The recent Dyn attack – which is, in fact, the largest to date – brings to light the blunt force of distributed denial of service (DDoS) attacks. These attacks are relentlessly persistent. The worst of them are those that continue for days, as the resulting disruption could affect service for days or even weeks.
The attacker must use many hosts in order to sustain an attack for a lengthy period. If it all came from a single data centre, the attack would quickly be stopped by the data centre operator, more than likely within a day. Considering how many home networks participated in the Dyn attack, it is no wonder such an attack is almost impossible to shut down. Thirty thousand systems each sending 10 Mbps of attack traffic add up to 300 Gbps of attack traffic. Many small trickles come in from many directions, becoming a massive flood once they reach the target.
The most effective course of action would be for people to keep their home systems clean and up to date on patches. Scrubbing at the target site is a tried-and-true technique, but it’s a matter of capacity: scrubbing 300 Gbps of attack traffic takes some serious muscle. Stopping a DDoS attack near its many sources is much better, and this is a matter of being a good Internet neighbour. And this is where the true opportunity lies.
By deploying smaller-scale scrubbing technology at the edges of the Internet, closer to office buildings, and closer to home users, most DDoS attacks can be mitigated before they even make it out of the neighbourhood. This is especially true for ISPs and providers that operate sub-10 Gbps links to dozens or hundreds of end customers.
More often than not, the owners of the attacking hosts are not aware of their participation in a distributed attack, but their traffic patterns are clearly visible to their Internet provider or small enterprise security teams. By cleaning egress traffic before sending it upstream, you are not only a good Internet neighbour, you can also save substantial peering costs over the years. Just as it is good common sense to drop any packet with a non-local source address, it is equally good sense to scrub malformed packets that have no business on the Internet. No blunt instruments are needed at the source end: just snip out the few bad packets and let the majority through.
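The egress check described above, sketched as an added example that is not part of the original article: it drops outbound IPv4 packets whose source address is not in the edge's own prefixes, then drops a few malformed cases. The prefixes, the helper names and the choice of what counts as "malformed" (bad header lengths, TCP with no flags, SYN+FIN, SYN+RST) are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumed customer-facing prefixes (documentation ranges, constructed for this example).
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]

def egress_verdict(packet: bytes, local=LOCAL_PREFIXES) -> str:
    """Return 'forward' or 'drop:<reason>' for one outbound IPv4 packet (no link-layer framing)."""
    if len(packet) < 20:
        return "drop:truncated"
    ver_ihl, _tos, total_len, _ident, frag = struct.unpack("!BBHHH", packet[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet):
        return "drop:bad-header"
    if total_len < ihl or total_len > len(packet):
        return "drop:bad-length"
    # Source-address check: only addresses assigned to this edge may leave it.
    src = ipaddress.ip_address(packet[12:16])
    if not any(src in net for net in local):
        return "drop:non-local-source"
    # TCP sanity check on unfragmented packets and first fragments only.
    if packet[9] == 6 and frag & 0x1FFF == 0:
        if total_len < ihl + 20:
            return "drop:truncated-tcp"
        flags = packet[ihl + 13] & 0x3F
        syn, fin, rst = flags & 0x02, flags & 0x01, flags & 0x04
        if flags == 0 or (syn and fin) or (syn and rst):
            return "drop:bad-tcp-flags"
    return "forward"

def make_packet(src: str, dst: str, tcp_flags: int) -> bytes:
    """Build a constructed IPv4+TCP test packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp

def summarize(packets) -> dict:
    """Count verdicts so the share of dropped traffic is visible at a glance."""
    counts = {}
    for pkt in packets:
        verdict = egress_verdict(pkt)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    sample = [make_packet("192.0.2.10", "203.0.113.5", 0x02),   # local host, SYN
              make_packet("10.9.8.7", "203.0.113.5", 0x02),     # non-local source
              make_packet("192.0.2.10", "203.0.113.5", 0x03)]   # SYN+FIN
    print(summarize(sample))
```

In a real deployment the same rules would live in the router or firewall data path; the value of the sketch is showing that each rule removes a narrow class of packets while ordinary traffic passes untouched.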
The sooner we realise that DDoS is a common problem, the sooner we can all play a role in minimising it. Big sites will surely always need special protection, but as individuals we can do our best to scrub off a couple of Mbps or Gbps of outgoing traffic, helping to block the trickles that could become a flood.