Tom Field: To start with, Trey, talk to me a little bit about DDoS and the types of attacks that you're seeing predominantly on organizations today.
Trey Guinn: Yes. We see, as you can imagine, a wide range of DDoS attacks, but I like to put them in the context of how you would attack a brick-and-mortar business. Let's say you had a pizza store and you wanted to try to DDoS a pizza store. Of course, a DDoS is a Distributed Denial of Service attack, where you're trying to exhaust the resources so that you can't service legitimate customers. You can imagine that you could attack a pizza shop in two ways. One, you could order 500 fake pepperoni pizzas and cause them to run out of pepperoni, or you could just make thousands of phone calls and tie up their phone lines so that no legitimate visitors could actually call in.
It works a similar way on the website, with someone's website or web property. One way you try to attack them is to stop their ability to even accept network connections, and that's with volumetric attacks. You try to overwhelm their resources to respond to those requests. That's known as a layer 7 or application layer attack. Another type of attack we've seen online is the rise of DNS-based attacks. This is interesting because the DNS infrastructure is essentially the internet phone book. If you run your pizza shop, it's how people would actually look up the phone number to your pizza shop. Now what attackers are doing is launching very high request rate queries towards your DNS infrastructure. That makes it so that no one can look up the address to your website or to your internet property because they've basically taken the phone book offline.
The ability to mitigate these is challenging because these requests look just like normal DNS queries. In order to mitigate an attack against DNS infrastructure, you have to have a DNS infrastructure able to answer this very high rate of DNS queries. You just need a very large DNS infrastructure that's distributed globally so you keep your DNS infrastructure available and fast.
Tom Field: Trey, when you look at these different types of attacks on organizations, how do they differ from one another from the organization's perspective?
Trey Guinn: These types of attacks differ in the complexity and in the challenge of launching the attacks. They have a similar effect on the business, in that they cause the business to be offline and no longer able to serve requests, but how you mitigate the attacks is different. The frequency with which you see these attacks differs based on how hard they are to actually launch. The easiest type of attack to launch is a volumetric attack. This is like a caveman with a club. They are very, very easy to launch. You can essentially flood someone with a massive amount of traffic and cause them to not be able to respond; basically you're filling up their internet pipes and making it impossible to serve legitimate queries over those same connections. The more complex attacks, and sometimes also the harder to mitigate, are finding points inside your web application that are expensive to serve, then requesting those over and over again to exhaust resources either in the web application tier or in your database tier.
Tom Field: Trey, that's a good description of how the types of attack differ from one another, but let's talk about mitigation. How should mitigation techniques also differ?
Trey Guinn: With volumetric attacks, the challenge there is that even though someone is sending a massive amount of essentially garbage traffic, and it's very obvious that that traffic is illegitimate, you have to accept it all in order to make that distinction. There's no way to absorb a volumetric attack without having very, very big pipes. This is something that's not possible to do in a single location with on-premises solutions. When you start talking about 500 gigabits of traffic, you just can't absorb that in one location. In that instance you have to use a global network that is absorbing the attack in many locations, so that where an attack is trying to attack from lots of locations and concentrate on one point, we're load balancing attacks across a large network. That's how you have to deal with volumetric attacks.
Application attacks require application intelligence, where you now are looking at all the requests. These are harder for the attackers to launch because they have to be more attuned to your specific application, and they are more expensive for the attacker to launch. This is a more motivated attacker who will attack at the application. Then, you need to be able to identify at an application level what kind of requests are being made. Are they legitimate? Even, who is making these requests? Are they making requests from IPs that are trusted or untrusted? And having a strong understanding of: can I trust this request? Should I slow it down or de-prioritize it?
Tom Field: One of the big topics when you speak with any security leader today is extortion. Tell me what you're seeing with ransom-based DDoS attacks. How are they typically launched against organizations?
Trey Guinn: The folks that are doing ransom-based attacks will use volumetric and application level attacks, when and if they do attack. The interesting thing we've found is that there are a lot more attackers sending out ransom notes than those actually doing attacks. It's even to the point where the counter way to do this is to claim to be someone who's famous in the news, and say, "I'm going to attack unless you pay me X bitcoins." Then they send you a bitcoin address. Clearly, no one should ever pay for a ransom-based attack. It's a terrible idea because it will not stop the attack from coming.
In addition to that, we have seen many of these ransom notes that go out, and it's clear based on how they accept payment that they have no way to determine who has actually paid the ransom. There's no expectation that there is either going to be an attack or even a correlation between who pays and who gets attacked. It's actually technically impossible for them to do this with most of these ransoms. It's just a quick and easy way for someone to send an email and hope you will pay them anyway.
Tom Field: You're very clear about this: don't pay the ransom. If organizations don't pay, how then should they respond to ransom-based DDoS attacks?
Trey Guinn: They should report the ransom-based DDoS attacks to local law enforcement. The FBI has a hotline for this as well. Just report it and let them know that it is occurring, but I would say the primary way you want to react is to make sure that you have a posture where you are able to absorb and deal with DDoS attacks, because ransom-based or not, they are just the nature of doing business on the internet today.
Tom Field: Trey, there are lots of players in the DDoS mitigation space, as you know. Talk to me about how CloudFlare distinguishes itself in this space. Tell me about the results that you've delivered to your customers.
Trey Guinn: One of the things that differs in how CloudFlare offers DDoS mitigation is that we are an always-on service. We wanted to make sure that we are immediately, in real time, able to deal with DDoS attacks. Because we are an always-on service, we have to make sure that we are not making the experience any slower for our customers. We have to actually deliver performance advantages in addition to DDoS mitigation. The traditional approaches are what are called BGP scrubbing solutions. Those are on-demand services, and while they work when they're turned on, the fundamental problem we see with those is that what you have to do is you have to get attacked, then you have to detect that attack. You have to decide that there's not some problem in your infrastructure, that really the reason you've just gone down is because there's an attack. Then, you get ahold of that provider and then flip on the service.
You have this gap where you're basically guaranteeing downtime when an attack happens, between that and when the on-demand service comes into play. I would say one of the key differentiators is that we are an always-on service. We're going to deal with those attacks before they've impacted your service. Beyond that, we also have the world's most up-to-date IP reputation database because of the breadth of our network. Also, our scale really exists in absorbing these very, very large volumetric attacks.