Fastly and Cloudflare both recently published end-of-year posts looking at the DDoS landscape as a whole. Both CDNs note the ways in which the DDoS landscape is evolving and the trend in increasingly sophisticated types of DDoS attack.
Fastly’s position as a flexible edge cloud platform with a global network of points of presence (PoPs) and a growing security research team places it in a strong position to track global traffic patterns and defend its customers against DDoS attacks. As we noted recently, Fastly has scaled rapidly since its founding in 2011 as a CDN into an edge cloud platform serving more than 10% of all Internet requests (up to 400 billion a day). Fastly recently noted its goal to provide virtual patches to web applications before there are wide security breaches.
In its recent post on the evolving DDoS landscape, Fastly’s Ryan Landry, Director of Network Engineering, and Jose Nazario, Director of Security Research, looked back at the history of DDoS attacks from the late 1990s to today and noted the trends they are seeing, to help Fastly’s customers address attacks on their own infrastructure. They describe the goal of DDoS attacks as being “all about making a statement in a very visible, impactful way”, and divide DDoS attacks into multiple types.
These include economically rational attacks, which involve ransomware and demands to pay a ransom, increasingly in cryptocurrencies such as bitcoin, in order to regain access to frozen documents. Fastly points out that these are the easiest attacks to handle: you just need to make the attack cost the attacker more than the expected gain from any ransom. They also note the converse – economically irrational attacks, including those which are ideologically motivated and target individuals or nation states; retribution attacks on an individual or industry; distraction attacks; and those intended to gain a competitive advantage by disrupting a competitor’s ability to provide service and thereby tarnishing its reputation.
Fastly notes that the most significant recent DDoS attacks have involved attackers harnessing the power of Internet of Things (IoT) devices to create massive botnet attacks. The most notorious of these involved the Mirai open-source malware, which was used against security blogger and journalist Brian Krebs and in a separate assault against infrastructure provider Dyn, both in Q3 2016. Both mega attacks were launched with the involvement of hacked IoT devices, such as CCTV security cameras and digital video recorders.
IoT devices are useful for launching DDoS attacks because they are often poorly secured and connected to high-capacity networks, which lets attackers scale an attack with little effort. In addition, Fastly notes “an uptick in bitcoin-enabled extortion”, which offers ample opportunity for attackers. Industry researchers are closely tracking the new IoT Reaper (aka IOTROOP) botnet, which has already infected a million networks but has not yet launched a DDoS attack of note.
Fastly and Cloudflare both point out the way in which DDoS attacks are becoming more complex, and Fastly notes that attacks can change tactic midway through as attackers attempt to evade defenses.
In its own DDoS overview, Cloudflare Marketing Manager Junade Ali also notes a shift in DDoS strategy towards more sophisticated modes of attack. Ali reports that Cloudflare has seen a shift from volumetric DDoS attacks, composed of relatively simple attempts to flood its network with junk traffic, to more advanced application-layer attack strategies. He notes that while Cloudflare is still experiencing network-level attacks exceeding 300 and 400 Gbps, network-level attacks in general – on the over 6 million websites that use its services – have dropped in volume significantly.
Cloudflare attributes this partly to its new policy, Unmetered Mitigation, which was introduced in September of this year with the intention of assuring customers that they will not be removed from its network merely for being the target of a DDoS attack that is too large. As with Fastly, its increased success in handling volumetric DDoS attacks is also due to Cloudflare’s global presence. Cloudflare also has a huge network capacity, currently approaching 15 Tbps and growing. Its customers’ traffic passes through Cloudflare’s network, and in doing so it can apply performance optimisations and security filtering, including removing the type of junk traffic that is associated with Layer 3/4 DDoS attacks.
Additionally, Cloudflare built its network using an Anycast design, which means that network traffic is always routed to the nearest available PoP using BGP, and attackers cannot override this routing strategy. In unicast networks that steer traffic with mechanisms such as DNS instead, attackers can bypass that steering and force attack traffic to a single data center. With Anycast that is not possible, as Cloudflare retains control of how its traffic is routed. Furthermore, when it is attacked there is usually only a short network path from the attacker to Cloudflare, meaning there are usually no intermediary networks that suffer collateral damage during a DDoS attack.
As it has become harder for attackers to clog up the network capacity of a DDoS victim, they are increasingly choosing to perform attacks higher up the network stack aimed at the applications themselves.
Application-layer (Layer 7) attacks are harder to distinguish from legitimate traffic than Layer 3/4 attacks. In Layer 7 attacks, botnets can be ordered to perform attacks against websites using “headless browsers”, which have no user interface and are controlled programmatically. Botnets can make HTTP requests using headless browsers so that they load and behave like ordinary web requests. Using programmatic control, the operators can order bots to repeat the HTTP requests rapidly and thus take down website service for ordinary users. In Cloudflare’s words, “this is a non-trivial problem to solve”.
Ali identifies two fundamental ways of tackling a Layer 7 attack:
- “making the balance between requester and server, less asymmetric by making it easier to serve web requests
- limiting requests which are in such excess, they are blatantly abusive”
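A minimal version of the second approach, added here as an example that is not from either CDN’s post: a per-client sliding-window counter over constructed access-log lines that flags request volumes far beyond what a human-driven browser produces. The client addresses, paths, window and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample log lines in the form "<client_ip> <unix_ts> <method> <path>".
# One client browses normally (5 requests spread over a minute); the other behaves
# like a scripted headless browser hammering a search endpoint at 8 requests/second.
SAMPLE_LOG = (
    [f"203.0.113.7 {1700000000 + i * 12} GET /index.html" for i in range(5)]
    + [f"198.51.100.9 {1700000000 + i // 8} GET /search?q={i}" for i in range(80)]
)


def parse_line(line):
    """Split one access-log line into (client_ip, timestamp, method, path)."""
    ip, ts, method, path = line.split(" ", 3)
    return ip, int(ts), method, path


def find_abusive_clients(lines, window_seconds=10, max_requests=20):
    """Return {client_ip: peak_requests_in_window} for clients whose request
    count within any sliding window of `window_seconds` exceeds `max_requests`.

    Each client keeps a deque of recent timestamps; timestamps older than the
    window are dropped from the left before the count is compared.
    """
    recent = defaultdict(deque)   # client_ip -> timestamps inside the current window
    peak = {}                     # client_ip -> highest in-window count seen
    events = sorted((parse_line(l) for l in lines), key=lambda e: e[1])
    for ip, ts, _method, _path in events:
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - window_seconds:
            q.popleft()
        if len(q) > max_requests and len(q) > peak.get(ip, 0):
            peak[ip] = len(q)
    return peak


if __name__ == "__main__":
    for ip, count in find_abusive_clients(SAMPLE_LOG).items():
        print(f"rate-limit candidate: {ip} made {count} requests inside one 10s window")
```

A real limiter would key on more than the source address (headless fleets are spread across many hosts) and would serve cached or cheap responses to flagged clients rather than simply dropping them, which is the first of Ali’s two points.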
Cloudflare also notes the growing trend of attackers gaining relatively new mechanisms of attack, including IoT devices, which, as Ali noted in another post earlier this year, often implement security anti-patterns unintentionally. Internet-connected cameras are attractive to attackers because they must sit on networks with enough bandwidth to stream video, which makes them a powerful launch point both for attacks and for spreading malware more widely across a network.
In conclusion, Cloudflare notes that resilience to DDoS attacks of whatever type can no longer be achieved solely by having a large network. This must be complemented with advanced tools that can filter malicious application-layer attack traffic, which is increasingly hard to distinguish from legitimate traffic.
As attackers become more sophisticated in their attack strategies, CDNs like Fastly and Cloudflare must also become more adept at defence. As Fastly notes, “each side must expect different amounts of work to achieve their aims, with the defender typically paying more money than the attacker”.