Last year – 2016 – was one for the history books. Memorable for reasons beyond wild politics, it also turned out to be a banner year for volumetric internet attacks, also known as distributed denial of service (DDoS). Indeed, the threat landscape saw a major zombie apocalypse in the fourth quarter with the release of Mirai and its legions of Internet of Things (IoT)-based bots walking onto the world stage. After a moderate start to the DDoS season, September saw the internet's first volumetric attack breakout north of 600 Gbps. That attack, aimed squarely at KrebsOnSecurity, topped out at a stratospheric 620 Gbps! Within hours of the Krebs attack a week-long onslaught of OVH's network began and before it would finish, we would see the first terabit (1 Tbps) attack among a multitude of 500 to 750 Gbps attacks on their network. The "real" whopper came in October – another Mirai-based attack hit Dyn (DNS) on the 21st day of the month. This attack was so big (1.2 Tbps) it essentially took the entire Eastern Seaboard offline – or at least a huge chunk of it, to be sure.

What did these attacks have in common and why are we still talking about them? These attacks were all delivered by IoT botnets like Mirai (and its infectious friends), and we are still talking about them because such botnets are both cheap and easy to create and because of their massive scale. For example, 100,000-bot IoT cannons are priced around $7,500. Unfortunately, it does not take a basement-dwelling, black-hatted genius to stand up a botnet. To quote Marcus Hutchins, the security expert who stopped the recent WannaCry outbreak: "Now any idiot and their dog can set up a Mirai botnet."

This is a big issue and it is not going away. In fact, with Persirai now adding at least another 150,000 bots to the pool, be assured the problem is only getting bigger.

Why old mitigation strategies don’t work

This multifaceted problem starts with device manufacturers with little incentive to harden their devices; it trails on to the blissfully ignorant masses buying said devices; it passes through a tight-knit group of Tier-1 networks with very large capacities; and then it lands squarely on the shoulders of those downstream providers and enterprises who actually have to deal with it. While industry has stepped up to address the challenge, a significant piece of the puzzle is disturbingly absent from the discussion, though it is fundamental to mitigation strategies – defending against Massive Localization.

The belligerence footprint now spans such a broad and homogeneous field that traditional strategies aimed at multiple external point sources are failing to mitigate these threats. The proximal volume of vulnerable IoT devices has changed the mechanics of volumetric attack mitigation. Critically, the number of zombified devices within proximity of targeted networks/sites/services has grown to such an extent that localized attack fronts are able to restrict access to their targets. Networks built on routing protocols such as BGP (essentially the entire internet) do not inherently deal well with the kind of traffic manipulation these attacks inflict upon their targets. For example, BGP won't pull a route until it loses access to the AS advertising the victim's network, and the victim's AS won't pull the route until the network itself is unavailable, and so it goes. Thus, black-holing the victim (remotely triggered black hole, or RTBH) is STILL the common mitigation method, which is essentially a Viking funeral for the victim's site/services – and that sucks. Just ask Dyn. Enterprises are at even greater risk, facing a double whammy, because botnets are conjoined with compromised or malicious parties inside the enterprise's perimeter.

State-of-the-art solutions are not designed to effectively deal with this new paradigm. The Krebs attack was large enough that Akamai was ultimately compelled to blackhole the traffic to maintain delivery for their other anti-DDoS service customers. This attack involved well over 150,000 IoT bots. Importantly, this attack demonstrated traditional monolithic scrubbing center shortcomings. A short time later the ~1 Tbps attacks hammered OVH over in Europe. It was followed up with the attacks on Dyn, one of the largest anycast DNS providers on the planet. This attack dramatically demonstrated fundamental weaknesses in traditional routing-based anycast methods against the local field effects of regional IoT botnets. The methods used to combat DDoS attacks today fall roughly into products, services, and prayers – otherwise known as appliance-based, service-based, and faith-based. Let’s eliminate the faith-based approach right out of the gate; we all know that hope isn’t a battle plan.

Head in the clouds

Mitigation services (those requiring no onsite hardware, i.e. capex) are either always-on or on-demand (redirection) services. The primary difference is cost and time to mitigation. If latency is a big deal for you (e.g. retail or gaming) then approach this method with caution. While outsourcing the hardware is convenient (and that is ultimately what you are doing with a service), you can expect 50 to 250 milliseconds of induced latency and every 100 ms kills 1 percent of site-wide retail revenue. Always-on services obviously respond faster, the tradeoff being the aforementioned latency, all the time. CDN-based always-on services can eliminate the lion's share of the performance hit, though large distributed mitigation systems using traditional monolithic intrusion protection stacks are not cheap to deploy or maintain, as reflected in the cost of these solutions.

Where the rubber meets the road

Appliance-based mitigation comes in so many flavors and sizes, it is challenging to list them all. The main rack and stack solutions involve some combination of exposure/detection, collection/analysis, determination/identification/signature/behavior-expectation, promulgation of mitigation requirements, and enforcement. There are other ways to describe the continuum of actions but the bottom line is: detect, determine, detonate. And no method gives you more control over how to make this happen than when you are in the driver's seat with your own hardware.

Distributed volumetric DDoS mitigation is the modern method of achieving DDoS protection seamlessly and economically while enabling scale out and up expansion to deal with IoT bots. Its origins are in the software defined networking (SDN) world where control and data/forwarding are bifurcated duties. DDoS mitigation may just be the ideal application for this method because it allows discrete tools to be highly optimized for their functions, no more, no less. DDoS mitigation works exceedingly well with software-based or virtualized compute resources providing analysis and identification along with SIEM solutions, while leveraging streamlined hardware to provide highly performant line-rate enforcement of those decisions. This best-of-both-worlds approach provides economies of scale and allows an operator to apply OpEx and CapEx in a very effective manner, where it is actually needed.
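The detect/determine/enforce split described above, as an added example (not the author's or Corsa's code): a software control plane aggregates flow records by source /24, selects the prefixes to drop, and reports what still reaches the victim, in contrast to destination black-holing, which delivers nothing. The flow records, thresholds, and function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (source IP, destination IP, bits per second).
FLOWS = [
    ("198.51.100.10", "203.0.113.5", 40_000_000),
    ("198.51.100.77", "203.0.113.5", 35_000_000),
    ("198.51.100.200", "203.0.113.5", 45_000_000),
    ("192.0.2.14", "203.0.113.5", 2_000_000),    # legitimate client
    ("192.0.2.99", "203.0.113.5", 1_500_000),    # legitimate client
    ("198.51.100.10", "203.0.113.9", 500_000),   # different destination
]
VICTIM = "203.0.113.5"
LINK_CAPACITY_BPS = 100_000_000     # assumed victim uplink capacity
PER_PREFIX_LIMIT_BPS = 20_000_000   # assumed per-source-prefix policy limit

def prefix_of(ip, length=24):
    """Map a source address to its covering prefix (localized bots cluster here)."""
    return str(ipaddress.ip_network(f"{ip}/{length}", strict=False))

def detect(flows, victim, capacity_bps):
    """Detect: does inbound volume toward the victim exceed its link capacity?"""
    total = sum(bps for _, dst, bps in flows if dst == victim)
    return total > capacity_bps, total

def determine(flows, victim, limit_bps):
    """Determine: source prefixes whose aggregate rate to the victim exceeds the limit."""
    per_prefix = defaultdict(int)
    for src, dst, bps in flows:
        if dst == victim:
            per_prefix[prefix_of(src)] += bps
    return sorted(p for p, bps in per_prefix.items() if bps > limit_bps)

def enforce(flows, victim, blocked):
    """Enforce: rate still delivered to the victim once the data plane drops
    the blocked source prefixes. Destination black-holing would deliver 0."""
    return sum(bps for src, dst, bps in flows
               if dst == victim and prefix_of(src) not in blocked)

if __name__ == "__main__":
    under_attack, total = detect(FLOWS, VICTIM, LINK_CAPACITY_BPS)
    blocked = determine(FLOWS, VICTIM, PER_PREFIX_LIMIT_BPS) if under_attack else []
    print("inbound bps:", total, "drop rules:", blocked)
    print("delivered after source filtering:", enforce(FLOWS, VICTIM, blocked))
```

In a real deployment the drop list would be pushed to line-rate enforcement hardware; blocking a whole /24 also drops any legitimate clients inside it, so the prefix length is a policy choice.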

Wrapping it up

The localized nature of IoT attack sources with respect to the attack target only compounds the IoT issue. This is changing the dynamic of how network operators and security teams can protect their network infrastructure. We cannot be certain when large attacks will occur, but we are certain their leverage, impact, and cost will be historic in volume. Vigilance is necessary for network operators to stay ahead of the bad guys working to exploit the continuously expanding IoT footprint.

Unlike the bad guys who need only succeed once to wreak havoc, those responsible for mitigation need to win 100 percent of the time. To defend against massively localized IoT, distributed volumetric DDoS mitigation stands up to the task. It’s a shift in the status quo of scrubbing to deal with a rapidly changing connected world.


Carolyn Raab is VP of Product Management at Corsa, a networking and infrastructure security company.