2014: The Year of DDoS?
Late last year, NTP attacks began to rise, and earlier this week the infamous Spamhaus DDoS record was broken. Whereas the Spamhaus attack was based on DNS amplification, the attack on an as-yet-unnamed CloudFlare customer used NTP amplification.
Bitcoin Recently Sustained a Massive DDoS Attack
Earlier this week, the Japanese Bitcoin exchange Mt Gox was hit by a “massive DDoS attack” after disputes about flaws in their systems. The Bitcoin exchange rate has plummeted and exchanges have halted payouts as they are out of sync with the Bitcoin network.
The trend here is obvious: DDoS attacks are mostly very crude, and they are effective at taking a victim off the grid. Launching attacks is getting easier as well; a technically unskilled user can, for example, launch a DNS reflection attack.
To mitigate DDoS effectively, the first line of defense has to take care of the intense, crude, volumetric component with high-performance networking hardware. But beware: more sophisticated application-layer (L7) attacks are also on the rise, and these require compute-intensive Deep Packet Inspection (DPI). Classic security solutions such as firewalls, IPS and so on are not effective at mitigating DDoS traffic at scale, due to their stateful nature. In fact, the security infrastructure is often the intended target: if the fuses of the network are blown, you no longer care about the intended service behind it.
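The state-exhaustion argument above, as an added example that is not from the original post: a simplified Python model comparing a stateful device with a stateless per-packet filter under a flood of reflected NTP replies. The traffic is constructed, and the table size, the absence of timeouts and the allocate-before-policy behaviour are assumptions.

```python
# Added illustration: constructed traffic and assumed device parameters throughout.
TABLE_CAPACITY = 1000   # assumed flow-table size of the stateful device
NTP_PORT = 123

def constructed_traffic(reflectors=5000, clients=50):
    """Constructed (src, proto, sport, dport) packets: the flood first, then clients."""
    flood = [(f"reflector-{i}", "udp", NTP_PORT, 40000 + i % 1000)
             for i in range(reflectors)]
    legit = [(f"client-{i}", "tcp", 50000 + i, 443) for i in range(clients)]
    return flood + legit

def stateful_device(packets, capacity=TABLE_CAPACITY):
    """Assumed model: a flow entry is allocated for every new flow before policy
    is evaluated, and no entry times out during the attack window."""
    table, passed = set(), 0
    for pkt in packets:
        if pkt not in table:
            if len(table) >= capacity:
                continue        # table exhausted: new flows are dropped, good or bad
            table.add(pkt)
        if pkt[1] == "tcp" and pkt[3] == 443:   # policy: only HTTPS is let through
            passed += 1
    return {"passed": passed, "state_entries": len(table)}

def stateless_filter(packets):
    """Per-packet rule that keeps no memory: drop UDP from source port 123."""
    passed = 0
    for src, proto, sport, dport in packets:
        if proto == "udp" and sport == NTP_PORT:
            continue            # reflected NTP reply, dropped without any lookup
        if proto == "tcp" and dport == 443:
            passed += 1
    return {"passed": passed, "state_entries": 0}

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("stateful :", stateful_device(traffic))
    print("stateless:", stateless_filter(traffic))
```

The port-123 rule is a simplification: it would also drop replies to the network's own NTP queries unless those are exempted.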
Is your network ready for the next DDoS attack?