The massive cyber attacks that took down Dyn’s managed DNS (Domain Name System) service on October 21st, 2016 left hundreds of thousands of websites unreachable to most of the world.
DNS is like the phone book or roadmap of the Internet: it maintains a directory of domain names and their corresponding IP addresses. People remember a domain name more easily than an IP address, so when a user types a web address such as Radware.com into their browser, the browser first resolves that name through DNS and is then directed to 91.240.147.21. If the authoritative name servers for a domain cannot answer, the site’s own servers may be running perfectly, but nobody can find them.
The attack on Dyn has made it clear that no site is immune: it took high-profile cloud services such as Twitter, Spotify and Netflix offline. The problem intensified later in the day when the attackers launched a second round of attacks against Dyn’s DNS infrastructure.
So how can cloud services survive such destructive attacks?
Researchers have long warned about the risk of a large share of the Internet concentrating its name service in a handful of DNS providers. Compounding this, many domains use a single provider for both their primary and secondary name servers, so every NS record points into one network. When Dyn came under attack, domains without a second, independent DNS provider found their name service unavailable and their users unable to reach their websites.
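A quick way to check this for your own domains, as an added example that is not part of the original article or of Radware’s tooling: the script below groups a zone’s authoritative name servers by the registrable domain of each server’s host name (a proxy for the provider that operates it) and reports whether name service depends on a single provider. The name-server lists are constructed sample data; dynect.net is Dyn’s real name-server domain, but the specific host names and backup-dns.example are made up, and the `live_nameservers` helper simply shells out to `dig`.

```python
"""Check whether a domain's authoritative name servers are spread across
more than one DNS provider.

Added example, not code from the original article or from Radware. The
name-server lists at the bottom are constructed sample data; for a real
domain, feed in the output of `dig +short NS example.com`.
"""
import subprocess
from collections import defaultdict

# Suffixes under which the registrable domain is three labels long.
# Assumption: a small hand-maintained list; the public suffix list is the
# complete reference.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br", "co.nz"}


def provider_of(nameserver):
    """Registrable domain of a name-server host name, used here as a proxy
    for the DNS provider that operates it."""
    labels = nameserver.strip().rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_ns_redundancy(nameservers):
    """Group name servers by provider and return (groups, verdict), where
    verdict is 'no-ns', 'single-provider' or 'redundant'."""
    groups = defaultdict(list)
    for ns in nameservers:
        host = ns.strip().rstrip(".").lower()
        if host:
            groups[provider_of(host)].append(host)
    if not groups:
        verdict = "no-ns"
    elif len(groups) == 1:
        verdict = "single-provider"   # every NS record points into one network
    else:
        verdict = "redundant"
    return dict(groups), verdict


def parse_dig_short(output):
    """Parse `dig +short NS <domain>` output: one host name per line."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def live_nameservers(domain):
    """Fetch NS records with dig (needs network access and the dig binary)."""
    result = subprocess.run(["dig", "+short", "NS", domain],
                            capture_output=True, text=True, check=True)
    return parse_dig_short(result.stdout)


# Constructed sample data. dynect.net is Dyn's name-server domain; the
# host names themselves and backup-dns.example are made up.
SINGLE_PROVIDER_ZONE = """\
ns1.p01.dynect.net.
ns2.p01.dynect.net.
ns3.p01.dynect.net.
ns4.p01.dynect.net.
"""

DUAL_PROVIDER_ZONE = """\
ns1.p01.dynect.net.
ns2.p01.dynect.net.
ns1.backup-dns.example.
ns2.backup-dns.example.
"""

if __name__ == "__main__":
    for label, data in (("single", SINGLE_PROVIDER_ZONE), ("dual", DUAL_PROVIDER_ZONE)):
        groups, verdict = assess_ns_redundancy(parse_dig_short(data))
        print(f"{label}: {verdict} ({', '.join(sorted(groups))})")
```

The registrable-domain heuristic is only a proxy: some providers answer from several unrelated domains and would be counted twice, and the short suffix list is no substitute for the public suffix list. The verdict also says nothing about whether the second provider holds a current copy of the zone; redundancy only helps if both providers serve the same records, which means keeping them in sync through zone transfers or by pushing changes to both from your DNS management tooling.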
In many ways this resembles the ‘cyber-domino’ effect that cybercriminals have favoured over the past few years: a knock-on tactic in which the attacker takes a company’s website and network operations down by attacking the hosting provider or ISP the company relies on. Take the ISP or hosting company down and the company goes offline with it, as do the many other companies using the same provider, who become collateral victims of the attack.
The main difference with the attacks on Dyn is that they were launched from infected Internet of Things (IoT) devices that formed a virtual cyber army for the attacker. Security evangelists have long warned of the potential for IoT-driven attacks, a message that has often been met with a combination of eye rolls and scepticism. That is likely no longer the case after these latest attacks, which have also raised the question of where responsibility for a technology starts and ends.
Without question, these assaults signal a new age of attacks that will force many businesses to question not only their own cyber security strategies but also those of the service providers they depend upon for availability.
Here are three key things to look for when reviewing cloud service providers, to help you establish whether they are prepared to defend against this new wave of attacks:
Hybrid, automated mitigation capabilities
Successfully defending a network against an attack of this scale requires always-on, multi-vector attack detection, together with the ability to automatically redirect traffic to cloud-based mitigation resources once an attack exceeds what on-premise equipment can absorb. Make sure your provider uses hybrid mitigation, ideally with the same technology on-premise and in the cloud, so that automation is simpler and mitigation is faster and more accurate.
Layer 7 attack detection
In the past, most large-scale DDoS attacks have used network-layer attack vectors (Layer 3/4) such as SYN, UDP and amplification floods, which can be recognised from packet rates, packet sizes and protocol anomalies. The new attacks reportedly also sent massive HTTP floods. An HTTP flood consists of complete TCP handshakes and well-formed requests, so it looks like legitimate traffic to detection that only inspects Layer 3/4 counters; it has to be recognised at the application layer, from request rates and patterns. Be sure your service provider has effective application-layer (Layer 7) attack detection and mitigation capabilities.
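What application-layer detection looks like in practice, as an added example that is not from the original article or from Radware: the script below parses web-server access logs in combined log format, computes each client’s peak request rate over a sliding window, and reports whether that client’s traffic is concentrated on a single path. Every request in a GET flood of this kind is a complete, valid HTTP transaction, so packet-rate counters do not single it out; the anomaly only shows in request rates and patterns. The log lines are constructed, and the thresholds (5 requests per second over a 10-second window, 80% of requests on one path) are assumptions to be tuned against a site’s own baseline.

```python
"""Detect an HTTP (Layer 7) flood from web-server access logs.

Added example, not code from the original article or from Radware. The
log lines are constructed (combined log format) and the thresholds are
assumptions to be tuned against a site's own traffic baseline.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-log-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def peak_requests_in_window(timestamps, window_s):
    """Largest number of requests falling in any window_s-second span
    (sliding window over sorted epoch-second timestamps)."""
    peak = start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] >= window_s:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect_http_flood(lines, window_s=10, rps_threshold=5.0, path_share_threshold=0.8):
    """Flag clients whose peak request rate exceeds rps_threshold and note
    whether their requests concentrate on one path (a GET flood against
    an expensive endpoint). Every request here is a complete, valid HTTP
    transaction, so packet counters alone would not single these out."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        times = sorted(r["ts"].timestamp() for r in recs)
        peak_rps = peak_requests_in_window(times, window_s) / window_s
        if peak_rps > rps_threshold:
            top_path, top_n = Counter(r["path"] for r in recs).most_common(1)[0]
            share = top_n / len(recs)
            flagged[ip] = {
                "requests": len(recs),
                "peak_rps": peak_rps,
                "top_path": top_path,
                "top_path_share": share,
                "single_target": share >= path_share_threshold,
            }
    return flagged


def format_line(ip, ts, method, path, status, size):
    """Render one constructed combined-log-format line."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} {size} "-" "Mozilla/5.0"')


def build_sample_log():
    """Constructed sample: three ordinary visitors making four requests
    each, plus one client issuing 120 GETs for /search within ten seconds
    (about 12 requests/second; log timestamps have one-second resolution)."""
    base = datetime(2016, 10, 21, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, (ip, path) in enumerate([("198.51.100.10", "/"),
                                    ("198.51.100.11", "/about"),
                                    ("198.51.100.12", "/blog/post-1")]):
        for k in range(4):
            lines.append(format_line(ip, base + timedelta(seconds=7 * i + 3 * k),
                                     "GET", path, 200, 5123))
    for k in range(120):
        lines.append(format_line("203.0.113.66", base + timedelta(milliseconds=83 * k),
                                 "GET", "/search?q=a", 200, 51230))
    return lines


if __name__ == "__main__":
    for ip, info in detect_http_flood(build_sample_log()).items():
        print(ip, info)
```

Per-source rate limiting is only the first step: a botnet of tens of thousands of IoT devices can keep every bot under a per-IP threshold and still saturate the application, so production detection also baselines aggregate request rates per URL and per user agent, and looks at client behaviour (no cookies, no follow-up asset requests, identical header sets) rather than source addresses alone.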
Separate network for DDoS mitigation
The ideal architecture has a separate, scalable infrastructure dedicated to volumetric DDoS mitigation, to which traffic is rerouted once an attack crosses predetermined thresholds. These DDoS scrubbing centres should ideally sit close to major Internet peering points, so that attack traffic does not have to be backhauled across the provider’s network backbone. Backhauling raises the provider’s costs and, under sustained volumetric attacks, can force it to drop (null-route) customers rather than keep carrying the traffic.
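How the automated rerouting described in the first and third points above can be driven, as an added example that is not from the original article or any Radware product: a small controller that watches inbound volume, diverts the protected prefix to the scrubbing centre only after the threshold has been exceeded on several consecutive samples, then holds the diversion for a minimum time and restores only once traffic has dropped well below the trigger level (hysteresis), so the route does not flap. The thresholds, the sample readings and the `announce`/`withdraw` hooks are assumptions; in a deployment those hooks would issue the BGP announcement or DNS change that moves the prefix behind the scrubbing centre.

```python
"""Threshold-driven diversion to a cloud scrubbing centre with hysteresis
and a minimum hold time, so the protected prefix does not flap between
on-premise and cloud mitigation.

Added example, not code from the original article or any Radware product.
Thresholds, sample readings and the announce/withdraw hooks are
assumptions; in a deployment the hooks would push the BGP announcement
(or DNS change) that moves the prefix behind the scrubbing centre.
"""
from dataclasses import dataclass, field


@dataclass
class DiversionController:
    divert_gbps: float = 8.0      # divert once inbound volume exceeds this ...
    sustain_samples: int = 3      # ... for this many consecutive samples
    restore_gbps: float = 3.0     # restore only once volume is below this (hysteresis)
    min_hold_samples: int = 6     # and the diversion has been in place at least this long
    diverted: bool = False
    above_count: int = 0
    held_count: int = 0
    actions: list = field(default_factory=list)

    def announce(self):
        """Hook: route the prefix via the scrubbing centre (assumed BGP/DNS change)."""
        self.actions.append("announce prefix via scrubbing centre")

    def withdraw(self):
        """Hook: return the prefix to the normal path."""
        self.actions.append("withdraw prefix from scrubbing centre")

    def observe(self, gbps):
        """Feed one inbound-volume sample (Gbit/s); return the diversion state."""
        if not self.diverted:
            # Require the threshold to be crossed on consecutive samples so a
            # brief burst does not trigger a reroute.
            self.above_count = self.above_count + 1 if gbps > self.divert_gbps else 0
            if self.above_count >= self.sustain_samples:
                self.diverted, self.above_count, self.held_count = True, 0, 0
                self.announce()
        else:
            self.held_count += 1
            # Two conditions to come back: held long enough, and traffic well
            # below the trigger level (not merely below divert_gbps).
            if self.held_count >= self.min_hold_samples and gbps < self.restore_gbps:
                self.diverted = False
                self.withdraw()
        return self.diverted


# Constructed readings, one per sampling interval: a two-sample spike that
# must not divert, a sustained flood that must, a slow decay that sits
# between the two thresholds, then a return to normal.
SAMPLE_GBPS = [1.0, 1.2, 9.0, 9.5, 1.1, 1.0,
               9.0, 12.0, 15.0, 14.0, 14.0, 13.0, 6.0, 5.0, 4.0, 2.0, 1.5]


def run(samples, **settings):
    """Replay samples through a controller; return (states, actions)."""
    ctl = DiversionController(**settings)
    return [ctl.observe(g) for g in samples], ctl.actions


if __name__ == "__main__":
    states, actions = run(SAMPLE_GBPS)
    for g, s in zip(SAMPLE_GBPS, states):
        print(f"{g:5.1f} Gbps -> {'diverted' if s else 'on-premise'}")
    print(actions)
```

The sustain count and the hold time are the cost side of the trade-off: each sample the controller waits before diverting is time during which the on-premise link is saturated, while diverting too eagerly means paying for scrubbing capacity and added latency during ordinary traffic peaks. Both settings should be chosen from the provider’s observed baseline and from how quickly the diversion mechanism actually takes effect (a BGP change converges in seconds; a DNS change is bounded by record TTLs).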
For now, the attacks appear to have abated. They should nevertheless stay at the forefront of the minds of cloud businesses, as an indication of where large cyber security attacks are heading. It has become vital to reconsider not only your own defence strategy but also those employed by the providers you rely upon. After all, it is not just their service that depends on it, but yours too.
As the EMEA Cyber Security Evangelist for Radware, Pascal helps execute the company's thought leadership on today's security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team, Pascal develops and maintains the IoT honeypots and actively researches IoT malware. He discovered BrickerBot, provided the updated Hajime report and follows closely any development and new threats in the IoT landscape. Prior to Radware, Pascal worked with the largest EMEA cloud providers on their SDN and next-generation data centre strategies as a consulting engineer for Juniper. As an independent consultant, Pascal architected sensor networks, automated and developed PLC systems and led security infrastructure and software auditing projects. At the start of his career he was a regular presenter at IBM conferences on Perl and Unix kernel development.