New Approach to DDOS Protection
Attacks are larger, adversaries more diverse, and damage is broader. These are characteristics of today's distributed-denial-of-service attacks, and organizations need a new approach to protection, says Verisign's Ramakant Pandrangi.
Pandrangi, VP of Technology at Verisign, has studied DDoS attacks, and he's concerned about recent trends.
"Large volumetric DDoS attacks are becoming more common," Pandrangi says. "And as that happens, on-premise solutions will not be able to handle these types of attacks."
What's needed, then, is an entirely new approach to protecting against DDoS. Pandrangi advocates what he calls an open/hybrid approach that relies on on-premise solutions to mitigate attacks locally, while leveraging cloud-based services when attacks are likely to overwhelm the defenses. At the core of this new approach is an open platform that allows multiple vendors to act in concert on the customer's behalf.
"This [approach], we believe, will allow businesses to have a wide range of options without the limitations of having vendor lock-in," he says.
In an interview about the new approach to DDoS protection, Pandrangi discusses:
- Latest DDoS attack trends;
- What's wrong with the traditional approach to DDoS protection;
- Details of the Verisign Open-Hybrid Solution.
As vice president of technology, Pandrangi is responsible for the technology direction and product management for the company's Network Intelligence and Availability (NIA) business, which includes Verisign DDoS Protection Services, Verisign Managed DNS Services and Verisign iDefense Security Intelligence Services.
Pandrangi has been with Verisign for more than 13 years, and prior to his current position he was senior director of infrastructure engineering, where he led and managed the teams responsible for the development of Verisign's scalable resolution services. These systems include DNS resolution for all Top-Level Domains (TLDs) operated by Verisign, related WhoIs services, Verisign's Managed DNS Services and Athena, Verisign's network and DDoS mitigation platform.
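The open/hybrid model described above (local devices mitigate first, then signal a cloud service once an attack outgrows them) can be sketched as a small escalation controller. This is an added illustration, not Verisign's code or any real product's signalling protocol; the capacity, thresholds and traffic trace are constructed values.

```python
"""Added example (not from the interview or Verisign's product): a toy
open/hybrid DDoS escalation controller. An on-premise mitigator absorbs
traffic up to its local capacity; when the overload is sustained it
signals a cloud scrubbing service, and it signals all-clear once traffic
has stayed low for a while. Hysteresis avoids flapping on short spikes."""
from dataclasses import dataclass, field


@dataclass
class HybridController:
    local_capacity_gbps: float      # what the on-premise gear can absorb (assumed)
    escalate_after: int = 3         # consecutive samples over capacity before signalling cloud
    deescalate_after: int = 5       # consecutive low samples before returning to local
    recover_ratio: float = 0.5      # "low" means traffic < recover_ratio * capacity
    cloud_active: bool = False
    _over: int = 0
    _under: int = 0
    signals: list = field(default_factory=list)

    def observe(self, t: int, gbps: float) -> str:
        """Feed one per-second traffic sample; return the mode in force after it."""
        if not self.cloud_active:
            self._over = self._over + 1 if gbps > self.local_capacity_gbps else 0
            if self._over >= self.escalate_after:
                self.cloud_active, self._over = True, 0
                self.signals.append((t, "ESCALATE"))    # hand off to cloud scrubbing
        else:
            low = gbps < self.recover_ratio * self.local_capacity_gbps
            self._under = self._under + 1 if low else 0
            if self._under >= self.deescalate_after:
                self.cloud_active, self._under = False, 0
                self.signals.append((t, "ALL_CLEAR"))   # return traffic to local path
        return "cloud" if self.cloud_active else "local"


def run_trace(samples, capacity=5.0):
    """Run a trace of Gbps samples and return (mode per sample, signals emitted)."""
    ctl = HybridController(local_capacity_gbps=capacity)
    modes = [ctl.observe(t, g) for t, g in enumerate(samples)]
    return modes, ctl.signals


# Constructed trace: normal traffic, one spike the local device absorbs,
# a sustained volumetric attack, then recovery after the cloud takes over.
TRACE = [1.0, 1.2, 6.0, 1.1,             # single-sample spike: no escalation
         8.0, 9.5, 12.0, 14.0, 13.0,     # sustained: escalate on the third sample (t=6)
         3.0, 2.0, 1.5, 1.2, 1.0, 1.0]   # five low samples: all-clear at t=14

if __name__ == "__main__":
    print(run_trace(TRACE))
```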
TOM FIELD: Hi, I'm Tom Field, Vice-President of Editorial with Information Security Media Group. I'm talking today about the new approach to DDoS protection, and it's my privilege to be speaking with Ramakant Pandrangi. He is Vice-President of Technology with Verisign. Ramakant, thanks so much for joining me today.
RAMAKANT PANDRANGI: Thanks Tom. I'm glad to be here.
FIELD: I want to talk with you a bit about the DDoS attack trends that you are seeing and from a couple of different angles. First, what can you tell me about the size of the attacks and the diversity of the adversaries that you're seeing in the marketplace?
PANDRANGI: So Tom, we've been seeing an increase in both attack size and the complexity of attacks over the last few years. For example, in the third quarter we saw attacks in the 10GB range and above grow about 38% from the previous quarter, and they now represent more than 20% of all attacks in the third quarter. So what this really means is that large volume DDoS attacks are becoming more common, and as that happens, on-premise solutions, you know, will not be able to handle these types of attacks, and you need to have some cloud-based protection to be able to mitigate these attacks successfully. The other thing that we are seeing is a rise in the number of attacks per customer. It's averaging approximately 3.3 separate attempts per target.
FIELD: How does that impact the potential attack-footprint within an organization?
PANDRANGI: What we're looking at is there are two major trends here. The first trend is that, you know, the size and complexity of attacks is going up, right. And then the second is the way people develop software is changing fundamentally, and those architectures are changing fundamentally to support more agility. So we've seen people migrating from traditional data centers toward more virtualization. We see virtualization, you know, increasing within the traditional data center, and we see organizations being able to use public clouds significantly. I think there is a number, you know, that talks about 1/3 of all computing being in some sort of a cloud, whether private or public, you know, cloud is where the workload is operating today. That's a pretty big shift, but what that does is it increases the attack surface area and makes it harder to be able to detect and mitigate attacks successfully, because you have more environments to protect and you need tools that can go across these environments and get the right signals. In terms of complexity of attacks, we have noticed, for example, that NTP-based attacks were very common and still are. It's a reflection-based attack, you know, based on User Datagram Protocol, UDP. In Q3 we began to see people use another kind of reflection attack using SSDP, Simple Service Discovery Protocol, so attackers are evolving and adjusting their tactics.
FIELD: Well that segues into my next question because we started this conversation talking about the new approach to DDoS protection. Tell us what's wrong with the traditional approach given everything you've talked about in terms of trends?
PANDRANGI: Right, so when you have multiple environments and you have multiple tools, you get lots of signals, and it really is, how do you eliminate the noise to get the true signal? And that is extremely hard because each of these tools, like for example firewalls, intrusion detection systems, or, you know, intrusion protection systems, they are all reporting and detecting threats, but they're not communicating with each other. So we've seen customers who have these tools and they have a cloud-based service, but there's no interoperability or communication between these different devices or different solutions. We believe that in order to have faster and more effective mitigation, we need a shift and an open platform where devices and services from different vendors can share and act on information in concert. And so what we're talking about here is a hybrid approach where you have local on-premise devices that can detect the attack quickly and mitigate the attack immediately first. However, if the size of the attack gets beyond a certain point, they need to be able to signal a cloud-based service and be able to switch over protection, you know, as the network gets swamped or other devices in the network start to see resource exhaustion.
FIELD: Ramakant, you blogged about the concept of open-DDoS protection. Could you explain that to me and then talk also about your own new Verisign Open-Hybrid Solution please?
PANDRANGI: You know, in the previous question I was describing the shift that we were talking about, the shift that is needed. And with the Verisign Open-Hybrid Solution, what we want to enable is an architecture and a framework to enable that shift. The first part of it is to create open standards for communication between on-premise DDoS mitigation, or other points of signals that are available, and the cloud-based DDoS protection services. So this standard, this approach, we believe will allow businesses to have a wide range of options without the limitations of having vendor lock-in. We worked with Juniper Networks to release a draft that we have now submitted to the IETF to create these open specifications. I talked earlier about customers having a wide range of devices, so for the second part we want to deliver what they call a 'Connector' that allows for signals to be obtained from these widely used devices that can communicate back with our cloud-based service. So that's the second part, and then finally for the third part, if you're in public cloud environments we want to deliver connectors that can obtain the right signal from these public cloud environments, such as Amazon Web Services, and still be able to notify a cloud-based DDoS protection service when the application is under attack and needs DDoS mitigation.
FIELD: So really what you've done is outline the future of DDoS protection. Tell me how your customers are now warding off DDoS attacks benefiting from your knowledge and your solutions in the area?
PANDRANGI: The way our DDoS protection, or the Verisign DDoS protection service, works is that we consistently monitor our customers' network traffic, or we look for other signals, and that alerts us to an attack. Once we've determined that the customer's application is under attack, we redirect it to our network where it is inspected and filtered, so that we can send them good traffic and ensure that legitimate users get through while stopping the bad traffic. We also believe threat intelligence is very important; threat intelligence provides context, and we use Verisign's iDefense Service to provide that threat intelligence, which lets us build filters for attack types ahead of time. This allows our customers to rely on our service instead of having to over-provision their infrastructure or having to constantly scale their infrastructure as the size and the complexity of threats goes up. With the Open-Hybrid initiative, we are now enabling our customers to take other signals that they may already have within their premises, it could be a home-grown monitoring service or other devices such as firewalls, and we are now able to monitor them beyond just the information that we had. They can use that to signal our service when those resources are under stress.
FIELD: So Ramakant, given the size and complexity of the attacks, what advice do you offer your customers who want to improve DDoS protection? In other words, where should they start to assess and then meet their needs?
PANDRANGI: I think it is very important for customers to look at their network and architecture holistically. As DDoS threats continually evolve, companies need to evaluate solutions that allow them to get to the goal of faster and more effective DDoS mitigation. And this could mean that, you know, they look at local defenses, which is going back to the topic of hybrid defenses, if that warrants it, where they could use local defenses to detect and mitigate and yet have a cloud-based service that can also provide them the ability to switch over as the attack grows big. The other thing they need to think about is obtaining threat intelligence, to be able to prepare for, you know, these multi-vector adaptive attacks that we are seeing. Finally, they really need to not forget about DNS. Securing DNS and making sure the DNS layer is protected from DDoS is very important, because if you secure your application from DDoS attacks and do not secure your DNS layer from DDoS attacks, the end users may not be able to reach the application because DNS is down. So what we advise customers is: look at your architecture holistically, you know, this is about risk mitigation, and about planning and preparing to be able to detect and mitigate attacks.
FIELD: Well Ramakant, it's a timely topic and that is great insight. I appreciate your time and your thoughts today. Thank you very much.
PANDRANGI: Thanks a lot Tom.
FIELD: The topic has been the new approach to DDoS protection. I've been speaking with Ramakant Pandrangi, Vice-President of Technology with Verisign. For Information Security Media Group, I'm Tom Field. Thank you very much.