Arbor Networks, the security division of Netscout, has marked 20 years of distributed denial-of-service (DDoS) attacks targeting the availability of Internet service provider (ISP) networks.
In September 1996, New York City’s original ISP, Panix, was hit by a SYN flood denial-of-service attack that took it offline for several days. At a time when only 20-million Americans were online, this was one of the first high profile examples of the growing importance of network and service availability. It also demonstrated how fragile Internet infrastructure was at the time.
According to an advisory from Carnergie Melon’s CERT dated 19 September1996: “There is, as yet, no generally accepted solution to this problem with the current IP protocol technology.”
The New York Times account of the attack quoted an industry expert as saying, “In principle, most of the denial-of-service attacks we see have no solution. The generic problem is basically unsolvable. It’s an open-ended problem.”
Early days of DDoS defence
It was in this environment that a research project was born at the University of Michigan focused on solving this problem. The Defense Advanced Research Projects Agency (DARPA) recognised the importance of the effort and provided a grant to continue the work. That investment has since been hailed as one of DARPA’s five most amazing technologies.
For the past 16 years, Arbor Networks has been working with the world’s leading service providers, enterprises and governments in protecting against DDoS attacks. Arbor has seen firsthand the advent of cloud computing and enterprise mobility, the evolution of global networks as well as the attacks that target them. Looking back, much has changed, and much is riding on the availability of networks today.
“Availability is the starting point for our connected world, and it raises the stakes for network operators, and those who attack them. We’ve gone from a time 20 years ago with no answers to a time today that requires DDoS solutions that were purpose-built for the scale and complexity of modern attacks,” says Eric Jackson, Arbor Networks vice president of product management.
DDoS attacks have changed: Have you?
Despite 20 years of headlines, many businesses today are still under-invested and ill-prepared to handle modern DDoS attacks. Countless wrongly believe they are not being targeted by DDoS attacks, and are in fact experiencing outages due to DDoS attacks that are being attributed to equipment failures or operational error because the companies lack DDoS visibility and defence.
Still more rely on existing infrastructure devices such as firewalls and intrusion prevention systems (IPS), or a single layer of protection from their ISP or content delivery network (CDN). In each case, these businesses are exposed and only partially protected. Firewalls and IPS are stateful devices that are often targets of DDoS attacks, while cloud-only or CDN protection does not provide adequate protection for critical business applications.
* Size: Attacks that targeted ISPs in the late 1990s were minuscule compared to the massive attacks seen today. Just last month, Arbour Cloud mitigated a 600Gbps attack, the largest the company has ever seen. The average attack size is projected to be 1.15Gbps by end of 2016, large enough to knock most businesses offline.
* Frequency: In the age of hacktivism, free tools and for-hire services, the likelihood of being targeted for a DDoS attack is greater than ever. The number of DDoS attacks has grown 2,5 times over the past three years.
* Complexity: DDoS attacks are no longer simple SYN floods but highly complex, multi-vector attacks that target connection bandwidth, applications, infrastructure (firewalls, IPS) and services simultaneously.
Best practice defence is hybrid
According to IHS Infonetics Research: “For customers, the benefits of hybrid solutions are clear: on-premises mitigation (which has recently become much more affordable for even mainstream enterprises) allows them to deal with the constant hum of volumetric attacks in lower bandwidth ranges (10G or less) at a fixed cost. Hybrid solutions also provide great protection for non-volumetric, or non-saturation attacks (like many application-layer attacks). The on-premises solutions can be integrated with the rest of their security infrastructure to provide continuous attack coverage and insight into multi-vector attacks that leverage DDoS as a single vector in a larger attack.” – DDoS Mitigation Strategues and Vendor Leadership North American Enterprise Survey.
Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks, says that acknowledging the rapid growth of cyber threats in the region and understanding the motivations behind today’s crimes are paramount to closing the cyber floodgates that first opened in 1996. Arbor has operated in Africa for more than 10 years.