Protecting Research and Education Networks from DDoS attack
Research and Education Networks (RENs) continue to drive innovation of networking technologies — through the need to share enormous amounts of data, quickly and securely. Just as packet networks have come a long way since the first malware worm appeared in the ‘80s, so has the sophistication of cybersecurity attacks. Networks need to protect themselves from these outside attacks and, as malware reminds us, inside attacks as well. The seriousness of these attacks requires stronger medicine than strong passwords, multi-factor authentication, and patching firewalls.
It’s a question of scale
Cyberattacks happen quickly and can have wide-reaching impact. This is partially the result of the proliferation of connected consumer electronics devices and IoT, and the number of these devices will only continue to grow. It is clear that the challenge is getting bigger over time.
DDoS attacks, which are the most common threat, can be carried out by any network-attached device. Even a simple IoT security camera can be captured and instructed to send out requests to the attack target as a “bot”. When millions of requests hit the target at the same time, it simply overwhelms it, either slowing it down or crashing it, thus causing a “denial of service” (DoS). When a malicious software program is controlling these bots, it can manage a “botnet” of hundreds of thousands of devices, coordinating the attack to come from virtually anywhere, which is called a “Distributed DoS” or DDoS.
Some bots can be high-powered servers, which can send out thousands more requests per second than an IoT device. Recently, a botnet called Mantis carried out a DDoS attack that hit 26 million requests per second (rps). Cloudflare reported that in less than 30 seconds, the 5,067-device botnet generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries.[1] In their report, they added that this is by no means the biggest botnet, just the fastest they’ve observed. They are watching one with over 730,000 bots made up of IoT devices that can’t generate requests very quickly (on average 1.3 rps vs. 5,200 rps for Mantis) but coming from a much bigger and wider net.
Attacks are roughly doubling every year. Today, botnet DDoS attacks number in the tens of thousands daily, each involving anywhere between several thousand and several million IP addresses.
The leaky perimeter
RENs have historically relied on perimeter security. But several trends mean that RENs are less contained than they once were. The combination of physical and virtualized network domains contributes to the problem, as it’s harder to monitor for ingress and egress DDoS traffic. Researchers and educators working from home, using shared computers over Wi-Fi home networks, create the potential for leaks.
Zero-trust networking is one solution but is only as strong as good security habits. During the pandemic, there was a big uptick for RENs in terms of phishing, Zoom bombing and, no surprise, DDoS attacks. Hybrid networks and home working increase the attack surface and make it important to have a defense strategy that protects the network from the inside and outside.
Getting a bigger picture
With complex DDoS attacks, the ability to identify affected traffic becomes more difficult, especially as these attacks are based on unknown real devices (botnets), not spoofed IP addresses from well-known attack domains. This renders some of the current tools costly to implement and unworkable.
For instance, scrubbers can clean traffic, but work best when the request traffic is coming from a limited number of identifiable domains. But with distributed, volumetric attacks, the number of devices sending requests can be overwhelming for this kind of approach. Blocking most of the requests means casting the net so wide that it can also catch perfectly good traffic, known as false positives. As attacks scale, the cost of scrubbing becomes prohibitive, thus it is often only used to protect the highest priority services and users.
Emerging network-based approaches are showing promise. Big data solutions track, map and analyze billions of endpoints and flows, providing a dynamic supply map of the entire Internet. These solutions employ AI and machine learning to comb the data from router logs and, using a library of known attack patterns, are able to parse out the attack vectors and isolate the sources. They can pinpoint which bots are participating in the attack and then instruct edge routers to block traffic from those IP addresses. They reduce false positives and cost-effectively remove most of the bad traffic. All this can be done automatically.
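To make the two points above concrete (the false-positive trade-off of wide-net blocking, and the flow-based approach that attributes an attack to individual sources and hands a per-source block list to edge routers), here is an added example that is not code from Nokia or the Deepfield products. All IP addresses, rates, request signatures, baselines and the ACL-like output format are constructed for illustration; it flags high-rate sources by rate and low-rate IoT bots by a known-pattern match, then shows what a coarse prefix block would have dropped by mistake.

```python
# Added example (not Nokia's or Deepfield's code): a minimal flow-based
# volumetric DDoS detector over constructed flow summaries.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed 1-second flow summaries: (source, destination, requests, request signature)
FLOWS = [
    ("203.0.113.7",  "198.51.100.10", 5200, "sig-A"),  # high-powered bot
    ("203.0.113.9",  "198.51.100.10", 4900, "sig-A"),  # high-powered bot
    ("203.0.113.20", "198.51.100.10",    2, "sig-B"),  # legitimate user sharing the bots' /24
    ("198.18.0.5",   "198.51.100.10",    1, "sig-A"),  # low-rate IoT bot, known pattern
    ("198.18.0.6",   "198.51.100.10",    2, "sig-A"),  # low-rate IoT bot, known pattern
    ("192.0.2.33",   "198.51.100.10",    3, "sig-B"),  # legitimate user
    ("192.0.2.40",   "198.51.100.20",   40, "sig-B"),  # another service under normal load
]
# Constructed stand-in for a library of known attack patterns.
KNOWN_ATTACK_SIGS = {"sig-A"}
# Constructed baselines: normal total request rate per protected destination.
BASELINE_RPS = {"198.51.100.10": 500, "198.51.100.20": 50}

def detect_bots(flows, baseline, attack_factor=10, src_threshold=100):
    """Return {destination: sorted bot IPs} for destinations whose total rate exceeds
    attack_factor x baseline. A source is a bot if it alone exceeds src_threshold rps
    (high-powered bots) or its requests match a known attack signature (IoT bots)."""
    total = defaultdict(int)
    for _src, dst, rps, _sig in flows:
        total[dst] += rps
    bots = {}
    for dst, rate in total.items():
        if dst not in baseline or rate <= attack_factor * baseline[dst]:
            continue  # normal load, or no baseline to compare against
        flagged = {src for src, d, rps, sig in flows
                   if d == dst and (rps > src_threshold or sig in KNOWN_ATTACK_SIGS)}
        bots[dst] = sorted(flagged, key=ip_address)
    return bots

def collateral(flows, dst, prefix, bots):
    """Legitimate sources that a coarse prefix-wide block would also drop:
    the false positives that come with casting the net too wide."""
    net = ip_network(prefix)
    return sorted(src for src, d, _rps, _sig in flows
                  if d == dst and ip_address(src) in net and src not in bots)

def blocklist(bots):
    """Per-source deny entries for the edge routers, in a generic constructed
    ACL-like text (not any vendor's syntax)."""
    return [f"deny src {src} dst {dst}" for dst, srcs in bots.items() for src in srcs]

if __name__ == "__main__":
    print("\n".join(blocklist(detect_bots(FLOWS, BASELINE_RPS))))
```

Running it lists four deny entries for the attacked service only, while `collateral(FLOWS, "198.51.100.10", "203.0.113.0/24", ...)` shows the one legitimate user a /24-wide block would have cut off.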
RENs have long been a proving ground for the latest and most advanced technologies. Research and education are intrinsically reliant on data networks, and the costs associated with losing service are growing. The proliferation of poorly secured IoT devices, the growth in home-based work, and the increasing prevalence of hybrid networks are growing the attack surface and making it difficult to ensure that attacks don’t come from within the REN.
The Nokia Deepfield big-data security solution combines with our high-performance IP networks to protect the whole REN from volumetric DDoS attacks, at a petabyte-level scale, with zero-touch automation. Deepfield Defender provides highly scalable, big data-driven analytics for real-time DDoS detection, detailed reporting, and agile mitigation. Deepfield Secure Genome gives you an up-to-date, detailed, internet-related security data feed for improved DDoS detection accuracy.
To learn more about the Nokia approach to DDoS protection:
• Visit the Deepfield Defender web page
• Read the Deepfield Defender datasheet
• Download our latest white paper on Nokia IP optical networks for research and education networks
• Learn more about Nokia IP Network Security
• Watch our plenary presentation from EMEA SReX
[1] “Record DDoS Attack Clocked at 26M Requests per Second”, Cybersecurity Connect, 17 June 2022.