DDOS — a Problem Bigger Than You Can Ever Be
January 17, 2010 by Greg Ferro · 1 Comment
I was just reading this report from Arbor Networks which has some really valuable data on the size of DDOS attacks on the Internet.
Data Source
If you don’t know, Arbor Networks makes a DDOS appliance that is used by many of the carriers to detect and mitigate DDOS attacks at very large scale. Many of the appliances installed send information back to Arbor as part of a distributed analysis service. Because of information, apparently “obtained from ~100 ISP’s” they have a very good view on a widely distributed problem.
Main Points
Here are the scary bits.
That said, to the data… There were 350,367 discrete anomalies reported within the 12-month study period, with 20,280 (~5.8%) of these exceeding 1 Gbps.
and
With just over 20k attacks larger than 1 Gbps in 2009, we collected a registered incident of 1 Gbps or larger roughly every 26 minutes throughout the year, and received a reportable attack every ~90 seconds. Furthermore, we observed a registered 10 Gbps or larger attack roughly every 190 minutes (just over 3 hours).
Observations
Many people think that because they learned about Denial of Service in CCSP training that they have the tools to fix a DDOS attack. A bit of TCP SYN flood protection, some “threat detection” on the Cisco ASA or maybe using an IPS module isn’t going to be enough when someone can flood your entire Internet connection. Even if you can afford a 1 Gigabit connection, the Arbor report clearly shows that an attacker can easily exceed that bandwidth, and you will be down and all your prevention will be for nothing.
Evaluating Risk
To generate that much traffic means that someone has a strong desire to attack. This would require a bot net and not just a single Internet connection and require a reasonable amount of intent and organisation.
On the other hand, smaller DDOS attacks can be equally effective. A TCP SYN flood to a single address which takes your email server down for a couple of days is still effective even though it might use less than 500 Kbps of bandwidth.
As an example of evaluating your security risks before solving the problem this is a classic security dilemma. Do you put in expensive firewalls and DDOS defences, or upgrade your bandwidth. Remember that upgrading your bandwidth will also improve the response time of your Internet connection because the reduced serialisation delay between 100Mbits and 1000Mbits (or even 10Gbps) has a real impact on user performance.
If you go for adding the expensive DDOS appliances, and the DDOS attack overruns your bandwidth, you look stupid. If you go for more bandwidth but skip the expensive DDOS gear, you could get taken out by a reasonably small DDOS event. 
No winners.
Wrap Up
So the DDOS problem is many faceted. It can be bigger than any bandwidth than you can reasonably buy, it can be small enough to take down your servers if you don’t buy the right tools. A lose/lose situation.
Take these comforting closing words from the Arbor report:
To that point, I suspect it would be safe to assume that the probability of an effectively-sized attack targeting a given Internet property today is higher than the probability of a fire that affects that enterprises Internet availability and online presence (something I’ll look to qualify) – whilst from a business continuity perspective the latter is quite likely what the enterprise values most in today’s ‘connected’ world.
“Hey Boss, how much money do we spend on fire prevention ?”
Please rate this post:
Why Rate Posts?
(2 votes, average: 7.00 out of 10)
Loading ...Probably Related Posts on the Same Topic
TCP SYN Cookies — DDoS Defence
A TCP SYN Cookie is typically used in DDoS engines and load balancers to create another level of protocol security for Denial of Service attacks. Lets take a quick dive through the technology. …
Read the full articleInteresting Switch Designs for Data Centre Racks From Juniper
I was reviewing the Juniper Virtual Chassis Technology and there are some very interesting designs possible with their specific stacking technology.
Read the full articleNotes on Cisco Catalyst 6500 Architecture. (Or What Does 720 in Supervisor 720 Mean ?)
What does the ‘720’ in the Supervisor 720 stand for ? Or, what do you need to know about Cisco C6500 switch architecture.
Read the full articleWhy Use Two Routing Processes in a Firewall ?
In a recent post on Two OSPF Processes on an ASA firewall Christian asked why you would want to do this. Here is one case of a design that needs secure routing :
Read the full article
There are a couple of points to consider when thinking about DDoS protection:
- How likely is your on-line business to get attacked due to its nature (i.e. online gambling and financial sites have much more to lose if their online presence is affected than say “Joe Blow’s Tyres and Shocks”). Often DDoS attacks come with a ransom demand.
- What can your Internet provider or providers do for you (apart from yanking your prefixes from their BGP tables)? Many providers have Arbor infrastructure and can offer DDoS protection services to their downstream clients. Yes, an individual Internet SP can also be drowned, but they also have capability to coordinate their attack mitigation activities with their own upstream providers, which makes the chances of success much better.
Yes, I do realize that even Arbor isn’t a silver bullet when it comes to DDoS attacks in all their approaches and varieties, but a well thought-out strategy (rather than “we’ll buy boxes and all will be fine” approach) can make you sleep a little bit better at night.