Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



08:00 AM
Naim Falandino
Naim Falandino
Naim Falandino

DDoS Today: No Safety Inside the Perimeter

For years, protecting the perimeter was believed to be the safest way to guard against DDoS. However, the cloud, IoT and new botnets have changed that thinking. Here's how CISOs and security pros should respond.

In the last 18 months, we have seen numerous DDoS attacks on Internet providers, hospitals, national transport links, communication companies and political movements. In addition, recent reports have also revealed new, more powerful botnets are being assembled that pose an even greater threat.

With millions of networks now compromised, we need to review our decades-old approach to DDoS security where we only monitor the network for threats from outside the security perimeter.

This is no longer effective as threats from inside the network are just as serious.

Over the last year, we have seen a number of DDoS attacks from a new botnet program called Mirai. In the much-reported 2016 Dyn attack, the Internet DNS provider was brought down and services were disrupted for millions of users for multiple hours. Since then, Mirai has been used as the basis for a number of other attacks -- all of them notable for their use of Internet of things (IoT) devices such as baby monitors, routers, cameras and digital video recorders.

In October, Check Point Research and Qihoo 360 both announced a new threat which may be an outgrowth of Mirai, but is more sophisticated in its ability to hack devices. At that time, this new botnet -- referred to as IoTroop or Reaper -- had reportedly spread to over 1 million networks. Though updated reports confirmed the number is closer to 28,000, the potential magnitude of the new threat remains high. Again, household IoT devices have been targeted.

However, this botnet has made "improvements" upon Mirai's malware so the compromised IoT devices are capable of spreading the infection themselves.

So far, no known attack has been carried out using the Reaper botnet. But it is growing quickly and poses a serious potential threat. As Checkpoint noted: "Research suggests we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come."

Defending against Reaper-style attacks
This calm before the storm is a good time to review our defense strategies to see if we are truly ready for Reaper, or even more sophisticated botnets of the future.

The traditional thinking around DDoS attacks can be characterized as the "Maginot Line" approach -- stemming from the famous WWII failed defensive perimeter set up by France, which the German army simply drove around. In following this approach, a strong defensive perimeter is built that is designed to guard against attacks from outside the network.

However, this strategy assumes threats come from outside, not inside, where they can be equally damaging.

The design of the Mirai malware and Reaper botnets reveals the weakness of the Maginot Line approach.

Reaper is currently infecting IoT devices, but its controller has yet to activate them. Those devices are also busy propagating the infection to other devices on their own networks. With so many networks already compromised, there is no "outside" or "inside" to the next attack. IoT devices throughout an internal network may now be compromised by Reaper, and can be turned against the network at any time.

Antiquated perimeter defense strategies are only the tip of the iceberg when it comes to the shortcomings of legacy DDoS approaches. Designed decades ago, DDoS solutions were primarily intended to pick up traffic from one, or in some cases, a few attack vectors.

These defenses would then redirect all traffic from those vectors to scrubbers -- or purpose-built mitigation machines that would clean all the traffic.

Today's attacks come from millions of vectors at once.

Each IoT device alone is not capable of sending large amounts of traffic, but millions of them can cause significant damage.

For instance, the Mirai botnet is known to be creating massive sleeper armies by infecting potentially millions of subscriber IoT devices and personal computers with 2G uplinks. These "zombie" devices can then be called to action at any time resulting in subscribers attacking their own network. Such an internal attack, combined with traffic from hijacked multi-gigabit cloud servers, creates a one-two punch that can quickly bring a network to its knees.

Finally, sending large volumes of infected traffic to scrubbers is a kind of brute force approach that is prone to false negatives which can result in uninfected traffic being unnecessarily processed. Additionally, the legacy dedicated hardware used to identify attacks isn't capable of keeping up with today's multi-vector outbreaks, even when they are strictly external.

A more intelligent approach
Software-based, multi-dimensional analytics are a new approach to DDoS defense that use a more elegant and faster method to attack detection. Combining real-time network telemetry with advanced network analytics and other data, such as DNS and BGP -- among others -- provides the ability to see down to the source of attack traffic in real time.

Multi-dimensional analytics provide visibility into everything from IoT devices to cloud applications and services -- determining which is friend or foe. Analytics can also be paired with big data approaches to traffic modeling that compare a potential event to past attack profiles, which enables them to avoid false negatives by being more precise about what degree of variability from "normal" is acceptable.

To block the zombie personal computers, IoT devices or cloud servers that are carrying out the attack, the network operator can use simple, effective filters at the peering edge of the network.

Every vector of the attack can be identified, pinpointing the endpoints and allowing for surgically precise mitigation. The offending traffic doesn't have to be sent to scrubbers as it is simply blocked at the edge. The ability to identify the endpoints of the attack in real time also means that as the attackers attempt to play cat and mouse with network security operations, the rapidly changing attack vectors can be identified and counteracted.

Sophisticated DDoS attacks such as Reaper will continue to test the limits of today's defense strategies by preying upon the mass proliferation of inexpensive IoT devices and insecure cloud services, especially those less than 10GB.

What remains is an increasingly complex environment where distinctions, such as outside and inside the network, have little relevance. The best defense are new approaches to detection and mitigation that work for attacks from any vector. As the world waits for the next "cyber hurricane" to erupt, network operators have the opportunity to adopt a software-based, multi-dimensional analytics approach to protect themselves from this new generation of DDoS attacks.

Related posts:

— Naim Falandino is the chief scientist for Nokia Deepfield.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Another COVID-19 Side Effect: Rising Nation-State Cyber Activity
Stephen Ward, VP, ThreatConnect,  7/1/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.
PUBLISHED: 2020-07-07
A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user su...