Wednesday, February 2, 2011

Denial of Service Attacks Now at 100 Gbps

Arbor Networks, in its just-published Infrastructure Security Report, states that the severity of Distributed Denial of Service (DDoS) attacks increased in 2010. For the first time, a 100 Gbps attack was reported. *

That represents a dramatic escalation in the amount of traffic that is piled onto a network in order to shut it down.

Since the most frequently deployed defense against DDoS is to shut down the network links that have been jammed, a 100 Gbps attack can unleash a large volume of damaging transactions before all connections are finally severed.

The delay between DDoS detection and the moment the shutdown happens can be seen from survey results of 111 technical network managers at Internet Service Providers (ISPs).

Shutting down and then restarting a network hit by DDoS is not automatic (13% of responses). It can be a time-consuming affair.

The network defenders also suffer from a scarcity of qualified personnel. Standing sentry duty in a data center can be a position that is hard to fill, as the survey also illustrates.

DDoS attacks are launched from “bot” computers that have implanted programs capable of launching attacks against designated IP addresses. Attacks occur when the controller (known as the “herder”) of a “botnet” triggers the release of a rapid sequence of messages.

It is interesting to speculate how many “bots” would be necessary to generate a simultaneous stream of 100 Gbps traffic.

Over 50% of the observed Internet attack traffic in the last quarter of 2010 originated from 10 countries, with the USA, Russia and China accounting for 30%. ** The global average Internet connection speed is now about 2 Mbps, though it ranges up to average speeds as high as 14 Mbps (South Korea) or 7 Mbps (Delaware). Therefore, delivering a 100 Gbps attack would take anywhere from 7,000 to 50,000 bots, depending on the bandwidth available to each.

Botnets have been known to grow into large collections. The Dutch police found a 1.5 million-node botnet. The Norwegian ISP Telenor disbanded a 10,000-node botnet. In July 2010, the FBI arrested a “herder” responsible for an estimated 12 million computers in a botnet. ***

One can therefore conclude that assembling DDoS-capable botnets is well within the reach of malware operators. The chances of future attacks that exceed 100 Gbps are high.

With an estimated 15,000 networks in place, according to DEPSECDEF Lynn, DoD is vulnerable to more powerful and most likely more frequent denial of service attacks. How to defend against that is a matter of trade-offs between three options: relying on the availability of highly trained people, investing in retrofitting automated shut-offs, or acquiring fail-over capabilities.

The defense of 15,000 individual networks against DDoS by human operators is neither affordable nor executable.

A defense that depends on automatic shut-offs would require retrofitting existing software with such features. It is unlikely that there is either the time or the money to do that.
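What an automated shut-off would actually have to decide is when a link is saturated by a flood rather than by a short legitimate burst. The following is an added example, not code from the post or from any vendor it mentions: it runs a sustained-rate check over a constructed series of per-second byte counters for one link, and reports both the second at which a shut-off would fire and the delay between the first over-threshold second and that decision. The link capacity (10 Gbps), the 90% threshold and the 5-second sustain window are assumed values chosen for illustration.

```python
"""Sustained-rate saturation detector for one network link.

Added example (not from the original post). Input is a list of per-second
byte counts for a link; constructed sample data is defined below. A link is
declared saturated only when utilisation stays at or above `threshold` for
`sustain_seconds` consecutive samples, so a one- or two-second burst does not
trigger an automated shut-off on its own.
"""
from typing import List, Optional

GBPS = 1_000_000_000  # bits per second in one gigabit per second


def utilisation(bytes_per_sec: int, link_gbps: float) -> float:
    """Fraction of link capacity used during one second (bytes -> bits)."""
    return (bytes_per_sec * 8) / (link_gbps * GBPS)


def detect_saturation(samples: List[int], link_gbps: float,
                      threshold: float = 0.9,
                      sustain_seconds: int = 5) -> Optional[int]:
    """Return the 0-based second at which the sustained condition is met
    (utilisation >= threshold for `sustain_seconds` consecutive samples),
    or None if the link never stays saturated that long."""
    run = 0
    for t, byte_count in enumerate(samples):
        if utilisation(byte_count, link_gbps) >= threshold:
            run += 1
            if run >= sustain_seconds:
                return t
        else:
            run = 0  # a single sample below threshold resets the window
    return None


def detection_delay(samples: List[int], link_gbps: float,
                    threshold: float = 0.9,
                    sustain_seconds: int = 5) -> Optional[int]:
    """Seconds between the first over-threshold sample and the shut-off
    decision; this is the latency an automated shut-off would still incur."""
    first = next((t for t, b in enumerate(samples)
                  if utilisation(b, link_gbps) >= threshold), None)
    fired = detect_saturation(samples, link_gbps, threshold, sustain_seconds)
    if first is None or fired is None:
        return None
    return fired - first


# Constructed sample (assumed values): a 10 Gbps link running at 20% baseline,
# a 2-second burst that should be ignored, then a flood that fills the link.
LINK_GBPS = 10.0
BASELINE = int(0.2 * LINK_GBPS * GBPS / 8)   # bytes per second at 20% load
FLOOD = int(1.0 * LINK_GBPS * GBPS / 8)      # bytes per second at 100% load
SAMPLE_SERIES = [BASELINE] * 10 + [FLOOD] * 2 + [BASELINE] * 3 + [FLOOD] * 20
BURST_ONLY_SERIES = [BASELINE] * 10 + [FLOOD] * 2 + [BASELINE] * 10

if __name__ == "__main__":
    print("flood series: shut-off fires at second",
          detect_saturation(SAMPLE_SERIES, LINK_GBPS))
    print("flood series: delay after first saturated second:",
          detection_delay(SAMPLE_SERIES, LINK_GBPS))
    print("burst-only series: shut-off fires at second",
          detect_saturation(BURST_ONLY_SERIES, LINK_GBPS))
```

On the constructed flood series the shut-off fires at second 19, nine seconds after the first saturated second, while the burst-only series never trips it. The sustain window is the knob that trades false shut-offs against the extra seconds of flood traffic that get through, which is the same trade-off the survey numbers above describe for human operators.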

The best option is to set up DoD data centers with virtual servers that can fail-over to one or more back-up servers whenever a DDoS hits. That would require migration into a virtualized environment, which is likely to show relatively fast paybacks and which can be executed by means of hypervisor software.


** Akamai State of the Internet, 2010