ViaSat is a Carlsbad, Calif.-based global broadband services and technology company, whose internet services are used by consumers throughout the world. In addition, its services are used by international military forces on the frontlines of battle, as well as commercial, business or government aircraft and maritime vessels. With that kind of customer base, it obviously must keep up its guard regarding potential DDoS attacks.
Charles Renert, ViaSat vice president of cybersecurity, laid out some best practices to combat what he calls today's “commodity-grade attacks,” the more sophisticated DNS- and Network Time Protocol (NTP)-based assaults that are currently commonplace. In this scenario, he says, attackers send high volumes of data your way, testing your ability to intercept a known traffic pattern or the source conducting the attack.
“That's the old-school way of doing things that gets you a little way there,” he says.
Attackers use reflective capabilities to throw large volumes at the target: they request DNS or NTP services as somebody else. This way, he says, “the response doesn't come back to you; it goes to whoever you're targeting.” Adding insult to injury, the increase in bandwidth increases the internet access fees companies pay their service providers, so it becomes a financial hit on both ends: being the victim and paying for the right to be the victim. “So you get 200 or 300 times bang for the buck, creating some absolutely massive attacks, as much as the 1,000 gigabit range we've seen in the last couple of years,” he says. Tools can be purchased and services can be rented by the hour to combat such tactics and techniques.
It behooves organizations susceptible to such threats to increase network capacity well above what's required to absorb and distribute such attacks, especially when they get into the 100-plus gigabit capacity, he says. “DDoS attacks are fundamentally repetitive. There are characteristics that you can identify. They come and go, and typically appear over a short period of time, such as a half hour.”
Renert says organizations should also be equipped to correlate and identify new attacks by their nature, and then have a process in place that automatically drops packets, redirecting the traffic.
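The kind of correlation described above can be sketched as a small detector, added here as an example and not ViaSat's code: it flags hosts receiving DNS or NTP responses they never requested. The flow-record schema, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

SERVICES = {53: "dns", 123: "ntp"}  # UDP services named in the article
REQUEST_TTL = 5            # assumed: seconds a request may still be answered
WINDOW = 60                # assumed: counting bucket, in seconds
THRESHOLD_BYTES = 50_000   # assumed: unsolicited bytes per bucket worth flagging


def unsolicited_floods(flows):
    """Return sorted (victim, service, bucket_start, bytes) tuples over threshold.

    A response (UDP from port 53 or 123) counts as unsolicited when its
    receiver sent no request to that server in the previous REQUEST_TTL seconds.
    """
    last_request = {}           # (client, server, port) -> time of last request
    totals = defaultdict(int)   # (victim, service, bucket) -> unsolicited bytes
    for f in sorted(flows, key=lambda rec: rec["ts"]):
        if f["proto"] != "udp":
            continue
        if f["dport"] in SERVICES:          # outbound request: remember it
            last_request[(f["src"], f["dst"], f["dport"])] = f["ts"]
        elif f["sport"] in SERVICES:        # response: was it asked for?
            asked = last_request.get((f["dst"], f["src"], f["sport"]))
            if asked is None or f["ts"] - asked > REQUEST_TTL:
                bucket = f["ts"] // WINDOW * WINDOW
                totals[(f["dst"], SERVICES[f["sport"]], bucket)] += f["bytes"]
    return sorted((v, s, b, n) for (v, s, b), n in totals.items()
                  if n >= THRESHOLD_BYTES)


def flow(ts, src, sport, dst, dport, nbytes, proto="udp"):
    """Build one constructed flow record (hypothetical schema)."""
    return {"ts": ts, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "bytes": nbytes, "proto": proto}


# Constructed sample: one answered DNS lookup, then 20 NTP responses nobody requested.
SAMPLE = [
    flow(0, "192.0.2.10", 40000, "198.51.100.53", 53, 80),
    flow(1, "198.51.100.53", 53, "192.0.2.10", 40000, 300),
] + [flow(10 + i, f"203.0.113.{i + 1}", 123, "192.0.2.10", 50000 + i, 4400)
     for i in range(20)]

if __name__ == "__main__":
    for victim, service, start, nbytes in unsolicited_floods(SAMPLE):
        print(f"{victim}: {nbytes} unsolicited {service} bytes in window starting {start}")
```

In practice the flagged tuples would feed whatever process drops or redirects the traffic, with an analyst reviewing them for false positives.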
ViaSat's approach is to combine the tools with a managed service, consulting with in-house experts who can use judgment when an attack is underway to analyze detection alerts and keep an eye on what's going on. “There are false positives; it's good to have humans in there to be able to identify what's happening. That's a good practice as well,” Renert notes.