December 19, 2021
Since 2020, Nexusguard Research has recorded over 4 million DDoS attacks, with Communication Service Providers (CSPs) among the prime targets, enduring more attacks than other sectors. DDoS attacks are generally characterized by high volumes of traffic that cause websites or services to suddenly slow down or become unavailable. However, since a number of causes such as network issues or a legitimate spike in traffic resulting in an increase in bandwidth resource utilization can also create similar performance issues, further analysis is usually required to deduce whether traffic coming from a source is friend or foe.
A multi-dimensional baselining approach to DDoS detection
CSP networks experience unique traffic demands that vary from business to business. Traffic volume changes dynamically during the day, peaking during busy periods and levelling off throughout the day to regular levels. However, it is possible for CSPs to be overwhelmed by regular traffic by non-malicious users, particularly prior to the start of world events such as the Olympic Games when hundreds of thousands of people are trying to access a website to buy tickets as soon as they go on sale - but that’s not to say DDoS attacks won’t be targeted at CSPs during such busy event periods. In order to perform effective attack mitigation, CSPs require rigorous DDoS detection methods to accurately distinguish DDoS attacks from legitimate network traffic.
Limitations of Threshold-based DDoS Detection
The challenge faced by CSPs is not knowing what type of traffic flows through their customers’ networks, and hence it is difficult to employ optimum security policies to combat known attack threats. The most simplistic form of DDoS detection most commonly adopted by CSPs is threshold-based detection, which is essentially based on a single metric such as traffic volume, total traffic or traffic to a particular IP address. But using threshold-based detection based on traffic volume alone to identify attack traffic is neither sufficient nor reliable, given that cybercriminals and their attack methods are becoming more sophisticated by the day.
Dynamic Threshold Baselines Determine a More Precise Attack Signature
Identifying DDoS attacks requires a large amount of high quality and accurate data to determine baselines that can be used to effectively distinguish between normal and anomalous behaviour. A network baseline is a set of metrics used in network performance monitoring to define the normal working conditions of a network infrastructure. These baselines can be compared against an incident to determine whether changes in traffic levels could indicate a problem. For example, if traffic crosses a 10% variance of a typical CSP’s traffic baselines over a period of time, these evolving traffic levels can then be assigned as dynamic thresholds that dictate the specific conditions for attack detection.
Based on the attributes of DDoS attacks, it is recommended that the following baseline metrics are monitored:
•Network protocol distribution: e.g. TCP, UDP, and ICMP protocol distribution in the network
•Distribution of top destination IP addresses
•Distribution of top source IP addresses
•Packet size distribution
•Distribution of source and destination ports
•Distribution of TCP flags
•Distribution of TCP Applications
•Distribution of UDP Applications
•Traffic flow from peers (ASNs)
•Geolocation by source IP address
Multi-dimensional DDoS Detection
Multi-dimensional DDoS detection is a methodology that combines a wide range of baseline metrics, such as network traffic behaviour, fluctuation of traffic patterns over time and ratios of different protocols compared during peacetime and battle time, to establish dynamic thresholds, thereby enabling a more elaborate and accurate detection process.
Fig 1 - A multi-dimensional baselining approach to identifying TCP SYN attacks
Owing to the similarities between network issues and DDoS attacks, analysis of the different types of data is essential prior to deciding on the course of mitigation action to take. For example, TCP SYN attacks cause a significant increase in TCP SYN flags, distribution of TCP protocols and SYN flags, as well as an increase in the ranking of victim destination IP addresses and service ports. To compound the issue, were attackers to use malformed TCP SYN packets to amplify attack traffic, analysis of the corresponding packet size distributions would also need to be taken into account as they too would change significantly. An increase in traffic volume, however, is merely an indication that something is brewing, it doesn’t point towards the root cause of it.
Taking into consideration a wide variety of baseline metrics, as is the case with multi-dimensional DDoS detection aids not only in identifying and classifying traffic data but also in providing a more accurate and effective defence system against today’s constantly evolving DDoS attacks.
Improving Accuracy using Big Data and AI
Based on our DDoS attack records over the last 13 years, other than 32 common DDoS attack types which we can routinely identify and mitigate, numerous meticulously crafted attack types designed to evade detection have continued to emerge, making identification an increasingly onerous task.
In order to handle DDoS attacks more effectively, it is recommended that CSPs build baseline data models prior to customizing their defence strategies. Baselining, however, is by no means easy to manage manually as it involves scanning huge amounts of traffic data, followed by sifting through masses of data records in order to assess whether current traffic constitutes an anomaly.
Nexusguard Smart Mode: AI-based DDoS Detection
A deep-learning-based solution powered by artificial intelligence (AI) and machine learning (ML) addresses the issues inherent in traditional detection methods. Nexusguard’s Smart Mode detection leverages big data analytics, implementing ML technology to track changes against traffic baselines autonomously and detect unusual patterns that might indicate the presence of a potential threat. Compared to traditional threshold-based detection methods, Nexusguard’s novel AI-driven Smart Mode is able to identify malicious attack patterns from high volumes of traffic data with improved speed and accuracy, making it an ideal solution for protecting CSP networks and infrastructures.
For more information on how big data and AI deliver greater DDoS detection speed and precision, check out the blog post on Nexusguard’s Smart Mode.