Schneier is right about the DDoS threat: 'We see the worst-case scenario every year', says Level 3

Tier-one provider uses threat intelligence and advanced routing and filtering to see off attacks

A short while ago, security expert Bruce Schneier indicated that state actors are probing the internet's supporting infrastructure using carefully calibrated distributed denial of service (DDoS) attacks on backbone providers, possibly with a view to bringing them down.

"It reminds me of the US's Cold War programme of flying high-altitude planes over the Soviet Union to force their air-defence systems to turn on, to map their capabilities," Schneier said.

Independent cyber security consultant Orlando Scott-Cowley said that Schneier's analogy is valid, although mapping a country's cyber defences is more difficult than snooping on their air defences.

"In this instance spying on the other side's defensive capability isn't as easy. We should expect to see more of these probing activities, and expect them to get noisier as we all try to work out what each other's digital missile silos look like."

Dale Drew, chief security officer at tier-one network provider Level 3 Communications, agreed that DDoS attacks are becoming more serious, although he declined to point the finger at state actors.

"Level 3 has seen an uptick in the size, scale and, at times, the sophistication of DDoS attacks," he told Computing. "We see attacks hit 250 Gbps, and I'm certain they'll only get bigger. As the cybersecurity field and black hats gain knowledge and understanding of the internet and threat ecosystem, we have seen attacks increase in sophistication."

Level 3 combats DDoS attacks through a combination of traffic filtering and threat intelligence - gathering data on how attacks occur, where they come from and how computers become involved in them - and sharing that information.

"Internet infrastructure providers design for huge amounts of resiliency and interconnectivity, whether that is our network, peering points with others or the folks that run the root DNS servers, we all take it into account," Drew said.

"It's the beauty of trying to provide low-latency access and high reliability - we naturally build to be resilient to direct attacks."

Among the technologies Level 3 can bring to bear is BGP FlowSpec, a protocol used to protect against large-scale DDoS attacks, or redirect specific traffic towards a data centre or filter. This technique is being adopted by big networking firms such as Cisco and Juniper and backbone providers like Level 3 as it allows them to react quickly to DDoS attacks.

"If people attack our network, we have the ability to employ sophisticated filtering and scrubbing at the network edge using network-wide capabilities such as our FlowSpec-enabled edge, to ensure the attack doesn't make it further than the first ingress point," said Drew.

"Level 3 starts with implementing bad IP filtering using its FlowSpec-enabled backbone, and then enables fine-grain filtering by routing traffic into one of our global scrubbing centres."
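As an added illustration of the edge filtering and scrubbing-centre redirect Drew describes (example code written for this article, not Level 3's), here is a minimal encoder for BGP FlowSpec (RFC 5575) match rules and the traffic-rate and redirect actions that go with them; the victim prefix, the offending source address and the scrubbing VRF's route target are constructed values.

```python
import struct
import ipaddress

# RFC 5575 component types and numeric-operator bits
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
END, AND, LT, GT, EQ = 0x80, 0x40, 0x04, 0x02, 0x01

def prefix_component(ctype, cidr):
    """<type><prefix-len><prefix>, keeping only the octets the mask covers."""
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_component(ctype, values, width=1):
    """<type>{<op><value>}+ : equality tests OR'd together, last one carries the end bit."""
    len_bits = {1: 0, 2: 1, 4: 2, 8: 3}[width] << 4
    out = bytearray([ctype])
    for i, v in enumerate(values):
        end = END if i == len(values) - 1 else 0
        out += bytes([end | len_bits | EQ]) + v.to_bytes(width, "big")
    return bytes(out)

def flowspec_nlri(*components):
    """Length-prefixed NLRI; components are emitted in ascending type order as the RFC requires."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body

def traffic_rate(bytes_per_sec, asn=0):
    """Extended community 0x8006: rate-limit as an IEEE float; 0.0 means discard at the edge."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, bytes_per_sec)

def redirect_vrf(asn, local_admin):
    """Extended community 0x8008: steer matching traffic into the VRF tagged asn:local_admin."""
    return struct.pack(">BBHI", 0x80, 0x08, asn, local_admin)

def mitigation_rules(victim_prefix, bad_source):
    """Constructed example: drop a known-bad source at ingress, send UDP/53 replies to scrubbing."""
    edge_filter = flowspec_nlri(prefix_component(DST_PREFIX, victim_prefix),
                                prefix_component(SRC_PREFIX, bad_source))
    scrub = flowspec_nlri(prefix_component(DST_PREFIX, victim_prefix),
                          numeric_component(IP_PROTO, [17]),
                          numeric_component(SRC_PORT, [53], width=2))
    return {"drop_bad_source": (edge_filter, traffic_rate(0.0)),
            "scrub_udp_dns_replies": (scrub, redirect_vrf(65000, 100))}  # assumed RT 65000:100

if __name__ == "__main__":
    for name, (nlri, action) in mitigation_rules("203.0.113.0/24", "198.51.100.7/32").items():
        print(name, nlri.hex(), action.hex())
```

The resulting NLRI and extended community bytes are what a route server or controller would carry in a BGP UPDATE for the FlowSpec address family; the AND bit and the less-than/greater-than operators are defined above but unused here.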

Sharing information with other providers is increasingly important, given the global nature of the threat, he explained.

"Level 3 participates in an information sharing exchange with other tier-one ISPs to quickly identify threats to the global internet ecosystem and to collaborate on techniques to combat those threats.

"Additionally, there is starting to be a lot of good conversation and industry collaboration around the threat landscape. Most companies in the ecosystem want to work to make the internet, and consumers, safer overall."

Even with such planning, technological investment and intelligence sharing, though, Level 3 "experiences the worst case scenario every year".

"Attack traffic becomes more sophisticated and brings to bear more bandwidth consumption than we have ever seen in years past. As such, we know the threats will only grow and morph," Drew said.

"However, if we continue to invest in threat intelligence and threat research, we can begin to track the activity and, most important, the motives of these bad actors. If we know what they're after, and why, it gives the good guys a leg up in protection.

"Last year we mitigated a 400 Gbps attack, this holiday season might bring an even larger attack. I think the industry needs to focus on collaboration and threat research so we can try to stay one step ahead."

Drew was not wrong. Shortly after this interview another ISP, OVH, was hit by a 1Tbps DDoS attack.

Commenting on Drew's remarks, Scott-Cowley said: "Level 3's defensive capability sounds impressive and they're clearly thinking about these large scale, state sponsored attacks in a lot of detail.

"We're already seeing DDoS attacks well over the rates Dale has mentioned - OVH reported a 1Tbps DDoS attack just this week, so Dale's predictions that this problem is only going to get worse are accurate."

It is hard to know how much defensive capability is sufficient, given that we know so little about the capacity of the attacker.

"My biggest concern with these alleged state-sponsored probing and fingerprinting attacks is, that given enough digital 'firepower' even the most prepared nation, provider or enterprise could be knocked offline," Scott-Cowley said.

"These state-sponsored probing attacks are there to determine not just how well protected we are, but also to find out what we might do in the event of some sort of outage - do we have diverse routing? Failover? Resiliency? Once 'they' know all our routing configurations, hitting them all at once to effectively 'hobble' our connectivity [becomes a possibility]."