To my mind, volumetric DDoS attacks are similar in nature to floods. I regularly term the systems put in place to deal with them “flood defences”, to differentiate them from the systems used to defeat more sophisticated application-layer DDoS attacks. Dealing with floods is often a raw numbers game: if you expect big floods, you need big flood defences.
Next year marks the 35th anniversary of the opening of the Thames Barrier. I was born and raised in East London and the barrier is close to my heart. The Barrier was designed by Charles Draper after the terrible North Sea floods in the 1950s. It is half a kilometre long, five storeys high when closed and each of the main gates weighs over 3,300 tonnes. It has a projected “total protection” lifespan of fifty years (1982-2030) and could still be helping to mitigate floods in Central and West London to 2070 and beyond – depending on changes in sea level and climate. Despite its raw scale, it is a real thing of beauty. As a solution to flooding on a busy waterway – it is both striking and elegant.
Its operations go largely unremarked upon by the population or visitors to London – but it has been used nearly 180 times in its lifespan – quietly saving lives and money. The lack of celebrity is not surprising though, given its location east of London’s main tourist areas and lack of public access (there are monthly talks you can go to if you are so inclined, but you need to book).
Apart from the Internet itself, it could very well be my favourite piece of engineering.
The importance of DDoS flood testing
The state of Internet defences against volumetric DDoS attacks we are seeing today is not so serene. The largest attacks are growing in scale – volumetric attacks over 600 Gbps have been seen this year.
(See Brian Krebs’s article on the Democratization of Censorship.) At that scale, the bottleneck is not necessarily the scrubbing centres that strip out the harmful traffic, but the peering points – the major road junctions at the heart of the Internet: if the links feeding a scrubbing centre are saturated, legitimate and hostile packets are dropped together before anything can be cleaned. It’s easy to stop a flood – but doing so without making the river totally unnavigable is more difficult.
It won’t just be the target that suffers: every Internet user whose traffic has to traverse those congested peering points will feel the effects.
The number of devices recruited into botnets (the weapon used to launch DDoS attacks) is rocketing. The Internet of Things (IoT) may promise a connected world of devices that record TV for you, CCTV cameras that watch you, creepy talking/learning toys for your kids and kitchen appliances that order food; but at the moment all it seems to be creating is hundreds of thousands of devices plugged into public networks with poor security baked in by uncaring device manufacturers.
Tools designed to recruit these IoT devices into botnets have recently been released into the public domain. The Mirai trojan automatically recruits devices plugged into the public network that still accept factory-default username and password pairs (its scanner works through a short, hard-coded list of them) or that carry unpatched security vulnerabilities. The tool’s author boasts the ability to build botnets numbering 300,000 compromised devices. (See the article Mirai DDoS Trojan behind KrebsOnSecurity attack; code made public by author.) As fast as compromised devices are shut down, new ones are plugged into the network and recruited.
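As an added illustration (not code from the original post, and not Mirai’s own code), here is a small Python detector that looks for the credential-dictionary pattern described above in honeypot-style telnet logs. It flags source addresses that walk through several distinct default pairs (the scanning signature) and any login that actually succeeds with a default pair (a device that is recruitable, or already recruited). The log lines and their `src=/user=/pass=/result=` format are constructed for the example, and `DEFAULT_CREDS` is a short illustrative subset of the kind of factory-default pairs the Mirai scanner tries, not a complete list.

```python
import re
from collections import defaultdict

# Assumption: an illustrative subset of factory-default telnet credentials of
# the kind the Mirai scanner tries. A real deployment would use a fuller list.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("support", "support"), ("admin", "password"), ("root", "root"),
    ("user", "user"), ("root", "12345"), ("admin", "1234"),
}

# Assumed (constructed) log format: "<ts> <proc> src=<ip> user=<u> pass=<p> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+src=(?P<src>\S+)\s+user=(?P<user>\S*)"
    r"\s+pass=(?P<pw>\S*)\s+result=(?P<result>ok|fail)$"
)

# Constructed sample log: one Mirai-style dictionary scan that eventually
# succeeds, one legitimate admin using a non-default password, one stray
# single default attempt, and one malformed line. Addresses are RFC 5737.
SAMPLE_LOG = """\
2016-10-03T10:21:07Z telnetd src=203.0.113.7 user=root pass=xc3511 result=fail
2016-10-03T10:21:08Z telnetd src=203.0.113.7 user=root pass=vizxv result=fail
2016-10-03T10:21:09Z telnetd src=203.0.113.7 user=admin pass=admin result=fail
2016-10-03T10:21:10Z telnetd src=203.0.113.7 user=support pass=support result=ok
2016-10-03T10:25:41Z telnetd src=198.51.100.22 user=root pass=Tr0ub4dor&3 result=fail
2016-10-03T10:25:44Z telnetd src=198.51.100.22 user=root pass=correct-horse result=ok
2016-10-03T10:30:02Z telnetd src=192.0.2.9 user=admin pass=admin result=fail
this line is not in the expected format
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, scan_threshold=3):
    """Summarise default-credential activity in an iterable of log lines.

    scanners:       sources that tried at least scan_threshold *distinct*
                    default pairs (a legitimate admin mistyping a password
                    does not walk through a dictionary of factory defaults).
    default_logins: (src, user, pass) for every successful login that used a
                    default pair, i.e. a device that is open to recruitment.
    unparsed:       number of lines that did not match the expected format,
                    so silent log-format drift is visible rather than hidden.
    """
    attempts = defaultdict(set)   # src -> set of distinct default pairs tried
    default_logins = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        pair = (rec["user"], rec["pw"])
        if pair not in DEFAULT_CREDS:
            continue              # ordinary (non-default) credential, ignore
        attempts[rec["src"]].add(pair)
        if rec["result"] == "ok":
            default_logins.append((rec["src"], rec["user"], rec["pw"]))
    scanners = sorted(src for src, pairs in attempts.items()
                      if len(pairs) >= scan_threshold)
    return {"scanners": scanners, "default_logins": default_logins,
            "unparsed": unparsed}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for src in report["scanners"]:
        print(f"dictionary scan from {src}")
    for src, user, pw in report["default_logins"]:
        print(f"default credentials accepted from {src}: {user}/{pw}")
    print(f"{report['unparsed']} unparsed line(s)")
```

Run on the constructed sample, the script reports 203.0.113.7 as a scanner (four distinct default pairs) and its `support/support` success as an accepted default login, while the administrator at 198.51.100.22 is left alone. The practical point is the second list: a device that answers `ok` to a factory-default pair is exactly what Mirai is looking for, and should be reset or taken off the public network regardless of whether a scan has reached it yet.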
Data published by Cisco projects that connected devices will grow from 4.9bn (2015) to 12.2bn by 2020, and that half of those will be IoT devices. Unless the industry can convince every global manufacturer to adopt stronger security practices, the public Internet will become an environment where tools to create floods on a massive scale are at the disposal of anyone with the inclination to use them.
Industry standards bodies and governments (e.g. the European Union) are starting to try to agree some kind of security standard for Internet-connected devices to curb the problem (see the article Commission plans cybersecurity rules for Internet-connected machines), but like combating climate change, this looks like a long journey started too late.
As Billy Joel sang in 1989, “There’s a storm front coming.” The floods are rising and our defence engineering has to continue to improve to prevent damage.
So in the face of increasingly stormy conditions and surging tides, how effective is your company’s DDoS flood barrier? Will it continue quietly protecting your online assets until 2030 without further investment in scale or flood testing? The DDoS flood record books are being rewritten each year and we cannot afford to stand still.