Tue 18 October 2016
The attack on the website of Brian Krebs and the release of the Mirai malware source code demonstrate the challenges facing the anti-bot world. At its peak, the DDoS attack on Krebs on Security was generating 620Gbps of traffic, mostly from compromised IoT devices. With the ever-increasing number of internet-connected devices, and their current security shortcomings, it should come as little surprise that the scale of DDoS attacks is increasing.
One of the most mind-boggling statistics from the Krebs story was the cost of defending against an attack of that scale. It was estimated that buying protection at that level would cost between $150,000 and $200,000 a year. It is perhaps unsurprising, then, that the free protection he had been receiving could not be continued and his site had to be taken offline.
DDoS attacks are employing more devices and becoming more sophisticated, and it is getting harder and harder to respond to them. We should use every weapon at our disposal to prevent, detect and repel this malicious traffic.
The way the Mirai botnet recruits devices is to scan the internet for devices that still accept their factory-default passwords. There is nothing sophisticated or elegant about it; it simply tries a short list of well-known default credentials against every device it finds. Much as vaccination protects the herd as well as the individual, those of us who know better should be making sure all of our devices are locked down, to help shrink the pool from which these attacks are assembled. That includes the myriad new IoT devices that most people barely realise have processors in them. Cameras, digital video recorders, printers and routers all contain processors, some of them surprisingly beefy, and we need to take basic steps, starting with changing the default password, to stop them being hijacked.
As part of our efforts to secure our customers' APIs we think quite hard about DDoS. As attackers become more sophisticated, the character of their attacks is evolving. DDoS is becoming more dynamic, sometimes starting as a pure volumetric flood before adapting to exploit application-layer weaknesses. Attacks are also lasting longer and, as the Krebs attack shows, getting ever more intense.
Approov works against application-layer DDoS attacks and sits behind a pure volumetric DDoS mitigation solution. It adds another level of protection by letting you check whether the API calls reaching your servers, which may trigger expensive operations, originate from a genuine instance of your mobile app.
Using our SDK, you can positively identify traffic that comes from a known good source. Under normal operation this information is not especially important, because your servers can cope with the load. When your servers begin to buckle under a sustained onslaught from a massive botnet, the temptation is to batten down the hatches and weather the storm. But while you are being inundated with malicious traffic, real customers are still trying to use your app. Being able to identify known good traffic lets you treat it differently: you can give it priority access to your servers while rate limiting everything you cannot vouch for.
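As an illustration of that last point, here is an added example of the server side of such a scheme. It is written for this post and is not code from the Approov SDK or service. It assumes that the outcome of the attestation check reaches the API as a short-lived token signed with a key shared between the attestation service and the API, modelled here as an HMAC-SHA256 JWT carried in a header called Attestation-Token; the header name, the signing key, the subject identifiers and the request mix are all constructed for the example. Requests carrying a valid token draw from a generous per-app rate limit, while everything else, including forged, expired and malformed tokens, shares one small pool, so a flood of unattested requests exhausts its own quota without touching the quota available to real users.

```python
"""Added example for this post: prioritising attested API traffic during a flood.

Not Approov's SDK or server code. Assumptions (not stated in the post): the
attestation result reaches the API as a short-lived HS256 JWT in an
"Attestation-Token" header; anything without a valid token is "suspicious".
The key, header name and request mix below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
from collections import defaultdict

SIGNING_KEY = b"example-shared-secret-not-for-production"  # constructed


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, ttl, now):
    """Stand-in for the attestation service: issue an HS256 JWT valid for ttl seconds."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": int(now) + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, now):
    """API-side check: claims dict for a valid token, None for anything else.

    The signature is checked first, in constant time, so no claim is acted on
    unless it was signed with the shared key; malformed input is treated as
    unattested rather than raising.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return None
        if header.get("alg") != "HS256":  # never honour "none" or a swapped algorithm
            return None
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


class TokenBucket:
    """Token bucket refilling at `rate` per second, holding at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    """Two tiers: attested requests get a per-app bucket, everything else shares one."""

    def __init__(self, attested_rate, attested_burst, other_rate, other_burst):
        self.attested = defaultdict(lambda: TokenBucket(attested_rate, attested_burst))
        self.unattested = TokenBucket(other_rate, other_burst)

    def handle(self, headers, now):
        """Return (status, tier); the real handler would only run on a 200."""
        claims = verify_token(headers.get("Attestation-Token"), now)
        if claims is not None:
            tier, bucket = "attested", self.attested[claims.get("sub")]
        else:
            tier, bucket = "unattested", self.unattested
        return (200 if bucket.allow(now) else 429), tier


def simulate(now=1_700_000_000.0):
    """Constructed flood: 500 bot requests and 15 real ones in the same instant."""
    gw = Gateway(attested_rate=10, attested_burst=20, other_rate=1, other_burst=5)
    good = mint_token("app-install-1234", ttl=60, now=now)
    expired = mint_token("app-install-5678", ttl=-1, now=now)
    forged = good[:-6] + "AAAAAA"  # well-formed token with a tampered signature
    bot_headers = [{}, {"Attestation-Token": "not.a.token"},
                   {"Attestation-Token": forged}, {"Attestation-Token": expired}]
    served = {"bot": 0, "real": 0}
    for i in range(500):
        status, _ = gw.handle(bot_headers[i % 4], now)
        served["bot"] += status == 200
    for _ in range(15):
        status, _ = gw.handle({"Attestation-Token": good}, now)
        served["real"] += status == 200
    return served  # {'bot': 5, 'real': 15}: bots drain only their own pool
```

The point of the two pools is that the cost of a request is decided before the expensive work runs: the cheap HMAC check sorts traffic into "vouched for" and "unknown", and only the unknown tier can be starved. In a real deployment the buckets would live in shared storage across gateway instances, the key would be rotated rather than hard-coded, and the unattested pool could be tightened further, or closed entirely, for the duration of an attack.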
The trends for DDoS attacks look set to continue upward, so it is important to do all we can to protect ourselves. Approov is one part of the puzzle, helping you to defend your API from application layer attacks and ensuring your customers can continue to use your apps no matter what the internet is throwing at you.