When it comes to mitigating distributed denial of service (DDoS) attacks, security professionals have long been concerned about the growing volume and frequency of such incidents.
According to Kevin Whalen, senior director: corporate and marketing communications at NETSCOUT Arbor, which specialises in advanced DDoS protection solutions, thousands of attacks are reportedly underway across the world at any given time, and large institutions have had to steel their defences against what is for many a daily event.
Whalen reports that, in the recently released NETSCOUT Threat Landscape Report, researchers observed that the frequency of attacks had actually declined between 2017 and 2018. However, this is offset by another significant trend: attacks are multiplying in size, often far exceeding what many service providers consider a safe defensive capacity. According to NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT), the maximum size of DDoS attacks increased 174 percent in the first half of 2018 over the same period in 2017.
In February this year, DDoS entered the terabit era.
Bryan Hamman, territory manager for sub-Saharan Africa at NETSCOUT Arbor, says, “As has been previously reported, the largest attack ever witnessed, at 1.7 Tbps, struck a large North American service provider, GitHub, in February 2018. Fortunately, the customer’s well-designed architecture and their incident response preparedness, combined with their multi-layered NETSCOUT Arbor DDoS solution, meant that they were able to successfully defend against the attack with no downtime. However, this act shows us that defences designed to counteract incidents in the 300 Gbps range are no longer adequate. Even an infrastructure with a one terabit defensive capacity is at risk.”
According to Whalen, this record-breaking attack is an example of the Memcached-based strikes that have arisen over the last year, so identified because they exploit vulnerabilities in memory caching servers used to accelerate data access for websites. A well-known cache engine, Memcached is free, open-source software frequently deployed in cloud service infrastructures and enterprise networks with the effect of increasing bandwidth.
The actors behind the February attack uncovered a design flaw in the Memcached software package that enabled them to take advantage of large amounts of service-provider bandwidth to build and launch an attack of unprecedented scale.
NETSCOUT Arbor advised that, based on publicly available information on Memcached installations worldwide, at the end of February 2018 there were around 50,000 unsecured Memcached installations on the Internet that could be used as DDoS reflectors. (Reflection denial-of-service attacks use potentially legitimate third-party components to send the attack traffic to a victim, ultimately hiding the attacker’s own identity.) In the weeks following the large attacks, this number dropped very quickly to 20,000 and then gradually declined further to around 3,500 installations. Data from the ATLAS Intelligence Feed from NETSCOUT Arbor on Memcached attacks showed that, by and large, the attack frequency has remained flat since March this year.
“The trend toward larger incidents once again reinforces the case for a hybrid or layered defence posture that combines on-premise and cloud mitigation capabilities. Such a hybrid defence position is NETSCOUT Arbor’s consistent best-practice advice. Everyday compromises are still relatively small and can usually be detected and mitigated with an on-premise solution.
“However, the rise of the terabit attack means it’s essential to have a cloud-based component with the capacity to mitigate attacks of such size. Cloud-based defences can be instantly activated when the on-premise component detects an attack of significant magnitude. The terabit-sized DDoS outbreak has arrived, and it will re-surface again in the future. The threat is real, and we must be ready,” concludes Hamman.