Scissors Beats Rock – Small Scrubbers Can Rid the Internet of DDoS

Distributed denial of service (DDoS) attacks are blunt instruments, but effective ones. A recent very large attack reminded us, in a drop-everything and deal with it kind of way, of the difficulty of handling these crude attacks. What made this particular attack special was just how persistent these attackers were: for days, they kept at it – and they say attention spans are getting shorter! The worst DDoS attacks are these lengthy ones, disrupting service for days, or even weeks on end.

To make a big sustained attack possible, the attacker must use many hosts. Imagine it all came from a single data center – the attack would quickly be stopped by the data center operator, in less than a day. And considering how many home networks participated in this attack, it is no wonder it is almost impossible to shut down. Thirty thousand systems each sending 10 Mbps of attack traffic add up to 300 Gbps of attack traffic. Many small trickles come in from many directions, becoming a massive flood once they reach the target.

Ideally, these attacks would be prevented outright by people keeping their home systems clean and up-to-date on patches. Maybe they’ll floss more, too. Scrubbing at the target site is a tried-and-true technique, but it’s a matter of capacity: scrubbing 300 Gbps of attack traffic takes some serious muscle. Stopping a DDoS attack near its many sources is better, and is a matter of being a good Internet neighbor. And this is where the true opportunity lies.

By deploying smaller-scale scrubbing technology at the edges of the Internet, closer to office buildings and closer to home users, most DDoS attacks can be mitigated before they even make it out of the neighborhood. This is especially true for ISPs and providers that operate sub-10 Gbps links to dozens or hundreds of end customers.

Often the owners of the participating hosts don’t even know they are taking part in a distributed attack, but their traffic patterns are clearly visible to their Internet provider or small enterprise security teams. By cleaning egress traffic before sending it upstream, you are not only a good Internet neighbor, you can also save substantial peering costs over the years. Just as it is good common sense to drop any packet with a non-local source address, it is equally good sense to scrub malformed packets that have no business on the Internet. No blunt instruments are needed at the source end: just snip out the few bad packets and let the majority through.
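As an added illustration of the two edge-side checks described above (not code from FlowTraq or A10), the following scrubber takes per-second egress flow summaries, drops anything whose source address is not in the prefixes the edge actually serves, and holds back any local host whose outgoing rate exceeds a per-host limit (the 10 Mbps figure from the example above). The prefixes, flow records and threshold are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Customer prefixes served by this edge router (constructed for the example).
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed one-second egress flow summaries: (source, destination, bytes sent).
SAMPLE_FLOWS = [
    ("203.0.113.10", "192.0.2.80", 200_000),    # 1.6 Mbps, ordinary traffic
    ("203.0.113.77", "192.0.2.80", 1_500_000),  # 12 Mbps toward one target
    ("10.9.8.7",     "192.0.2.80", 900_000),    # source not ours: spoofed, drop it
    ("198.51.100.5", "192.0.2.53", 50_000),     # 0.4 Mbps, ordinary traffic
    ("203.0.113.77", "192.0.2.80", 1_250_000),  # same host, still flooding
]


def is_local_source(src, prefixes=LOCAL_PREFIXES):
    """Source address validation: only addresses we route may leave via this edge."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def scrub_egress(flows, prefixes=LOCAL_PREFIXES, window_s=1.0, mbps_limit=10.0):
    """Return (forwarded, spoofed, flagged).

    forwarded: flows allowed upstream
    spoofed:   flows dropped because the source address is not local
    flagged:   {source: Mbps} for local hosts above the per-host egress limit
    """
    spoofed = [f for f in flows if not is_local_source(f[0], prefixes)]
    local = [f for f in flows if is_local_source(f[0], prefixes)]

    # Aggregate each local host's egress rate over the window.
    bits_per_src = defaultdict(int)
    for src, _dst, nbytes in local:
        bits_per_src[src] += nbytes * 8
    flagged = {src: bits / window_s / 1e6
               for src, bits in bits_per_src.items()
               if bits / window_s / 1e6 > mbps_limit}

    # Hold back the few hot hosts; the majority passes through untouched.
    forwarded = [f for f in local if f[0] not in flagged]
    return forwarded, spoofed, flagged
```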

The big sites and the big links will always need special protection, but we must recognize that DDoS is a common problem we all face, and we all play a role in minimizing it. If everyone is prepared to scrub a couple Mbps or Gbps of outgoing traffic, then nobody has to scrub hundreds of Gbps of incoming traffic: turn off the trickles, and we turn off the flood.

FlowTraq is working with A10 Networks to offer solutions to our customers that mitigate against DDoS attacks.

For more on surviving DDoS attacks, check out A10’s complimentary white paper, “The DDoS Factor: Costs, Facts & Insight into 2017’s Most Advanced Cyberattack Vector.” And for information about how A10 Thunder TPS can detect and mitigate DDoS attacks against your organization, please contact one of our cyber security experts.


October 24, 2016

About Dr. Vincent Berk

Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. Vince's defense research projects on network behavioral anomaly detection, internet security, monitoring and forensics ultimately led to the development and commercialization of FlowTraq, and its predecessor InterMapper Flows, which is deployed in thousands of government, university and private sector customer sites. He is a member of the ACM and the IEEE. He holds a Ph.D. in Computer Science from Leiden University. He is also a frequent contributor to InformationWeek's Dark Reading publication.