In the last 18 months, we have seen numerous DDoS attacks on Internet providers, hospitals, national transport links, communication companies and political movements. In addition, recent reports have also revealed new, more powerful botnets are being assembled that pose an even greater threat.
With millions of networks now compromised, we need to review our decades-old approach to DDoS security where we only monitor the network for threats from outside the security perimeter.
This is no longer effective as threats from inside the network are just as serious.
Over the last year, we have seen a number of DDoS attacks from a new botnet program called Mirai. In the much-reported 2016 Dyn attack, the Internet DNS provider was brought down and services were disrupted for millions of users for multiple hours. Since then, Mirai has been used as the basis for a number of other attacks -- all of them notable for their use of Internet of things (IoT) devices such as baby monitors, routers, cameras and digital video recorders.
In October, Check Point Research and Qihoo 360 both announced a new threat which may be an outgrowth of Mirai, but is more sophisticated in its ability to hack devices. At that time, this new botnet -- referred to as IoTroop or Reaper -- had reportedly spread to over 1 million networks. Though updated reports confirmed the number is closer to 28,000, the potential magnitude of the new threat remains high. Again, household IoT devices have been targeted.
However, this botnet has made "improvements" upon Mirai's malware so the compromised IoT devices are capable of spreading the infection themselves.
So far, no known attack has been carried out using the Reaper botnet. But it is growing quickly and poses a serious potential threat. As Checkpoint noted: "Research suggests we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come."
Defending against Reaper-style attacks
This calm before the storm is a good time to review our defense strategies to see if we are truly ready for Reaper, or even more sophisticated botnets of the future.
The traditional thinking around DDoS attacks can be characterized as the "Maginot Line" approach -- stemming from the famous WWII failed defensive perimeter set up by France, which the German army simply drove around. In following this approach, a strong defensive perimeter is built that is designed to guard against attacks from outside the network.
However, this strategy assumes threats come from outside, not inside, where they can be equally damaging.
The design of the Mirai malware and Reaper botnets reveals the weakness of the Maginot Line approach.
Reaper is currently infecting IoT devices, but its controller has yet to activate them. Those devices are also busy propagating the infection to other devices on their own networks. With so many networks already compromised, there is no "outside" or "inside" to the next attack. IoT devices throughout an internal network may now be compromised by Reaper, and can be turned against the network at any time.
Antiquated perimeter defense strategies are only the tip of the iceberg when it comes to the shortcomings of legacy DDoS approaches. Designed decades ago, DDoS solutions were primarily intended to pick up traffic from one, or in some cases, a few attack vectors.
These defenses would then redirect all traffic from those vectors to scrubbers -- or purpose-built mitigation machines that would clean all the traffic.
Today's attacks come from millions of vectors at once.
Each IoT device alone is not capable of sending large amounts of traffic, but millions of them can cause significant damage.
For instance, the Mirai botnet is known to be creating massive sleeper armies by infecting potentially millions of subscriber IoT devices and personal computers with 2G uplinks. These "zombie" devices can then be called to action at any time resulting in subscribers attacking their own network. Such an internal attack, combined with traffic from hijacked multi-gigabit cloud servers, creates a one-two punch that can quickly bring a network to its knees.
Finally, sending large volumes of infected traffic to scrubbers is a kind of brute force approach that is prone to false negatives which can result in uninfected traffic being unnecessarily processed. Additionally, the legacy dedicated hardware used to identify attacks isn't capable of keeping up with today's multi-vector outbreaks, even when they are strictly external.
A more intelligent approach
Software-based, multi-dimensional analytics are a new approach to DDoS defense that use a more elegant and faster method to attack detection. Combining real-time network telemetry with advanced network analytics and other data, such as DNS and BGP -- among others -- provides the ability to see down to the source of attack traffic in real time.
Multi-dimensional analytics provide visibility into everything from IoT devices to cloud applications and services -- determining which is friend or foe. Analytics can also be paired with big data approaches to traffic modeling that compare a potential event to past attack profiles, which enables them to avoid false negatives by being more precise about what degree of variability from "normal" is acceptable.
To block the zombie personal computers, IoT devices or cloud servers that are carrying out the attack, the network operator can use simple, effective filters at the peering edge of the network.
Every vector of the attack can be identified, pinpointing the endpoints and allowing for surgically precise mitigation. The offending traffic doesn't have to be sent to scrubbers as it is simply blocked at the edge. The ability to identify the endpoints of the attack in real time also means that as the attackers attempt to play cat and mouse with network security operations, the rapidly changing attack vectors can be identified and counteracted.
Sophisticated DDoS attacks such as Reaper will continue to test the limits of today's defense strategies by preying upon the mass proliferation of inexpensive IoT devices and insecure cloud services, especially those less than 10GB.
What remains is an increasingly complex environment where distinctions, such as outside and inside the network, have little relevance. The best defense are new approaches to detection and mitigation that work for attacks from any vector. As the world waits for the next "cyber hurricane" to erupt, network operators have the opportunity to adopt a software-based, multi-dimensional analytics approach to protect themselves from this new generation of DDoS attacks.
— Naim Falandino is the chief scientist for Nokia Deepfield.