RUMP: Well it's certainly important to have a plan, at least an on-demand option preconfigured. The worst circumstance to be in is being either under attack or under immediate threat of attack. Maybe you get some advanced warning that you're about to be attacked and you're scrambling to find the right provider, and are left in a very bad negotiating place if you have to find them at the last minute. So you want to know where all your most at-risk resources are, and at least make sure you have those protected. Lots of times customers will have resources that are both at main datacenter and they may have some small micro-sites sitting out in the cloud at different places, and there are some DDoS mitigation solutions that will cover both the resources sitting in main datacenters at small branch offices, as well as some resources sitting out maybe in the scalable cloud-based environment.
FIELD: For organizations that have been DDoS victims, what are the lessons that they should have learned and already applied?
RUMP: When you're just preparing proactively and you've never experienced a DDoS attack, obviously a less-expensive solution looks very attractive, especially if it's from a known vendor. You are going to believe the promises they make. Once you've seen or had a chance to see that actual DDoS mitigation provider perform under attack, you'll see that either they do a really good job, or they end up dropping a lot of your legitimate traffic, they don't provide you very timely updates to what's going on, and they don't provide a very good post-incident analysis. Those are the types of things that you learn. Also, you obviously are going to be aware of resources you didn't even know that you had, so take stock of where all your resources are sitting that could potentially be the target of an attack. Also make sure the type of DDoS mitigation provider you select is able to protect resources scattered across multiple datacenters, multiple branch offices and different cloud-based resources of CDNs.
Trends for 2014FIELD: As we look into 2014, what are the DDoS trends that you're tracking and are most interested in?
We've seen a re-emergence a DNS reflection attacks, basically spoofing the IT address of someone requesting information and then having the actual target be flooded with the DNS response. But what we've seen in the past month or so is use of the network timing protocol being used in application attacks where, essentially, NTP servers running an old version of NTP are vulnerable to certain commands being issued to them from a spoofed IT address. The response is amplified or much larger than the request. That is the new version of a DNS reflection attack; it uses NTP to do something similar. We've seen that on a number of our customers recently.