Evolving DDoS Threat and Standards Based Mitigation Techniques

Ken O'Kelly - Juniper Networks
Sanjay Chohan - Juniper Networks

DDoS threat vectors fall into either the ‘volumetric’ or the ‘low and slow’ camp. Volumetric DDoS attacks are blunt, high-data-volume floods; although these attacks are easy to detect, they can be difficult to stop without causing major disruption. The second camp of DDoS attacks uses increasingly sophisticated techniques in which the attacker targets weaknesses in the back-end systems and, with a relatively small number of requests, consumes a large share of the intended target's resources. These attacks are difficult to detect and can go under the radar of many DDoS prevention systems.

In this talk we present how, by ‘thinking outside the box’, it is possible to identify both of these types of attack. Instead of trying to identify signatures as traffic enters the network, this new anti-DDoS technique analyses the availability of network resources and how the traffic entering the network affects that availability.

Once the DDoS traffic is identified, it is important to stop it as close to the edge of the network as possible. We will discuss the different techniques available to network administrators to signal to the routers across a network that there is an active attack. Traditionally, this was done by telling the routers to ‘dump’ all traffic to the destination address under attack. Whilst this prevented the attack traffic from entering the network, the technique also blackholed legitimate traffic destined for the attacked address, which in essence is a win for the attacker.

A more powerful way to block DDoS streams is to stop only the specific DDoS flow. This can be done using Flowspec, an RFC-based protocol that has been around for several years and has the ability to disseminate flow-specific information to routers on the network. We shall discuss how, using the Flowspec protocol, it is possible to share information about ‘DDoS flows’ with all your network devices, customers and even peers, and therefore stop only the DDoS traffic before it even hits the target network.
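The difference between the two approaches above comes down to what the router is told to match on: a blackhole route carries only a destination prefix, while a Flowspec rule carries a destination prefix plus protocol and port components, so only the matching flow is dropped or rate-limited. The following added example (not code from the talk or from Juniper) encodes such a rule as a BGP Flowspec IPv4 NLRI and its traffic-rate action, following the wire layout in RFC 5575; the prefix 192.0.2.0/24 and the UDP/53 flow are constructed sample values, and only the "equal" operator is implemented.

```python
"""Encode a BGP Flowspec (RFC 5575) rule that matches one DDoS flow.

Constructed example: UDP traffic to port 53 on 192.0.2.0/24 (TEST-NET-1).
A blackhole route would instead drop everything sent to the address.
"""
import ipaddress
import struct

# Component types from RFC 5575 section 4
DEST_PREFIX, IP_PROTO, DEST_PORT = 1, 3, 5


def prefix_component(ctype, cidr):
    """Type 1/2: type, prefix length in bits, then only the bytes needed."""
    net = ipaddress.ip_network(cidr, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype, values):
    """Type 3..12: a list of values matched with 'eq', ORed together
    (AND bit clear). Each value uses a 1- or 2-byte encoding."""
    out = bytearray([ctype])
    for i, value in enumerate(values):
        size = 1 if value < 256 else 2
        op = 0x01                        # eq bit
        op |= {1: 0x00, 2: 0x10}[size]   # len field in bits 5-4
        if i == len(values) - 1:
            op |= 0x80                   # end-of-list bit
        out.append(op)
        out += value.to_bytes(size, "big")
    return bytes(out)


def flowspec_nlri(components):
    """NLRI = length (1 byte below 240, else 0xFnnn) + components."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


def traffic_rate_community(asn, rate_bytes_per_sec):
    """Extended community 0x8006: 2-byte AS, 4-byte float; 0.0 = discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


def ddos_filter(cidr, proto, ports):
    """Rule matching dst prefix AND ip-protocol AND any of the dst ports."""
    return flowspec_nlri([
        prefix_component(DEST_PREFIX, cidr),
        numeric_component(IP_PROTO, [proto]),
        numeric_component(DEST_PORT, ports),
    ])


if __name__ == "__main__":
    print(ddos_filter("192.0.2.0/24", 17, [53]).hex())
    print(traffic_rate_community(0, 0.0).hex())
```

The first printed value is what a Flowspec-capable router would receive instead of a /32 blackhole; the second is the discard action attached to it.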

The presentation will also show how, moving forward, Internet providers and their customers will need to work together to identify and stop DDoS attacks.