Priced out - the future of DDoS?
The world’s biggest DDoS attack this week is in many ways just the most recent attack in 10-odd years of the technique, but it may be the turning point, where protecting against the biggest attacks is simply too costly for enterprises. Have the bots finally won?
When Brian Krebs’s site, KrebsOnSecurity, was knocked offline, the veteran security researcher wasn’t particularly surprised. It was yet another DDoS attack to add to the list, albeit one of the biggest the internet had seen to date, at a considerable 665 Gbps.
“The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed,” said Krebs in a blogpost the day after.
Krebs and Akamai analysed the traffic and realised that a vast amount of it was being generated by IoT devices, a considerable departure from the more common DNS reflection ‘amplification’ technique. “The biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets, a communication protocol used to establish a direct, point-to-point connection between network nodes. GRE lets two peers share data they wouldn’t be able to share over the public network itself. The source of GRE traffic can’t be spoofed or faked the same way DDoS attackers can spoof DNS traffic. Nor can junk Web-based DDoS attacks like those mentioned above. That suggests the attackers behind this record assault launched it from quite a large collection of hacked systems — possibly hundreds of thousands of systems,” explained Krebs.
This unusual tactic might have been a footnote, were it not for the follow-up: Krebs was attacked again, with such intense volumes that Akamai had to withdraw its pro bono support, as the assault was threatening other paying customers.
Akamai executives said the attack could have gone on to cost the company millions of dollars. Krebs claims he spoke to other mitigation firms, with the result that: “One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.”
The rising scale of these attacks isn’t a surprise, but their increase in complexity and sophistication is a real issue, as it forces the target to dedicate more expensive resources to mitigating them, which is of course the point. As the Krebs case demonstrates, even with Akamai on your side the costs creep up until caving in becomes a business decision based on simple economics.
In Krebs’s case, Google stepped in with its Project Shield umbrella, which is specifically designed to protect small content websites such as his from being silenced by DDoS attackers. Very laudable indeed, but this altruism won’t necessarily be on hand to save your enterprise from similar attacks, such as the one that hit French hosting provider OVH just hours later. That was an even larger DDoS attack, also conducted by a botnet made up of compromised IP cameras and DVRs, according to OVH founder Octave Klaba in the tweet below, and it now stands as the biggest DDoS attack in history.
“This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn.”
— Octave Klaba / Oles (@olesovhcom) September 23, 2016
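As an added example that is not part of the original article, the Python sketch below shows how a defender looking at flow records might tell the traffic shape Krebs describes (GRE from a very large number of real, unspoofable hosts at a few Mbps each) and the tcp/ack, tcp/ack+psh and tcp/syn floods in Klaba’s tweet apart from a DNS reflection attack (few sources, very high per-source rate, UDP from port 53). The flow records are constructed, and the window, threshold, reflector ports and addresses are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

WINDOW_S = 10              # analysis window in seconds (assumption)
VOLUMETRIC_GBPS = 1.0      # alert threshold toward a single destination (assumption)
REFLECTOR_PORTS = {53, 123, 1900, 11211}  # UDP services commonly abused as amplifiers

@dataclass
class Flow:
    src: str; sport: int; dst: str; dport: int
    proto: int; flags: str; nbytes: int   # proto 47 = GRE, 6 = TCP, 17 = UDP

def make_flows(n_sources, mbps_per_ip, proto, sport=0, flags="", dst="203.0.113.5"):
    """Constructed records: n_sources hosts each pushing mbps_per_ip at dst for WINDOW_S."""
    nbytes = int(mbps_per_ip * 1e6 / 8 * WINDOW_S)
    return [Flow(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", sport, dst, 80,
                 proto, flags, nbytes) for i in range(n_sources)]

def profile(flows, dst):
    """Aggregate Gbps, distinct sources, per-source rate and byte share by traffic kind for dst."""
    hits = [f for f in flows if f.dst == dst]
    total = sum(f.nbytes for f in hits)
    by_kind = Counter()
    for f in hits:
        if f.proto == 47:
            kind = "gre"                                   # main component of the Krebs attack
        elif f.proto == 17 and f.sport in REFLECTOR_PORTS:
            kind = "udp_reflection"                        # classic amplification signature
        elif f.proto == 6:
            kind = "tcp_" + (f.flags or "none")            # tcp/syn, tcp/ack, tcp/ack+psh
        else:
            kind = "other"
        by_kind[kind] += f.nbytes
    srcs = {f.src for f in hits}
    bps = total * 8 / WINDOW_S
    return {"gbps": bps / 1e9, "sources": len(srcs),
            "mbps_per_src": bps / 1e6 / len(srcs) if srcs else 0.0,
            "share": {k: v / total for k, v in by_kind.items()} if total else {}}

def classify(p):
    """Label a profile: thousands of sources at a few Mbps each means real hosts, not spoofing."""
    if p["gbps"] < VOLUMETRIC_GBPS:
        return "normal"
    if p["share"].get("udp_reflection", 0) > 0.5:
        return "reflection"
    if p["share"].get("gre", 0) > 0.5:
        return "direct_botnet_gre"
    if sum(v for k, v in p["share"].items() if k.startswith("tcp_")) > 0.5:
        return "direct_botnet_tcp"
    return "volumetric_unknown"
```

Scaled to the tweet’s figures, 145607 sources at roughly 10 Mbps each is the 1.5 Tbps range Klaba reports, and no single source stands out to block.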
DDoS is a tried and tested tool, used since the 1990s by everyone from schoolkids (now using free ‘booter’ services) through to nation states potentially hunting for infrastructure weaknesses. While larger enterprises may be able to afford a price tag of $200k per annum to stay online in the face of more ingenious attacks, this is out of reach for most businesses. Maybe better DDoS mitigation is the key, maybe wider calls for ISPs to adopt anti-spoofing measures such as BCP 38, or maybe, as Ilia Kolochenko has pointed out in the past, we shouldn’t get too distracted by this noisiest of online attacks.
Even the most potent and successful of DDoS attacks only results in downtime, which, although costly for certain types of service-industry enterprise, doesn’t necessarily destroy the business overnight. However, DDoS attacks do make a perfect smokescreen for more insidious attacks on an enterprise, which can have far-reaching financial impacts once data has been stolen, or perhaps encrypted by ransomware.