With companies becoming increasingly vulnerable to DDoS attacks, they need to know what to look out for and how best to protect themselves if they are targeted. DDoS stands for ‘distributed denial of service’: a cyber attack in which the traffic comes from many sources around the world at once. It is this multipronged angle that makes legacy or traditional defence systems a less effective response.
“The types available put a box on your network to try and filter out the traffic,” says Raymond Maisano, Head of Australia and New Zealand at Cloudflare. “The reason that doesn’t serve most customers today is because these attacks are coming from global resources. So there’s a lot more load and physical boxes on the network that don’t really hold the capacity under load.”
What’s the alternative? Maisano says that organisations should look for a cloud provider that has the level of bandwidth and capacity to provide comprehensive protection. Some providers will have DDoS scrubbing centres that move the traffic somewhere it can be cleaned and then passed back to the customer.
The downside of this is that it involves a number of steps, so it takes time and increases latency for the customer.
A provider like Cloudflare has a different approach, he says. “Across our global network of 250 points of presence around the globe, every single one of our points of presence acts as a DDoS scrubbing centre.”
The difference is that this enables the attack to be addressed at the source, as opposed to the destination.
There are a couple of advantages to this approach:
- traffic isn’t routed elsewhere, so no extra load is placed on the end where the service is located;
- if an attack is coming from sources such as China, Russia, the Americas or Korea, blocking at the source means it is stopped immediately and only clean traffic is forwarded to the customer;
- there is zero latency or performance impact, because the block happens within 20 to 50 milliseconds of the attack being launched.
Most importantly, says Maisano, with a provider that has sufficient resources and is able to perform globally, it can use the capacity it has built up – in Cloudflare’s case, this is 100 terabits of capacity.
“That’s a hundred times bigger than most of the attacks we’ve seen,” says Maisano. “We have enough network capacity to allow our customers to continue to operate as though they’re unaffected, even under massive load.”
Why are cyber attacks increasing?
There are many reasons an organisation may face an attack, says Maisano. The growing prevalence has much to do with organised crime, he believes, leading to more attacks with financial gain and extortion as their motive, rather than coming from someone who is disgruntled with an organisation and simply wants to disrupt its operations.
“Those sorts of criminal resources generally try to find weak points into networks and then try to remove the data so they can say to the customer, ‘we have your data, pay us a ransom’,” says Maisano. “This is actually giving them a faster means of monetising their efforts.”
He also notes the unfortunate fact that it’s now possible to buy a DDoS attack on the dark web.
For just a few American dollars, cyber criminals can purchase a 24/7 attack, target it as they wish and release it – using global resources to attack. The ease of infiltrating the organisations being attacked and the massive reach is what has fuelled this transition to the monetisation of the attacks, says Maisano, and why we are seeing an increase in prevalence.
To pay or not to pay
While he understands the reasons some organisations feel obligated to pay, Maisano agrees with the advice from the ACSC (Australian Cyber Security Centre) and AFP (Australian Federal Police), which is not to pay the ransom, as organisations that do are more likely to be impacted again.
“Jurisdictions and companies that pay ransoms may even be targeted multiple times as they are seen as attractive targets,” he says.
If an organisation is subject to an attack, it should first and foremost reach out to the ACSC and the AFP to get advice. The next move should be to look at building up its cyber security tolerance and protection, advises Maisano, by talking to a company like his.
“We’re continually deploying new points of presence and we’re continually interconnecting with other networks,” he says. “There are 10,000 interconnecting peering arrangements that we have with other organisations to continue to build our capacity.”
Process
To build up its cyber security tolerance by partnering with an appropriate provider that is really across its systems and processes, an organisation can ensure full protection, says Maisano.
“The good thing is, it’s a service, so we work with our partners like AC3, who understand the customer’s environment and help them on the path to configure their on-ramp onto our network.
“Essentially, we can do this without any disruption to their current services. Being able to connect through DNS (domain name system) changes on their network allows them to move their network traffic,” says Maisano.
“For anything that’s internet-facing, we can do that within hours. Anything that’s a network layer may be done over a few weeks as the best path forward for implementation is designed.”
This results in the provider sitting between the customer and the rest of the internet, like a virtual traffic police officer.
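As an added illustration (not part of the article, and not Cloudflare’s or AC3’s tooling), the following Python checks a zone’s A/AAAA records against a provider’s edge prefixes to confirm that the DNS on-ramp described above has actually taken effect, and to list records that still send traffic straight to the origin. The edge prefixes and zone records are constructed placeholders, not the provider’s real ranges.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed placeholders standing in for the provider's edge network.
# These are RFC 5737 / RFC 3849 documentation ranges, not real announced prefixes.
EDGE_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:ed6e::/48"),
]

# Constructed zone snapshots: before and after the DNS change that on-ramps www.
ZONE_BEFORE = [
    ("www.example.com", "A", "203.0.113.10"),      # origin reachable directly
    ("www.example.com", "AAAA", "2001:db8:1::10"),
]
ZONE_AFTER = [
    ("www.example.com", "A", "198.51.100.7"),       # now answered by the edge
    ("www.example.com", "AAAA", "2001:db8:ed6e::7"),
    ("mail.example.com", "A", "203.0.113.20"),      # deliberately direct (SMTP)
    ("legacy.example.com", "A", "203.0.113.10"),    # leftover record to the origin
]


def on_edge(addr: str) -> bool:
    """True if the address lies inside one of the provider's edge prefixes."""
    ip = ipaddress.ip_address(addr)
    # Membership test is False (not an error) when address/network families differ.
    return any(ip in net for net in EDGE_PREFIXES)


def audit_zone(records: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Split A/AAAA records into those fronted by the edge and those still exposed.

    records: (name, rtype, value) tuples as they appear in the zone file.
    Returns {"proxied": [...], "exposed": [...]} with "name rtype value" strings.
    """
    result: Dict[str, List[str]] = {"proxied": [], "exposed": []}
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            continue  # CNAME/MX/TXT carry no address to classify here
        bucket = "proxied" if on_edge(value) else "exposed"
        result[bucket].append(f"{name} {rtype} {value}")
    return result


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, audit_zone(zone))
```

Any record left in the "exposed" list still lets traffic reach the origin without passing through the provider, so besides fixing or removing those records the origin’s own ingress filtering should admit only the provider’s edge prefixes.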
Outlook
The statistics are concerning, notes Maisano, with Australia suffering an alarmingly high number of attacks recently. According to Accenture’s ‘Cyber Investigations, Forensics and Response’ report, in the first six months of 2021, the country accounted for 11 percent of attacks, behind only the US (70 percent) and the UK (24 percent).
“Given that we’re about five percent of the global market, to be in the top three of the attacked countries in the world is a place we’re unlikely to want to be,” says Maisano. “If you unpick that, all the attacks that came in and took over a lot of weak points then became the bots of the next generation of attacks in the following quarter.
“Certainly you can draw that correlation between the two.
“Essentially, there’s a whole list of traffic that happens on the Australian network that searches for weak spots. So this is an area where customers need help. This happens in real time and organisations need to protect themselves for what happens today, not what happened last week,” he concludes.