Multi-Terabit DDoS Attacks Likely, Arbor Says

Two different types of massive security threats -- IoT-powered botnets and reflection amplification attacks -- will likely be combined in the near future to create crippling multi-terabit DDoS attacks, a key security vendor is warning.

In releasing its 12th annual Worldwide Infrastructure Security Report (WISR), the Arbor Networks unit of NetScout Systems Inc. (Nasdaq: NTCT) pointed to new capabilities of the Mirai software code that famously enabled millions of Internet of Things (IoT) devices to be used in last fall's attack on the Dyn DNS infrastructure, which crippled many major US-based Internet sites. Recent variants of the Mirai software include the capability to spoof source addresses, says Gary Sockrider, Arbor principal security technologist, and that creates the ability to combine IoT-based botnets with reflection amplification attacks. (See Arbor Report Shows Size, Complexity of Network Attacks Exploding.)

"So now you take the massive number -- billions of IoT devices out there, which have this incredible capacity to deliver large-scale attacks, and add on top of that an emerging reflection amplification ability," he tells Light Reading in an interview. "Independently, either one of those two was generating the biggest attacks we've ever seen. It's only a matter of time before we start seeing the two combined for even bigger attacks, and you could easily generate multi-terabit attacks with those types of techniques. We haven't seen it happen live yet, but I think it's inevitable."
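
A reflection attack is visible from the victim's side as large UDP replies, from many reflector addresses at once, that the victim never requested. The check below is an added illustration, not code from the article or from Arbor; it runs over constructed flow records in a simple assumed text format and flags destinations that match that pattern.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors. The reflected reply carries this
# number as its *source* port when it reaches the spoofed victim address.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int

def parse_flows(text):
    """Parse constructed lines of the form 'src:sport > dst:dport proto pkts bytes'."""
    flows = []
    for line in text.strip().splitlines():
        src, _, dst, proto, pkts, octets = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(sip, int(sport), dip, int(dport), proto, int(pkts), int(octets)))
    return flows

def detect_reflection(flows, min_sources=3, min_avg_pkt=400):
    """Flag destinations receiving large UDP replies from many reflector sources."""
    per_victim = defaultdict(lambda: {"sources": set(), "services": set(), "packets": 0, "octets": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue  # not a reply from a reflector service port
        v = per_victim[f.dst_ip]
        v["sources"].add(f.src_ip)
        v["services"].add(REFLECTOR_PORTS[f.src_port])
        v["packets"] += f.packets
        v["octets"] += f.octets
    alerts = {}
    for victim, v in per_victim.items():
        avg = v["octets"] / v["packets"]  # amplified replies are large per packet
        if len(v["sources"]) >= min_sources and avg >= min_avg_pkt:
            alerts[victim] = {"reflectors": len(v["sources"]),
                              "services": sorted(v["services"]), "avg_pkt_bytes": round(avg)}
    return alerts

# Constructed sample: four reflectors hammering 203.0.113.50, plus one normal DNS exchange.
SAMPLE = """
192.0.2.10:123 > 203.0.113.50:40212 UDP 900 432000
192.0.2.11:123 > 203.0.113.50:40212 UDP 850 408000
192.0.2.12:53 > 203.0.113.50:40212 UDP 700 2100000
192.0.2.13:53 > 203.0.113.50:40212 UDP 650 1950000
198.51.100.7:53 > 203.0.113.80:51234 UDP 2 180
203.0.113.80:51234 > 198.51.100.7:53 UDP 2 120
"""

if __name__ == "__main__":
    for victim, info in detect_reflection(parse_flows(SAMPLE)).items():
        print(victim, info)
```

The thresholds are assumptions for the constructed sample; on real flow exports they would be tuned to the link's normal UDP reply profile.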

The Arbor WISR combines a survey conducted by the vendor annually with the results from its own deployed security gear, covering roughly one-third of Internet traffic. This year's numbers are truly frightening in showing an expected uptick in scale, complexity, frequency and consequences of distributed denial-of-service (DDoS) attacks, even as it also shows much greater efforts at vigilance and mitigation. The full report can be accessed here.

This year's WISR report was dominated by the massive -- up to 800 Gbit/s -- attacks largely based on using unsecured IoT devices to launch DDoS attacks. That overshadowed reflection amplification attacks, Sockrider notes. But those are definitely still around and causing problems too. According to Arbor, the largest monitored reflection amplification attack was up to 498 Gbit/s, which is a 97% jump from 2015. A quick look at stats on growth in attack size can be found here.

"Reflection amplification didn't go away," he says. "It was a little bit overshadowed by IoT, but it is still happening at a very high rate. I kinda shudder to think of the combination of the two, but I do think it's going to happen."

Taking a brief break from the relentless bad news, Arbor's research did reveal a better understanding of the damage DDoS attacks can do to company reputation, resources and operating costs, and an uptick in focus on best practices for preventing or mitigating attacks. The survey showed 77% of service provider respondents are capable of mitigating attacks in less than 20 minutes, and just over half of enterprises are conducting simulated DDoS attacks to test their defenses, with 40% doing so quarterly.

That's a step forward from the past when enterprises too often put network defense in place and assumed the job was done, not paying attention to the need for regular testing, patching and updating.

The reality of DDoS attacks is that they are commonplace, says Sockrider, but most are mitigated. This year's report showed 41% of enterprise, government and education respondents and 61% of data center operators reported attacks exceeding their total Internet capacity, effectively taking their networks down and in some cases, putting them out of business for some period of time.

"Both of those numbers are up from last year, and we are really seeing the impact of these large attacks," he says, adding that there are so many DDoS attacks happening at any one moment, but the majority don't take the target down. "The majority get mitigated either by a service provider or a third-party cloud mitigation service, or even in some cases the network operator or the victim themselves," he says.

As attacks keep growing in volume and complexity, more of them are likely to succeed in taking down their targets, Sockrider adds, and that obviously means a greater impact on businesses.

Given the volume of unsecured IoT devices deployed globally, DDoS attacks using those as botnets represent a growing threat that is difficult to mitigate, he admits. In late 2016, Arbor took a snapshot of IoT-based attacks, using a honeypot technique, and saw "over a million log-in attempts from IoT devices, coming from 92,000 unique IP addresses." Sockrider says, "In Asia and South America, in particular, we saw more than one attempt per minute per device."

The takeaway, Sockrider says, is even if you do patch your device in Asia, a minute later there will be another attempt to crack it.

That doesn't mean there should be any slowdown in efforts to make IoT devices and networks in general more secure, of course. One thing Sockrider stresses is the need to turn off networking features that are considered default "features" but are rarely used, such as the ability to convert wireless printers to web access points. Turning off network connections that are rarely if ever used reduces the number of potential vulnerabilities in the long run, he says.

— Carol Wilson, Editor-at-Large, Light Reading

HardenStance 1/24/2017 | 12:58:29 PM
Fire Drills & Simulations
One of the layers of defence that is all too rarely applied is the DDoS attack simulation or fire-drill.

Most DDoS providers crave better awareness and engagement from their customers as regards their understanding of the step by step best practice they should follow when they suffer an outage of some kind and suspect a DDoS attack.

Enterprises need to speak up and ask for this a lot more than they do. Better customer preparedness can take minutes or hours off the time taken to mitigate an attack.

The best DDoS protection providers would rather take the call requesting this kind of preparatory support during 'peacetime' than the call from the customer's operations folks that may be mis-reading a situation and screaming down the phone threatening divine retribution because the provider's DDoS protection solution "isn't working".
Carol Wilson 1/24/2017 | 12:14:05 PM
Re: Layered DDoS protection
One of the other positive things from this year's report is that service providers are doing a better job of mitigating DDoS attacks in general - as Gary Sockrider points out, most attacks don't take down their targets, we just hear more about the ones that do.
Kelsey Ziser 1/24/2017 | 11:52:45 AM
Layered DDoS protection
Gary discussed threats from IoT-based botnets and October's major DDoS attack in the Upskill U course, Security: Tackling DDoS. He mentioned that the best approach in response to a major DDoS attack is layered DDoS protection which starts upstream in a service or cloud providers' scrubbing center that can handle the volumetric attack. Gary advised organizations to also implement security measures closer to the device, servers and applications requiring protection, which is usually an inline device capable of deep-packet analysis to find and stop stealthy applications in real-time. Finally, organizations need the capability to quickly and easily communicate threat intelligence to the operator upstream.