Opinion: Trends in DDoS attacks and protection

Hardly a day passes without the Dutch press mentioning DDoS attacks that seriously hamper the services provided by businesses, governments or institutions. The impression created is that these attacks keep increasing in size and number. Four experts were asked to respond.

Gijs van Gemert, Serverius

Growing number of DDoS attacks?

Asked in telephone conversations and e-mails whether there is an increase, the experts gave varying answers. Serverius CEO Gijs van Gemert responded with a counter-question: “What is the definition of DDoS attacks and protection? What do you want to achieve?” That question turns out to be just as important. For some, having a clean network is the protection. Others, such as Serverius, focus on keeping applications accessible. So there is a difference in what needs to be protected, and that determines how you look at attacks. According to Van Gemert, it also explains why differing signals about the size and number of attacks are reported. “We do not see any increase in the number and volume of attacks.”

According to Van Gemert, two developments are responsible for this. The first is that the larger carriers, the parties that handle the bulk of internet traffic, now see that they also have a role to play. It is their customers who are abused to unintentionally carry out such attacks. As an example he mentions carriers with a lot of traffic from consumer providers. That is where the vulnerable and infected computers and routers that are essential for DDoS attacks are found. The second reason is that the technology is getting better. “Windows updates can hardly be turned off anymore,” he explains. “That seems like a detail, but it does have a huge impact on keeping home computers and networks safe. This eliminates the absolute ease with which a botnet can be built up and maintained to carry out DDoS attacks.”

Eric Bais of A2B-Internet shares Van Gemert’s opinion when it comes to number and volume. “Really big attacks are still possible, but we do not see that much. The global DDoS protection providers can reasonably manage this by filtering and distributing the UDP traffic. That method works.” According to him, it is easier and faster to carry out attacks that are just at or over the capacity of the target. That is also what Octavia de Weerdt of Nawas observes. According to Wim Zandee of F5, there is an increase in the number of attacks. He also sees an increase in volume, but the market must not let that distract it. “It does not detract from the fact that there are also many smaller DDoS attacks that might escape attention,” says Zandee, explaining that many systems only recognize a DDoS attack as such once it reaches a certain volume.
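An added illustration of the detection gap Zandee describes, not taken from the article or from any of the companies quoted: a detector that fires only above one fixed volume misses a flood sized just at a small target's capacity, while a check against the target's own baseline and link capacity catches it. All target names, traffic figures and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed per-minute inbound traffic (Mbit/s); names, capacities and
# figures are illustrative assumptions, not measurements from the article.
TARGETS = {
    # Small site: flood in the last three minutes, sized near link capacity.
    "small-shop": {"capacity": 100,
                   "mbps": [12, 14, 11, 13, 12, 15, 13, 88, 95, 97]},
    # Large site: busy but normal traffic throughout.
    "big-portal": {"capacity": 40000,
                   "mbps": [1150, 1200, 1180, 1210, 1190,
                            1220, 1170, 1205, 1195, 1185]},
}

GLOBAL_THRESHOLD_MBPS = 1000  # hypothetical "certain volume" rule


def fixed_threshold_alerts(samples, threshold=GLOBAL_THRESHOLD_MBPS):
    """Indexes of samples at or above one absolute volume threshold."""
    return [i for i, v in enumerate(samples) if v >= threshold]


def relative_alerts(samples, capacity, warmup=5, factor=4.0, util=0.8):
    """Indexes of samples far above the target's own baseline, or close
    to saturating its link. Assumes the warm-up window is attack-free."""
    baseline = list(samples[:warmup])
    alerts = []
    for i in range(warmup, len(samples)):
        v = samples[i]
        if v >= factor * median(baseline) or v >= util * capacity:
            alerts.append(i)
        else:
            baseline.append(v)  # learn only from traffic that was not flagged
    return alerts


def compare(targets=TARGETS):
    """Run both detectors over every target and return the alert indexes."""
    return {
        name: {"fixed": fixed_threshold_alerts(t["mbps"]),
               "relative": relative_alerts(t["mbps"], t["capacity"])}
        for name, t in targets.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

On this sample the fixed rule stays silent for the small target during the flood and fires on every normal minute of the large one; the relative check flags only the three flood minutes.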

The idea that DDoS attacks are increasing in every respect, as suggested in the press, therefore seems to be in need of revision. What the answers make clear is that the subject can be looked at in different ways.

Eric Bais, A2B-Internet

“If you really want to tackle this, you have to put a dedicated team on it for many years”

Wim Zandee, F5

Trends

Next, the trends were discussed. Zandee mentions two. As the first trend, he points to the use of botnet-assisted attacks and of IoT devices as botnets. “With Mirai we saw attacks with hitherto unknown numbers and size. The layering and refinement was also unique. Due to the emergence of poorly secured and unstable IoT equipment, a large future enemy is lurking in front of us,” he explains, adding that IoT devices speak a different language in the field of protocols. “It is therefore important to keep monitoring these IoT protocols and to take security measures here.”

According to Zandee, the second trend is that more and more information flows are encrypted. Approximately 60%-70% of the communication is already encrypted, and that share will only grow. With the increase in encryption, encrypted attacks on the application infrastructure are becoming more and more common, and traditional security measures cannot deal with them. That is why, according to him, it is necessary to invest in measures that are prepared for this and are able to stop encrypted attacks.

The trends that stand out for Nawas are of a different nature. De Weerdt sees that most DDoS attacks are now carried out through an intermediary: the providers of so-called stresser or booter services. This is the development of a business model that does not involve advanced attacks. “They are not in the interest of the provider. He wants to achieve his turnover with as little effort as possible,” says De Weerdt. Another trend that Nawas sees is that DDoS attacks more often have multiple vectors. Bais’s response to the question about trends is twofold. Adding more capacity is, in his view, no longer the solution, because that is an arms race that leads nowhere. He sees that happening less. “What benefits the market a lot more, and what we see increasing, is dealing more smartly with the resources that are already there.”

Van Gemert sees as a trend that the number of attacks does not seem to increase, but that two important developments are visible around the impact. “We see that the impact of attacks is increasing. This is due to the type of attack and the chosen targets. Furthermore, we clearly notice that the acceptance of this impact is under pressure.” By this he means that customers are increasingly critical of their bank when the banking app does not work, and of companies when their favorite websites are unreachable.

The aforementioned trends predictably led to questions about the future. Are the current, often hardware-based, solutions still sufficient, and in which direction should solutions be sought? Is that in the form of cooperation or knowledge sharing, or is government control needed?

De Weerdt: “Integrated solutions in one appliance are no longer sufficient. It is better to invest in good detection together with a scrubbing center than in your own anti-DDoS appliance. For a front-line defense with overflow to a scrubbing center it can be a good solution. However, good detection remains a precondition.” According to Zandee, the collaboration of different systems at the right places in the infrastructure (at the application, on premise, in the provider's network and in cloud scrubbing centers) is essential. He adds that the balance between hardware and software should not be weighed on the basis of profit or loss, but rather on the intended result. That is why, in his view, a scalable hardware solution is still fine under certain circumstances. “For handling and securing a very specific application you can operate better close to the application and a software solution generally fits perfectly. So it depends on what you want to protect and what controls you want to bring in.”

Octavia de Weerdt, Nawas

Bais refers to his earlier comments on applying more intelligence to detection and control. He explicitly mentions systems in which inbound traffic is handled on the basis of a ranking and classification, and which can work side by side through open APIs and reinforce each other.

Van Gemert’s answer mainly focuses on the current Dutch situation. “We have little knowledge in this area in the Netherlands, and the market is too dependent on third parties and foreign parties. The initiatives to make the Netherlands more resilient lack, in my view, practical knowledge and depth, and they are too dependent on a handful of suppliers. If you really want to take this up, you have to put a dedicated team on that job, and do so for years in a row.” Van Gemert thinks that the whole market and also the government is not going to let this down. “Despite all well-intentioned initiatives, we still lack knowledge and resources in the Netherlands. There is too much focus on quick wins, while the subject is totally unsuited to them. In that respect, they have arranged things much better in Germany. There is serious funding and commitment of the parties.” Because of what Van Gemert calls the lack of knowledge, the wrong questions are asked, and that leads to the wrong solutions. As a result, DDoS protection can deliver disappointing results.

Nawas’s response to the question about the future is, obviously, a different one. It sees a lot in the further development of the existing cooperation. Nawas prefers not to see a role for government in the form of legislation. Zandee says he sees a lot in more and better cooperation, but is also positive about the role of the government. In his view, legislation is absolutely necessary, with the AVG/GDPR being a good step. By this he refers to the obligation to take appropriate measures to prevent the leakage of data.

It is an intriguing idea that the quality of anti-DDoS services can and should continue to increase because of the AVG/GDPR. Whether it remains an idea or becomes reality, time will tell.