Preventing volumetric DDoS attacks such as this, especially those that are designed to 'look' like or are in fact legitimate traffic (just high volume), are virtually impossible for most if not all enterprises at the data centre or even the local ISP level. They need to be able to protect against such attacks at the edge of the Internet, by leveraging a cloud security solution. A solution that is able to distribute their service or service entry point across the Internet.
For an enterprise looking to protect itself, it needs to assess their approach and strategy at three levels.
Data centre(s) resilience: how does your organisation ensure that its data centre is resilient to DDoS attacks, especially at the application level? These attacks may not even impact network bandwidth, yet exploit vulnerabilities in the application or database services within the technology stack.
Geographical resilience: how does your organisation protect itself at a geographical level? Let's say an enterprise has multiple service providers servicing its primary data centre, but a regional issue similar to the Spamhaus DDoS attack occurs. What is your strategy and approach to business continuity?
Service resilience: how does your organisation protect underlying critical infrastructure and application services, such as domain name system (DNS)? DNS is an often overlooked service, yet as seen in the Spamhaus attack, DNS is often an after-thought for many organisations resulting in insufficient geographical and capacity resilience. Furthermore, what is the strategy for providing resilience to the services provided by third parties or even hosted by third parties such as a cloud provider (irrespective of whether they are a IaaS, PaaS or SaaS cloud provider)?
On any given day, we deliver 15-30 percent of the world's Web traffic, including some very high profile sites. We also receive large volumes of DDoS attacks and provide DDoS protection services to act as a buffer between our customers and the attackers. In a typical week, Akamai and/or our customers are the target of two significantly-sized attacks of 10 or more gigabits per second (Gbps) and countless smaller attacks, and we're very successful in defending against them.
Attackers and motivation
In an attack situation, people want to know who the attackers are and what their motivation may be. The attackers and their motives have been linked to everything from hacktivism to cyber war to organised crime. Speculation is interesting; useful, actionable information that can help protect your business is significantly more valuable.
Information, especially during a security incident, is critical for a number of reasons. This is because the attackers will change tactics, techniques, and procedures until they find one that is effective against their current target and enables them to achieve their objectives with the least amount of effort and risk. As a result, threat intelligence is very perishable: what the attackers are doing today is different from what they were doing last month and very different from what they'll be doing in the future.
Sign up for MIS Asia eNewsletters.