Distributed denial of service (DDoS) attacks are blunt instruments, but effective ones. The recent Dyn cyberattack – the largest in history – reminded us of the difficulty of handling these crude attacks. What makes these types of attacks special is just how persistent the attackers are: for days, they keep at it – and they say attention spans are getting shorter! The worst DDoS attacks are these lengthy ones, disrupting service for days, or even weeks on end.
To make a big sustained attack possible, the attacker must use many hosts. Imagine it all came from a single data centre – the attack would quickly be stopped by the data centre operator. Less than a day, anyway. And considering how many home networks participated in this attack, it is no wonder it is almost impossible to shut down. Thirty-thousand systems sending 10 Mbps of attack traffic results in 300 Gbps of attack traffic. Many small trickles come in from many directions, becoming a massive flood once it reaches the target.
Ideally, these attacks would be prevented outright by people keeping their home systems clean and up-to-date on patches. Maybe they'll floss more, too. Scrubbing at the target site is a tried-and-true technique, but it's a matter of capacity: scrubbing 300 Gbps of attack traffic takes some serious muscle. Stopping a DDoS attack near its many sources is much better, and this is a matter of being a good Internet neighbour. And this is where the true opportunity lies.
By deploying smaller-scale scrubbing technology at the edges of the Internet, closer to office buildings, and closer to home users, most DDoS attacks can be mitigated before they even make it out of the neighbourhood. This is especially true for ISPs and providers that operate sub-10 Gbps links to hundreds or dozens of end customers.
Often the perpetrators don't even know they are participating in a distributed attack, but their traffic patterns are clearly visible to their Internet provider or small enterprise security teams. By cleaning egress traffic before sending it upstream, you are not only a good Internet neighbour, you can also save substantial peering costs over the years. Just as it is good common sense to drop any packet with a non-local source address, it is equally good sense to scrub malformed packets that have no business on the internet. No blunt instruments needed at the source end, just snip out the few bad packets and let the majority through.
The big sites and the big links will always need special protection, but we must recognise that DDoS is a common problem we all face, and we all play a role in minimising it. If everyone is prepared to scrub a couple Mbps or Gbps of outgoing traffic, then nobody has to scrub hundreds of Gbps of incoming traffic: in effect if we can turn off the trickles, we can turn off the flood.
