Beruflich Dokumente
Kultur Dokumente
Overview
Over the past decade, the threat landscape has changed as more and more enterprises and large organizations
have moved their mission-critical services online. Competing in global markets driven by just-in-time demand,
these enterprises rely on continuous uptime to perform business transactions on a 24/7/365 model.
This shift in the business model has, however, engendered a new breed of cyberattacks designed to limit access to
these resources. Although distributed denial-of-service (DDoS) attacks technically are not new, they are more
effective today than ever before. The relative ease with which DDoS attacks can be launched, the diverse methods
by which such attacks can be executed, and the amount of damage that can be caused by a single attack make
DDoS attacks a challenge to defend against. Such attacks have proved an effective way to wreak havoc, causing
high-profile outages and interruptions to transaction processing. They can be motivated by a wide range of factors,
and the acts of taking down websites or blocking financial transactions are effective ways to make statements or
cause visible, potentially far-reaching business disruptions.
As enterprises look to defend against DDoS attacks, they are turning to DDoS prevention solutions, which offer
protection against the different categories of DDoS attacks, and which can take the form of on-premises devices or
managed services. Many vendors have entered the DDoS prevention market in recent years, and their solutions
should be evaluated carefully.
NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?
2
NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?
Table of Contents
Overview............................................................................................................................... 1
NSS Labs Findings .................................................................................................................. 2
NSS Labs Recommendations .................................................................................................. 2
Analysis ................................................................................................................................. 4
The Need for Increased DDoS Protection ..................................................................................................... 4
Ease of Initiating an Attack ....................................................................................................................... 4
Why DDoS Protection Is a Challenge ............................................................................................................ 5
Difficulty in Managing Legitimate Spikes Versus Attack Traffic ................................................................ 5
Requires Increased Architecture, Infrastructure, and Expertise ................................................................ 5
Wide Range of Attack Types and Techniques............................................................................................ 5
DDoS Attack Types and Evasion Techniques ................................................................................................ 6
Evasion Techniques.................................................................................................................................... 7
DDoS Prevention Solutions ........................................................................................................................... 7
Inline Protection ........................................................................................................................................ 8
Out-of-Path Protection .............................................................................................................................. 8
Performance Metrics for DDoS Prevention Solutions .................................................................................. 8
Performance Under Attack ........................................................................................................................... 8
Other Security Requirements ....................................................................................................................... 9
Management and Configuration................................................................................................................... 9
3
NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?
Analysis
As network bandwidth has increased and as critical assets have moved online, prevention of DDoS has become
increasingly important for the enterprise. The January 2016 attack against the BBC clearly illustrates the damage
that can be done with widely available DDoS tools and services.1 The BBC turned to DDoS protection vendor
Akamai to help mitigate the attack when its infrastructure was overwhelmed. Whether turning to service providers
or purchasing devices in-house, organizations are considering their options for DDoS prevention. From evaluating a
product’s effectiveness in mitigating attacks to ensuring that traditional enterprise-class infrastructure features are
in place, organizations must carefully assess different solutions to ensure that DDoS prevention is transparent.
The migration of government services online adds convenience but also creates targets for politically motivated
attacks, as recently illustrated during the rollout of Healthcare.gov where a DDoS attack3 compromised the site and
prevented citizens from accessing the enrollment for new healthcare services.
Why does DDoS present such a threat? There is no simple answer. Diverse attack drivers; the increased availability
of network bandwidth; the pervasiveness of botnets; poor implementation of Internet protocols and
applications/services; reliance on Internet-based services; and the high visibility and relative ease of conducting
DDoS attacks combine to create an environment where attackers can use DDoS attacks to great effect and where
victim organizations struggle to protect against these attacks.
The attacker has only to specify the IP address to attack, and the attack will commence. Other attackers might
build their own botnets, making use of the many malware kits that are available.
Security researchers are partly to blame for the ease with which attack methods can be accessed: DDoS code is
often posted on the Internet for the purpose of educating, and thus arming, others against these attacks; however,
1 http://www.csoonline.com/article/3020292/cyber-attacks-espionage/ddos-attack-on-bbc-may-have-been-biggest-in-history.html
2https://www.comscore.com/Insights/Press-Releases/2015/12/Cyber-Monday-Surpasses-3-Billion-in-Total-Digital-Sales-to-Rank-as-Heaviest-
US-Online-Spending-Day-in-History
3 http://www.scmagazine.com/cyber-attacks-on-healthcaregov-reported-to-dhs/article/321243/
4 http://channelnomics.com/2013/07/08/ddos-attacks-on-sale-for-2-an-hour/
4
NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?
this information also arms attackers. The cost and complexity of a DDoS attack is low in comparison to most other
attacks, and this low barrier to entry allows even non-technical individuals and groups within the general public to
launch large-scale attacks with relative ease. This puts all organizations at risk of attack, since any organization may
have detractors to its ideology, political affiliation, or business model.
No organization wants to block legitimate traffic. Accidentally turning away a customer can have significant
financial consequences for an organization. In the case of many DDoS attacks, the traffic that is used to generate
the attack often appears legitimate. How does an organization determine whether a spike in traffic is legitimate
(for example, a sale or breaking news) or an attack? This dilemma is the reason why organizations are cautious
when making decisions on throttling traffic. Without a solid understanding of baselines and historic traffic trends,
organizations are unlikely to detect an attack until it is too late.
The additional architecture, infrastructure, and expertise that an organization requires to prepare for, detect, and
mitigate a DDoS attack present another challenge. To manage the sudden influx of traffic that occurs during a
DDoS attack, organizations must have the ability to route traffic across various resources. Additional servers,
routers, and network resources (such as load balancers) must be in place to manage the additional traffic.
Depending on the size of the attack, however, having more resources may not in itself be sufficient. Organizations
may require re-routing of all traffic to block offending IP addresses and then permit non-offending IP addresses to
pass through to the protected resources. These options for mitigation require extra equipment and specific
expertise to configure the infrastructure during an attack. Many organizations do not have this level of
sophistication.
The range of DDoS attack techniques available presents yet another challenge. Historically, the concept of a DDoS
attack was simply to overwhelm the target with traffic. While many effective attacks rely on this method (the
Spamhaus5 attack used this type of attack to reach rates over 300 Gbps), attackers have also found application-
level attacks to be highly effective.
5 http://www.nytimes.com/interactive/2013/03/30/technology/how-the-cyberattack-on-spamhaus-unfolded.html?_r=0
5
NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?
Internet Control Message Protocol (ICMP) packet floods (including all ICMP message types)
Malformed ICMP packet floods
User Datagram Protocol (UDP) packet floods (usually containing no application layer data)
Malformed UDP packet floods
Spoofed IP packet floods
Malformed IP packet floods
Ping of Death
Smurf attack
Protocol
Attackers can also prevent access to a target by consuming other types of resources. Protocol DDoS attacks are
designed to exhaust resources available on the target or on a specific device between the target and the Internet.
The devices can include routers, load balancers, and even some security devices. When the DDoS attack consumes
a resource such as a device’s TCP state table, no new connections can be opened because the device is waiting for
connections to close or expire. Protocol DDoS attacks need not consume all of a target’s available bandwidth to
make it inaccessible. Examples of protocol DDoS attacks include (but are not limited to):
SYN floods
ACK floods
RST attacks
TCP connection floods
Land attacks
TCP state exhaustion attacks
Fragmentation attacks
TCP window size attacks
6
NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?
Application
Attackers also attempt to prevent access by exploiting vulnerabilities in the application layer. These vulnerabilities
can be within an application layer protocol as well as within the application itself. Attacks on unpatched,
vulnerable systems do not require as much bandwidth as either protocol or volumetric DDoS attacks in order to be
successful. This style of DDoS attack may require, in some instances, as little as one or two packets to render the
target unresponsive. Application DDoS attacks can also consume application layer or application resources by
slowly opening up connections and then leaving them open until no new connections can be made. Examples of
application DDoS attacks include (but are not limited to):
Layered Attacks
As the name implies, layered attacks use diverse DDoS attacks in an attempt to overwhelm the network and any
defenses that may be in place. While some networks may be able to sustain DDoS attack, their resources may soon
be exhausted, which would allow an application DDoS attack to successfully bypass protection mechanisms and
thus render the target inoperable.
Evasion Techniques
Attackers can modify basic DDoS attacks to evade detection in a number of ways. If a single evasion is successful
and an attack passes through, then all of the defenses in place at that point are nullified. Therefore, it is critical
that any defense put up by an organization is capable of detecting and defending against the many evasion
techniques available to attackers. Some common evasion techniques use IP fragmentation and stream
segmentation. Evasion of defenses may not be critical for attackers if the goal is to overwhelm resources (whether
bandwidth or state exhaustion), but as more organizations install better defense evasion techniques, it could
become a critical component of future DDoS attacks.
7
NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?
Inline Protection
Inline DDoS prevention solutions adopt the traditional network security device posture of mitigating, or
“dropping,” malicious traffic inline, and as such, typically consist of a single appliance (or multiple appliances for
high availability scenarios) and are often deployed in front of or behind the perimeter security device. The
appliances can be dedicated stand-alone appliances, or they can be integrated into other traditional security
products, such as IPS and next generation firewalls (NGFW). This type of solution is generally deployed in
enterprises and small-to-medium data centers, but it is not, however, limited to these environments since it can be
designed to handle high throughput scenarios.
Out-of-Path Protection
The out-of-path posture is one where the DDoS prevention solution actively monitors traffic at an ingress point for
malicious activity. Once malicious activity is detected, the DDoS prevention solution uses routing protocols such as
border gateway protocol (BGP) to redirect traffic to a dedicated appliance for inspection and to reintroduce the
legitimate (i.e., non-malicious) traffic into the network. This type of DDoS prevention solution commonly consists
of more than one appliance and is designed to work in higher throughput environments such as large data centers
and ISPs.
8
NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?
How easy is it to install and configure devices and to deploy multiple devices throughout a large enterprise
network?
How easy is it to create, edit and deploy complicated security policies across an enterprise?
How accurate and timely is the alerting, and how easy is it to drill down to locate the critical information that
is required to remediate a security problem?
How effective is the reporting capability, and to what extent can it be customized?
9
NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?
Reading List
Distributed Denial-of-Service (DDoS) Prevention Test Methodology v2.0. NSS Labs
https://www.nsslabs.com/research-advisory/library/infrastructure-security/distributed-denial-of-service-
prevention-solutions/ddos-prevention-test-methodology-v2-0/
10
NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?
Contact Information
NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
info@nsslabs.com
www.nsslabs.com
This analyst brief was produced as part of NSS Labs’ independent testing information services. Leading products
were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.
© 2016 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval
system, or transmitted without the express written consent of the authors.
Please note that access to or use of this report is conditioned on the following:
1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not
guaranteed. All use of and reliance on this report are at the reader’s sole risk. NSS Labs is not liable or responsible for any
damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND
EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT
DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE
POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or
software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no
errors or defects in the products or that the products will meet the reader’s expectations, requirements, needs, or
specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned
in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of
their respective owners.
11