Be prepared for application layer distributed denial of service (DDoS) attacks, a security expert has warned Canadian service providers.
Jim Deleskie, (pictured) former director of network security for global service provider Tata Communications, told the Canadian ISP Summit on Monday that hackers are turning away from brute bandwidth attacks by infecting hundreds of PCs.
“The bad guys are getting smarter because those are a lot easier to see coming in and defend against,” he said.
Instead, increasingly hackers with one PC can generate a lot of small requests to a target server and bring it down.
For example, he said, one attack he handled over a year ago 180,000 packets a second “and took down a company big enough that I guarantee everyone in this room knows who they are.”
Firewalls are useless defences, he added, while load balancers only delay the problem.
The only answer is a true denial of service appliance that looks for anomalies in network traffic, he said.
The head of a Canadian ISP that was crippled last year knows what it’s like. The man, who asked that neither he nor his company be identified for security reasons, said in an interview it started with short random attacks.
“I didn’t know if it was a switch going out,” he recalled. Then one morning the provider’s DNS servers came under sustained attack of millions of “super small packets” amounting to 12 Gigabytes of data at a time.
For customers, online data “moved like mud.” After five hours the company managed to filter out much of the attack, although it persisted for several days.
“I was the worst five hours of my life,” he said.
Some business customers switched providers, he said, and while they didn’t say it was because of the incident, he suspects it was.
The owner believes the attack originated in China and Vancouver.
Deleskie told the conference that it’s popular to blame attacks on China, Russia and Iran, but analysis shows they come from the United States, Germany and the Netherlands. He’s sceptical that governments are behind many of the attacks.
In an interview Deleskie said that in addition to having DDoS mitigation equipment, ISPs should also have on hand an emergency contact list for vendors and peer providers to call for help.
As a result of the attack the Canadian ISP owner company has instituted improved network security procedures, which he wouldn’t detail.
But he issued this warning to other service providers: “Be prudent. It can happen to you.”