INDUSTRY INSIGHTS
Source: docs.bankinfosecurity.com/files/whitepapers/pdf/799_VRSN... · 2015-04-19

Verisign | Industry Insights

APPROACHES TO DDoS PROTECTION
AN OVERVIEW ON KEEPING YOUR NETWORKS PROTECTED

Sean Leach
VICE PRESIDENT, TECHNOLOGY

Mr. Leach is responsible for technical and product strategy within Verisign’s network intelligence and availability business. Previously he was chief technology officer of name.com and served in other technology leadership roles at various domain and Internet infrastructure services companies. He is a sought-after subject matter expert in DDoS, DNS and cyber security, and his current research focus is on combating the massive online crime epidemic.

FOR MORE INFORMATION on Verisign’s managed DNS and DDoS protection services, visit: VerisignInc.com/NIA1

TO READ MORE from “Between the Dots”, Verisign’s blog, click on the blog button below.

VerisignInc.com

I speak about DDoS quite often these days. It is a topic everyone wants to know about, and yet so few people know much about it; it is one of those topics where good information is not readily available.

A quick refresher: a DDoS attack is a method an attacker uses to deny legitimate users access to an online service. This service could be a bank website, e-commerce site, SaaS application or any other type of network service. (Some attacks even target VoIP infrastructure.) The attacker uses a non-trivial amount of computing resources, either built themselves or, more commonly, obtained by compromising vulnerable PCs around the world, to send “bogus” traffic to a site. If the attacker sends enough traffic, legitimate users of the site can’t be serviced. For example, if a bank website can handle 10 people per second clicking the “Login” button, an attacker who sends 10 fake login requests per second consumes that entire capacity, and legitimate users can no longer log in. There are a multitude of reasons someone might want to shut a site down: extortion, activism, competitive brand damage and just plain old boredom. (Trust me, we have seen attacks due to that.)

DDoS attacks vary in both sophistication and size. An attacker can make a “fake” request look like random garbage on the network or, more troublesome, make the attack traffic look EXACTLY like a real user of the site. In addition, if the attacker has enough computing resources at their disposal, they can direct enough traffic to overwhelm the target’s bandwidth. (We have seen very large attacks against our own infrastructure and towards our customers.)

The simplest types of attacks are Layer 3 and 4 attacks (IP and TCP/UDP in the OSI stack). These simply flood the target’s network links and servers with packets until the connectivity is saturated and legitimate network traffic can no longer be processed. A more complex Layer 7 attack “simulates” a real user trying to use a web application: searching for content on the site, clicking the “add to cart” button, etc. Because each such request is well-formed, the server has to spend application resources answering it, so a Layer 7 attack needs far less bandwidth than a flood to exhaust the target, and it is much harder to tell apart from legitimate load.

Enterprises and providers of Web applications naturally want to protect themselves and their customers from these types of attacks. (Who wants their site to be inaccessible?) Currently, there are four main types of “protection” from DDoS attacks we’ll cover here:

• Do-it-yourself

• Specialized on-premises equipment

• Using your Internet Service Provider (ISP)

• Using a specialized cloud DDoS mitigation provider

DO-IT-YOURSELF

This is the simplest and least effective method. Generally someone writes some Python scripts that try to filter out the bad traffic, or an enterprise will try to use its existing firewall. (Firewalls are NOT built to withstand a DDoS attack.) This will protect you from only the smallest attacks. Back in the early 2000s, when attacks were pretty simple, this could work. But these days, attacks are far too large and complex for this type of protection. A firewall, which has to track state for every connection it sees, will melt quite quickly under the load of even a trivial attack.
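The per-source rate limit below is the sort of do-it-yourself filter the article has in mind, written as an added example for this page (it is not code from the article or from Verisign). It runs over constructed access-log lines in the common Apache/nginx format, using RFC 5737 documentation addresses and an assumed per-IP threshold and application capacity, and it shows both what such a script catches (one host hammering the login page) and what it misses (a botnet whose every member stays under the threshold while sending perfectly valid “add to cart” requests, the Layer 7 case described above).

```python
"""
DIY-style DDoS filtering over web-server access logs, and the case it misses.

Added example, not part of the original Verisign article. The log lines,
IP addresses (RFC 5737 documentation ranges), threshold and capacity are
constructed for illustration; the rate-limit-per-source rule is the kind of
"Python script that tries to filter out the bad traffic" the article describes.
"""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Combined-log style line: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(lines):
    """Yield (ip, unix_second, path) for each well-formed access-log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are ignored, not treated as attacks
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        yield m.group("ip"), int(ts.timestamp()), m.group("path")


def flag_sources(lines, per_ip_threshold):
    """DIY rule: block any source IP that exceeds per_ip_threshold requests in one second."""
    per_ip_second = Counter()
    for ip, second, _path in parse_log(lines):
        per_ip_second[(ip, second)] += 1
    return {ip for (ip, _s), n in per_ip_second.items() if n > per_ip_threshold}


def peak_endpoint_rate(lines):
    """Busiest single second per path (requests/second), regardless of source."""
    per_path_second = defaultdict(Counter)
    for _ip, second, path in parse_log(lines):
        per_path_second[path][second] += 1
    return {path: max(c.values()) for path, c in per_path_second.items()}


def make_lines(ips, path, requests_per_ip_per_second, seconds):
    """Constructed traffic: each ip sends N identical, well-formed requests per second."""
    base = datetime(2013, 6, 12, 12, 0, 0).strftime("%d/%b/%Y:%H:%M")
    out = []
    for s in range(seconds):
        for ip in ips:
            for _ in range(requests_per_ip_per_second):
                out.append(f'{ip} - - [{base}:{s:02d} +0000] "POST {path} HTTP/1.1" 200 512')
    return out


# Scenario 1: one source hammering the login page at 50 req/s. Per-IP limiting catches it.
SINGLE_SOURCE = make_lines(["198.51.100.7"], "/login", 50, 3)

# Scenario 2: 60 bots at 2 req/s each, every request a valid "add to cart".
# No single IP is anomalous, but the endpoint sees 120 req/s in aggregate.
BOTNET = [f"203.0.113.{i}" for i in range(1, 61)]
DISTRIBUTED = make_lines(BOTNET, "/cart/add", 2, 3)

PER_IP_THRESHOLD = 10      # assumed per-source limit a DIY script might use
CART_CAPACITY_RPS = 40     # assumed: what the app tier can actually serve per second


def diy_outcome(lines, threshold=PER_IP_THRESHOLD, capacity=CART_CAPACITY_RPS):
    """Return (blocked_ips, overloaded): what the per-IP filter blocks, and whether
    the traffic it lets through still exceeds the application's capacity."""
    blocked = flag_sources(lines, threshold)
    remaining = peak_endpoint_rate(l for l in lines if l.split()[0] not in blocked)
    overloaded = any(rate > capacity for rate in remaining.values())
    return blocked, overloaded


if __name__ == "__main__":
    print(diy_outcome(SINGLE_SOURCE))   # ({'198.51.100.7'}, False)
    print(diy_outcome(DISTRIBUTED))     # (set(), True)
```

The second scenario is why per-IP rules alone do not scale: the more widely the attack is distributed, the lower the threshold has to go before it bites, until it starts blocking real users. Nothing here helps against a volumetric flood either, since the script only sees packets that have already made it through the link.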

SPECIALIZED ON-PREMISES EQUIPMENT

This is similar to the do-it-yourself approach in that the enterprise does all the work to stop the attack, but instead of relying on scripts or an existing firewall (which quickly prove not to work), it purchases dedicated DDoS mitigation appliances and deploys them in its data center. These are specialized hardware devices that sit in the data center in front of the normal servers and routers and are built specifically to detect and filter malicious traffic. There are some fundamental problems with these devices:

1. They are very expensive CAPEX purchases that may sit idle until you get attacked. Not only that, they are expensive to operate. You need very skilled network and security engineers to run these devices; there is no magic “mitigate DDoS” button.

2. They must be constantly updated by your operations team to keep up with the latest threats. DDoS tactics change almost daily; it’s amazing how skilled the attackers are that we see on a regular basis. Your team must be prepared to constantly update these devices against the latest threats, and that’s only IF the vendor has been patching/updating the system to keep up.

3. They can’t handle volumetric attacks. Remember the “very large attacks” I mentioned? Do you have that much bandwidth coming into your data center? Probably not, and an appliance inside the data center can only filter what the upstream link delivers: once the attack exceeds your network capacity, the link is saturated before the traffic ever reaches the appliance, so the hardware does no good.

INTERNET SERVICE PROVIDER (ISP)

Some enterprises use their ISP (the same network provider they get their bandwidth from) to provide DDoS mitigation. These ISPs usually have more bandwidth than an enterprise would have, which can help with the large volumetric attacks, but there are three key problems with these services as well:

1. Lack of core competency: ISPs are in the business of selling bandwidth; they don’t always invest the required capital and resources to stay ahead of the latest DDoS threats. It can become a cost center to them, something they have to provide, so they do it as cheaply as possible. In the DDoS mitigation game, though, you have to constantly be on your toes: researching the latest threats, developing countermeasures, etc. This is NOT a service to do on the cheap, which unfortunately a lot of ISPs do.

2. Single-provider protection: Most enterprises today are multi-homed across two or more network providers to remove the single point of failure of a provider going down and taking your site with it. Having two providers is a best practice to maximize uptime. ISP DDoS mitigation solutions only protect their network links, not the other link you might also have, so now you need two DDoS mitigation services, from two different providers, doubling your cost.

3. No cloud protection: Similar to single-provider protection, a lot of Web applications these days are split between enterprise-owned data centers and cloud services like Amazon AWS, GoGrid, Rackspace, etc. ISPs can’t protect your traffic on these cloud services, because it never crosses their links.

CLOUD MITIGATION PROVIDER

Cloud mitigation providers are experts at providing DDoS mitigation from “the cloud.” This means they have built out massive amounts of network bandwidth and DDoS mitigation capacity at multiple sites around the Internet that can take in any type of network traffic (whether you use multiple ISPs, your own data center, any number of cloud providers, etc.), scrub the traffic for you and send “clean” traffic towards your data center.

Cloud mitigation providers have the following benefits:

1. Expertise: Generally, these providers have any number of network and security engineers and researchers who are constantly monitoring for the latest DDoS tactics to better protect their customers.

2. Lots of bandwidth: These providers have much more bandwidth than an enterprise could provision on their own to stop the biggest volumetric attacks.

3. Multiple types of DDoS mitigation hardware: DDoS attacks are extremely complex. There is a need for multiple layers of filtering to be able to keep up with the latest threats. Cloud providers should take advantage of multiple technologies, both commercial off-the-shelf (COTS) and their own proprietary technology to defend against attacks.


As an example, we at Verisign have DDoS scrubbing centers around the world that can help protect enterprises in all verticals from DDoS attacks. We can take the attack traffic destined for a customer’s website either via the Border Gateway Protocol (BGP), the protocol that carries routing information between networks on the Internet, in which case the customer’s address block is announced from our network so that all traffic for it arrives at our scrubbing centers, or by the customer simply making a DNS change to point their hostname at our network. Once the traffic hits one of our scrubbing centers, we work to filter out the bad DDoS traffic and pass on the good traffic to our customers (no matter where their site is hosted). The diagram below is a good visual of how the process works.
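One practical step that follows from the DNS onboarding method above, as an added example rather than Verisign’s own tooling: once DNS points the hostname at the scrubbing network, the origin must stop accepting web traffic from anywhere except the provider’s return prefixes, or an attacker who knows the origin’s real address (for instance from historical DNS records) can send traffic straight to it and bypass scrubbing entirely. The provider prefixes, origin address, ports and sample connection attempts below are constructed (RFC 5737 documentation ranges); a real deployment would use the prefixes the provider publishes.

```python
"""
Origin protection after a DNS cut-over to a cloud scrubbing provider.

Added example, not Verisign code. After the DNS change, the origin should
accept web traffic only from the scrubbing provider's egress prefixes; any
other source reaching ports 80/443 is a bypass attempt. All addresses below
are constructed from RFC 5737 documentation ranges.
"""
import ipaddress

# Assumed: the prefixes the scrubbing provider returns clean traffic from.
# A real provider publishes these; they must be kept in sync when they change.
SCRUBBER_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/25")]
ORIGIN_IP = "203.0.113.10"      # the data-center address DNS used to point at
PROTECTED_PORTS = (80, 443)     # the web ports now served via the scrubber


def from_scrubber(src_ip):
    """True if src_ip lies in one of the provider's announced egress prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in SCRUBBER_PREFIXES)


def classify(src_ip, dst_port):
    """Decide what the origin's edge should do with an inbound connection."""
    if dst_port not in PROTECTED_PORTS:
        return "unaffected"            # other services need their own policy
    return "accept" if from_scrubber(src_ip) else "drop-bypass"


def iptables_rules(prefixes=SCRUBBER_PREFIXES, ports=PROTECTED_PORTS, chain="INPUT"):
    """Render the allow-list as iptables rules: provider prefixes first, then a default drop."""
    rules = []
    for port in ports:
        for net in prefixes:
            rules.append(f"iptables -A {chain} -p tcp --dport {port} -s {net} -j ACCEPT")
        rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules


# Constructed inbound attempts seen at the origin after the cut-over.
SAMPLE_CONNECTIONS = [
    ("192.0.2.77", 443),      # clean traffic forwarded by the scrubber
    ("198.51.100.200", 443),  # outside the /25: not a scrubber address
    ("203.0.113.55", 80),     # attacker who learned the origin IP
    ("203.0.113.55", 22),     # not a web port; out of scope for this policy
]


def audit(connections=SAMPLE_CONNECTIONS):
    """Return each connection's verdict and the number of bypass attempts stopped."""
    verdicts = {c: classify(*c) for c in connections}
    return verdicts, sum(v == "drop-bypass" for v in verdicts.values())


if __name__ == "__main__":
    verdicts, stopped = audit()
    for (ip, port), verdict in verdicts.items():
        print(f"{ip}:{port} -> {verdict}")
    print(f"{stopped} bypass attempts dropped")
    print("\n".join(iptables_rules()))
```

This applies to the DNS method only. With BGP-based redirection the provider announces the address block itself, so direct-to-origin traffic already lands in the scrubbing center and no origin allow-list is needed. Conversely, the allow-list must be updated whenever the provider’s prefixes change, or clean traffic will be dropped along with the bypass attempts.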

CONCLUSION

Hopefully this article has been educational on the various types of DDoS mitigation. I may be biased, but in my view, cloud mitigation providers are the logical choice for enterprises for their DDoS protection needs. They are the most cost-effective and scalable solution to keep up with the rapid advances in DDoS attacker tools and techniques.

What type of DDoS mitigation techniques, if any, does your company use?

This piece was originally posted to “Between the Dots”, the Verisign blog, on June 12, 2013.

Verisign Public VRSN_SLeach_DDoS-Blog_Ind-Inst_201306

VerisignInc.com

© 2013 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.

Diagram (figure not reproduced; labels recovered from the page): Malicious Actor; DoS attack traffic; Denial of Service Traffic; Internet; Customer; Customer Site; Legitimate traffic during normal conditions; Legitimate traffic during attack; Verisign Mitigation Centers; Verisign Monitoring Facility (Analysis, Actor Attribution).