In February last year, one of the leading internet service providers in Slovakia suffered the largest DDoS attack in the history of the country. The total volume of the attack exceeded 400 Gbps. Servers of its customers were down for tens of minutes… and not only the targeted ones. The attack was not identified by automated tools, and a few hours passed from its start to the successful resolution of the situation and restoration of the services.
In this case, the sources of the attack were thousands of servers and various networks, including unsecured household devices, computers, printers and other “things” connected to the Internet. With the rise of IoE / IoT, the increasing capacity of networks, massive digitization, automation and robotization, we will be facing these types of attacks more often, and their consequences will be much more damaging. Attackers will make use of sophisticated, automated tools (the availability of professional attacks on the internet for several tens of EUR is well known even today). This is not marketing by security vendors. Independent authorities such as the World Economic Forum also highlight the importance of effective cyber defence (see the chart). Needless to say, the WEF points out that cyber-attacks have a bigger impact and likelihood than many other risks, including terrorism. And the market is starting to react.
European law obliges ISPs to immediately eliminate a DDoS attack or neutralize the particular infrastructure segment that behaves as a source of the attack. But how to identify it in near real-time? What happens in the first tens of minutes when an important part of the critical infrastructure is down needs no explanation – hospitals, power engineering plants, ISPs, water management etc. will become the targets of various types of cyber-attacks in the near future. Nowadays we are living in the lull before the storm. And that is also the reason why European legislation is taking steps towards building more directives on cybersecurity.
Early automated detection and mitigation of an attack should be one of the top priorities for ISPs. Many of them, especially the larger ones, consider using the services of both internal and external scrubbing centres, in-line tools, and out-of-path solutions for comprehensive DDoS protection. All of these tools are directly dependent on the early detection of DDoS.
DDoS attacks can be identified by network behaviour analysis built on automated analysis of flow data (flow records of who talked to whom, over which ports and protocol, with how many packets and bytes). This way we can reliably identify long-term DDoS attacks that use different system vulnerabilities, spoofing, reflectors, amplification and similar techniques. DDoS attacks differ in nature, but their identification based on the analysis of flow data is highly feasible.
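As an added illustration of what such flow-based detection looks like (example code written for this post, not part of Flowmon's products; the victim address, reflector addresses and flow records are all constructed), the script below rolls NetFlow-style records up per destination and one-minute window, learns a baseline rate from quiet windows, and raises an alert when the rate jumps by an order of magnitude from many distinct sources, labelling it as amplification when most of the bytes arrive as large UDP packets from well-known reflector service ports:

```python
from collections import defaultdict

TCP, UDP = 6, 17
VICTIM = "203.0.113.10"  # constructed target address (documentation range)
# UDP source ports commonly seen on reflected/amplified traffic (DNS, NTP, SSDP, memcached)
AMP_PORTS = {53, 123, 1900, 11211}

def sample_flows():
    """Constructed NetFlow-style records: (start_sec, src, sport, dst, dport, proto, pkts, bytes)."""
    flows = []
    for w in range(3):  # three quiet minutes: a few HTTPS sessions to the victim
        for i in range(5):
            flows.append((w * 60 + i * 10, f"198.51.100.{i + 1}", 40000 + i, VICTIM, 443, TCP, 40, 50_000))
    for i in range(200):  # fourth minute: 200 reflectors answering from UDP/123 with ~1.2 KB packets
        flows.append((180 + i % 60, f"192.0.2.{i + 1}", 123, VICTIM, 41000 + i, UDP, 500, 600_000))
    return flows

def aggregate(flows, window=60):
    """Roll flows up per (window, destination): bytes, packets, distinct sources, amplification bytes."""
    agg = defaultdict(lambda: {"bytes": 0, "pkts": 0, "srcs": set(), "amp_bytes": 0})
    for ts, src, sport, dst, dport, proto, pkts, nbytes in flows:
        a = agg[(ts // window, dst)]
        a["bytes"] += nbytes
        a["pkts"] += pkts
        a["srcs"].add(src)
        # reflection signature: UDP from a known service port with a large average packet size
        if proto == UDP and sport in AMP_PORTS and nbytes / pkts > 500:
            a["amp_bytes"] += nbytes
    return agg

def detect(flows, window=60, factor=10, min_srcs=50, amp_share=0.8):
    """Alert when a destination's bit rate exceeds factor x its mean over earlier quiet windows."""
    agg = aggregate(flows, window)
    history, alerts = defaultdict(list), []
    for (w, dst), a in sorted(agg.items()):
        bps = a["bytes"] * 8 / window
        past = history[dst]
        if past and bps > factor * (sum(past) / len(past)) and len(a["srcs"]) >= min_srcs:
            share = a["amp_bytes"] / a["bytes"]
            alerts.append({"window": w, "dst": dst, "mbps": round(bps / 1e6, 2),
                           "baseline_mbps": round(sum(past) / len(past) / 1e6, 3),
                           "sources": len(a["srcs"]),
                           "kind": "amplification" if share >= amp_share else "volumetric"})
        else:
            past.append(bps)  # only quiet windows feed the baseline
    return alerts

if __name__ == "__main__":
    for alert in detect(sample_flows()):
        print(alert)
```

On the constructed data the three quiet minutes run at about 0.03 Mbps and the fourth minute at 16 Mbps from 200 sources, so a single amplification alert is raised for window 3; in production the baseline would be learned per destination over hours or days and the thresholds tuned to the link size.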
Because the analysis works off-line from a copy of the flow data, it does not interfere with the infrastructure and uses resources that providers already have available. With a suitable combination of a scrubbing centre, an out-of-path solution and support for protocols such as PBR, RTBH and BGP Flowspec, these attacks can be identified and mitigated early. Last year, Flowmon Networks introduced a new tool, the DDoS Defender, which is a part of the Flowmon solution. It enables near real-time detection, and therefore fast mitigation, of volumetric DDoS attacks purely on the basis of flow statistics. DDoS Defender complements the attack detection in the Flowmon ADS system. By using Flowmon you can prevent service outages caused by DDoS and avoid the unpleasant experience of the Slovak ISP.