DDoS: First Line of Defense
Sophisticated Attacks Require New Level of Protection
Stephenson, executive vice president of Corero Network Security, has studied this new wave of attacks. "They're moving up the network layer stack, if you will, and they're going from being more brute-force, kind of network-flood attacks into the application layer attack," he says. "This is to be expected; it's been happening in other parts of the industry. It also makes the attacks more difficult to detect and block."
DDoS attacks have existed for years. But the latest wave brings new threats to organizations. How should they defend against these attacks? Ashley Stephenson of Corero Network Security offers insights.
Traditional technology defenses are insufficient against this new strain of DDoS, Stephenson says. What is required now is what Corero describes as a new First Line of Defense - one that helps organizations overcome the core challenge of distinguishing between attack traffic and genuine customer traffic. Essentially, the First Line of Defense helps dig a technological moat around a site.
"We're really implementing an inspect, detect and then protect mechanism right here at the edge of the enterprise infrastructure," Stephenson says.
In an interview about defending against the new, sophisticated DDoS attacks, Stephenson discusses:
- What's new about the attacks we're seeing;
- Why traditional defenses are insufficient;
- How organizations can mitigate their risks by deploying a new defensive strategy.
Stephenson is an experienced IT industry executive and Internet technology entrepreneur with operating experience in the US, Europe and Asia. In recent years he has spent the majority of his time providing strategic advisory services on the evolution of the global IT market. Previously he co-founded or led several technology companies as Chairman or CEO, including Reva Systems (acquired by ODIN) and Xedia Corporation (acquired by Lucent). He was awarded "CEO of the Year" by the Massachusetts Telecommunications Council for his work at Xedia Corp.
Stephenson began his career at IBM R&D in the U.K. For several years he taught Entrepreneurship as an Adjunct Professor in the Babson College MBA program. He has served on the Board of Directors of many venture-backed startups and industry consortia. Stephenson is a graduate of Imperial College, London (Physics) and an Associate of the Royal College of Science. He is the holder of several U.S. patents.
TOM FIELD: As you know, unknown sources have been launching these DDoS attacks against U.S. banks. From your perspective, what's the full potential impact of these attacks, just beyond the denial of service?
ASHLEY STEPHENSON: That's a good question, and one of the concerns that we have is that we don't know what the full impact of these attacks is or could be in the future. The current state of monitoring of many networks doesn't allow them to see the details of the attacks that have been taking place, and in fact they may have even been missing some of the attacks altogether. All we really have seen at the moment is the tip of the iceberg, which is when a DDoS attack is sufficiently large that it takes a bank down or offline, and then it usually makes the news.
FIELD: I know that you have spoken to many organizations about these attacks. What's your assessment about their level of preparedness?
STEPHENSON: They're increasing their level of preparedness, which is why they're talking to vendors like Corero. They want to know what kinds of tools and systems are available to help protect their networks. Preparedness against cyberattacks is an evolving situation, so what we're seeing at the moment is an increase in attacks. Recently it's been in the news, these specific attacks against banks. Then we're characterizing what kind of attacks there are and recommending solutions that are capable of protecting against these new vectors of compromise.
What's New About Attacks?
FIELD: What's new about the attacks that we're seeing?
STEPHENSON: What we've observed from the information that has been shared with us and from direct observation of the attacks is that they're moving up the network layer stack, if you will, and they're going from being more brute-force, network flood attacks into the application layer attack. This is to be expected. It has been happening in other parts of the industry. It also makes the attacks more difficult to detect and block.
FIELD: You've talked a little bit about what's new about these attacks and I think it's important to point out DDoS has been around for more than a decade now. Tell us a little bit about what's different about the threat today and what we need to know about the organizations that are being attacked?
STEPHENSON: It's an interesting twist why they're being attacked. It turns out that people tend to think of a specific attacker and a specific victim, but what we observe when we're monitoring networks or protecting networks for our customers is that there's a variety of attacks out there all the time. It's a little bit like leaving your door open on a busy street. You might get somebody who targets your property to steal things from you, or you might just get a casual thief wandering in and taking stuff. We see a complete range of attackers, from the specifically targeted attacks from competitors or organized crime, even from other nations, all the way down through to people doing it for fun or just a laugh. It's not one particular type of attack that an institution needs to be concerned about. It's the range of potential attackers and motivations that are out there. To be honest, it's part of doing business on the Internet.
The Problem with Traditional Defenses
FIELD: What's wrong with the defense that most organizations employ against something like a DDoS attack?
STEPHENSON: I'm generalizing here, but the majority of the attacks that are seen and combated today are very obvious attacks, ones where there's a significant rise in the level of network activity which sets off an alarm; obviously that lets people know there's a problem so that they can respond to it. What's happening increasingly, though, is with the application layer attacks. It's much harder to distinguish the attack traffic from genuine customer traffic, and so we have a problem where you need more surgical tools to go in and combat the attacking connections or packets on the network, while leaving the good customer traffic intact and allowing the service that, in this case, the bank is offering to be provided to their online customer base.
FIELD: You've talked about what's wrong with the defenses that many organizations are employing. Let's talk about technologies that they use. Why are the traditional technologies to prevent DDoS insufficient today?
STEPHENSON: Obviously, the people who have built these enterprise networks, back-end servers and services that can support hundreds, thousands, tens of thousands, and in many cases even hundreds of thousands of customers on the web, they've obviously built good infrastructures. But what we find is most of those infrastructures have been built, sized and constructed for the good case, where real customer traffic entering the network needs to be sorted, processed and responded to. What they haven't been designed for is the bad or malicious traffic cases. And so, by erecting a first line of defense, we're able to keep that malicious traffic off this infrastructure that was designed for the good or happy path, as we sometimes call it, for the traffic. That's important because the infrastructure that's already deployed and operating day-to-day, obviously in good times, demonstrates that it can work to solve the problem and deliver the service that the enterprise wants to its online customers.
What we're trying to do is maintain that good zone, or green zone, of operation, and by blocking the bad zone or red zone traffic from entering that network, we're preserving the network and extending its life of operations for the way it was designed. Now if you don't have that first line of defense in place, the malicious traffic we've been talking about can infiltrate your infrastructure and your network and is capable of causing a variety of havoc at different levels, layers and systems within your infrastructure. Often, these systems have not been designed to deal with these DDoS, or other blended threat, attacks. That's the benefit of erecting this first line of defense at the entrance to your network. You're preserving the operating environment within your infrastructure that it was designed for.
The attacks are also evolving and getting more sophisticated, learning to navigate their way around your infrastructure or target exposed weaknesses in your infrastructure. Again, by adopting a first line of defense strategy, you are able to block those before they get into the depths of your network. It's an ancient idea, probably like a moat around a castle or a wall around a city, and what we're really saying is that as soon as the network traffic hops off the Internet onto the network that you own as an enterprise, we're suggesting that right at that point you install equipment and systems that are able to sort through the traffic and block as much as possible of the potentially malicious network packets that are entering your network. That's the idea of the first line of defense. It means the very first inspection that takes place on this traffic that's coming from the Internet. We're really implementing an inspect, detect and protect mechanism right here at the edge of the enterprise infrastructure.
New First Line of Defense
FIELD: Tell me a little bit about how organizations are using your first line of defense solution and about the results that they've seen. What benefits do they realize?
STEPHENSON: People who have realized they're victims or have observed that they're being targeted by some of these attacks have decided to take this approach and establish a barrier right at the entrance to their infrastructure. They install equipment that allows them to operate a first line of defense and immediately they start to get data on what kind of potentially malicious traffic is entering their network. Even before they start blocking anything, they receive great insight into what kind of traffic is coming into their network and our product in particular is designed to help them understand the good traffic versus bad traffic mix on that connection. Then once they've seen that level of insight into what's going on at the entrance to their network, they can then selectively apply controls which block or limit the potentially malicious traffic from entering their environment.
FIELD: For organizations that are at risk of these new attacks - and we realize that we're all at risk, not just financial institutions - how do you recommend that they approach risk mitigation?
STEPHENSON: Risk is a combination of the potential threat out there or the vulnerability, multiplied by the likelihood that it will apply to you. The very first thing I think you can do in managing your risk is to get some visibility as to what's going on in terms of your network and the services you offer. The no-man's land as it were, or the no police land, of the Internet, I think we've all in this day and age come to learn that the Internet is not policed in the sense of any traffic, any site, any user is initially of unknown trust. What we're doing in terms of helping them with their risk assessment and also minimization is putting in a first line of defense, inspecting the traffic, analyzing its potential threats - which immediately gives them an assessment of how exposed they are - and then also giving them the tools to block the attacks as well as record the attacks so they can also develop a historical knowledge of how they're doing with respect to this malicious traffic that's arriving at their site from anywhere in the world.