In the Face of the Largest (Known) DDoS Attack

By Cat Yong

Late in March, Sophos detailed how Cyberbunker, a ‘dodgy’ Internet hosting provider from the Netherlands, “took umbrage” with Spamhaus, a non-profit organisation that takes on spammers and the Internet hosts who profit from their activities.

What ensued was reported by numerous news sites as the biggest attack in the history of the Internet. John Ellis, enterprise security director for Asia Pacific at Akamai Technologies, said, “The DDoS attack on SpamHaus clocked in at 300 billion bits per second and is the largest publicly announced DDoS attack in the history of the Internet.

“The 300Gbps is what was reportedly seen by a tier-1 telco provider and not by the content delivery provider who was hosting SpamHaus’s site. The attackers against SpamHaus moved their attack to several Internet Exchange Points (IXPs) in a bid to suffocate the upstream bandwidth of SpamHaus’s hosting provider.

The various Tier-1 providers involved were able to re-route traffic around the congestion and also filter out the attack before reaching SpamHaus’s site,” Ellis further explained.

 
Collateral damage
General Internet users ‘suffered’ as a result of the DDoS attack, but Ellis noted, “No one has any vested interest in truly taking down the Internet, nor prolonged disruption of service in its entirety. Localised and targeted attacks, even from foreign states, are typically the objective of DDoS.
 
“Malaysian users accessing local sites should experience no disruption to service, however they ‘may’ experience some performance issues if accessing sites that are serviced by network providers who are being attacked.”
 
Preventative measures
An original design goal of the Internet was for it to be robust, fault tolerant and distributed.

Ellis pointed out, “Despite its resilience to date, in the face of major but localised incidents such as the 2007 Taiwan earthquake, 9/11, and Hurricane Katrina, there are some concerns about the future of the Internet’s resilience.”

He suggested that the areas that need attention are:
 
1. Improving Border Gateway Protocol (BGP) security and stability;
2. Improving the efficiency of the loose coupling between networks;
3. Improving traffic engineering during a ‘major’ crisis; and
4. Addressing the problem of open DNS resolvers on the Internet.
 
“It is clear to most IT professionals that the Internet was never designed with security and its performance as high priorities, but then again nor did its designers expect that it would grow into a global platform with over 2.7 billion users,” said Ellis.

What has happened is that the IT industry has had to apply band-aid solutions to fix many of the design limitations of the Internet. As a result, “Even new more secure and better designed parts of the internet (for want of better words) have to co-exist with the less than ideal implementations.”
 
Tips for enterprises
What can enterprises do in the face of DDoS attacks like the one on SpamHaus?

Ellis opined, “Preventing volumetric DDoS attacks such as this, especially those that are designed to ‘look’ like or are in fact legitimate traffic (just high volume), is virtually impossible for most if not all enterprises at the data centre or even the local ISP level.”

Instead, Ellis proposed protection at the edge of the Internet by leveraging a cloud security solution, which he described as “a solution that is able to distribute their service or service entry point across the Internet.”

“For an enterprise looking to protect itself, it needs to assess their approach and strategy at three levels – data centre, geographically and service-wise.

“How can the enterprise ensure that their data centre is resilient to DDoS attacks? Especially attacks at the application level – these attacks may not even impact network bandwidth, yet exploit vulnerabilities in the application or database services within the technology stack,” said Ellis.

For geographical resilience, the enterprise has to take into account the multiple service providers servicing its primary data centre. If a regional attack like the one on SpamHaus occurs, what is the strategy and approach to business continuity?

From the service resilience point of view, enterprises have to think about how to protect their underlying critical infrastructure and application services such as DNS.

“DNS is an often overlooked service, yet as seen in the SpamHaus attack, DNS is often an after-thought for many organisations and they do not have sufficient geographical and capacity resilience.

“Furthermore, what is the strategy for providing resilience to the services provided by third parties or even hosted by third parties such as a cloud provider (irrespective of whether they are an IaaS, PaaS or SaaS cloud provider)?” Ellis concluded with that open question.
