How Best to Respond to DDoS Attacks
NIST Expert Offers Strategies to Defend Your Organization
The recent wave of DDoS attacks against top U.S. banks is a wake-up call for organizations that are ill-prepared to fight against such an attack, says Matthew Scholl, deputy chief of the National Institute of Standards and Technology's computer security division.
Scholl, in an interview with Information Security Media Group's Eric Chabrow [transcript below], says an organization's defense against distributed denial-of-service attacks begins at its borders.
"The technologies at your borders should be and usually are configured to look for some of the generic-type DDoS attack signatures," he says.
Scholl characterizes a DDoS attack as a back-and-forth game to see who can flood who faster and who gets shut down quicker. "There are fail-over technologies with the use now of virtual networking and dynamic networks," he says. "There are lots of things that can be done on dynamic addressing to help move yourself out from under the attack."
Organizations should also coordinate with their local Internet service provider, "who can also help you with that traffic of volume," Scholl says.
In the interview, Scholl explains:
- Why recent DDoS attacks against banks may not be as dire as they appear [see Bank Attacks: What Have We Learned?].
- How the migration to IPv6 could help organizations defend against DDoS attacks.
- Types of guidance NIST offers that could help organizations develop plans to handle DDoS attacks.
Scholl says DDoS attacks won't vanish anytime soon, but believes a government-industry partnership could help diminish the impact of these digital assaults. "That's going to be the solution to try to both enable us to defend against it on the organizational side and remove the capability of it at the threat side," he says.
Defending against DDoS Attacks
ERIC CHABROW: Why does it seem that DDoS attacks are so difficult to defend, even if there's warning ahead of time that they're coming, as is the case with some of these banks?
MATTHEW SCHOLL: A DDoS attack is a difficult one to defend against for a lot of different reasons. First of all, the attack mounts and is spawned external to an organization. The attack is going to spin up, it's going to be launched and the assault will come from outside of your perimeter. Even if you potentially do have visibility of the attack coming, which most do not, there's not a lot you can realistically do about it until it crashes on your front door.
The second issue is, through the prevalence of the botnets, it's an easy attack to launch and it's a semi-easy attack to launch from multiple locations. All those factors make it a difficult type of attack to ensure that you maintain your availability of your systems against. That being said, it's not a new type of attack, and a lot of the current technologies that are deployed around perimeters - borders, routers and firewalls - are configured these days to look for the signatures of the DDoS and then to natively combat it. The hope for this case is there are lots of technologies available to help against DDoS attacks, but it's an easy one to launch and a hard one to spot.
Overwhelming Nature of Attacks
CHABROW: When you talk about technology that could combat that natively, one would assume that the financial services industry is way ahead of a lot of other industries. Why do you think they're successful? Is it just that it's overwhelming and, regardless of what you do, it's hard to defend?
SCHOLL: It's overwhelming. That's the intent of the DDoS attack, to overwhelm. Whether or not those attacks have been successful against the current targets, I think, is a matter of debate. Some of those financial institutions may have been down for a little bit, but no one is out for the count. Many have had services come back online. A lot of the dynamic nature of networks now on the organizational side has allowed for a more flexible Internet presence to allow that to happen. A large-scale distributed denial-of-service attack may knock an organization down for a day or a weekend, but we have yet to see if it actually takes someone off-line or actually crushes their infrastructure, for a couple of different reasons. It's the constant back-and-forth game between those who are trying to provide the services and those who are trying to take them down.
CHABROW: Being down for a few hours, or a day or so, may not be a worst-case scenario, although obviously it's very disruptive to the business and its reputation in cases like that. You're saying the defenses are basically working.
SCHOLL: Yeah. I work at NIST and we like to quantify things as much as we can, so terms like "working," "success" or "failure" are difficult to quantify. As you said, down for a weekend means different things at different businesses. A couple of years ago, there was a large DDoS attack against eBay. Now you take eBay down for an hour, the economic impact of that is different to eBay than it is if you take a mobile banking site down for a day, and I'm not sure exactly where those two line up, but I'm pretty sure that the financial impacts to those institutions are different because of their dependencies on that web presence for their customers.
As such, those different organizations then look at the need for their systems to be available and then prioritize their defenses against DDoS. A technology that has been extraordinarily interesting in the DDoS arena is the use of cloud technology, cloud web services. You're not necessarily completely dependent upon your physical infrastructure that you own to scale up and be able to stay on pace with a denial-of-service attack coming, but you have an entire cloud infrastructure that you can spin up and provision to keep pace with the scale of the attack.
Then, when the attack subsides, you can drop that infrastructure back down again and just pay for that service that you needed as the attack occurs. We've seen the use of the cloud and the elasticity and the dynamic nature of cloud technology to be something that's kind of changing the economics of a DDoS attack.
CHABROW: You have the security concerns with the cloud. When you were talking about the cloud, in the case of institutions like banking where you have sensitive information - money being a form of information involved - I guess there still could be private clouds or other kinds of secure environments where these can be used as back-up systems, or maybe eventually the systems themselves.
SCHOLL: Be that private clouds, public clouds or hybrid, those decisions on which cloud to use would be driven by the risk tolerance of that organization and what kind of data or services they're going to be using with that cloud provider.
CHABROW: If there were an unlimited number of servers an organization could use, would that be a way to just defend against it? I mean it may not be very practical, but is that basically a defense?
SCHOLL: It starts off at your borders. The technologies at your borders should be and usually are configured to look for some of the generic-type DDoS attack signatures. A half-open TCP connection is one of the classic signatures, and often your border routers, your servers and your DMZs are configured to close those connections on your side after an "x" amount of time to allow additional ports to stay open, so that the attackers are trying to use up all of your resources and you, on your side, are trying to close those requests as fast as you can when you see that signature then not being used.
That being said, it's a back-and-forth game, who can flood faster and who can shut down quicker. There are fail-over technologies with the use now of virtual networking and dynamic networks. There are lots of things that can be done on dynamic addressing to help move yourself out from under the attack. There are a lot of technologies that are very legacy but are very commercially available, as well as some new ones that are being commercially used that can really help with a DDoS attack.
The other thing is, especially in the commercial organizations, there's a significant amount of consideration and cooperation with your local carrier who can also help you with that traffic of volume if you've got that kind of relationship, be it ad hoc or contractual with your ISP.
CHABROW: There are some structural things on the Internet happening - the move to IPv6, new domain-naming systems coming on board. Can they play a role at all in defending against these kinds of attacks?
SCHOLL: I believe they can, but for sometimes indirect or tertiary reasons. With IPv6 you now have globally reachable IPs so that every endpoint can have its own IP address that's routable. Therefore, you can have a lot more understanding of where the specific individual traffic is coming from, which makes it easier then, if you need to, to shut off the reception of those specific IP addresses or blocks of addresses, rather than just getting a flood of a large amount of traffic out of somewhere and not really being sure where exactly it's coming from. That can potentially allow for the identification of where the botnets exist, because that's hard. Most, but not all, of the DDoS attacks occur in a structure where there are compromised machines that are executed by a controller. My machine here at home, your machine in your office and my mother's machine at her beach house get a virus, and that virus is intended to use that machine as a launch point, as one of the many distributed attack points for the distributed surface. IPv6 can also help identify and mitigate where those machines are that have those viruses and potentially alert those people.
DDoS Attack Guidance
CHABROW: What kind of guidance does NIST provide on DDoS attacks?
SCHOLL: NIST has been looking at different attack classes and attack vectors for quite some time, and we've got a bunch of different guidance on how an organization can defend itself against a DDoS attack, starting with a mature, repeatable and understandable risk management process so that an organization can identify if the availability of their IT and information is critical to them achieving their business goals.
Underneath that will be a suite of specific security controls that you should consider in order to maintain that type of availability: use of virtualization, segmenting your networks, redundancy, fail over, a contingency plan, consideration of operation under compromise. NIST has put out some guidance on assisting organizations on how to use cloud technologies, which can also be helpful as an architecture that an organization might want to consider should availability become a key consideration for them.
In the malware space, because the launch points of this really come from malware infestations, NIST has a series of documents on malware prevention, malware identification and incident response in order to clean up malware. The other thing NIST has done, working jointly with the Department of Commerce, our brother agency, is to initiate a significant dialogue with industry and the carriers on the problems of the botnets, and last year we issued a green paper with the Department of Commerce to engage with industry and the ISPs on how we can collectively have a public/private partnership, where government and industry come together voluntarily to work in reducing the botnet threat. Last year, NIST held a workshop on strategies for botnet reductions, and then we're going to continue to look at specifically how we can address botnets out in the infrastructures.
CHABROW: Is a part of the solution more regulation, or is this really not something that can be regulated when it comes to DDoS attacks?
SCHOLL: I'm a technology guy, so I've never been overly optimistic of the use of regulation in solving a technology issue. Regulation can facilitate and assist in removing some barriers to adoption or in ensuring coordination. I'm not necessarily convinced that regulation will solve it. I think that NIST's approach is to work in an open consensus manner to work, whenever possible, in the industry-led standards development organizations to see what can be done in those industry standards developing organizations to help us address these things. We would prefer to work with U.S. industry and organizations like the Internet Engineering Task Force [IETF] or the International Organization for Standards [ISO] or these standards bodies that generate the interoperable and security standards for communications on the Internet. That's how we would prefer to address this.
This is a recurring issue. We've seen DDoS attacks before and we're probably going to see them again. Working together, a public/private partnership, government, industry, carriers and the public, is going to be the solution to try to both enable us to defend against it on the organizational side and remove the capabilities of it at the threat side.
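Added example, not from the interview or from NIST: a small Python simulation of the half-open TCP connection defense Scholl describes, in which the server side closes SYN entries that have waited longer than a fixed time and flags a source that piles up too many of them. The timeout, the per-source limit, the addresses and the event trace are constructed assumptions for the demonstration.

```python
import re
HALF_OPEN_TIMEOUT = 3.0  # seconds to wait for the handshake's final ACK (assumed value)
PER_SOURCE_LIMIT = 20    # half-open entries one source may hold before it is flagged (assumed)

class HalfOpenTable:
    def __init__(self, timeout=HALF_OPEN_TIMEOUT, limit=PER_SOURCE_LIMIT):
        self.timeout, self.limit = timeout, limit
        self.pending = {}      # (src_ip, src_port) -> time the SYN arrived
        self.established = 0   # handshakes completed in time
        self.reaped = 0        # half-open entries closed for waiting too long
        self.flagged = set()   # sources that exceeded the per-source limit

    def reap(self, now):
        """Close every half-open entry that has waited longer than the timeout."""
        stale = [k for k, t0 in self.pending.items() if now - t0 > self.timeout]
        for k in stale:
            del self.pending[k]
        self.reaped += len(stale)
        return len(stale)

    def on_syn(self, ip, port, now):
        self.reap(now)  # free resources before taking a new entry
        self.pending[(ip, port)] = now
        if sum(1 for src, _ in self.pending if src == ip) > self.limit:
            self.flagged.add(ip)

    def on_ack(self, ip, port, now):
        """Complete the handshake only if its SYN entry is still within the timeout."""
        self.reap(now)
        if self.pending.pop((ip, port), None) is None:
            return False  # unknown, or already aged out and closed
        self.established += 1
        return True

EVENT_RE = re.compile(r"t=(\S+) (SYN|ACK) (\S+):(\d+)$")
def replay(lines, table=None):
    """Feed constructed 't=<sec> SYN|ACK <ip>:<port>' events through a table."""
    table = HalfOpenTable() if table is None else table
    for line in lines:
        t, kind, ip, port = EVENT_RE.match(line).groups()
        (table.on_syn if kind == "SYN" else table.on_ack)(ip, int(port), float(t))
    return table

# Constructed trace: a legitimate client, a 25-SYN flood from one source that never completes
# a handshake, a client served after the flood ages out, and a client whose ACK comes too late.
SAMPLE_EVENTS = (
    ["t=0.0 SYN 198.51.100.7:40001", "t=0.2 ACK 198.51.100.7:40001"]
    + [f"t={1.0 + i / 100:.2f} SYN 203.0.113.9:{50000 + i}" for i in range(25)]
    + ["t=5.0 SYN 198.51.100.8:40002", "t=5.1 ACK 198.51.100.8:40002",
       "t=6.0 SYN 198.51.100.9:40003", "t=10.0 ACK 198.51.100.9:40003"]
)
```

Replaying `SAMPLE_EVENTS` completes two handshakes, reaps all 25 flood entries plus the late client's entry, and flags 203.0.113.9 as the only source over the limit.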