Fighting fire with fire: about the European launch of Kaspersky DDoS Protection

Kaspersky Lab is launching its Kaspersky DDoS Protection solution in Europe: a distributed network of data cleaning centers against distributed attacks.

Great evil lurks in the darkness of the Net, plotting to destroy the entire world… DDoS attacks hardly merit such grandiloquence, although it is quite true that they are evil. They are, in fact, a long-standing global problem that is very hard to fight. One of Kaspersky Lab's latest moves, the European launch of Kaspersky DDoS Protection, is a counterattack on exactly this problem.

Okay, first, why is it serious? In a nutshell, a distributed denial-of-service attack is a bombardment of a target (a website, a web service, a company's servers, sometimes even an entire data center) with an immense amount of junk traffic. There are several types of DDoS attack, differing in the kind of traffic they use, but they always share one feature: the traffic comes from many sources. Either it is sent directly by dozens, hundreds, thousands or more computers that a piece of malware has united into a botnet, or it is sent from a few machines and "amplified" by reflectors, for instance open DNS resolvers: the attacker sends a short query with the victim's address forged as the source IP (IP spoofing), and each resolver sends its much larger answer to the victim instead of to the attacker. Whatever the method, the goal is always the same: take the target down by overloading its servers or saturating its bandwidth so that legitimate users can no longer reach it.

For more details, see the piece on DDoS attacks we published earlier this year.
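The reflection case described above has a tell-tale signature from the defender's side: the victim never sent any queries, yet it receives large answers from many reflectors at once. The following is an added example, not code from Kaspersky Lab or from the product discussed on this page. It runs a simple check over constructed flow records (NetFlow/IPFIX style, reduced to a few fields): answers from well-known reflector ports are grouped by destination, and a destination is flagged when many distinct reflectors send it large packets. The reflector port list, the thresholds, the assumed 64-byte query size used to estimate the amplification factor, and all addresses are illustrative assumptions.

```python
"""Toy detector for reflected/amplified UDP floods over constructed flow records.
Added example; not Kaspersky Lab code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    """A unidirectional flow record, reduced to the fields the check needs."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


# UDP services commonly abused as reflectors (assumed short list for illustration).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

# Assumed size of the spoofed query that triggers each answer (IP + UDP headers plus
# a small DNS question). Used only to estimate the amplification factor.
ASSUMED_QUERY_BYTES = 64


def _reflector_responses(flows: Iterable[Flow]) -> Iterable[Flow]:
    """Keep only UDP flows whose *source* port is a reflector service, i.e. answers.
    The victim never sent the queries, so all it (and its upstream) can observe is
    answers arriving from many reflectors."""
    for f in flows:
        if f.proto == "udp" and f.src_port in REFLECTOR_PORTS and f.packets > 0:
            yield f


def find_amplification_targets(
    flows: Iterable[Flow],
    min_reflectors: int = 5,
    min_avg_bytes: float = 800.0,
    min_total_bytes: int = 1_000_000,
) -> Dict[str, dict]:
    """Group reflector answers by destination and flag hosts that receive large
    answers from many distinct reflectors. Thresholds are constructed for the sample
    data; tune them per link."""
    by_dst: Dict[str, List[Flow]] = defaultdict(list)
    for f in _reflector_responses(flows):
        by_dst[f.dst_ip].append(f)

    findings: Dict[str, dict] = {}
    for dst, fs in by_dst.items():
        reflectors = {f.src_ip for f in fs}
        total_pkts = sum(f.packets for f in fs)
        total_bytes = sum(f.bytes for f in fs)
        avg = total_bytes / total_pkts
        if (len(reflectors) >= min_reflectors
                and avg >= min_avg_bytes
                and total_bytes >= min_total_bytes):
            findings[dst] = {
                "services": sorted({REFLECTOR_PORTS[f.src_port] for f in fs}),
                "reflectors": len(reflectors),
                "packets": total_pkts,
                "bytes": total_bytes,
                "avg_bytes_per_packet": avg,
                "est_amplification": avg / ASSUMED_QUERY_BYTES,
            }
    return findings


def build_sample_flows() -> List[Flow]:
    """Constructed sample using documentation address ranges."""
    flows = [
        # Ordinary DNS answers to a client: few packets, small ones.
        Flow("192.0.2.1", 53, "203.0.113.20", 41000, "udp", 15, 1650),
        Flow("192.0.2.2", 53, "203.0.113.20", 41001, "udp", 15, 1650),
        # Bulky answers from a single resolver: large packets, but only one source,
        # so it must not be flagged as a reflected flood.
        Flow("192.0.2.9", 53, "203.0.113.30", 52000, "udp", 500, 600_000),
    ]
    # Eight open resolvers all "answering" a victim that never asked them anything.
    for i in range(1, 9):
        flows.append(Flow(f"192.0.2.{i}", 53, "203.0.113.10", 30000 + i,
                          "udp", 2000, 2_800_000))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for dst, info in find_amplification_targets(SAMPLE_FLOWS).items():
        print(dst, info)
```

Note that the check only makes sense on flow data exported upstream of the victim (at the ISP or a cleaning center): once the victim's own link is saturated, its local collector sees nothing useful, which is the reason the article's provider-side filtering matters.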

The worst thing about DDoS attacks is how "accessible" they are: botnet owners sell their "services" for a meager price, from about $50 a day. Botnets themselves are a problem that does not look solvable at the moment, not least because a single botnet may be spread across the whole globe. And the damage they can inflict is extensive: downtime is costly on its own (businesses risk losing between $10,000 and $50,000 a day as a result of these attacks), and a DDoS attack often serves as a smokescreen for even more nefarious deeds, such as an intrusion followed by data theft or malware planting.

Almost a quarter of European companies (23 percent) consider DDoS attacks one of their top three business threats, according to a survey conducted by B2B International and Kaspersky Lab. The same research indicates that 26 percent of European companies count continuity of service among their top three IT priorities for 2015, and DDoS attacks are routinely used to interrupt exactly that continuity. Cybercriminals use them for extortion, and sometimes as a tool of unfair competition.

In a nutshell, a DDoS attack is just a lot of traffic. So to keep it from drumming on your server, you would need a pipe so wide that these streams of junk simply get "lost" in it. However, today's attacks peak at around 300 Gbps, and nearly two-thirds come in at over 1 Gbps, according to Verisign. At the same time, the bandwidth a commercial company typically reserves rarely exceeds 1 Gbps. That means a larger botnet can swamp almost any single link. On top of that, DDoS attacks steadily grow in both intensity and sophistication.

ISPs routinely filter traffic and try to block the most obvious junk; however, this is not their field of expertise, so they quite often overlook the more subtle attacks that require careful analysis to be repelled.

The most effective way to neutralize DDoS attacks today, regardless of their type and size, is to use specialized facilities, "traffic cleaning centers", which implement a combination of traffic filtering methods.

Kaspersky DDoS Protection employs a distributed infrastructure of data cleaning centers: distributed protection against distributed attacks, "fighting fire with fire" in a sense. More precisely, it is about catching the swarm of bad data in a fine, many-layered mesh.

The solution combines different methods: traffic filtering on the provider's side, installation of remotely controlled appliances that analyze traffic next to the client's infrastructure, and the use of specialized cleaning centers with flexible filters. In addition, the solution's operation is continuously monitored by Kaspersky Lab's experts, so the onset of an attack is detected as early as possible and the filters can be adjusted as required.

The software used to monitor and clean traffic has been developed in-house, just like all our other solutions. This means the way the solution works can be altered rapidly in response to changes in the attackers' techniques, even during an ongoing attack.

The ability to adjust filters rapidly is essential, because particularly persistent attackers often switch attack methods mid-attack. In such cases the defenders must react extremely promptly to keep the target's servers afloat and online.

In addition, Kaspersky DDoS Protection can filter most of the attack traffic on the ISP's side, so only a small amount of highly sophisticated junk traffic needs to be diverted to Kaspersky Lab's cleaning centers.

This solution and its techniques and technologies have been successfully applied and refined in Russia and the CIS countries, and now it is being offered to the company's European clients.