As visionaries go, James Licklider was pretty impressive. In the early 1960s, while working at the Pentagon, he wrote a memo about what he called the “Intergalactic Computer Network” that foretold virtually everything we know today as the Internet, including cloud computing. He even foresaw the need for cybersecurity, suggesting a completely distributed design in order to avoid a single point of failure.
To make such a distributed system work, early architects built DNS (Domain Name System) so users could navigate using easy-to-remember site names like “Google” without having to know the actual IP address of Google’s servers.
Unfortunately, Licklider missed an important point. In the ultimate irony, the DNS required for distributed computing turns out to be just the kind of single point of failure Licklider had hoped to eliminate.
Breaking the Internet
Last year an unknown hacker unleashed a distributed denial of service (DDoS) attack targeting U.S.-based Dyn, a company that provides DNS services for many Internet-scale Web properties. By focusing massive amounts of junk traffic from as many as 10 million compromised bots, the attack ultimately brought down such well-known sites as Twitter, Reddit, Netflix and Airbnb.
Think about that for a minute. A single DDoS attack targeting a single company resulted in a day’s worth of absolute chaos and brought down several of the world’s largest Web properties. So much for avoiding single points of failure.
In one sense the attack wasn’t groundbreaking; DDoS attacks have been on the rise for years. But two aspects of the attack bear mentioning.
First, the attack utilized compromised Internet of Things (IoT) devices, as many as 10 million according to some reports. That’s important because IoT devices are growing geometrically and are notoriously under-protected. For example, what is the username for your webcam at home? For far too many users the answer is “whatever they defaulted to out of the box,” providing fertile ground from which hackers can recruit the bots they need for their DDoS attacks.
The second notable aspect was the sheer volume of traffic the attack generated. The exact magnitude may never be precisely known, but estimates range as high as 1.2 terabits per second. This is far beyond the capacity of most DDoS protection solutions.
If Netflix and Airbnb can fall to such DDoS attacks, what chance does the average site have? Before you answer, consider that Deloitte is predicting that DDoS attacks will grow significantly in 2017, to more than 10 million discrete attacks, and that the size of the biggest attacks grew by 250 percent in the past year.
The reality is that DDoS is a problem that is going to get worse – a lot worse – before it gets better. It is worth thinking about how best to mitigate such attacks.
Why High-Volume DDoS Attacks Are So Hard to Mitigate
Fighting DDoS attacks requires two very different capabilities: intelligence and mitigation. Intelligence is being able to spot the attacks in the first place. Mitigation is doing something about it.
DDoS attacks can be stealthy, making common and seemingly innocuous requests of a company’s servers, but in such a high volume that the servers crumble under the load. Security intelligence requires sophisticated software algorithms to analyze traffic in order to quickly and accurately identify attacks.
Mitigation, on the other hand, is a fairly brute force operation. It requires less intelligence, but very high throughput and fast switching times. Mitigation in many ways is just a form of forwarding traffic. Once security intelligence identifies the attack signature, mitigation is a matter of looking for traffic matching that signature and forwarding it away from the company’s servers.
That sounds simple enough, but as the Dyn attack shows, DDoS protection is increasingly failing to protect company resources, for several reasons:
Core routers simply cannot scale to do both basic routing and DDoS protection – especially at the scale of attacks being seen recently.
A more flexible solution would tailor a mitigation strategy that protects both the infected and non-infected customers simultaneously.
The Problem in a Nutshell
The reason why existing DDoS solutions fall short is based on a fundamental architectural flaw. Most solutions combine security intelligence with mitigation in a single solution. As noted above, security intelligence requires complex software which can analyze traffic and detect even the most sophisticated attacks. On the other hand, mitigation requires extremely fast hardware that can immediately enforce policy to reroute attack traffic at line-rate and without slowing the network down.
When you put intelligence and mitigation in the same box you end up with a complex architecture that tries to balance the CPU complex needed for security intelligence against the raw hardware power needed for mitigation. Complexity always leads to very high costs at purchase time as well as operationally over the life of the solution. Or, if you do find a more affordable solution, the architecture is compromised and you end up underpowered in both intelligence and mitigation capacity.
A better approach is to disaggregate security intelligence from mitigation, but how?
Disaggregated Network Security: A Better Way
When the security intelligence is separated from the mitigation and the two communicate through an out-of-band interface, better and radically simplified DDoS protection is immediately possible.
These interfaces include BGP Flow Spec and REST APIs. The BGP Flow specification is a multi-vendor standard which allows multiple devices on a network to coordinate traffic filtering. In this way, a large site can choose best-of-breed security intelligence solutions that sit at strategic points in the network and watch for attacks. It is broadly used already, as are REST APIs.
When the intelligence solution spots an attack it creates mitigation rules and sends them to the mitigation engine over these out-of-band interfaces. This architecture provides several immediate and fundamental benefits:
It also enables more flexible mitigation strategies, such as filtering on sources of attack traffic instead of being limited to shutting down destinations.
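The split described above, with the intelligence side producing rules and the mitigation side doing nothing but match-and-forward, as an added Python sketch that is not part of the original article or any vendor's product. The flow records are constructed, the 1 Gbps threshold is an arbitrary assumption, and the rendered rule text follows the form an ExaBGP-style FlowSpec controller accepts (assumed; check your controller's own documentation). It also shows the per-source filtering the last point mentions, so the legitimate client of the attacked destination keeps flowing.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed 1-second flow sample (src, dst, proto, dst_port, bytes); not real traffic.
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", "udp", 53, 900_000_000),  # attack source A
    ("198.51.100.8", "192.0.2.10", "udp", 53, 700_000_000),  # attack source B
    ("203.0.113.5", "192.0.2.10", "tcp", 443, 4_000),        # legitimate client, same target
    ("203.0.113.9", "192.0.2.20", "tcp", 80, 12_000),        # unrelated service
]

@dataclass(frozen=True)
class FlowSpecRule:
    source: str        # filter on the attacking source, not a destination blackhole
    destination: str
    protocol: str
    dst_port: int
    action: str = "discard"

def detect(flows, threshold_bps=1_000_000_000, min_share=0.05):
    """Intelligence side: flag destinations whose inbound rate exceeds the
    (assumed) threshold, then emit one rule per source carrying >= min_share of it."""
    per_dst, per_src = defaultdict(int), defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        per_dst[dst] += nbytes * 8
        per_src[(src, dst, proto, port)] += nbytes * 8
    rules = []
    for (src, dst, proto, port), bps in per_src.items():
        if per_dst[dst] > threshold_bps and bps >= min_share * per_dst[dst]:
            rules.append(FlowSpecRule(f"{src}/32", f"{dst}/32", proto, port))
    return rules

def render(rule):
    """Rule in the text form an ExaBGP-style controller announces over BGP
    (syntax assumed here; verify against your controller's documentation)."""
    return (f"announce flow route {{ match {{ source {rule.source}; "
            f"destination {rule.destination}; protocol {rule.protocol}; "
            f"destination-port ={rule.dst_port}; }} then {{ {rule.action}; }} }}")

def mitigate(flows, rules):
    """Mitigation side: pure match-and-forward with no analysis. Matching flows
    are diverted away from the servers; everything else is forwarded untouched."""
    keys = {(r.source, r.destination, r.protocol, r.dst_port) for r in rules}
    forwarded, diverted = [], []
    for flow in flows:
        src, dst, proto, port, _ = flow
        hit = (f"{src}/32", f"{dst}/32", proto, port) in keys
        (diverted if hit else forwarded).append(flow)
    return forwarded, diverted
```

Running `detect(SAMPLE_FLOWS)` yields two source-specific rules; feeding them to `mitigate` diverts only the two UDP flood flows while the HTTPS client of the same destination is still forwarded.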
DDoS Will Continue to Evolve. You Should Too.
DDoS attacks have been around for nearly two decades. But with the world’s first terabit-class attack, 2016 marked a turning point. When even the largest Web scale sites are unable to withstand the largest DDoS attacks, it is time to evolve and adapt.
Disaggregating security intelligence from mitigation is a strategy that provides fundamental benefits that will allow organizations to stay ahead of the bad guys in the DDoS arms race.