Q9 Networks

Published January 18, 2017

DDoS Attacks – the Threat to Revenue and Reputation is Real

Article, Colocation, DDoS Attacks, Interconnectivity

healthcareAn advanced DDoS mitigation service could be the ‘icing on the cake’ for security-minded Q9 customers who want to ensure that denial-of-service attacks won’t prevent their own customers and prospects from accessing their critical online business, whether it be for revenue-generating transactions or to access company, product or service information.

Without a mitigation service, a DDoS attack can result in considerable damage to business and reputation – the tangible element of lost productivity and lost revenue, as well as the intangible element of reduced reputation and customer confidence.

“Many businesses still don’t view this as a significant threat until an event actually happens, but then it’s too late – the revenue opportunity may be lost and they are left scrambling to rebuild customer confidence,” cautions Lee Emptage, Product Manager at Q9 Networks.

A Little ‘Denial-of-Service 101’
The Wikipedia description for denial-of-service is as succinct as any: a DoS attack is an explicit attempt to prevent legitimate users of a service from using that service, typically by overwhelming or ‘flooding’ the IT system resources supporting that service.

Although there are many types of DDoS attack vectors, including SYN Floods, Teardrop Attacks, Peer-to-Peer Attacks, Application-Level Floods, Permanent DoS Attacks and NUKEs, just to name a few, the most common is perhaps the User Datagram Protocol (UDP) Flood.

A UDP Flood can be initiated by sending a large number of UDP packets to random ports on a remote host. The host will: check for the application listening at that port; discover that no application is actually listening; and respond with a “Destination Unreachable” packet. With a large number of UDP packets, the victimized system is forced into sending many such response packets, and eventually the system’s network resources are overwhelmed, leaving it unreachable by other, potentially legitimate clients. Because of the large volume of traffic created, this type of attack, it is referred to as a “volumetric attack”. The most serious attacks are ‘distributed’ (i.e. originating from many, if not thousands of, different sources), and often involve the forging of IP sender addresses – “IP address spoofing” – so that the location of the attacking machines cannot easily be identified, nor can filtering be done based on the source address.

‘Democratization’ Fuels Increasing DDoS Attacks
In the broader Internet security context, many organizations are still focused mainly on preventing ‘hacking’ or penetration attacks, considered by perpetrators to be the ‘holy grail’ since it may get them through all the security measures and into the system, where they have direct access to critical business data and potentially sensitive information.

However, as a tool to breach the standard security measures put in place by most organizations, DDoS is seeing increasing use, and the growing size and frequency of DDoS is raising the profile of this attack vector. Here are some interesting trends and results of recent research by experts in DDoS and mitigation:

  • There are, on average, 55,000 confirmed and expected DDoS attacks per week.3
  • The number of DDoS attacks continued to increase substantially in Q2, 2015, once again setting a record and more than doubling the number of attacks observed in Q2, 2014.1
  • Average peak attack bandwidth and volume increased slightly in Q2, 2015 compared to Q1, 2015.
  • 95.7% of confirmed and expected attacks are from 1-5 Gbps.3
  • The average size of confirmed attacks increased to 5.53 Gbps, 52% higher than in Q1, 2015.2
  • Mega attacks are on the rise. In Q2, 2015, there were 12 attacks peaking at more than 100 Gbps and 5 attacks peaking at more than 50 million packets per second.1
  • For the third quarter in a row, the industry most frequently targeted by DDoS attacks in Q2 was IT Services/Cloud/SaaS.2
  • The Financial (and Payments) sector was the second most targeted industry in Q2, making up 22% of attacks, up from 18% in Q1.2
  • Canada is the third most-frequent volumetric attack destination.

Regardless of how much DDoS is growing in terms of attacks and bandwidth, they are becoming increasingly more common and can result from everything from disgruntled employees, political motivation, dissatisfied customers, cyber terrorism and more. “Tools for launching DDoS attacks are now readily and widely available to the masses on the Internet – the so-called “democratization of DDoS” – enabling virtually anyone with an Internet connection to launch attacks,” says Nam. In addition, the increasing proliferation of botnets and other packet ‘reflectors’ that enable wide-scale distributed attacks is a key factor enabling modern DDoS volumetric attacks.

Q9 Customers May be Vulnerable to DDoS
“The ‘Fear, Uncertainty & Doubt’ (FUD) publications all seem to focus on the largest DDoS attack to date, but those attacks, although increasing in frequency and size, are still exceptionally unique and rare within the whole global DDoS attack context,” states Nam, adding that, “These are clearly atypical attacks, and the research we see indicates that 98.8% of all attacks are below 10Gbps.”

Most organizations use today’s standard 1 Gbps Internet access ports (some use 10 Gbps) since this is all they require to cover the vast majority of their inbound Internet traffic requirements. As a result, even a small attack of only 1Gbps volume would flood most organizations. Without some type of DDoS prevention or “mitigation” technology as part of their IT infrastructure, a Q9 customer’s traffic could become significantly slowed and their own customers may not be able to reach them at all. If an attack is of sufficient size and duration, the Q9 Network Operations Centre (NOC) team might even have to “null route” the customer – a.k.a. “black holing” – which means stop advertising the customer’s IP address(es). This would mean that all the traffic, including legitimate, valuable customer traffic, has no end destination and thus just gets dumped.

While firewalls are a critical component of an overall Internet security strategy, they don’t provide protection against volumetric attacks. Their primary role is to inspect packets for malicious code and thus provide a security barrier against unauthorized attempts to penetrate the system. It takes advanced, purpose-built DDoS mitigation technology to provide a solid barrier against volumetric attacks, and it is fast becoming a fundamental security requirement for any customer with a major business presence on the Web – whether for revenue generation or just for customer-facing information – to have such protection in place. “In addition, the consuming public has increasingly less patience and less faith in companies that do not demonstrate some level of care and attention to Internet security,” explains Q9’s Lee Emptage.

Q9 DDoS Protection Service Secures Critical Infrastructure
As one more component of the highly secure, high-availability data centre facilities for which it is already widely known, Q9 now offers customers an affordable, monthly DDoS Protection Service (DPS) that combines hardware and software into a purpose-built detection system to combat DDoS attacks. The system uses industry-leading technology, operated and supported by Q9’s highly skilled NOC personnel, to ensure 7×24 protection.

“As a leading data centre service provider in Canada, Q9 has selected industry-leading technology and has built up in-house expertise and operates the systems ourselves within Q9 data centres, so our focus continues to be about delivering excellence in IT,” states Lee Emptage. DPS augments Q9’s aggregated bandwidth service by not only allowing customers to utilize multiple upstream Internet Service Providers, but to also have advanced DDoS mitigation across all these providers and across unlimited IP addresses by subscribing to only a single DDoS service. “Without Q9’s aggregation, customers would have to contact each upstream provider and contract for each of their individual DDoS mitigation services and then aggregate all the resulting bandwidth,” explains Nam.

The Q9 DDoS mitigation system consists of two main elements – a detection system and a traffic ‘scrubber’. Unlike other dimensions of Internet security in which the actual data content (i.e. ‘payload’) carried by the traffic is inspected (e.g. packet inspection by firewalls), the DPS detection system analyzes the metadata (e.g. routing, request and response data) associated with all inbound traffic from the public Internet. The system detects attacks by looking for certain types (and the rate) of traffic most commonly associated with DDoS attacks, including TCP SYNs, NTP traffic and SSDP traffic.

The SSDP (Simple Service Discovery Protocol), for example, was designed mainly for internal networks and is almost never seen on the Internet; so if a large volume of inbound SSDP traffic is detected, in all probability it is an attack.

The Q9 DPS system looks at the rate of each of these protocols flowing to each destination (i.e. customer port) inside the Q9 network and if a pre-established threshold is reached, the detection system assumes the traffic is malicious. A decision is then made, either manually or automatically, to redirect all traffic through a scrubbing device, which in turn forwards only ‘clean’ traffic to the customer ports.

Flexible and Affordable
The monthly DPS service fee is based on the size of the attack traffic flow a customer wishes to be able to withstand. For those not sure of their mitigation requirements, Q9 recommends its 3 Gbps service, which would cover 95% of all known confirmed and expected volumetric attacks.3 Customers have the flexibility to increase their service level if greater coverage is required.

‘Hindsight Security’ Simply Doesn’t Work
According to Lee Emptage, a big perception Q9 has to deal with when it comes to Internet security is that a lot of companies see DDoS mitigation as “Since I haven’t been attacked yet, why do I need protection?” This is a bit like asking “Why do I need fire insurance for my home since it hasn’t caught on fire yet?” Well, if it does, it’s too late. Likewise, if a volumetric attack is not blocked, the damage to business and reputation will happen.

The risks and threats associated with DDoS are real, and attacks are happening more and more frequently. Unless companies have a service for protecting their Internet traffic and ensuring access by their legitimate customers, they are at risk on multiple levels. “Any business across any sector can be attacked at virtually any time for a myriad of reasons that are simply unpredictable,” cautions Nam, who concludes by saying that, “Without a DDoS mitigation service, companies are effectively operating their business in a semi-lawless, wild west type of environment. A little insurance can go a long way toward security and peace of mind, and Q9’s new DPS service provides an affordable solution.

1 Akamai [State of the Internet] Security Q2 2015 Report at www.StateoftheInternet.com
2 Verisign Distributed Denial of Service Report 2nd Quarter 2015, by Verisign, Inc., 2015 at www.verisigninc.com/assets/report-ddos-trends-Q22015.pdf
3 Arbor ATLAS Threat Intelligence Bulletins, June 25 – September 24/2015