Q&A: Akamai CSO Andy Ellis says DDoS ‘all too easy’

By Byron V. Acohido

Andy Ellis, Akamai’s CSO, is the designer and patent holder of Akamai’s SSL acceleration network. Last Watchdog asked him to put massive DDoS attacks into context.

LW: What’s driving volumetric DDoS attacks?

Ellis: I suspect that what we’re seeing is a rapid explosion in capabilities driven not by “new” vulnerabilities, but by a critical mass of knowledge, combined with the widespread availability of both initiating botnets and reflection systems. Every network needs the DNS and NTP servers that provide reflection and amplification points, while the widespread availability of easily compromised servers in consumer cloud networks provides growing launch capabilities.

We’ll see DDoS attacks like this continue to happen, likely with increasing regularity. Criminal operators engaged in extortion have found that they can operationalize money-making campaigns; fraudsters seeking to cover their tracks with distraction-DDoS will continue to operate, and nation-backed adversaries will continue to use it as a weapon of economic warfare.

LW: What can or should be done?

Ellis: Besides buy amazing DDoS defense services? Fundamentally, we have a public health issue on the Internet: Compromisable systems can forge packets at open reflectors. That’s three capabilities an adversary needs to exploit; limiting any one of them is beneficial. All ISPs should be implementing BCP38, or egress filtering, and not allowing traffic to originate from their network that doesn’t come from a net block they know about. Organizations operating reflectable services should be controlling access to those systems, and rate-limiting outbound responses. And, of course, people should be maintaining their systems.

LW: Anything else?

Ellis: While these attacks seem large, fundamentally these are the easy attacks. We’re already seeing attacks that aren’t merely bandwidth-based. They’re smaller, but they look more like end-users to most defenses, and those can be problematic for the unprepared to defend themselves against.

 
