How to prove the value of DDoS security

Return on prevention

Dan Holden is the Director of ASERT, Arbor Networks's Security Engineering and Response Team. His teams oversee the ATLAS global security intelligence database, and are responsible for threat landscape monitoring and Internet security research, including the reverse engineering of malicious code.

With DDoS an increasingly preferred method of attack, especially in the last 12 months, the threat has risen to critical levels.

Techradar Pro: Why has the DDOS threat grown so much over the last year? Are businesses more vulnerable?

Dan Holden: DDoS attacks are continuing to evolve and the last 12 months have seen huge growth in the number, complexity and size of the attacks occurring. When we couple this with businesses' increasing reliance on Internet connectivity, for either revenue or access to cloud-based data and applications, protection from the DDoS threat should be a top priority.

Over the last year the trend seems to have been a return to large traffic floods, known as volumetric attacks, to effectively cut their targets off from the Internet. Volumetric attacks have always been the most common attack type, but in the last year the scale of the problem has changed.

2013 saw an eightfold growth in the number of attacks over 20Gb/sec, based on data from Arbor's ATLAS monitoring system, which receives hourly DDoS statistics from over 300 service providers around the world, with just the first quarter of 2014 seeing a 150 per cent increase on 2013's annual total.

TRP: With such a large network footprint, what peaks in DDoS activity has Arbor tracked this year?

DH: Q1 2014 probably saw the most concentrated burst of large volumetric attack activity ever, with 72 attacks against a French ISP tracked at over 100Gb/sec and a new largest ever attack at 325Gb/sec. This attack was caused by amplification/reflection which is used to amplify the volumes of traffic attackers are capable of generating.

While this attack vector has been around for some time, it has grown in popularity since 2013. During January 2014 a number of gaming companies fell victim to a Network Time Protocol (NTP) amplification/reflection attack creating very large bandwidth and causing severe availability problems.
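A defender-side illustration of the NTP amplification/reflection pattern Holden describes, added here as an example and not part of the interview or of Arbor's tooling: reflected NTP responses arrive from UDP source port 123 and are far larger than ordinary NTP replies, so a target receiving a high rate of such packets from many distinct reflectors stands out. The flow records, thresholds and field layout are constructed for the example.

```python
# Added example (constructed data): flag targets of likely NTP reflection in flow records.
from collections import defaultdict

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets, seconds)
FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 50000, "udp", 440_000_000, 1_000_000, 10),
    ("198.51.100.11", 123, "203.0.113.5", 50000, "udp", 480_000_000, 1_100_000, 10),
    ("198.51.100.12", 123, "203.0.113.5", 50001, "udp", 460_000_000, 1_050_000, 10),
    ("192.0.2.20", 123, "203.0.113.9", 41000, "udp", 900, 10, 10),  # normal-sized NTP replies
    ("192.0.2.30", 443, "203.0.113.5", 52000, "tcp", 2_000_000, 2000, 10),  # unrelated HTTPS
]


def gbps(byte_count, seconds):
    """Convert a byte count over an interval to gigabits per second."""
    return byte_count * 8 / seconds / 1e9


def ntp_reflection_candidates(flows, min_avg_pkt_bytes=400, min_reflectors=3, min_gbps=0.5):
    """Return {dst_ip: (gbps, reflector_count)} for destinations receiving large
    UDP packets sourced from port 123 from at least min_reflectors distinct hosts
    at a combined rate of at least min_gbps. Thresholds are illustrative."""
    per_target_bytes = defaultdict(int)
    per_target_secs = defaultdict(int)
    reflectors = defaultdict(set)
    for src, sport, dst, _dport, proto, nbytes, pkts, secs in flows:
        if proto != "udp" or sport != 123:
            continue  # only reflected NTP traffic is of interest here
        if nbytes / pkts < min_avg_pkt_bytes:
            continue  # ordinary NTP replies are under 100 bytes on the wire
        per_target_bytes[dst] += nbytes
        per_target_secs[dst] = max(per_target_secs[dst], secs)
        reflectors[dst].add(src)
    result = {}
    for dst, total in per_target_bytes.items():
        rate = gbps(total, per_target_secs[dst])
        if len(reflectors[dst]) >= min_reflectors and rate >= min_gbps:
            result[dst] = (round(rate, 3), len(reflectors[dst]))
    return result


if __name__ == "__main__":
    for target, (rate, count) in ntp_reflection_candidates(FLOWS).items():
        print(f"{target}: {rate} Gb/s of large UDP/123-sourced traffic from {count} reflectors")
```

On the constructed records, only 203.0.113.5 is flagged (about 1.1 Gb/s from three reflectors); the host receiving small, normal NTP replies is not.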

TRP: What types of DDoS attack are organisations currently finding themselves most vulnerable to?

DH: Volumetric attacks have grabbed the headlines in the past year on numerous occasions, but we mustn't forget about the more stealthy application layer attacks. According to the Arbor World-Wide Infrastructure Security Report for 2013, nearly a quarter of attacks now target the application layer.

Web services remain the top target of these attacks, but there has been significant growth in the number of attacks targeting encrypted Web services (HTTPS) – which should be a concern for e-commerce, finance and government organisations. DDoS has become a complex attack type, with a broad spread of organisations being targeted.

TRP: So what does this mean in terms of security mitigation?

DH: Everything we have seen over the past year re-affirms layered DDoS protection as the best way to defend organisations from a DDoS threat. Network perimeter defenses provide proactive protection from application layer attacks, but they need to be coupled with a cloud or service provider based DDoS protection service to deal with higher-magnitude volumetric attacks, which are meant to saturate Internet connectivity.

TRP: When communicating its value to the board, how best can a CIO justify investment in DDoS security?

DH: The security and network teams across a broad spread of organisations are becoming increasingly aware of the need for these layered DDoS defense solutions, but they have to compete, from a budget perspective, with other business priorities.

For the CIO, the key is to compare the financial implications of a prolonged Internet service outage with the cost of appropriate defences. Fundamentally, it's imperative for CIOs and CISOs to be able to put a monetary value on the cost of an attack when building a case for investment into security products and processes.

ABOUT THE AUTHOR

Editor, TechRadar Pro

Désiré has been musing and writing about technology since 1997. Following an eight-year stint at ITProPortal.com where he discovered the joys of global techfests, developing an uncanny attraction for anything silicon, Désiré now heads up TechRadar Pro.