DDoS Emotions, Acceptance and Mitigation

Artur Bergman is the founder and CEO of Fastly. He was CTO at Wikia, managed LiveJournal’s engineering team, and was an operations architect at Six Apart. He gave a keynote at Velocity recently talking about DDoS attacks and their impact on your team.

https://www.oreilly.com/ideas/ddos-emotions?imm_mid=0e5241&cmp=em-webops-na-na-newsltr_20160624

My first DDoS attack was a 55 Gbps ICMP Flood. This was back in 2002 when having a GigE connection in a datacenter was a big deal. One minute everything is fine, the next nothing works. It’s like being swallowed up in a hole. Logging into the datacenter’s portal to open a ticket I was given the usage graph on the first page. Confusion kicked in because not only was the interface maxed out, but it was maxed out in the wrong direction (just like Spamhaus’s below).

https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho/

We were lucky:

  1. The attack happened during reasonably normal hours.
  2. Our datacenter’s support portal gave the bandwidth graph on the first page. I couldn’t even quantify the amount of time this saved us.
  3. The transit carrier was able to quickly identify, and filter the attack on their edge routers.

I still remember the attack like it was yesterday. In fact I remember every single DoS attack that I’ve been involved with. And I agree with Artur that the range of emotion both during and after sticks with anyone who has been through one — confusion, anger, helplessness, fear, etc… To put it bluntly, they suck.

Most DDoS attacks are a game of bandwidth — whomever has more wins. We routinely see attacks well over the 100 Gbps mark. The public record now stands at over 600 Gbps. Every year the attacks just get larger and larger. Trust me, you can’t win this game.

Acceptance is the first step to dealing with DDoS attacks. In today’s world it’s just part of the costs of doing business. The second step is to deploy the proper countermeasures for your organization. What this means is specific to each organization and depends on a number of factors. I’ll loosely group your options into two buckets: active and reactive.

Active mitigation can be as simple as using a CDN or a service like CloudFlare or Prolexic. Reactive mitigation is offered by a number of independent startups, and almost all of the major IP backbones. No matter what you chose you should absolutely configure and test your strategy before it hits the fan.

To paraphrase Artur, just remember that the attackers “are assholes” and the best thing you can do is activate your plan, let your partners go to work and get back to your life.

HIPAA
HITRUST
FEDRAMP
ITAR
PCI
SOC