September 5, 2014 (Fri): Fortinet, a global leader in high-performance network security, today urged Malaysian organizations to stop relying on Internet Service Providers to protect them from DDoS attacks. Distributed Denial of Service (DDoS) attacks are among the oldest Internet threats and remain a top risk to networks around the world. As protections evolve, the technology used by attackers has become much more sophisticated. New attack types now target applications and services and are often masked inside bulk layer 3 and layer 4 DDoS events, making them difficult to detect. SYN floods and HTTP GET floods are the two most commonly used methods to overwhelm network connections or overload the servers behind firewalls and intrusion prevention systems (IPS).
More worrisome, however, is that application layer attacks use far more sophisticated mechanisms to attack organizations’ network and services. Rather than simply flooding a network with traffic or sessions, these attack types target specific applications and services to slowly exhaust resources at the application level (layer 7). Application layer attacks can be very effective using small traffic volumes, and may appear to be completely normal to most traditional DDoS detection methods. This makes application layer attacks much harder to detect than other basic DDoS attack types.
“The financial services industry is one of the biggest targets of cyber criminals for DDoS attacks, followed closely by the government sector. Besides disrupting Internet operations through a brute-force data onslaught, DDoS attacks have recently been used to hide more sophisticated attempts to break into financial and e-commerce information. These attacks often have the intent of disrupting operations mostly through the destruction of access to information,” said Eric Chan, Solution Consulting Director for Fortinet Southeast Asia and Hong Kong.
Most local ISPs offer layer 3 and layer 4 DDoS protection to keep organizations’ links from becoming flooded during bulk volumetric events; however, they do not have the capability to detect the much smaller layer 7-based attacks. Data centers should not rely on their ISP alone to provide a complete DDoS solution that includes application layer protection.
According to Chan, the evolving nature of DDoS attacks means that enterprises can no longer depend solely on their ISP for protection. Organizations must start making shifts now that give them greater foresight and more proactive defences for network and application-level services.
“DDoS attacks are on the rise for almost any organization, large or small. The potential threats and volumes are increasing as more devices including mobile handsets join the Internet. If your organization has a Web property, the likelihood of getting attacked has never been higher,” said Chan.
To help Malaysian enterprises protect against escalating DDoS attacks, Fortinet advises one of the following measures:
1. DDoS Service Providers: There are hosted cloud-based DDoS solutions that provide layer 3, 4, and 7 mitigation services. These range from inexpensive plans for small websites to large-scale enterprise plans that cover multiple sites. They are usually very easy to set up and heavily advertised to small and mid-sized organizations. Most offer customized pricing options, and many have advanced layer 7 detection services for large organizations that require sensors to be installed in the data center. Many companies opt to go this route, but some experience unpredictable and significant overage charges when they are hit with high-volume DDoS attacks. Performance may also fall short of expectations, because the service providers redirect DDoS traffic to mitigation centers instead of stopping it in real time, which is especially problematic for the short-duration attacks typically encountered.
2. Firewall or IPS: Almost every modern firewall and intrusion prevention system (IPS) claims some level of DDoS defense. Advanced next-generation firewalls (NGFWs) offer DDoS and IPS services and can mitigate many DDoS attacks. Having one device for firewall, IPS and DDoS is easier to manage, but a single device may be overwhelmed by volumetric DDoS attacks, and it may not have the sophisticated layer 7 detection mechanisms other solutions offer. Another trade-off is that enabling DDoS protection on the firewall or IPS may impact the overall performance of that single device, resulting in reduced throughput and increased latency for end users.
3. Dedicated DDoS Attack Mitigation Appliances: These are dedicated hardware devices deployed in a data center to detect and stop both basic (layer 3 and 4) and advanced (layer 7) DDoS attacks. Deployed at the primary entry point for all web-based traffic, they can block bulk volumetric attacks and monitor all traffic entering and leaving the network for the suspicious patterns of layer 7 threats. With a dedicated device, expenses are predictable: the cost is fixed whether an organization suffers one attack in six months or is attacked every day. The trade-offs are that these devices are an additional piece of hardware to manage, lower-bandwidth units can be overwhelmed during bulk volumetric attacks, and many manufacturers require frequent signature updates.
Enterprises should look for DDoS attack mitigation appliances that use adaptive, behavior-based methods to identify threats. Such appliances learn baselines of normal application activity and then monitor live traffic against them. This adaptive, learning approach has the advantage of protecting users from unknown zero-day attacks, because the device does not need to wait for signature files to be updated.
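The baseline-learning approach described above, and the low-volume layer 7 exhaustion pattern described earlier in this release, as an added example that is not Fortinet's code or the page's own: a standalone Python script that learns per-path normal request rates and durations from a window of constructed access-log lines, then scores a live window and flags both a bulk HTTP GET flood and a slow, resource-exhausting pattern that arrives at an ordinary request rate. The log line format, the thresholds (`k`, `min_rate`, `dur_factor`), the paths and the IP addresses are all assumptions made for the example.

```python
"""Adaptive, behaviour-based layer 7 DDoS detection (added example, not vendor code).

A learning window of normal traffic gives, per path, the mean and spread of
requests per second and the mean request duration.  A live window is then
compared against those baselines instead of against attack signatures.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Request:
    second: int       # offset of the request within its window, in seconds
    client: str
    path: str
    duration_ms: int  # server-side time spent completing the request


def parse_log(lines):
    """Parse constructed 'second client METHOD path status duration_ms' lines (assumed format)."""
    reqs = []
    for line in lines:
        sec, client, _method, path, _status, dur = line.split()
        reqs.append(Request(int(sec), client, path, int(dur)))
    return reqs


def learn_baseline(requests, window_seconds):
    """Per path: mean and std-dev of requests per second, and mean duration, from normal traffic."""
    per_sec = defaultdict(lambda: [0] * window_seconds)
    durations = defaultdict(list)
    for r in requests:
        per_sec[r.path][r.second] += 1
        durations[r.path].append(r.duration_ms)
    return {path: {"rate_mean": mean(counts), "rate_std": pstdev(counts),
                   "dur_mean": mean(durations[path])}
            for path, counts in per_sec.items()}


def detect(requests, baseline, window_seconds, k=3.0, min_rate=2.0, dur_factor=4.0):
    """Score a live window against the baseline and return a list of alerts.

    Two deviations are reported: a request rate far above the learned mean
    (a GET flood) and a mean duration far above the learned mean while the
    rate stays normal (slow, resource-exhausting layer 7 requests).
    """
    by_path = defaultdict(list)
    for r in requests:
        by_path[r.path].append(r)
    alerts = []
    for path, reqs in by_path.items():
        rate = len(reqs) / window_seconds
        dur = mean([r.duration_ms for r in reqs])
        top_client, top_n = Counter(r.client for r in reqs).most_common(1)[0]
        share = round(top_n / len(reqs), 2)   # how concentrated the traffic is, for triage
        base = baseline.get(path)
        if base is None:
            # A path never seen while learning has no duration baseline; only its rate is checked.
            if rate > min_rate:
                alerts.append({"path": path, "kind": "unseen_path", "observed": rate,
                               "threshold": min_rate, "top_client": top_client, "top_share": share})
            continue
        rate_limit = max(min_rate, base["rate_mean"] + k * base["rate_std"])
        if rate > rate_limit:
            alerts.append({"path": path, "kind": "rate", "observed": rate, "threshold": rate_limit,
                           "top_client": top_client, "top_share": share})
        elif dur > dur_factor * base["dur_mean"]:
            alerts.append({"path": path, "kind": "duration", "observed": dur,
                           "threshold": dur_factor * base["dur_mean"],
                           "top_client": top_client, "top_share": share})
    return alerts


def constructed_window(spec, window_seconds):
    """Build constructed log lines. spec maps path -> (base req/s, duration_ms, clients).
    The per-second count alternates between base and base+1 so the baseline has some spread."""
    lines = []
    for path, (rps, dur_ms, clients) in spec.items():
        for sec in range(window_seconds):
            for i in range(rps + sec % 2):
                lines.append(f"{sec} {clients[i % len(clients)]} GET {path} 200 {dur_ms}")
    return lines


WINDOW = 10  # seconds per window (constructed)
# Learning window: ordinary browsing and searching (constructed, documentation IP ranges).
NORMAL = {"/index.html": (3, 50, ["192.0.2.10", "192.0.2.11", "192.0.2.12"]),
          "/search": (1, 200, ["192.0.2.10", "192.0.2.13"])}
# Live window: a GET flood on the front page, plus slow expensive searches at normal volume.
LIVE = {"/index.html": (30, 50, ["198.51.100.7", "198.51.100.8"]),
        "/search": (1, 2000, ["203.0.113.5"])}


def run_example():
    baseline = learn_baseline(parse_log(constructed_window(NORMAL, WINDOW)), WINDOW)
    return detect(parse_log(constructed_window(LIVE, WINDOW)), baseline, WINDOW)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The second alert is the case the release calls hard to detect: `/search` sees 1.5 requests per second in both windows, so a pure rate or volume threshold never fires, but the learned duration baseline of 200 ms makes the 2000 ms live requests stand out. In a real deployment the baseline would be relearned continuously and the thresholds tuned per application, and the `top_client` field only hints at where to look, since a distributed attack spreads its share across many sources.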