The unprecedented attacks launched recently against Brian Krebs’ blog (Krebs on Security) and the hosting provider OVH highlight the immense damage from IoT-driven botnets, and really signal a new age of attacks.
For years, security evangelists have been talking about the potential for IoT-driven attacks, a message that has often been met with a combination of eye rolls and skepticism. That’s likely no longer the case after these latest attacks. It’s a shift I experienced first-hand at the SecureWorld event in Denver, where I participated in a panel on the current threat landscape. Suddenly, the IoT threat gets real attention in such a setting, whereas in the past it was relegated to the future-threats panels and discussions. This week’s panel elicited a palpable degree of anxiety from the audience about what these attacks mean for security professionals.
Here’s what we know about the attacks: the Krebs on Security blog became the target of an attack that started on September 20, peaking at over 620 Gbps of traffic. Some reports speculate that the attack was a retaliatory strike in response to Krebs’ reporting on specific DDoS-for-hire service providers. Regardless of the motives, the attack was notable not only for its size, but also because the botnet that generated the majority of the traffic appears to have been built by exploiting vulnerabilities in roughly 1 million network-enabled cameras, making it the most vivid example yet of an IoT botnet.
Just a few days later, the European hosting provider OVH was hit with an attack approaching 1 Tbps, making it by far the largest reported DDoS attack ever seen. Within a week, the source code behind the botnet (Mirai) was released, confirming the key role that IoT devices played in these attacks.
Without question, these attacks signal a new age of attacks that will force many organizations to revisit their current DDoS protection strategies. Based on some of the dynamics of these attacks, here are some things to consider when looking for service providers that are prepared to defend you from this new wave of attacks:
- Layer 7 attack detection: In the past, most very large-scale DDoS attacks have leveraged network attack vectors (Layer 3/4). These attacks, however, reportedly consisted largely of massive HTTP floods, which render most Layer 3/4 detection methods (e.g., Netflow analysis) ineffective: the byte and packet counters look unremarkable while the application is being overwhelmed with requests. Be sure your service provider has effective application-layer (Layer 7) attack detection and mitigation capabilities.
- Hybrid, automated mitigation capabilities: According to some reports, the recent attacks ramped up with extreme speed, hitting 100 Gbps of attack traffic within 15 seconds. Successfully defending a network from such an attack requires always-on, multi-vector attack detection, along with the ability to automatically redirect traffic to cloud-based mitigation resources once predetermined thresholds are crossed. Be sure your provider offers hybrid mitigation, ideally using the same technologies on-premise and in the cloud to ease automation and shorten the time to effective, accurate mitigation.
- Separate network for DDoS mitigation: The ideal architecture features a separate, scalable infrastructure built specifically for volumetric DDoS attack mitigation, to which attacks can be rerouted when they reach predetermined thresholds. These DDoS scrubbing centers should ideally be located close to a major Internet peering point. This avoids backhauling large amounts of attack traffic across the network backbone, which increases costs to the service provider and can force it to drop customers who are under sustained volumetric attack.
- IP-agnostic protection: The IP address has rapidly decreasing value as a security identifier, for a wide variety of reasons. First, many users access the Internet through providers that use dynamic host configuration, which assigns a new IP address each time they connect. Combined with the increased mobility of today’s users, this leaves organizations facing a difficult user-identification problem. Additionally, users behind Network Address Translation (NAT) devices share a single IP address among many devices, making it difficult to block an IP without also blocking legitimate users and devices.
- Ability to quickly scale hardware needs: These attacks also highlight the advantage of being a manufacturer of dedicated DDoS mitigation hardware. Security service providers that build their services upon third-party technology will always have a tighter ceiling on mitigation capacity than those that have additional high-capacity gear on hand and ready for deployment as needed.
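To make the first two points concrete, here is an added example (not code from the original post, and not any vendor’s product) of Layer 7 flood detection over web-server access-log lines. It counts requests rather than bytes or packets, which is the signal a Netflow-style Layer 3/4 view lacks, and it makes the “reroute to scrubbing” decision on the aggregate request rate crossing a predetermined threshold rather than on any single source address, so a distributed botnet whose individual bots stay under the per-client limit still trips it. The log lines, thresholds, addresses and timestamps are all constructed for the example and assume a time-ordered log.

```python
"""Layer 7 (HTTP) flood detection over access-log lines.

Added example, not code from the original post. All log lines, IPs and
thresholds are constructed; the log is assumed to be in time order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, epoch_seconds, path), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
    return m["ip"], ts, m["path"]


class Layer7FloodDetector:
    """Sliding-window request counters, per client and for the whole site."""

    def __init__(self, window_s=10, per_client_limit=30, aggregate_rps_limit=20):
        self.window_s = window_s
        self.per_client_limit = per_client_limit        # requests/window per IP
        self.aggregate_rps_limit = aggregate_rps_limit  # site-wide requests/second
        self.per_client = defaultdict(deque)  # ip -> timestamps inside the window
        self.all_ts = deque()                 # every timestamp inside the window
        self.flagged_clients = {}             # ip -> peak requests seen in a window
        self.peak_rps = 0.0
        self.redirect_to_scrubbing = False    # latched; an operator clears it
        self.redirect_at = None               # timestamp the threshold was crossed

    @staticmethod
    def _evict(q, cutoff):
        while q and q[0] <= cutoff:
            q.popleft()

    def observe(self, ip, ts):
        """Record one request; return the current site-wide requests/second."""
        cutoff = ts - self.window_s
        q = self.per_client[ip]
        q.append(ts)
        self._evict(q, cutoff)
        self.all_ts.append(ts)
        self._evict(self.all_ts, cutoff)
        # Per-client check. Behind NAT one IP may be many users, so this only
        # flags the address for review rather than blocking it.
        if len(q) > self.per_client_limit:
            self.flagged_clients[ip] = max(self.flagged_clients.get(ip, 0), len(q))
        # Aggregate check, independent of source IPs: crossing the threshold is
        # the trigger to reroute traffic to the scrubbing infrastructure.
        rps = len(self.all_ts) / self.window_s
        self.peak_rps = max(self.peak_rps, rps)
        if rps > self.aggregate_rps_limit and not self.redirect_to_scrubbing:
            self.redirect_to_scrubbing = True
            self.redirect_at = ts
        return rps


BASE_TS = 1474401600  # constructed: 20 Sep 2016 20:00:00 UTC


def _clf(ip, ts, path, status=200, size=512):
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime(TS_FMT)
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} {size}'


def build_sample_log():
    """Constructed traffic: 10 s of normal browsing (3 clients, 1 req/s each),
    then a 2 s flood from 40 bots that each stay under the per-client limit,
    plus one noisy bot that exceeds it, and one unparseable line."""
    lines = []
    for sec in range(10):
        for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
            lines.append(_clf(ip, BASE_TS + sec, "/"))
    for sec in (10, 11):
        for bot in range(40):
            lines.extend(_clf(f"198.51.100.{bot + 1}", BASE_TS + sec, "/index.php")
                         for _ in range(10))
    lines.extend(_clf("198.51.100.99", BASE_TS + 11, "/index.php") for _ in range(40))
    lines.append("garbage line that does not parse")
    return lines


def analyze(lines, detector=None):
    """Run the detector over log lines and summarise what it decided."""
    det = detector or Layer7FloodDetector()
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        ip, ts, _path = parsed
        det.observe(ip, ts)
    return {"requests": len(lines) - skipped, "skipped": skipped,
            "peak_rps": det.peak_rps, "redirect_to_scrubbing": det.redirect_to_scrubbing,
            "redirect_at": det.redirect_at, "flagged_clients": det.flagged_clients}


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

Note the design split: the per-client counter only flags an address for review, because of the NAT problem described under IP-agnostic protection, while the aggregate counter is what would drive an automated redirect to a scrubbing center. In the constructed sample the redirect fires in the first second of the flood, and the 40 bots that each stay under the per-client limit are caught only by the aggregate check.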
For now, it appears the attacks against Krebs on Security and OVH have ended. However, they should stay at the forefront of security practitioners’ minds as indicators of where large cyber attacks are heading. They should also be carefully reviewed by anyone deciding on the appropriate DDoS protection strategy and service architecture for their business.