What’s in a DDoS attack?
First of all, these attacks have changed a lot over time. Maybe not so much in terms of vectors, but certainly in terms of sophistication. We remember the earlier, more primitive web, and how little it took to crash a server. Things are different now – but hackers are still finding interesting ways to swarm and compromise systems.
You can characterize a modern DDoS attack in terms of its nature, and what it’s meant to disrupt. You can look at reports and see which categories of attacks are trending. Or you can talk to people who are on the front lines!
But some in the field are pursuing mitigation efforts that will make it much more difficult for hackers to carry out these kinds of attacks.
One thing that we're seeing in the security world is the rise of UDP attacks, where hackers use this layer 4 protocol because, in some ways, it's easier to abuse than TCP.
CISA is warning about the ubiquity of UDP attacks, and you can see more evidence of this trend at places like the Cloudflare blog.
In her MIT talk, Karen Sollins addresses how to go on the offense against DDoS attackers.
She starts off with an anecdotal experience where she was involved in mitigating an attack.
“The press was on my phone,” she says. “It was an exciting day.”
Mentioning a priori mitigation and the need to evaluate attacks, she also points out the scale of the problem: with hundreds of thousands of bots in powerful botnets, stopping volumetric attacks can be difficult.
“These are attacks where the traffic itself looks completely legitimate,” she says. “They’re very hard to recognize … we have, in this space, a large collection of companies that have stepped up to actually try to provide mitigation to the victims, if they can’t do it themselves. We see that there are a number of different kinds of attacks that are happening.”
See where Sollins addresses UDP attacks specifically:
“Kaspersky was reporting last year that over 50% of their traffic was UDP traffic, that (these) were UDP attacks. … So the vast majority of what they’re seeing are layer four protocol attacks. Down on the lower graph, we see Microsoft reporting the other way around, the majority of the traffic they’re seeing is TCP – UDP plays a slightly lesser role. But again, layer 4 traffic is really the vehicle for providing these attacks.”
Sollins also mentions spoofed addresses and other strategies hackers use to shield their traffic in deceptive clothing and appear legitimate.
She also wants to pass the costs of attacks on to the hackers. She explains:
“If we look at the costs that are incurred here, the attackers themselves are bearing very little of the cost; the victims, and anybody that they pay to … are, in fact, bearing the burden of the cost. So what we’re doing is trying to turn the problem upside down, what we expect is that our attackers will have to bear some of the burden, do some work, use some of their resources, in order to send traffic: if they don’t, their traffic will be dropped automatically … so what we’re doing is realigning the burden of the cost here.”
One way to do this is through proof-of-work systems, where the sender has to spend some computation before a packet is accepted; traffic that arrives without that proof is dropped.
She also addresses evaluation criteria, including the nature of the attack, the nature of the application, and the network topology.
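As an added example (not from the talk or this post), here is the kind of proof-of-work gate described above in Python: the sender must find a nonce such that SHA-256 over the packet header plus nonce has a chosen number of leading zero bits, while the receiver checks it with a single hash and drops whatever fails, so the cost lands on the sender. The header layout, the 16-bit difficulty, and the sample packets are assumptions made for the example.

```python
import hashlib
import struct

# Assumed policy: leading zero bits demanded by the receiver; each extra bit doubles sender work.
DIFFICULTY_BITS = 16

def leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def proof_digest(header: bytes, nonce: int) -> bytes:
    # The header (addresses, ports, sequence number) is bound into the hash so a proof
    # cannot be reused; a deployed scheme would also bind a receiver-issued challenge.
    return hashlib.sha256(header + struct.pack(">Q", nonce)).digest()

def mint_proof(header: bytes, difficulty: int = DIFFICULTY_BITS):
    """Sender side: brute-force a nonce. Returns (nonce, hashes_spent)."""
    nonce = 0
    while leading_zero_bits(proof_digest(header, nonce)) < difficulty:
        nonce += 1
    return nonce, nonce + 1

def verify_proof(header: bytes, nonce: int, difficulty: int = DIFFICULTY_BITS) -> bool:
    """Receiver side: one hash, whatever the sender spent."""
    return leading_zero_bits(proof_digest(header, nonce)) >= difficulty

def admit(packets, difficulty: int = DIFFICULTY_BITS):
    """Gate (header, nonce) packets: keep valid proofs, count the rest as dropped."""
    accepted, dropped = [], 0
    for header, nonce in packets:
        if verify_proof(header, nonce, difficulty):
            accepted.append(header)
        else:
            dropped += 1
    return accepted, dropped

if __name__ == "__main__":
    # Constructed sample: one honest sender that does the work, five flood sources that do not.
    honest = b"10.0.0.5:40000->10.0.0.1:53#1"
    nonce, spent = mint_proof(honest)
    flood = [(b"198.51.100.%d:1234->10.0.0.1:53#1" % i, 0) for i in range(5)]
    kept, dropped = admit([(honest, nonce)] + flood)
    print(f"sender spent {spent} hashes; accepted {len(kept)}, dropped {dropped}")
```

The asymmetry is the point: the honest sender spends on the order of 2^difficulty hashes, the receiver spends one per packet, and a flood source that skips the work gets its packets dropped before they reach the application.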
It’s important, she suggests, to run experiments.
“We run a set of experiments, we choose a set of applications that we’re going to do this over, we choose a protocol that is the attack vehicle, we choose topologies, and so forth,” she says. “And then we run a series of experiments, we run a set of experiments where nothing is going wrong, which gives us a baseline traffic, we run another set of experiments with mitigation turned on, but nothing else happening, to understand the overhead of the mitigation. We run the attack without any mitigation to understand the threat. And finally, we run it with everything turned on. And look at the difference that gives us: the efficacy of the over utilization of that.”
It’s an interesting look at cybersec in an age where this is a major issue for nearly any company!
In addition to recommendations from CISA, like stateful UDP inspection and border gateway protocol controls, think about what Sollins and her team are doing to add another dimension to the security response against DDoS attacks – after all, DDoS attacks have been a trusted method of compromising online systems practically since the birth of the Internet. They’re just more sophisticated now, and hackers are, in some cases, taking advantage of a pretty low bar.