Pulling the Rug Out on DDoS Carpet Bombers

Network attacks driven by traffic, such as DDoS, have long been classified by a capacity threshold or baseline limit. When traffic surpasses that limit, an alarm is triggered to indicate an attack. Internet service providers now face a more stealthy type of DDoS attack known as the “carpet bomb,” which flies below the baseline to escape detection. Fortunately, new forms of defense based on scalable contextual awareness can spot these attacks and render them harmless.

At one time, carpet bomb attacks were seen merely as a nuisance (if they were even noticed at all). And since network providers relied on DDoS protection that could only extend specialized protection to a handful of customers, this defense was only offered to the largest enterprise clients. Baseline detection worked pretty well for very large surge attacks on these single endpoints, meaning that attack traffic could be routed to racks of mitigation hardware for scrubbing.

The scale of today’s attacks has grown, employing not only captured PC botnets, but also botnets built from IoT devices and cloud services. With today’s larger, multivector carpet bomb attacks, tens of thousands of customers can be noticeably affected, even though no single endpoint goes down. For instance, they might only get SD-quality video streaming instead of HD.

This doesn’t sound disastrous until you take into account the low tolerance that discerning viewers have for poor-quality video streaming. They don’t care why they’ve been receiving SD-quality video for the last half hour; they just want it to improve—now! Many of these customers are in danger of silently churning.

The ability of carpet bombing to confuse detection is also being used by attackers as a form of smokescreen to hide an attack against a single target. They can deploy slow and low attacks that gently increase the tolerance of baseline alerting solutions by incrementally injecting traffic across the entire network—eventually causing congestion and poor quality of experience for the user. Additionally, big surge defenses are designed to deal with tens of endpoints, not thousands. So, the network prioritizes the protection of the dozen or so large enterprises that have been extended specialty DDoS protection while the other tens of thousands fall victim to the attack.

When it comes to carpet bombs, the baseline method of detection is not the way to go. A new layer of defense is needed to deal with these kinds of attacks.

The latest approach to network protection uses scalable, contextual awareness to spot attacks, instead of relying solely on baselines. This multidimensional technology uses readily available public data to understand what is happening at any moment across the global internet. It connects to other systems to get service-related data from the network, including performance information, Syslog output and security events derived from sFlow. It then correlates this information with DNS data and IP addresses.

This allows the network operator to see how traffic travels to and through the network. It sees beyond the IP address to immediately identify the difference between YouTube traffic and Amazon traffic, for instance. And then it identifies the servers, IoT devices, endpoints and service chains to which they are connected, making it possible to pinpoint service issues or identify DDoS traffic in real time.

This real-time, end-to-end intelligence understands what normal network behavior looks like and identifies incorrect traffic signatures, making it possible to spot anomalies. One example is an amplification attack that exaggerates traffic flows and produces incorrect traffic ratios, such as too many SYN-ACK flows relative to the number of SYN flows across the network. Identifying abnormal traffic signatures instead of simply relying on baselines results in a more accurate and holistic line of defense. With this deep knowledge of traffic across the network, it is now possible to filter the majority of the offending traffic more cost-effectively at the network edge, using the operator’s existing router infrastructure instead of sending all of this traffic to specialized hardware.
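To make the ratio idea concrete, here is an added example (not code from the article or from Nokia Deepfield) that runs two checks over constructed flow summaries: a legacy per-endpoint baseline alarm and a network-wide check that aggregates by /24 prefix and compares inbound SYN-ACK volume to outbound SYN volume. The record layout, thresholds and addresses are assumptions chosen for illustration; the carpet bomb spreads small amounts of reflected SYN-ACK traffic over many hosts so that no single host trips the baseline.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow summaries (not real data): (direction, customer address, TCP flags,
# packet count). "in" = toward the customer network, "out" = from it.
HOST_BASELINE = 1000       # per-endpoint packets/interval needed to trip a legacy alarm
PREFIX_MIN_PACKETS = 5000  # aggregate volume before a prefix is even considered
RATIO_LIMIT = 3.0          # inbound SYN-ACK per outbound SYN above which we flag

def constructed_flows():
    flows = []
    # Normal customers: a few outbound SYNs, roughly one inbound SYN-ACK for each.
    for i in range(1, 51):
        flows.append(("out", f"198.51.100.{i}", "S", 20))
        flows.append(("in", f"198.51.100.{i}", "SA", 19))
    # Carpet bomb: 50 hosts in one /24 each receive 200 unsolicited (reflected) SYN-ACKs,
    # far below the per-host baseline, but 10,000 packets in aggregate.
    for i in range(1, 51):
        flows.append(("out", f"203.0.113.{i}", "S", 5))
        flows.append(("in", f"203.0.113.{i}", "SA", 200))
    return flows

def baseline_alarms(flows, limit=HOST_BASELINE):
    """Legacy check: alarm only when a single endpoint exceeds the packet threshold."""
    per_host = defaultdict(int)
    for _, host, _, pkts in flows:
        per_host[host] += pkts
    return sorted(h for h, n in per_host.items() if n > limit)

def ratio_alarms(flows, prefixlen=24, min_packets=PREFIX_MIN_PACKETS, limit=RATIO_LIMIT):
    """Network-wide check: aggregate per prefix and flag a skewed SYN-ACK:SYN ratio."""
    syn_out, synack_in = defaultdict(int), defaultdict(int)
    for direction, host, flags, pkts in flows:
        prefix = str(ip_network(f"{host}/{prefixlen}", strict=False))
        if direction == "out" and flags == "S":
            syn_out[prefix] += pkts
        elif direction == "in" and flags == "SA":
            synack_in[prefix] += pkts
    alarms = {}
    for prefix, acks in synack_in.items():
        total = acks + syn_out[prefix]
        ratio = acks / max(syn_out[prefix], 1)  # avoid division by zero for silent prefixes
        if total >= min_packets and ratio > limit:
            alarms[prefix] = round(ratio, 1)
    return alarms

if __name__ == "__main__":
    flows = constructed_flows()
    print("baseline alarms:", baseline_alarms(flows))   # [] : every host stays under 1000
    print("ratio alarms:", ratio_alarms(flows))         # {'203.0.113.0/24': 40.0}
```

The per-host baseline sees nothing because each victim receives only about 200 packets, while the prefix-level ratio check flags the /24 whose inbound SYN-ACKs outnumber its outbound SYNs forty to one.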

This approach has a number of advantages beyond carpet bombs. As we know, DDoS solutions were built to protect just tens of large enterprise customers from DDoS attacks. However, since they can only stretch this protection to a small number of customers, only the largest enterprises receive company-specific DDoS protection. This leaves hundreds of thousands of small and medium enterprises with rudimentary protection—despite their willingness to pay for better security.

Traditional DDoS defenses are also incredibly difficult to configure because they require highly skilled security operators to set up and administer, further limiting the number of customers any one company can maintain. Additionally, legacy solutions are simply blind to new threats because they lack networkwide detection and multidimensional insight.

On the other hand, multidimensional techniques are self-learning and can be highly automated, so specialists are not required and the operator’s SOC can administer the system. And it scales to protect every endpoint and infrastructure across the network so that security services can be extended past dozens of customers to the other million.

Building a multilayer defense strategy starts with better intelligence and contextual understanding of what is happening across the network. This knowledge enables the IP routing infrastructure to handle the first layer of defense. The second layer, traditional scrubbing centers, is then freed up to face the larger, more complex surge attacks when they strike. And, as it turns out, pulling the rug out from under the carpet bombers gives the operator a better, more affordable defensive system that serves all its customers, not just the few.

Luke Carmichael


Luke Carmichael is Chief Architect at Nokia Deepfield. Luke’s expertise in real-time analytics, machine learning, and scalable information architecture is being applied to build products that solve the networking industry’s most complex problems in security, performance, and management.
