The Future of DDoS Protection - Simulation Not Resilience!

This blog was originally published by MazeBolt here.

Written by Yotam Alon, MazeBolt.

Existing DDoS Protection Shortcomings

As the word 'Resilient,' indicates, DDoS mitigation solutions do not prepare for attacks ahead of time, they adapt to and recover from DDoS attacks, after they have been hit. Most enterprises trust their DDoS protection in the hands of DDoS mitigation vendors who offer resilient DDoS mitigation solutions but these resilient DDoS solutions do not have a way to detect DDoS vulnerabilities before the network is attacked. They act after the attack comes in and then they `resiliently` mitigate attacks – meaning organizations get hit, go down, but later recover. Depending on the mitigation solution’s capabilities, SLAs signed and so forth, the resiliency is determined, that is, how long it takes for services to be restored. This number can be anywhere in the range of 30 seconds, up to a few days.

The inherent shortcomings in mitigation solutions are apparent and can be seen in the DDoS attacks that continue to cause severe damage to businesses worldwide. In May 2021 a large-scale DDoS attack was the cause of several sections of Belgium’s internet going down. Several organizations in Belgium, including the government and parliament, were affected by this DDoS attack that overwhelmed them with bad traffic.

Last year, Amazon Web Services (AWS) was hit by a huge attack. This 2.3 terabit per second attack lasted for over three full days. There were several DDoS attacks in the month of April 2021 which we were able to create an overview report. All if not most of the enterprises that were attacked had mitigation solutions in place. Despite this, massive attacks continue to occur with the intention of taking businesses, enterprises, governments, and sometimes entire countries offline. For many such companies, disruption of information technology (IT) services can directly correlate to lost revenues, and here are the list of top 4 industries who impacted by DDoS attacks. Finally, customer expectations have increased, and there is an expectation of `always-on connectivity`, which means that businesses cannot afford any downtime whatsoever.

Critical Reasons for Damaging DDoS Attacks Despite Mitigation Solutions

• Mitigation solutions are powerful but need to be continuously monitored and configured. However, in today's climate, it is impossible because network vulnerabilities frequently change as new services and applications are added. As a result, outdated configurations leave systems open to new DDoS vulnerabilities.
• DDoS attackers are insidious and there have been several attacks over the years that are low and slow, i.e., the attack focuses on loading the service, but does not trigger the mitigation system thresholds, creating a set of different attacks that together slow services down, take a long time to detect, and cause the response team’s focus to be distracted.
• DDoS attackers are also launching multi-vector attacks that use a complex mix of different attack vectors to a variety of targets, making it much more complex for mitigation systems and services to focus on what’s going on, and what to block first. This strategy successfully achieves longer downtime before attack detection and mitigation. Here is an interesting factsheet on how Hackers continuously study DDoS protection limitations and launch multi-vector attacks.
• A long time-to-mitigation stems from the realization that in many cases, DDoS protection systems have an intrinsic minimum response time required to detect malicious DDoS traffic, and that mitigating the attack requires even more time. Hackers abuse this deficiency by changing attack tactics (vectors and target combinations) in a time frame shorter than the protection system’s response time, avoiding triggering the mitigation system. A series of such short attacks will easily cause damage to the target network services.

So, is it possible to prevent these attacks? Is there a more efficient and smarter way to stay on top of DDoS attacks?

It is evident that mitigation solutions lack the capacity to prevent or stop all DDoS attacks without continuous configuration. By themselves, they are only able to detect configuration gaps and mitigate attacks after the attack has already taken the network down. The choice for enterprises is to decide if they want resilience to mitigate attacks or would they prefer to ensure that network vulnerabilities are identified and closed on an ongoing basis with continuous DDoS simulations on live production.

About the Author

Yotam is Head - R&D at MazeBolt and is in charge of all R&D activities, infrastructure and security. With five years in the security industry, Yotam brings fresh perspectives and insights into current technologies and development flows. He holds a BSc. in mathematics and philosophy and enjoys hitting the archery range in his spare time.