The Collateral Damage of DDoS Attacks - Part 1. What is what
Feb 21, 2018
ISP networks are part of the backbone of the Internet—and carry any and every security threat. Most threats are not considered by the ISP, since they do not harm their own infrastructure, they are just another packet flow. While this is true for application-level and state-exhaustion DDoS attacks, ransomware infection, malware distribution, and so on, there are exceptions, such as volumetric DDoS attacks.
In contrast to other attacks, the DDoS volumetric attacks impact ISP infrastructure even if it is not the target of the attack. In this blog I will focus on volumetric DDoS attacks and techniques that allow ISPs to mitigate collateral damage on their network.
The Volumetric DDoS attack is characterized by large volume of data send to the target that originates from multiple sources simultaneously. But what it meant by “large volume” and “multiple” sources?
The trend since 2008 shows exponential growth, peaking in 2016 at 800Gbps; attacks in 2017 and earlier (see picture below) are likely temporary retracements.
Looking at additional data sources, we find that on average there are ~40.000 attacks reported per week, with an average attack time of ~1.2 hours from ~250 simultaneous attack sources. Given the 2017 average attack size of ~1Gbps, this translates to ~250 of Gbps of attack traffic.
We can conclude that the total volume of DDoS data that SPs must deal with is large and increasing.
During an attack, malicious traffic enters the ISP network, and if not mitigated, is transported toward the target, consuming network resources along the way. As result, high-cost long-haul links can be saturated, causing ‘non-selective’ packet drops and latency to all traffic traversing the given resources and potentially impacting the traffic of all customers, not just the target. As a result, customers may experience network slowness, unresponsive services, streamed media degradation, and even total outage (TCP timeouts = 15-30 minutes). These issues damage the SPs business directly (SLA penalties) and indirectly (customer dissatisfaction, brand damage, etc).
Therefore, it is in the SPs best interest to mitigate DDoS impact on their infrastructure and thus protect the experience of the entire customer base.
Volumetric DDoS attacks are not a new phenomenon on Internet, but with the exception of very few large attacks, the network infrastructure has had enough capacity to absorb the DDoS traffic. For example, in 2010, when 100GE links were widely deployed in SP core networks, the biggest DDoS attacks generated just 100Gbps of traffic.
In the past, DDoS attacks have been contained by manual intervention utilizing techniques like D-RTBH, S-RTBH and filters/access-lists. RTBH discards all traffic addressed to (D-RTBH) the target; similarly, S-RTBH discards all traffic coming from source addresses generating the attack, not a bad counter- measure at first look, but… a) the actual device generating the attack traffic may use a spoofed address, so counter-attacks will penalize innocent hosts; and b) even if the source address is not spoofed, the device (eg PC/laptop) may be infected by some malware that generated the attack, but are also simultaneously used for legitimate, normal work[i].
These techniques provide a coarse grain, very simple “DDoS detection” solution by finding IP addresses that are a destination to an untypically large volume, and flow export (Netflow) provides sufficient data to accomplish this. Unfortunately, this detection is associated with relatively high false-positives, and triggering RTBH automatically is such a nuclear option, that virtually noISP has automated this response. There is always a human in decision loop.
These legacy approaches are no longer sufficient. Over the years, the volume of traffic generated by DDOS attacks has grown faster than infrastructure capacity, the number of DDoS attacks per day and per week continues to grow, and, because the majority of volumetric DDoS attacks are amplification types--with DNS and NTP being the biggest contributors--backhauling DNS, and even filtering DNS service (at L4) are not useful because they break the name resolution system.
Fortunately, analytics software has matured, and so has ISP willingness to trust autonomous decisions taken by software, thanks to advances in technology and experience gathered in other industries. These technologies offer new approaches to mitigate the collateral damage caused by volumetric DDoS attack. These new approaches should:
Detect attacks based on a combination of flow volume and payload data.
Enable fine-grain differentiation of attacks vs. legitimate flows and packets, even inside same Layer 3-4 flow, and discarding/rate-limiting only malicious ones.
Provide a rapid and complete detect-analyze-mitigate cycle to prevent TCP sessions time-out and protect customer experience.
Should discard malicious packets at network edge (inline/on router line card)
The network service prices payed by customers should not be impacted by the the cost of the solution; solution costs should offset by savings coming from not carrying DDOS traffic over network..
Be focused on volumetric attacks; non-volumetric one does not really impact network resources, so their detection and mitigation is good to have if possible without adding solution costs, but is not critical.
[i] Some SP offers to their customers a ‘clean pipe’ service. For customers who pays for it, traffic addresses to suspected victim is redirected to in-line scrubbing center. This prevent completing DDoS by backhauling victim IP, while protects it against volumetric attack. It also allow SP to generate revenue that offset cost of scrubbing infrastructure and extra capacity on network needed to carry traffic to scrubbing center.