Is the DDoS threat insurmountable, or can we tame the beast?
Clear and present danger of DDoS
Last year, in our Nokia Deepfield Network Intelligence Report: Networks in 2020, we shared some observations and stats on the Distributed Denial of Service (DDoS) traffic trends. We noticed a significant increase in the aggregate levels of DDoS traffic (40% increase within two months of the pandemic across five major US service provider networks), an interesting correlation between the gaming traffic and DDoS, and the increased level of abuse of North American and European amplifiers (sites that can respond with an amplified response to queries sent to them).
Here, we outline some of the key trends that we have observed lately, along with some bad and good news.
How big is the DDoS problem today?
On May 4, 2021, a Belgian network provider providing connectivity services to the government, including remote learning and COVID-19 vaccines registration, was hit by a DDoS attack with traffic originating from 257,000 IP addresses from 29 countries, and leaving many customers in Belgium without vital connectivity.
The DDoS problem is real, and the intensity of volumetric DDoS attacks is increasing.
We looked at the peak daily DDoS (amplification, reflection, and spoofed flood) traffic across a number of service providers of different types (global transit, residential broadband, regional providers, webscale, hosting etc.) between January 2020 and May 2021. We noticed a 100% increase in the “high watermark levels” as they have grown from 1.5 Tb/s (January 2020) to over 3 Tb/s (May 2021).
Figure 1. Peak daily DDoS traffic (in Tb/s) from January 2020 to May 2021 across observed service providers
While most DDoS attacks are a nuisance (e.g., to individual gamers), the bandwidth representing high-bandwidth and high packet intensity volumetric attacks is a reason for concern. These large-scale DDoS attacks can inflict major damage on individual and large-scale connectivity and service availability and result in damages costing hundreds of thousands or even millions of dollars in production and operational losses.
Anatomy of a volumetric DDoS attack
The most damaging volumetric DDoS attacks generally use IP header modification (IPHM) or IP address spoofing to hide the perpetrator’s IP address(es). This spoofing, combined with amplification and reflection, can lead to a high volume of traffic going to victims’ systems. Typically, DNS and NTP reflection/amplification are used, along with TCP/UDP /ICMP floods and other spoofed-packet floods.
Figure 2. Anatomy of a typical volumetric DDoS attack
Can a DDoS problem get any worse?
The short answer is yes. DDoS attacks have evolved quite a bit, and today an attack may combine many different techniques employed simultaneously. At Nokia Deepfield, we have been tracking the internet security context for years; according to our Nokia Deepfield research, there is a potential for 10-12 Tb/s DDoS attacks (4-5 times the size of the largest DDoS attacks reported so far, using an amplification factor of 200-500) to happen more frequently. An attack with this level of intensity can cripple the service availability of a service provider of any size.
Can DDoS attacks be stopped?
As seen in Figure 2 above, DDoS traffic has two components: a relatively small amount of spoofed traffic heading out to amplifiers and amplified/reflected traffic going to victim systems.
Amplified traffic, while large, can be blocked using packet length filtering in routers. However, in a dynamically changing environment, a service provider needs to have the ability to install and remove a very large number of ACL filters in real-time to achieve this blocking.
The good news here is that IP routing technology has evolved a lot. The latest generations of advanced, high-performance IP routers (like Nokia Service Routers based on FP4 chipset) now incorporate significant processing power to, in addition to its “core” routing tasks, perform additional packet filtering, processing and telemetry tasks, which transform these routers into high-performance attack sensors and security policy enforcement devices.
Defeating reflection and spoofing requires more work and better network intelligence with improved detection algorithms (with some ML/AI techniques) and big data-based processing, facilitating a network-wide perspective on all traffic, including DDoS. Tracking the internet-related security context can greatly help improve detection accuracy; with this added level of detail, “fingerprinting” of malicious servers, domains, and botnets becomes possible.
Taming the beast: Bringing volumetric DDoS to a stop
In the detailed analysis that is presented at NANOG82, Dr. Craig Labovitz shows how IPHM (spoofed) and reflected traffic can be traced using TTL (time-to-live), protocol port combinations, and topology – to identify the origins and location of IPHM traffic. This analysis helped us to understand the current DDoS threat landscape better.
The good news is that the origins of the most damaging volumetric DDoS traffic can be traced and localized. The further consolidation of the internet (since 2019, when we captured it in our NANOG76 presentation) means that a service provider can significantly narrow the observation horizon when monitoring for DDoS activity and gives us hope that a war against DDoS can be won.
Using a combination of two advanced technologies - advanced network and security analytics and advanced IP routing made secure-by-design, volumetric DDoS traffic can be eliminated from the network – by the network itself.
The current state of technology allows this blocking to be achieved with a very high confidence level, with a minimal number of false negatives and positives.
This structural, network-focused approach to DDoS security is just a first (albeit a giant step) towards improved network security.
It is equally important for every participant in the network security ecosystem to understand the dangers that DDoS poses to the availability of internet content and applications and critical connectivity services. With this knowledge and a commitment to solving the DDoS problem, all of us - as a community of end-users, vendors, service providers, cloud builders, regulators and governments – can go a long way towards making our networks, services and subscribers more secure.
For details on our DDoS analysis, please join Dr. Craig Labovitz, CTO, Nokia Deepfield, at his NANOG82 presentation.
The details of Dr. Labovitz’s analysis will be captured in his future blogs here.