Large-scale DDoS (Distributed Denial of Service) botnet attacks are on the rise. Akamai, to take one recent example, reported five attacks greater than 300 Gbps in the final few months of 2016.[1] And it is not all down to the latest cyber threat keeping the security community awake at night: large-scale botnets built from everyday Internet of Things devices. A majority of the big attacks that Akamai has seen on its network make use of older Windows/Linux malware botnet systems such as Spike (a multi-payload DDoS toolkit first observed coming out of Asia in 2014).
Given the scale of these attacks, it is not surprising that one of the questions our customers often ask us is: how big an attack should we be simulating when testing DDoS mitigation?
Although big attacks make the news, and our predictions blog for 2017 warned of the rise of the “terabit era” in DDoS, preparing for highly-scaled attacks does not necessarily mean subjecting systems to titanic floods of test traffic. The most important approach is to test against the modus operandi and tactics of real-world attacks. Real DDoS attacks feature a wide variety of traffic patterns and threat vectors, with huge variation in the footprint and live population of the botnet involved, the location of the zombie devices, and parameters such as protocol and packet size.
Max Pritchard, Pre-sales Consultant at activereach, says:
“The average DDoS attack is expected to hit 1.2Gbps this year, but we are seeing a big rise in the number of major flood attacks over 100Gbps. Fortunately, it is not always necessary to use DDoS tests of this scale. You can actually learn more about real-world detection and response using lower intensity simulations, proportionate to the size of the customer’s connection.”
DDoS Attack Simulation: Replicating Real-World DDoS Attacks
The reality is that it is fairly easy to block unsophisticated, overly aggressive attackers who rely solely on brute force. It is relatively easy to choke off a simple TCP SYN flooding attack generating, say, traffic levels ten times normal. It is a lot harder, however, to spot and block attackers who use guile and keep the traffic pattern from each individual zombie below expected norms. Against these attacks, defence systems face difficult decisions in differentiating genuine customer traffic from bot noise. This can lead to situations with a number of false positives – blocking or delaying real users – or even a failure to detect an ongoing DDoS attack at all.
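As an added illustration (not part of the original post), the following Python compares a per-source SYN threshold with an aggregate baseline check on two constructed one-second traffic samples: a single brute-force source versus twenty bots that each stay under the per-source limit. The thresholds, rates and addresses are assumptions for the example, not figures from activereach or Akamai.

```python
from collections import defaultdict

# Assumed detection policy for this illustration (not values from the post):
PER_SOURCE_LIMIT = 100    # flag any single source sending more than 100 SYN/s
BASELINE_SYN_RATE = 100   # normal aggregate SYN/s on the protected link
AGGREGATE_FACTOR = 3      # alert when the aggregate exceeds baseline x factor

# Constructed one-second samples as (src_ip, syn_packets); RFC 5737 test addresses.
LEGIT = [(f"203.0.113.{i}", 5) for i in range(1, 6)]          # five normal clients
# Brute force: one source at ten times the normal link rate.
BRUTE_FORCE_SECOND = [("198.51.100.7", 1000)] + LEGIT
# Guile: twenty bots, each well under the per-source limit.
DISTRIBUTED_SECOND = [(f"192.0.2.{i}", 60) for i in range(1, 21)] + LEGIT


def per_source_alerts(flows, limit=PER_SOURCE_LIMIT):
    """Sources whose own SYN count exceeds the per-source limit."""
    totals = defaultdict(int)
    for src, syns in flows:
        totals[src] += syns
    return sorted(src for src, n in totals.items() if n > limit)


def aggregate_syn_rate(flows):
    """Total SYN/s across all sources in the sample."""
    return sum(syns for _, syns in flows)


def evaluate(flows, baseline=BASELINE_SYN_RATE, factor=AGGREGATE_FACTOR):
    """Run both detectors and report what each one would have caught."""
    total = aggregate_syn_rate(flows)
    return {
        "aggregate_syn_rate": total,
        "aggregate_alert": total > baseline * factor,
        "per_source_alerts": per_source_alerts(flows),
    }


if __name__ == "__main__":
    for name, sample in (("brute force", BRUTE_FORCE_SECOND),
                         ("distributed low-rate", DISTRIBUTED_SECOND)):
        print(name, evaluate(sample))
```

The distributed sample raises no per-source alert at all, yet its aggregate rate is higher than the brute-force case; a mitigation test that only exercises the per-source path would never reveal that gap.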
It is also important to replicate the real-world diversity of botnet attacks. DDoS attacks often make use of geographically distributed zombie devices and employ a number of different topologies. This distribution leads to complex mixes of attack traffic with variations in parameters such as latency, which can make the attack harder to detect, especially when dealing with Layer 7 assaults.
At the other end of the scale, some DDoS attacks make use of small-scale botnets and very low bandwidths, sometimes as low as 1 Mbps. Despite their tiny size, these can still damage key networking infrastructure such as firewalls and load-balancers by carefully targeting bottlenecks and weaknesses in the way these devices try to manage traffic flows.
For all these reasons, it is important to test DDoS mitigation strategies against real-world conditions as closely as possible. This means conducting DDoS attack simulation with the largest practicable number of attack vectors and intensity levels, with accurate simulation of geographical and topological diversity. In our experience it is not enough to rely on the metrics published for DDoS mitigation equipment; real-world performance needs to be evaluated on a regular basis. Indeed, Gartner recommends quarterly testing because threat vectors alter so rapidly.[2]
activereach can help by organizing a review of an organization’s DDoS defences, looking for ‘holes’ and vulnerabilities, including those from the latest threats. Our team can help run simulations backed up by a state-of-the-art DDoS testing platform which can handle large and small scale attack tests and incorporates a comprehensive range of attack vectors, wide geographical zombie distribution, real-time control and multi-protocol monitoring. To provide diversity, we can organize simulations with attack traffic from over thirty different regional locations using over a hundred unique data centres. We can also design attack tests that examine particular areas of weakness and advise on device-specific issues, for example the differing vulnerabilities of target devices.
The bad guys are well equipped, with an array of sophisticated armaments and tools. Their ability to attack with guile and constantly change tactics means DDoS defence needs to be about much more than dealing with newsworthy, large-scale flooding attacks.
[1] Akamai, Akamai's [state of the internet] / security, Q4 2016 Report (Cambridge, MA: Akamai Technologies, Inc., February 2017).
[2] Orans, L., Master These Eight Steps to Control the Damage From DDoS Attacks (Stamford, CT: Gartner, Inc., October 2015).