How DDoS Attacks Have Evolved - And why you need built-in protection

In the famous fable "The Three Little Pigs," houses made from three different building materials - straw, sticks and bricks - are put to the test by a wolf, which tries to blow each of them down. Only the brick house survives. Unfortunately, over the years, many network and application architectures have proven more like the straw and stick huts when confronted by major distributed denial-of-service (DDoS) attacks.

These DDoS campaigns often exposed vulnerabilities that, under normal operating conditions, rarely received a second thought. For example, in early 2014, a legacy protocol most people had never even heard of – the Network Time Protocol – became instrumental to some of the then-largest DDoS attempts in history, briefly supplanting DNS as the most prominent attack vector.

Like other cybersecurity threats, DDoS attacks are continuously evolving in ways that work around common defenses. Here's what you should know about today's DDoS risk climate, and what recourse is available from trusted partners such as Telesystem:

Problem: DDoS attacks are harnessing the Internet of Things

The Internet of Things (IoT) is a massive new domain of internet-connected infrastructure, making it fertile ground for DDoS perpetrators. A typical recent incident involved a variant of the infamous Mirai botnet hijacking 13,000 IoT devices for a DDoS campaign targeted at financial institutions, according to Recorded Future. In October 2016, DNS provider Dyn also went down from an attack harnessing IoT components rather than PCs or servers.

The IoT's vast scope and unique components (e.g., small networked devices without traditional user interfaces) present unique security challenges, especially for patch management and event monitoring. It's a huge pool of potential resources, one attackers can tap to generate the overwhelming amounts of meaningless traffic essential to DDoS attacks.

Solution: Proactive planning and managed security

Organizations everywhere are now keen to invest in the IoT. A SADA survey found IoT was one of the top two priorities for IT leaders in 2018, alongside artificial intelligence. Two-thirds reported having IoT projects in the works.

Accordingly, they must plan for the associated risks, such as becoming victims of the infrastructure-hijacking malware that frequently supports DDoS. Managed security services from Telesystem can help by providing content filtering, intrusion detection, antivirus and much more. These protections enable a proactive security strategy that constantly checks for threats and allows for regular patching and upgrades.

Problem: DDoS attacks are exploiting Memcached servers

While the IoT is a powerful set of assets for DDoS perpetrators, significant legwork is still needed to effectively leverage it against any target. Malware must be propagated at enormous scale to build a sufficiently large botnet. In contrast, taking advantage of poorly secured Memcached servers is much easier.

An early 2018 attack against code repository GitHub demonstrated the potency of this vector. The incident peaked at 1.3 Tbps, making it the largest ever documented by Akamai. The exposure of many Memcached servers to the open internet enabled similar attacks through early March 2018.

Solution: Keep Memcached and other key software up-to-date

Outdated software is one of the biggest precipitators of security issues. Memcached wasn't technically out-of-date at the time of the GitHub attack, but it did lack a crucial feature that was added shortly thereafter – disabling UDP (a protocol that is a magnet for DDoS attackers) by default.

Quickly updating Memcached was the best way to stay safe in the wake of the wave of attacks taking advantage of it. Similarly, it's usually prudent to apply upgrades and patches as soon as they become available and to have scalable infrastructure in place for modifying crucial systems. Telesystem's hosted VoIP solutions include essential updates and maintenance within their subscription, saving you the cost and hassle of having to handle them on your own.
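To check whether a given Memcached instance still answers on UDP, the short audit below reads a memcached.conf-style option file and reports its UDP exposure. It is an added example, not part of the original post or of Memcached itself. The function names and the `udp_on_by_default` argument are assumptions of the example: the caller states whether the installed build enables UDP when no `-U` option is given.

```python
import ipaddress

# Long-form spellings of the memcached options this audit reads.
ALIASES = {"--udp-port": "-U", "--listen": "-l", "--port": "-p"}

def parse_options(conf_text):
    """Parse memcached.conf-style text: one option per line, '#' comments."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        opts[ALIASES.get(parts[0], parts[0])] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def is_loopback(addr):
    """True only for addresses that are certainly local to the host."""
    host = addr.strip().strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unknown hostname: treat as reachable from outside

def audit_udp(conf_text, udp_on_by_default):
    """Return 'udp-disabled', 'udp-loopback-only' or 'udp-exposed'.

    udp_on_by_default is an assumption supplied by the caller: True for a
    build that predates the change described above, False for one after it.
    """
    opts = parse_options(conf_text)
    if "-U" in opts:
        udp_enabled = int(opts["-U"]) != 0   # '-U 0' turns the UDP listener off
    else:
        udp_enabled = udp_on_by_default
    if not udp_enabled:
        return "udp-disabled"
    # With no -l option memcached listens on every interface.
    listeners = opts.get("-l", "0.0.0.0").split(",")
    if all(is_loopback(a) for a in listeners):
        return "udp-loopback-only"
    return "udp-exposed"

# Constructed sample: a stock-looking config with no -U and no -l lines.
SAMPLE_CONF = "# memcached.conf (constructed sample)\n-m 64\n-p 11211\n-u memcache\n"
```

An instance reported as `udp-exposed` should get an explicit `-U 0` and a restricted `-l` address, since a software update alone does not change a configuration that enables UDP explicitly.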

Problem: Many DDoS attacks now target ISPs and business partners

As the Dyn incident demonstrated, DDoS attacks don't have to target websites individually to wreak havoc – they can instead go after the business partners the sites rely on, including DNS and internet service providers (ISPs). The result is the same, namely an unreachable service for end users.

DDoS protections from ISPs themselves can provide some degree of protection. However, these defenses are not usually enough on their own and require additional or alternative safeguards, such as having deep inspection integrated with key business services such as hosted VoIP.

Solution: Get DDoS protection included in your hosted VoIP solution

Customers using Telesystem's voice solutions, including hosted VoIP, get built-in DDoS protection at no extra charge. All traffic passing through our network core benefits from real-time inspection, detection and defense against DDoS attacks.

Our comprehensive, purpose-built security infrastructure is an essential benefit on top of the cost-effectiveness, scalability and flexibility of our hosted VoIP platform. Contact our team today for more information on how you can get started.