October saw vulnerable Internet of Things devices used in a massive Distributed Denial of Service attack targeted towards DNS-provider Dyn.
The recent Dyn attack was massive, but most DDoS attacks don’t make the news. There’s been a 125% increase in the number of attacks since 2015, which itself saw an over-100% increase on the year before. Just because they aren’t 500gb in size doesn’t mean these lesser-known attacks are any less problematic to organizations.
“The problem that we have is that so many people, and so many organizations, and so many vendors, focus on the size of an attack. That's wrong, you shouldn't,” says Steve Mulhearn, Director Enhanced Technologies UKI & DACH at Fortinet. “You should focus on whether the attack was successful, because that's the important bit.”
Visibility & behaviour
Not a particular fan of the term DDoS, Mulhearn says we should call it what it really is: resource exhaustion.
“The problem that most organizations have is they don't actually have visibility of behaviour,” he says. “They have this resource exhaustion but they don't understand what the normal behaviour looks like.
“80% of DDoS detection is visibility. It's understanding what is normal; seeing change, identifying it, and if the service becomes threatened, then taking some mitigation against it.”
“If I see a change in behaviour, do I automatically start blocking or mitigating? No, of course I don't. But if you can monitor behaviour down to a finite level, that's a great indicator. Then you can start to do predictive analysis.”
Better planning ahead of time is one part of the equation; ensuring greater capacity ahead of a new product release where you expect a rush is simple common sense. Although he labels it “draconian”, Mulhearn suggests geo-blocking makes sense in certain situations; he uses the example of a local lottery company being overloaded with traffic from halfway around the world that clearly has no purpose being there. In such a scenario, geo-blocking seems like something that could help mitigate attacks.
“Identify your critical resources, critical assets,” he suggests. “An online trading system that costs you a million dollars a minute vs an internal vacation booking system, they haven't got the same levels of criticality. Identify your critical services, focus on them first.”
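The approach Mulhearn describes above, learning what normal looks like, flagging a change in behaviour, and ranking what gets attention by how critical the service is, can be sketched in a few dozen lines. The following is an added example and is not code from the article or from Fortinet; it assumes a constructed per-minute log format (`minute,service,requests`), a constructed criticality ranking modelled on the trading-system versus vacation-booking contrast, and a z-score threshold that is a tunable assumption rather than anything the article specifies. A finding here is an indicator for an analyst or a mitigation workflow, not an automatic block, which matches the point that a change in behaviour alone does not justify blocking.

```python
"""Behaviour-baseline detection for resource exhaustion (added example).

Assumptions, not from the article: a per-minute request log with the
fields minute,service,requests; a baseline learned from a quiet window;
findings are indicators for a human or a mitigation workflow, never an
automatic block.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed criticality ranking (higher = more critical).
CRITICALITY = {"trading-api": 3, "vacation-booking": 1}

# Constructed quiet window: ten minutes of normal traffic per service.
BASELINE_LOG = """\
minute,service,requests
1,trading-api,100
1,vacation-booking,10
2,trading-api,102
2,vacation-booking,12
3,trading-api,98
3,vacation-booking,9
4,trading-api,101
4,vacation-booking,11
5,trading-api,99
5,vacation-booking,10
6,trading-api,100
6,vacation-booking,10
7,trading-api,103
7,vacation-booking,8
8,trading-api,97
8,vacation-booking,10
9,trading-api,100
9,vacation-booking,12
10,trading-api,100
10,vacation-booking,8
"""

# Constructed live window: minute 11 is an ordinary fluctuation, minutes
# 12-13 show the trading API's rate jumping, the booking tool spikes once,
# and one service has no baseline at all.
LIVE_LOG = """\
minute,service,requests
11,trading-api,104
11,vacation-booking,11
12,trading-api,450
12,vacation-booking,10
13,trading-api,600
13,vacation-booking,30
13,unknown-svc,5
"""


def parse_log(text):
    """Parse the constructed CSV into (minute, service, requests) tuples."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip header
        minute, service, requests = line.split(",")
        rows.append((int(minute), service, int(requests)))
    return rows


def learn_baseline(rows):
    """Per-service mean and population std dev of requests per minute."""
    per_service = defaultdict(list)
    for _, service, requests in rows:
        per_service[service].append(requests)
    return {s: (mean(v), pstdev(v)) for s, v in per_service.items()}


def score(rows, baseline, k=3.0):
    """Flag minutes whose rate sits more than k std devs above normal.

    Services without a baseline are skipped: with no notion of normal
    there is nothing to compare against (visibility comes first).
    """
    findings = []
    for minute, service, requests in rows:
        if service not in baseline:
            continue
        mu, sigma = baseline[service]
        sigma = max(sigma, 1.0)  # floor so a flat baseline cannot divide by ~0
        z = (requests - mu) / sigma
        if z > k:
            findings.append({"minute": minute, "service": service,
                             "requests": requests, "z": z})
    return findings


def prioritise(findings):
    """Order findings by service criticality, then by size of deviation."""
    return sorted(findings,
                  key=lambda f: (-CRITICALITY.get(f["service"], 0), -f["z"]))


def sustained(findings, n=2):
    """Services flagged in at least n consecutive minutes.

    A single anomalous minute is a signal to watch; a sustained one is
    the kind of change worth escalating to mitigation.
    """
    by_service = defaultdict(set)
    for f in findings:
        by_service[f["service"]].add(f["minute"])
    result = set()
    for service, minutes in by_service.items():
        ordered = sorted(minutes)
        run = 1
        if n <= 1 and ordered:
            result.add(service)
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= n:
                result.add(service)
                break
    return result


if __name__ == "__main__":
    baseline = learn_baseline(parse_log(BASELINE_LOG))
    found = score(parse_log(LIVE_LOG), baseline)
    for f in prioritise(found):
        print(f"minute {f['minute']:>3} {f['service']:<17} "
              f"{f['requests']:>5} req/min  z={f['z']:.1f}")
    print("sustained:", sorted(sustained(found)))
```

Run as a script, it prints the trading API's two flagged minutes first (higher criticality), the booking tool's single spike last, and reports only the trading API as sustained. The booking spike never becomes more than an indicator, and the service with no baseline produces nothing, which is the visibility gap the interview is pointing at.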
It don’t matter if it’s black or white
Beyond better technology, DDoS protection is a very different problem from the ‘black and white’ of traditional security and requires something of a rethink in approach.
“So many people take the view of trying to protect everybody from everything. Don't. You're doomed to fail. What we're used to dealing with [in security] is if it's bad, I block it. If he's doing bad things, stop him. But you can't do that with DDoS because you can't tell [what's good or bad traffic].”
“It's not easy because I’m not dealing with black and white. I’m not dealing with good and bad. I’m actually dealing with very grey and shady. You almost have to ask people: ‘Is it better that most of the people have some service, or all of them to have none?’ Your goal is not to stop bad traffic. Your goal is to keep the service available.”
“Some of the cleverest guys I’ve ever worked with on DDoS used to be bad guys and are now good guys. They're very clever, they have adaptive tools that will attempt to circumvent any protection method we put in place,” Mulhearn explains. “But there's one thing that’s in common with every single DDoS attack that's ever happened. You know what that is? A change in behaviour.”
Phil Muncaster reports on China and beyond