Dave Larson, Chief Operating Officer, Corero Network Security
Almost every week there's a new instance of DDoS attacks wreaking havoc upon their victims, costing them revenue and customers through network outages. DDoS attacks have come a long way from their humble beginnings as a tool of the bedroom hacker; they are now deployed by everyone from state-sponsored attackers to entry-level hackers and are one of the most common forms of cyber threat activity today. What began as a simple volumetric flood has since evolved into a far more complex form of malicious activity, with several different forms and purposes.
As the attacks change, so must our approach. An important step is looking further upstream and questioning the role that service providers have in mitigating the DDoS threat. This is something I explain to consultants with the following analogy:
Imagine running a bath and seeing that a quarter of the water coming through the tap was contaminated. When the bill from the water company came, I don’t imagine anyone being too happy paying for a contaminated supply. People can justifiably look at their Internet service in the same way.
If a hosting provider isn't providing effective DDoS mitigation as part of its service offering, it may forward useless and potentially harmful traffic onto its customers' networks, and bill them for the bandwidth it consumed. If people refuse to pay the water company for contaminated water, why are so many companies paying for a similar situation with their hosting and service providers?
With Internet traffic there's an added problem: customers can't accurately visualise all the traffic flowing across their network, and analysing it is far too big a job for existing staff to handle. Whether it's a sub-saturation attack designed to probe or weaken certain aspects of a network, or a huge flood attempting to knock the whole place offline, customers aren't able to hold providers to account in quite the same way, despite the second-rate service they may be receiving.
The legacy solution for hosting providers was to black-hole traffic, i.e. if a suspected DDoS attack was taking place, all traffic destined for the targeted address would be routed to a destination that doesn't exist (a null route). However, this also sends the good traffic to that non-existent destination, so legitimate users can't reach the site or service they were hoping to, costing the business money and customers. This does the attackers' work for them: the site is rendered unusable by the DDoS attack, and it stays that way for as long as the black-hole route remains in place, even after the attack itself has subsided.
Fast-forward to today and the mitigation technology has caught up with the attackers. There are now real-time mitigation tools installed directly inline at the peering point, meaning customer traffic can be filtered as it enters the provider's network rather than after it has already reached the customer. Such innovations mean providers are better positioned than ever before to offer effective protection to their customers, so that sites and applications can stay up and running, uninterrupted and unimpeded.
Fortunately, hosting providers are starting to deploy this technology as part of their service package to protect their customers, and the latest solutions are scalable and automated. This maximises efficiency and minimises the need for human intervention, which should act as a gigantic aspirin for the headaches DDoS attacks have caused in the past. Providers can tune these systems so that customers receive only good traffic, helping their sites run far more efficiently. It's a win-win for both sides: providers' services become more streamlined and reliable, protecting their reputation and attracting more customers, and customers are no longer paying for poorly filtered traffic.
If purpose-built technology is placed at ISPs' peering points, DDoS traffic is halted before it can enter their networks. This effectively shuts the door on the DDoS traffic while leaving a window open for legitimate user traffic to still get in. For security staff and service administrators, this means no more calls in the middle of the night, no more downtime and, most importantly, far fewer victims of DDoS attacks.
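The difference between the legacy black-hole approach and inline filtering at the peering point is easiest to see on traffic records. The following is an added example written for this article; it is not Corero's or any provider's code. It scores two policies over a constructed set of NetFlow-style flow records: a null route on the victim address, which drops every packet to it, and an inline rule that drops only flows matching an attack signature (an NTP reflection flood, i.e. UDP from source port 123 with amplification-sized packets). The addresses, the sample flows and the 400-byte size threshold are all assumptions chosen for the illustration. A third, deliberately over-broad rule (any UDP from port 123) is included to show why the "tune these systems" step matters.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (NetFlow-style), constructed for this example."""
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int
    size: int    # average bytes per packet
    pkts: int    # packets in the record
    legit: bool  # ground-truth label, used only for scoring


VICTIM = "203.0.113.10"      # assumed customer host under attack (documentation range)
NEIGHBOUR = "203.0.113.20"   # another customer behind the same provider

# Constructed sample traffic: 20 NTP reflectors sending ~440-byte responses at the
# victim, mixed with ordinary HTTPS sessions and the victim's own small NTP replies.
SAMPLE: List[Flow] = [
    Flow("198.51.100.%d" % i, VICTIM, "udp", 123, 40000 + i, 440, 5000, legit=False)
    for i in range(1, 21)
] + [
    Flow("192.0.2.11", VICTIM, "tcp", 51514, 443, 120, 300, legit=True),
    Flow("192.0.2.12", VICTIM, "tcp", 51515, 443, 120, 250, legit=True),
    Flow("192.0.2.13", VICTIM, "udp", 123, 123, 76, 4, legit=True),    # normal NTP, small packets
    Flow("192.0.2.14", NEIGHBOUR, "tcp", 51516, 443, 120, 400, legit=True),
]

# A policy returns True when the flow is dropped.
Policy = Callable[[Flow], bool]


def blackhole(victim: str) -> Policy:
    """Legacy remotely-triggered black hole: null-route everything destined to the victim."""
    return lambda f: f.dst == victim


def inline_filter(f: Flow) -> bool:
    """Inline mitigation: drop only traffic matching the attack signature
    (UDP sourced from port 123 with amplification-sized packets; 400 bytes is an assumed cut-off)."""
    return f.proto == "udp" and f.sport == 123 and f.size >= 400


def naive_udp123_filter(f: Flow) -> bool:
    """Over-broad rule: drops all UDP from port 123, including legitimate NTP."""
    return f.proto == "udp" and f.sport == 123


def score(policy: Policy, flows: List[Flow]) -> Dict[str, int]:
    """Count attack and legitimate packets dropped or passed under the policy."""
    counts = {"attack_dropped": 0, "attack_passed": 0,
              "legit_dropped": 0, "legit_passed": 0}
    for f in flows:
        kind = "legit" if f.legit else "attack"
        action = "dropped" if policy(f) else "passed"
        counts[f"{kind}_{action}"] += f.pkts
    return counts


if __name__ == "__main__":
    for name, policy in [("blackhole", blackhole(VICTIM)),
                         ("inline", inline_filter),
                         ("naive udp/123", naive_udp123_filter)]:
        print(f"{name:14s} {score(policy, SAMPLE)}")
```

On this sample the null route stops the flood but also drops every legitimate packet to the victim (the site is down either way), while the inline rule stops the same flood and passes all legitimate traffic. The over-broad rule shows the collateral damage of an untuned signature: the victim's own NTP replies are dropped along with the attack.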
A case in point is SdV Plurimédia, a French hosting provider. It handles huge amounts of traffic and, like any other hosting provider, experiences DDoS attacks at volumes capable of saturating its networks. SdV Plurimédia guarantees customers 24/7 operability, a risky promise if DDoS attacks are a persistent concern.
By deploying automated technology that was simple to implement, SdV Plurimédia didn't have to reconfigure any elements of its network. It chose an option that sits inline at the edge of the network and is dedicated to mitigating DDoS attacks, meaning the threat was removed before it reached customers and their business could carry on as usual, without sudden surprises arriving downstream. As SdV's example shows, the technology is readily available, so why not encourage more conscientious behaviour within the industry?
So our advice for businesses is as follows: when shopping around for a hosting provider, be wary of companies that don't provide DDoS mitigation as part of their service offering, since they may end up charging you for traffic you don't need and certainly shouldn't be paying for. Opting for a company that offers security as a service will save you many of the expensive call-outs, downtime and lost customers that go hand in hand with the DDoS attacks that negligent providers allow to run their course.