Corero Network Security on why DDoS mitigation strategy must improve

The Mirai botnet attacks last year revealed painful realities about the distributed denial of service threat landscape, and those realities must be addressed before the problem gets even worse, according to Corero Network Security's Dave Larson.

Larson, CTO and COO of Corero, recently spoke with SearchSecurity about why DDoS mitigation strategy has to change in the wake of the Mirai botnet attacks and why he expects powerful, 1 TB DDoS attacks to be more common in 2017. Larson explained Corero's approach to the growing problem, which involves using automatic DDoS mitigation appliances that are often managed by Corero rather than the clients themselves.

In addition, Larson discussed the effects these powerful DDoS attacks will have outside of the technology industry and warned that inaction by both service providers and IoT device manufacturers will lead to government action and new regulations. Here are excerpts of the conversation with Larson. For the audio version of the interview, listen to this episode of the Risk & Repeat podcast.

What is Corero's DDoS mitigation strategy?

Dave Larson: We're in the business of building basically infinitely scalable automatic DDoS edge defenses. What that means is it's appropriate for any large-scale operation, whether it's a data center operator, a traditional carrier or a conglomerate operator of some kind. It's for anywhere there's a significant amount of Peering or "dirty" peering or transit edge bandwidth. And that could even be a private entity like a large gaming company or a large bank. One of the traditional problems with DDoS attacks is you have to have enough capacity to deal with the problem to begin with. We would argue that if you have the capacity, then use it to your advantage and actually sync all the attacks, get rid of everything that's a problem in the network, and allow the good traffic to transit. The problem with that is, historically in the market, there hasn't been technology that could do that. So it has always been deployed out of band in something like a "scrubbing" center. We are very much a new entrant to the marketplace although our product has been in the market now for almost two and a half years.

And we have been deployed the majority of the time as an automatic DDoS mitigation device at full capacity scale of the edge. Some example customers that we have that are public are Liquid Web, a large North American hosting company, and Jagex, a large game company in the U.K. They host a game called RuneScape that has about a million and a half subscribers. We've protected that now for two and a half years.

RuneScape has been hit with DDoS attacks a lot, correct?

Larson: Yes, tons. And believe me, for a long time they were unable to sustain their online contests. But with our solution in place, they've been able to run pretty much with minimal, if any, outages and it's entirely auto-mitigated. We also have service provider-type entities like Block Communications as a conglomerate operator in the Ohio and Pennsylvania region; Telesystem, Line Systems, Buckeye CableSystem are some of their brands. OTT Communications in the northeast is another example. There's also Spear Communications in the Carolinas. There's a whole bunch of different ones that I can point to. The cool thing about us, though, is that in almost all of those examples, we are covering all their edge bandwidth. Block Communications is a good example; we cover all of their peering bandwidth. They offer cable, phone, VoIP and wireless services, and we protect their entire edge at about 180 GB of capacity in their region. And they're a very vocal advocate for us because they deployed the product and it solves the problem. They don't have to think about it. They didn't add any people; they didn't add anything. We manage and operate the service for them with our hardware that they purchased in their environment.

Is that sort of the normal approach or normal model from customers -- to buy the DDoS mitigation appliance and have you guys manage it?

Larson: Yes. Some can't. We certainly have customers like that. We have government customers that cannot [outsource management]. They need to learn how to operate the product themselves and of course, we provide professional services and training that allows them to do that. But the majority of our customers do have us manage the product. And frankly if you look at the tier two and three operator space generally, none of them can afford their own security staff. So they've never bought a product in the past because they couldn't operate it. Or they couldn't afford it either in many cases. One of the reasons I think we're winning is our cost model is significantly lower from an acquisition cost.

But on the heels of the Mirai botnet attacks, we put an announcement that says we will sell a terabit of manage DDoS capacity to an operator for a million dollars. That's about 25% of the cost of what you would be able to buy from competitors like Arbor Networks, and that's just acquisition alone. And then Arbor doesn't manage it for you. You'd have to staff 11 to 15 people on a 24/7/365 basis. So no one can address what we do. The beauty of it is we're not just saying we can do it. We have customers that have been in production for two years in this mode of operation, and they're happy to advocate for us.

We've only seen a few of DDoS attacks that have that kind of capacity, but do you think they're going to be common going forward?

Larson: I think these [attacks] are proof points of something that's going to become ubiquitous. A terabit attack is no longer [uncommon]. Just look at the fact that three of them occurred reliably in a space of three weeks and the fact that the Mirai botnet code was made open source. We already are seeing evidence through our competitors like Cloudflare and other cloud service operators that are indicating there are already derivatives of Mirai in use. The main thing is that we think terabit is going to be commonplace. We think it's going to be highly morphological because these processor entities in cameras, DVRs, thermostats or whatever are Linux environments. You can get them to do whatever you want, and they have relatively high bandwidth. So when you get hundreds of thousands or millions of these devices together, they're a problem. And we think that's going to be a case. But because that's the case, really, the end users have nothing they can do about this. And end users simply, with very few exceptions, don't have a capacity to deal with [DDoS mitigation]. So this has to be done at the large cloud data center operation level and at the service provider level where there is a bandwidth glut that can be brought to bear on the problem and still allow good traffic to transit into the network or through the network.

And if the service provider community doesn't do something about this, they will get regulated because the attack on Dyn already has legislation moving through Congress. And if they want to wait for that to become something, then I can guarantee it'll be more costly, less effective and it'll just be a waste of their time. It won't actually get to the root of the problem. It'll open them up to litigation. Because as soon as it's a compliance initiative or regulatory requirement that they don't comply with, it means that they can suffer damages in terms of litigation. And so I spoke at two telecommunication conferences, one in Portsmouth, N.H., one in Hilton Head [Island], S.C., last week where I was advocating to the community that they had better take this seriously. This is no longer something where you can say, 'Oh, net neutrality, it's not our problem. We can't touch the bits.' You have to touch the bits because you're the only people that have the bandwidth that can do it.

Do you think the IoT device manufacturers will also be under the gun in terms of potential regulations?

Larson: I think they are. It's interesting because in a global economy, and the way these things are built and sourced, it's hard to decide how to attach damages [from attacks] and get damages returned to you. In the case of the original Mirai stuff, most of that was attributed to a Chinese manufacturer of DVRs and cameras. And the main problem with it was hardcoded credentials that couldn't be changed. So that manufacturer rightly issued a recall. The problem is there's almost nothing to enforce a recall. So even though they have millions of devices that they have shipped, it's not clear to me how you can enforce a recall --unless, as an edge provider, you identify that device is on your network and then blacklist it and say, 'No, it can't [be on the network].' The problem with even doing that is you have to actually get down into the set-top environment or the modem environment inside the house so that you get access to the MAC address of the originating offending device and then you can blacklist it there.

This isn't an easy problem to solve, but I think the ISPs have an obligation to at least take steps to show that they're taking the problem seriously so that they can in good faith state that they're trying to get it off their network. They can hold end users accountable. They can certainly identify the attack. They can tell where it's coming from because it's going be masked behind a NAT (network address translation) address that's associated with their edge router somewhere in the environment. So they can say, 'There's an offending Mirai device, it's in this particular device, and I'm going to shut you off entirely until you mitigate and take the system offline and send them for the recall.' That they can do today, but they have to take it seriously, because even in that environment -- even though it was largely localized and a lot of the Mirai attack was coming out of Asia Pacific -- it was still spread out among so many different service provider entities that it wasn't hurting them.

Does getting rid of net neutrality change the regulation picture?

Larson: No. I don't think net neutrality really has any real bearing on DDoS, to be perfectly honest, because what net neutrality is about is about preferential treatment for economic gain or bias. And it's intended to make that go away. And reasonable people can agree or disagree whether that's a hindrance or a help to the overall innovation and business environment. I personally don't take a position on that one. But what I can say is it definitively has nothing to do with whether or not you have the right to get rid of DDoS traffic because DDoS is reliably identifiable as malicious. And so passing malicious traffic in the auspice of net neutrality is laziness, in my opinion. It's just saying, 'I don't want to do it, or I'm so used to the cost associated with doing it because I buy Arbor equipment and I don't want to expand my footprint to do it well.' And I can understand that economic argument. The reality of it is that we're changing DDoS mitigation to a point where you can actually get to at least peering capacity with the attack. And you can do it economically if you can get to a terabit for a million dollars. These operators have spent millions and millions and millions of dollars, and none of them have a terabit of capability. Our largest customers are a very large and growing hosting company, but in Q1 we announced they purchased 720 GB of capacity. They've deployed it in their environment, and they have more capacity at DDoS than AT&T and Verizon combined.

Stay tuned for part two of this interview with Corero Network Security's Dave Larson.