The first major cyberattack was an unintended distributed denial-of-service (DDoS) attack carried out by a Cornell graduate student in 1988. Thirty years later, DDoS remains among the most destructive cyber challenges facing military, enterprise and public network infrastructure.

With our growing reliance on cyber infrastructure across all sectors, the risks and dangers of DDoS attacks are greater than ever. For government, DDoS could be particularly harmful as mission operations increasingly depend on reliable network access. We’ve seen DDoS attacks hit political campaigns and the Pentagon has faced attacks of 600 gigabits per second (Gbps), a figure that was unheard of a few years ago.

The real question: How are defensive measures evolving to deal with the problem?

Types of DDoS attacks

DDoS attacks are largely botnet-induced, volumetric attacks on key targets. Mirai botnet is perhaps the most notable attack in recent years because it used internet-connected DVRs and webcams to shut down Twitter, Facebook, Reddit and Amazon. These volumetric attacks can push hundreds of Gbps of malicious traffic to a single target, making defending against them and protecting critical cyber infrastructure extremely difficult.

There are also low-volume, or protocol and application-layer DDoS attacks that aim to exhaust the resources of targets. This is usually done by sending malformed network traffic in particular ways. That is, either at the packet level (send bad packets to a target system and force it to react anomalously) or at the protocol level (misuse a protocol’s valid exchanges and cause resources to be exhausted).

For example, Slowloris is a common protocol attack where a single machine creates multiple partial HTTP connection requests to a target server but doesn’t complete them. By holding the connections open, the targeted server eventually reaches max capacity, thus creating a denial of service.

Current DDoS defense

Most DDoS defenses use a filtering as a service or “traffic scrubbing” as a service approach, often delivered through a third party or internet service provider (ISP). These scrubbing services aim to stop attacks by filtering out illegitimate malicious traffic. While these services can be effective, they have weaknesses and cannot solely be used to combat modern DDoS attackers.

For example, large volumetric attacks can overwhelm the filter capacity. To respond, the scrubbing service increases its bandwidth, which requires more resources and increases costs. This becomes a costly arms race between the scrubbing service and the attacker, and fundamentally, attackers will always outpace over-provisioning as a defense.

These scrubbing services generally cannot completely filter the bad traffic without also dropping some of the legitimate traffic.

Also, DDoS response and recovery processes can be manual rather than automated. For instance, a victim might notice their network service quality is poor because they’re facing a high-volume attack. The victim then notifies the scrubbing service to activate filtering out the bad packets of traffic. But because this can be expensive, victims (including agencies) may turn off the scrubbing service once an attack subsides, leaving them vulnerable again and setting up the cycle to repeat. This is a reactive, slow process at a time when identification and mitigation speed is critical.

New approaches to defense

To improve protection against DDoS attacks, government agencies and industry must find new tactics and technologies to provide comprehensive defense against both high-volume and more precise, low-volume attacks. Cyber infrastructure designs inherently need to withstand DDoS attacks to the extent possible.

Three strategies for delivering a comprehensive DDoS defense include:

* Disperse high-value network assets: DDoS attackers target a systems’ most valuable information assets, centralized servers that include email, chat, login or DNS servers that are valuable sources of data. This makes it easier for attackers, only needing to identify these data hubs. One tactic to combat this is to decentralize or disperse the log data or DNS IP information an adversary wants to target. This will make it more difficult for attackers to target data assets and minimize the impact of attacks.

* Deceptive defense: One the best ways to defend against a predator is to trick them. Agencies can do the same to defend against DDoS attackers. Through game-theory planning, real-time analytics and sophisticated network maneuvering, adversary attack activity can be tracked, and appropriate counter maneuvers can be implemented. For instance, an attacker could be fooled into thinking their attack is successful when it’s not.

* Sensor-driven response: Organizations need an adaptive DDoS capability to identify and mitigate attacks, especially zero-day precision attacks that happen in real time which exhaust targeted servers’ computing capacity while flying under the radar of scrubbing techniques. With high fidelity sensors, organizations can quickly detect potential malicious activity, send an alert that will trigger an investigation and initiate appropriate mitigation responses.

Where do we go from here?

Current DDoS solution techniques are not enough. Attackers have proven they can overpower and sneak past traditional scrubbing services.

To survive, organizations need network and information systems whose designs are fundamentally more resilient to DDoS, not just patches and filters to blunt the attacks.

Innovative and adaptive strategies to confuse, confound and outwit attackers can be both more effective and less costly than an escalating arms race.

Tony Bogovic is vice president at Perspecta Labs.

More In Thought Leadership
Why isn’t Russia doing more to jam GPS in Ukraine?
The importance of GPS as a military tool was underscored by Kremlin media in November 2021 as troops were massing along the Ukraine border. After Russia demonstrated it could destroy a satellite in space, a television commentator known to be an unofficial mouthpiece of President Putin said the nation could “blind NATO” by shooting down all GPS satellites.
Mission Possible: Securing remote access for classified networks
The Federal government understands the significance of remote access on meeting mission objectives now and in the future. Agency leaders are looking to the private sector for technology that helps them maintain the highest security levels while meeting the ease-of-access demands of today’s worker – and can be implemented quickly.
Cross-Domain Technologies Are the Key to JADC2
JADC2 aims to build a cross-service digital architecture that can enable rapid and precise data exchanges across domains in order to improve decision-making at the strategic, operational and tactical edges of war fighting.