No, a yottabyte DDoS attack has not happened. Someday we will have a yottabyte DDoS, just not today. Tomorrow we will have another press release on “the largest DDoS attack ever.” Will that be important? No. Bragging about the size of DDoS attacks is a distraction from the realities of the Internet and from the real issues that need to be addressed to slow DDoS’s growth.
I’m reminded of other fields that talk about “whether size matters.” The response you get is, “it is effectiveness, not size.” Bragging about “size” is the same for DDoS. The size of attacks will continue to grow (see the explanation below), but the danger lies with those who know how to make DDoS practical, precise and damaging.
In my experience, “DDoS size” claims are distractions that leave organizations surprised by the unexpected. They are lulled into thinking that the only DDoS attacks are attacks that throw lots of packets and overwhelm your system. They think DDoS attacks are growing and getting worse when the reality is something different. Fears about a “Yottabyte DDoS Attack” sell “DDoS capacity,” but focusing on capacity has consequences. Those consequences are organizations building DDoS defenses for the wrong DDoS threat profile and missing easy architectural fixes, leaving weak points that become targets for DDoS. You can have a DDoS defense that can absorb a terabit of reflective UDP floods, but get taken out by a megabit state-exhaustion attack aimed directly at the origin firewalls that locks up their state tables.
Why do DDoS attacks sizes keep growing?
Why does the Internet keep growing? I once did a blog post at the end of the Spoofer Project (see Everyone should be deploying BCP 38! Wait, they are). The article’s conclusion was ‘success’ – we got ~80% of the Internet doing Source Address Validation (SAV). We’re finished! We’ve entered the 80/20 zone – where the first 80% is easy, and the last 20% gets exponentially more complex.
Lots of my peers didn’t like that “we’re finished” conclusion. They want to work harder, keep deploying SAV and strive to get to 100%. While the criticism was ironic (I was a primary instigator of the SAV technology, curated new ways to deploy it, and worked with CSPs/ISPs worldwide to get it deployed), the passion to do more SAV was an expression of valid concern.
Anti-spoofing is critical to inhibit bad guys from exploiting vulnerable systems and sending spoofed DDoS attacks. We all know the realities of the 80/20 problem: the first 80% is easily deployed while the last 20% becomes increasingly harder to deploy. The problem with that 20% was the Internet. It would not stop growing.
That 20% of the Internet that was size “X” back when I wrote (in 2012) is now “X6”. As the Internet grows, the number of devices that can spoof source IP addresses continues to grow. Those ever-increasing devices have access to more bandwidth and packet-per-second (PPS) capacity. The Internet is not going to stop growing. There will always be 20% without SAV deployed. Many of those devices in the 20% will have exploitable vulnerabilities. Our SAV aspirations will not get any easier.
The Democratization of Innovation – A Double-Edged Sword
At no time in human history could so many people in so many parts of the world curate, create, and take to market technology that benefits local society. From Colombia to Uganda, to New Zealand, to (name the place), entrepreneurs are solving problems. Most of these solutions are connected to or hosted on the Internet. The vast majority of them do not think about security. They are vulnerable to external exploitation and abuse. So now our problem compounds:
- The Internet will continue to grow
- 20% of that expanding Internet will have spoofable address space
- “Democratized Innovation” opens the door for people all over the world to deploy their interconnected devices.
- Most of those “interconnected devices” have exploitable security vulnerabilities.
- Miscreants will hunt and exploit those vulnerabilities, turning those devices into malicious tools – like DDoS.
These are the factors leading to “the biggest DDoS attack,” which will happen next week and be bigger than the one before.
Ever Growing DDoS Attacks! What Now?
Different departments expand systems, capacity, and capabilities as organizations grow in separate “swimlanes” of activity. It is not uncommon to start with a robust DDoS resiliency response plan only to have “growth” unknowingly invalidate all the assumptions. The security teams are often the “afterthought” until there is a major DDoS incident.
To illustrate, an organization sets up a robust service with 100 Gbps of network capacity and a 2:1 system capacity of 200 TPS (to handle DDoS state load and Internet surge load incidents). Months later, the network department upgrades its network capacity to 400 Gbps. But the system is still 200 TPS. The organization is exposed. They do not realize they are exposed to a DDoS risk. It takes a ransomware incident to wake up the organization. A minor DDoS attack meant to “incentivize ransomware payment” becomes a major DDoS outage.
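As an added example (not code from the original post), the sizing assumption in the scenario above is written down as a checkable invariant and a constructed change log from separate teams is replayed against it, so the step that silently invalidates the assumption is flagged. The 2:1 ratio, the TPS and Gbps figures, and the change log are constructed from the post’s illustration.

```python
# Encode the post's resiliency assumption ("system capacity sized 2:1 against
# network capacity") as an invariant and replay capacity changes made in
# separate swimlanes to find the moment the assumption is broken.
# All numbers and the change log are constructed for illustration.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class CapacityModel:
    network_gbps: float           # network capacity the service is exposed to
    system_tps: float             # state/transaction capacity behind it
    required_ratio: float = 2.0   # 2:1 system-to-network sizing, as in the post

    def required_system_tps(self) -> float:
        # Units follow the post's example literally (2 TPS per Gbps).
        return self.network_gbps * self.required_ratio

    def exposed(self) -> bool:
        # Exposed when the network can deliver more load than the system absorbs
        return self.system_tps < self.required_system_tps()


# Constructed change log: (team, description, field changed, new value)
CHANGES = [
    ("network", "core upgrade", "network_gbps", 400.0),
    ("apps", "add cache tier", "system_tps", 300.0),
    ("apps", "scale state capacity", "system_tps", 800.0),
]


def replay_changes(model: CapacityModel, changes) -> List[Tuple[str, bool, float]]:
    """Apply each change in order; record (change, exposed?, shortfall in TPS)."""
    history = []
    for team, desc, field_name, value in changes:
        setattr(model, field_name, value)
        shortfall = max(0.0, model.required_system_tps() - model.system_tps)
        history.append((f"{team}: {desc}", model.exposed(), shortfall))
    return history


def first_exposure(history) -> str:
    """Return the change that first broke the invariant, or '' if none did."""
    for desc, exposed, _ in history:
        if exposed:
            return desc
    return ""


if __name__ == "__main__":
    baseline = CapacityModel(network_gbps=100.0, system_tps=200.0)
    for desc, exposed, gap in replay_changes(baseline, CHANGES):
        print(f"{desc:28s} exposed={exposed!s:5s} shortfall={gap:.0f} TPS")
```

The same replay can be run against a real change-management log, with the invariant adjusted to whatever ratio the organization’s own DDoS plan assumed.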
How do you avoid these risks? Designate Resiliency Engineers. Their job is to look at the overall resiliency of the entire solution. Security and DDoS attacks are included in their sphere of work, but their primary focus is the resiliency of the whole solution. A resiliency engineer would see a DDoS attack as a resiliency problem, not a security problem. Why?
Because the Resiliency Engineer will know the only way to stop a DDoS attack is for the person doing the attack to stop, get bored, shift focus, decide it is too much work, or fear they will get caught. The Resiliency Engineer knows there is NO TECHNICAL WAY TO STOP A DDOS ATTACK. The attacks will continue until the people behind the DDoS stop or are arrested and forced to stop. As the Internet, the 20% spoofable space, and infected tech continue to grow, the resiliency engineer’s job of creatively building solutions that can keep delivering in the middle of a DDoS attack will become more critical.
We may not have a Yottabyte DDoS Attack tomorrow, but we will at the rate the Internet is growing. Next time you see the “biggest DDoS attack ever,” turn to your team and review your resiliency architecture, your capacity models, and your DDoS Runbook.
Don’t wait for a DDoS attack; prepare with the DDoS Attack Preparation Workbook!
Practical and seasoned DDoS preparation guidance is gathered in one set of guides. This critical tool helps all organizations leverage their own talent to expand their knowledge, focus on what is most critical, and prioritize results. Head off a Yottabyte DDoS Attack tomorrow by making your network hard to attack today.