Extra armor needed to defend against DDoS attacks
Distributed denial of service (DDoS) attacks are getting stronger, and more frequent: that’s the message from two significant recent pieces of research. First, Kaspersky Labs’ DDoS Intelligence Report, covering the first quarter of 2016, reported a nearly fourfold increase in the maximum strength of DDoS attacks globally, compared with Q4 2015.
Next, the Neustar DDoS Attacks and Prevention Report, based on a survey of 1,000 IT professionals worldwide, found that 73% of respondents reported DDoS attacks in 2015, with 82% suffering repeated attacks. Over half of the organizations surveyed reported data thefts after an attack – meaning that the denial of service outage was a diversion tactic that made IT teams look the other way, while the attackers went after their real target. But this doesn’t take away from the fact that DDoS attacks are damaging enough on their own. The report found that half of organizations would lose $100,000 per hour or more if their systems were disabled by a peak-time attack, and 33% would lose more than a quarter of a million dollars every hour.
Both reports also expect DDoS attacks to continue to increase in frequency and intensity, as a result of ever-growing numbers of infected devices forming botnet armies, and the trend for DDoS-as-a-service, which enables criminals to rent botnets flexibly, by the hour.
What can you do to protect your business against attacks, to mitigate the risks of service outages, lost revenues and follow-on attacks? An excellent starting point is to test your systems and services to see how they would hold up during an attack. We recently blogged about a range of new capabilities in Ixia’s BreakingPoint Solutions which enable organizations to do exactly this, so they can emulate DDoS attacks at scale, and then take steps to mitigate their impact so they are better prepared for the real thing.
Putting on ThreatARMOR
There are also practical measures organizations can take to add an additional layer of armor to corporate networks. This could protect you from DDoS attacks originating from known bad IP addresses or geo-locations. The technique involves blocking the known bad or suspicious IP addresses – not URLs, which are a blunt instrument, but the precise, unique IP addresses – that are known to originate attacks or host malware.
Based on regularly updated threat intelligence, a purpose-built IP threat intelligence gateway such as Ixia’s ThreatARMOR ensures that traffic from known malicious IP addresses is blocked before it can reach the enterprise network. To give an example, 26% of global web application attacks originate from the BRIC countries. 18% of all DDoS attacks come from Chinese IP addresses; and Russia, Ukraine, Pakistan, China, and Turkey are five of the top ten botnet command and control countries. If an organization has no business relationships in these or other countries, why support connections from IP addresses there? Simply filtering those addresses at network speeds dramatically reduces the likelihood of being the victim of a DDoS attack from those countries, or of inadvertently downloading malware such as APTs and bots. It also stops infected internal devices from communicating with known botnet C&C servers – further boosting security.
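As an added illustration (this is not Ixia’s or ThreatARMOR’s code), the following Python sketch models the two filtering decisions the paragraphs above describe: inbound connections are dropped when the source address is on a threat-intelligence feed or belongs to a geo-location the organization has no business with, and outbound connections are dropped when an internal host tries to reach a known botnet C&C address. The feed entries, country codes and flows are all constructed sample data; the addresses come from the RFC 5737 documentation ranges, and the country codes are placeholders.

```python
"""IP-reputation gateway sketch (added example, not ThreatARMOR code)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed threat-intelligence feed: CIDR -> category.
# RFC 5737 documentation ranges only; these are not real attacker addresses.
THREAT_FEED = {
    "203.0.113.0/24": "ddos-source",
    "198.51.100.7/32": "botnet-c2",
    "192.0.2.128/25": "malware-host",
}

# Constructed stand-in for a GeoIP database: CIDR -> country code (placeholders).
GEO_FEED = {
    "198.51.100.0/24": "XX",
    "203.0.113.0/24": "YY",
    "192.0.2.0/24": "ZZ",
}

# Countries the organization has no business relationship with.
BLOCKED_COUNTRIES = {"XX"}


class PrefixTable:
    """CIDR lookup bucketed by prefix length.

    A lookup tries at most one hash probe per distinct prefix length
    instead of scanning every feed entry, which is what keeps filtering
    fast as the feed grows. Longest prefix wins, so a /32 beats a /24.
    """

    def __init__(self, entries):
        self._buckets = defaultdict(dict)  # (version, prefixlen) -> {net int: label}
        for cidr, label in entries.items():
            net = ipaddress.ip_network(cidr, strict=False)
            self._buckets[(net.version, net.prefixlen)][int(net.network_address)] = label
        self._keys = sorted(self._buckets, key=lambda k: k[1], reverse=True)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        bits, value = addr.max_prefixlen, int(addr)
        for version, plen in self._keys:
            if version != addr.version:
                continue
            mask = ((1 << plen) - 1) << (bits - plen)
            label = self._buckets[(version, plen)].get(value & mask)
            if label is not None:
                return label
        return None


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" (from the internet) or "out" (to the internet)
    src: str
    dst: str


@dataclass(frozen=True)
class Decision:
    flow: Flow
    action: str  # "allow" or "drop"
    reason: str


class IpThreatGateway:
    def __init__(self, threat_feed, geo_feed, blocked_countries):
        self.threats = PrefixTable(threat_feed)
        self.geo = PrefixTable(geo_feed)
        self.blocked_countries = set(blocked_countries)

    def decide(self, flow):
        if flow.direction == "in":
            # Inbound: the remote party is the source address.
            label = self.threats.lookup(flow.src)
            if label:
                return Decision(flow, "drop", f"source on threat feed: {label}")
            country = self.geo.lookup(flow.src)
            if country in self.blocked_countries:
                return Decision(flow, "drop", f"source geo-blocked: {country}")
        else:
            # Outbound: the remote party is the destination; this catches an
            # infected internal host calling home to a known C&C server.
            label = self.threats.lookup(flow.dst)
            if label:
                return Decision(flow, "drop", f"destination on threat feed: {label}")
        return Decision(flow, "allow", "no match")


# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("in", "203.0.113.45", "10.0.0.5"),    # source in a DDoS-source range
    Flow("in", "198.51.100.200", "10.0.0.5"),  # source in a geo-blocked country
    Flow("in", "192.0.2.130", "10.0.0.5"),     # source in a malware-host /25
    Flow("in", "192.0.2.10", "10.0.0.5"),      # clean inbound
    Flow("out", "10.0.0.23", "198.51.100.7"),  # internal host -> C&C address
    Flow("out", "10.0.0.23", "192.0.2.1"),     # clean outbound
]


def filter_flows(gateway, flows):
    """Return (decisions, number dropped) for a batch of flows."""
    decisions = [gateway.decide(f) for f in flows]
    return decisions, sum(1 for d in decisions if d.action == "drop")


if __name__ == "__main__":
    gw = IpThreatGateway(THREAT_FEED, GEO_FEED, BLOCKED_COUNTRIES)
    for d in filter_flows(gw, SAMPLE_FLOWS)[0]:
        print(f"{d.action:5} {d.flow.direction:3} {d.flow.src} -> {d.flow.dst}  ({d.reason})")
```

The per-prefix-length buckets are the part worth noting: a feed with tens of thousands of entries still costs only a handful of hash probes per packet, which is the property an inline gateway needs to filter at network speeds rather than becoming a bottleneck itself.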
This has the further benefit of enabling organizations’ existing security infrastructure, and their IT teams, to function more efficiently. A typical enterprise receives around 17,000 malware alerts per week, and spends $1.27 million annually tracking down false positive alerts. By filtering out known bad IP addresses, the number of alerts and false positives can be cut by 30% or more. It frees up the resources of IT teams, reduces the load on existing security solutions such as next-generation firewalls, antivirus, sandboxes and DLP, and boosts the ability to identify and respond to targeted attacks.
Find out more ways you can mitigate DDoS attacks in your own lab with this quick guide.