2 September 2010

DDOS – A Problem Bigger Than You Can Ever Be

I was just reading this report from Arbor Networks which has some really valuable data on the size of DDOS attacks on the Internet.

Data Source

If you don’t know, Arbor Networks makes a DDOS appliance that many carriers use to detect and mitigate DDOS attacks at very large scale. Many of the installed appliances send information back to Arbor as part of a distributed analysis service. Because this information is apparently “obtained from ~100 ISP’s”, Arbor has a very good view of a widely distributed problem.

Main Points

Here are the scary bits.

That said, to the data… There were 350,367 discrete anomalies reported within the 12-month study period, with 20,280 (~5.8%) of these exceeding 1 Gbps.

and

With just over 20k attacks larger than 1 Gbps in 2009, we collected a registered incident of 1 Gbps or larger roughly every 26 minutes throughout the year, and received a reportable attack every ~90 seconds. Furthermore, we observed a registered 10 Gbps or larger attack roughly every 190 minutes (just over 3 hours).


Observations

Many people think that because they learned about Denial of Service in CCSP training they have the tools to fix a DDOS attack. A bit of TCP SYN flood protection, some “threat detection” on the Cisco ASA, or maybe an IPS module isn’t going to be enough when someone can flood your entire Internet connection. Even if you can afford a 1 Gigabit connection, the Arbor report clearly shows that an attacker can easily exceed that bandwidth; you will be down, and all your prevention will have been for nothing.

Evaluating Risk

To generate that much traffic means that someone has a strong desire to attack you. It would require a botnet rather than a single Internet connection, and a reasonable amount of intent and organisation.

On the other hand, smaller DDOS attacks can be equally effective. A TCP SYN flood to a single address which takes your email server down for a couple of days is still effective even though it might use less than 500 Kbps of bandwidth.

As an example of evaluating your security risks before solving the problem, this is a classic security dilemma. Do you put in expensive firewalls and DDOS defences, or upgrade your bandwidth? Remember that upgrading your bandwidth will also improve the response time of your Internet connection, because the reduced serialisation delay (the time taken to clock each packet onto the wire) between 100 Mbps and 1000 Mbps (or even 10 Gbps) has a real impact on user performance.

If you go for the expensive DDOS appliances and the attack overruns your bandwidth, you look stupid. If you go for more bandwidth but skip the expensive DDOS gear, you could get taken out by a reasonably small DDOS event.

No winners.
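The bandwidth-versus-appliance trade-off above can be put into numbers. The following Python model is an added example, not code from the post or from Arbor. The link speeds, the 500 kbps SYN flood and a 2 Gbps flood are the figures the post discusses; the 1024-entry listen backlog, the 63-second half-open timeout and the 20-byte per-frame wire overhead are assumptions, labelled in the code.

```python
"""Capacity model for the two DDoS regimes in the post: a volumetric flood
that exceeds the link, and a low-rate SYN flood that exhausts server state.
Added example; the constants marked 'assumed' are not from the post."""

from dataclasses import dataclass

BITS_PER_BYTE = 8
MIN_FRAME_BYTES = 64        # a bare TCP SYN fits in a minimum-size Ethernet frame
WIRE_OVERHEAD_BYTES = 20    # assumed: preamble (8) + inter-frame gap (12) per frame
MTU_FRAME_BYTES = 1500      # full-size frame used for the serialisation comparison

LINK_SATURATED = "link saturated; no on-site device can help"
SCRUBBED = "absorbed by on-site mitigation"
STATE_EXHAUSTED = "server connection state exhausted although the link has headroom"
ABSORBED = "absorbed; within link and server capacity"


def serialisation_delay_us(frame_bytes: int, link_bps: int) -> float:
    """Microseconds needed to clock one frame onto a link of the given speed."""
    return frame_bytes * BITS_PER_BYTE * 1_000_000 / link_bps


def syn_rate_from_bandwidth(attack_bps: float) -> float:
    """Minimum-size SYN frames per second that a given bit rate can carry."""
    wire_bits = (MIN_FRAME_BYTES + WIRE_OVERHEAD_BYTES) * BITS_PER_BYTE
    return attack_bps / wire_bits


def backlog_drain_rate(backlog: int, half_open_timeout_s: float) -> float:
    """SYN/s needed to keep a listen backlog permanently full: each half-open
    entry is held for about half_open_timeout_s, so the backlog frees roughly
    backlog / timeout slots per second."""
    return backlog / half_open_timeout_s


@dataclass(frozen=True)
class Defence:
    link_bps: int
    on_site_scrubbing: bool
    syn_backlog: int = 1024            # assumed listen backlog, no SYN cookies
    half_open_timeout_s: float = 63.0  # assumed: 5 SYN-ACK retransmits, ~63 s in total


def classify(attack_bps: float, d: Defence) -> str:
    """Which of the post's failure modes an attack of attack_bps triggers."""
    if attack_bps >= d.link_bps:
        return LINK_SATURATED          # bigger than the pipe: dropped upstream of you
    if d.on_site_scrubbing:
        return SCRUBBED                # fits the pipe and the appliance can filter it
    drain = backlog_drain_rate(d.syn_backlog, d.half_open_timeout_s)
    if syn_rate_from_bandwidth(attack_bps) >= drain:
        return STATE_EXHAUSTED         # small flood, but the host's backlog fills
    return ABSORBED


def scenario_matrix() -> dict:
    """The post's dilemma as a table: two attack sizes against three spending choices."""
    attacks = {"500 kbps SYN flood": 500_000, "2 Gbps flood": 2_000_000_000}
    choices = {
        "100 Mbps, no appliance": Defence(100_000_000, False),
        "1 Gbps, no appliance": Defence(1_000_000_000, False),
        "100 Mbps + appliance": Defence(100_000_000, True),
    }
    return {(a, c): classify(bps, d)
            for a, bps in attacks.items() for c, d in choices.items()}


if __name__ == "__main__":
    for link in (100_000_000, 1_000_000_000, 10_000_000_000):
        delay = serialisation_delay_us(MTU_FRAME_BYTES, link)
        print(f"{link / 1e6:>6.0f} Mbps: {delay:6.1f} us per 1500-byte frame")
    for (attack, choice), outcome in scenario_matrix().items():
        print(f"{attack:<20} vs {choice:<24} -> {outcome}")
```

The matrix has no "absorbed" cell, which is the post's point: the bandwidth upgrade moves nothing for the 500 kbps SYN flood (744 SYN/s against a backlog that frees about 16 slots per second), and the appliance moves nothing for the flood that exceeds the link. The host-side threshold assumes a backlog without SYN cookies; with SYN cookies (RFC 4987) enabled the host keeps no state for half-open connections, which pushes the small flood into the "absorbed" row but changes nothing in the volumetric case.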

Wrap Up

So the DDOS problem is many-faceted. It can be bigger than any bandwidth you can reasonably buy, or small enough to take down your servers if you don’t buy the right tools. A lose/lose situation.

Take these comforting closing words from the Arbor report:

To that point, I suspect it would be safe to assume that the probability of an effectively-sized attack targeting a given Internet property today is higher than the probability of a fire that affects that enterprise’s Internet availability and online presence (something I’ll look to qualify) – whilst from a business continuity perspective the latter is quite likely what the enterprise values most in today’s ‘connected’ world.

“Hey Boss, how much money do we spend on fire prevention ?”


About Greg Ferro
Greg is a Network and Security Architect / Designer / Engineer working freelance in the UK and worked for Resellers, DotCom's, Large Corporate's and Service Providers across a variety of products & Vendors. He prefers to work for end users, believes in the life cycle, total cost of ownership and that near enough is often good enough. He likes talking about himself in the first person to feel "royal", even when hosting the Packet Pushers Podcast on Data Networking. More about Greg at http://etherealmind.com/who-am-i/ and you can follow him on Twitter.

Comments

  1. Dmitri Kalintsev says:

    There are a couple of points to consider when thinking about DDoS protection:

    - How likely is your on-line business to get attacked due to its nature (i.e. online gambling and financial sites have much more to lose if their online presence is affected than say “Joe Blow’s Tyres and Shocks”). Often DDoS attacks come with a ransom demand.

    - What can your Internet provider or providers do for you (apart from yanking your prefixes from their BGP tables)? Many providers have Arbor infrastructure and can offer DDoS protection services to their downstream clients. Yes, an individual Internet SP can also be drowned, but they also have the capability to coordinate their attack mitigation activities with their own upstream providers, which makes the chances of success much better.

    Yes, I do realize that even Arbor isn’t a silver bullet when it comes to DDoS attacks in all their approaches and varieties, but a well thought-out strategy (rather than a “we’ll buy boxes and all will be fine” approach) can make you sleep a little bit better at night.

  2. dave says:

    It’s a case of technology being smartly used to fight a flawed technology; vendors have provided tools to deal with these threats, and I’m amazed by the seeming lack of coordination amongst service providers to mitigate DDoS.

    First we have the problem of detection. We should be looking to detect the attack at the lower levels (I don’t think it’s necessarily the SP’s job to do this); I believe that the lower-end gateways should be equipped to detect attacks.

    Secondly we have to define how to deal with the incident. If you announce an address range (to the point that it’s injected into a routing protocol for announcement into the global routing table), then you have the capability to announce a filter for that address range using something like BGP flowspec.

    And finally, service providers need to provide the flowspec-like functionality in their networks (which can be done many ways).
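A minimal version of the detect-then-filter sequence dave describes, added here as an editorial example and not part of his comment: it scans constructed flow records for a destination whose inbound traffic is dominated by SYN-only packets and builds the match components a flow-specification (RFC 5575) rule would carry. The flow records, the thresholds and the action label are assumptions; nothing here encodes or announces BGP NLRI.

```python
"""Spot a SYN-flood target in flow records and derive flow-specification
match components for it. Added example; the records below are constructed,
not real telemetry, and the thresholds are assumptions for this sample."""

from collections import defaultdict
from ipaddress import ip_network

SYN, ACK = 0x02, 0x10   # standard TCP flag bits

# Constructed flow records: (src_ip, dst_ip, ip_proto, dst_port, tcp_flags, packets)
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", 6, 25, SYN, 4200),
    ("198.51.100.9", "192.0.2.10", 6, 25, SYN, 3900),
    ("203.0.113.4", "192.0.2.10", 6, 25, SYN, 4100),
    ("198.51.100.1", "192.0.2.10", 6, 25, 0x18, 300),    # PSH+ACK: real mail traffic
    ("203.0.113.88", "192.0.2.20", 6, 443, SYN, 120),    # normal handshake opens
    ("203.0.113.89", "192.0.2.20", 6, 443, 0x18, 9000),  # established web traffic
    ("203.0.113.90", "192.0.2.30", 17, 53, 0, 800),      # UDP DNS, no TCP flags
]


def is_syn_only(flags: int) -> bool:
    """SYN set without ACK: a connection-open attempt rather than a reply."""
    return bool(flags & SYN) and not flags & ACK


def syn_stats(flows) -> dict:
    """Per destination: SYN-only packets, total packets, SYN-only packets per port."""
    stats = {}
    for _src, dst, proto, dport, flags, pkts in flows:
        s = stats.setdefault(dst, {"syn": 0, "total": 0, "by_port": defaultdict(int)})
        s["total"] += pkts
        if proto == 6 and is_syn_only(flags):
            s["syn"] += pkts
            s["by_port"][dport] += pkts
    return stats


def find_syn_flood_targets(flows, min_syn_packets=5000, min_syn_share=0.8):
    """Destinations whose SYN-only traffic is both large in absolute terms and
    dominant as a share of everything they receive. Returned as
    (dst, busiest_port, syn_packets, syn_share), largest first."""
    hits = []
    for dst, s in syn_stats(flows).items():
        share = s["syn"] / s["total"] if s["total"] else 0.0
        if s["syn"] >= min_syn_packets and share >= min_syn_share:
            port = max(s["by_port"], key=s["by_port"].get)
            hits.append((dst, port, s["syn"], round(share, 3)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def flowspec_components(dst_ip: str, dst_port: int) -> dict:
    """Match components named after the RFC 5575 flow-specification types.
    The action value is an illustrative label, not an encoded extended community."""
    return {
        "destination-prefix": str(ip_network(f"{dst_ip}/32")),
        "ip-protocol": 6,
        "destination-port": dst_port,
        "tcp-flags": {"match": "SYN", "not": "ACK"},
        "action": "traffic-rate, agreed with the upstream provider",
    }


def proposed_rules(flows) -> list:
    """One rule per detected target, ready to hand to whoever announces flowspec."""
    return [flowspec_components(dst, port)
            for dst, port, _syn, _share in find_syn_flood_targets(flows)]


if __name__ == "__main__":
    for hit in find_syn_flood_targets(SAMPLE_FLOWS):
        print("target:", hit)
    for rule in proposed_rules(SAMPLE_FLOWS):
        print("rule:", rule)
```

On the constructed sample, 192.0.2.10 receives 12,200 SYN-only packets out of 12,500 (a 97.6% share), while the web server's 120 handshakes against 9,000 established packets stay well under the threshold. The rule narrows the filter to SYN-only packets for port 25 on the one /32, so legitimate established mail sessions are untouched; in RFC 5575 the rate-limit is the traffic-rate extended community, where a rate of zero discards, and, as dave's comment says, the announcement itself is the provider's job.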

  3. Mike Moore says:

    There aren’t only expensive DDoS appliances out there. We’re using a cheap software solution to mitigate 10G DDoS attacks, and we’re using our own Linux servers for it. You can search for WANGuard to see more about it. If the DDOS attack is too powerful to be mitigated then we can blackhole the attacked IP through BGP.
