I was recently at the DHS R&D Showcase and Technical Workshop presenting on the advent of Software Defined Perimeters (SDP) as an emerging solution and the most effective way to prevent DDoS attacks that continue to increase in frequency and volume. Below are the latest stats from the Verizon 2015 Data Breach Investigation Report.
Density of bandwidth (left) and packets (right) in DDoS attacks in 2015
(Figure above shows that last year bandwidth has two clusters around 15 and 59 Gbps, while velocity has clusters around 3 and 15 million packets per second.)
And it did not surprise me when someone in the audience referenced a recent SearchSecurity.com article, “Is it possible to stop DDoS Attacks” by Mike Chapple, a Ph. D., CISA, CISSP and senior director of IT with the University of Notre Dame, whose “quote of the day” was, “The most effective (and it’s not all that effective!) way to defend your network against DDoS activity is to partner with your Internet service provider (ISP) to provide clean bandwidth to your network.”
Chapple’s article prompted this blog and got me thinking about the need to increase industry awareness of SDPs and the opportunity to start effectively mitigating DDoS attacks.
The SDP is a new solution being proven by early adopters such as Coca Cola, Mazda and the DHS who have enormous financial and brand reputation interest in preventing and removing the risk of being impacted by DDoS attacks.
Here is how it works.
Today’s anti-DDoS solutions are dealt with at layer3 and layer4 of the network stack using various packet filtering and load-balancing techniques. These solutions deny access to packets including all legitimate ones thereby denying access to legitimate business transactions. This greatly impacts normal business operations and increases the risk of the business to failures.
SDP can be used to mitigate bandwidth DDoS attacks by denying bad packets and allowing legitimate traffic. The SDP Gateways (and Controllers) know what packets are legitimate. This information can be used to send block requests upstream to deal with DDoS attacks at scale. This allows legitimate packets to be allowed and normal business operations to continue despite being under a DDoS attack. This capability also allows a trace back feature that makes attribution easier.
SDPs are emerging and serve as the first layer of a new security paradigm that establishes an undetectable application infrastructure. This undetectable application infrastructure is often referred to as a “Black Cloud.” The primary objective of the SDP is to make the application infrastructure effectively “black” or undetectable that shows no domain name system (DNS) information or IP addresses
What is unique about the SDP specification is that it has evolved from a standardized “Need-to-Know” access model that has been deployed within the DoD that prevents the use of backdoors from unauthorized users and devices to new version that addresses today’s changing network perimeter.
For the first time ever, SDPs combine and integrate on-device authentication, identity-based access, and dynamically provisioned connectivity to hide critical applications from hackers. The SDP is particularly relevant for DDoS as they are able to prevent the attack and not disrupt IT operations and network access since all legitimate users continue to be authenticated and allowed access. SDP can be used in government applications, such as enabling secure access to FedRAMP, certified cloud networks, as well as enterprise applications such as enabling secure mobile phone access to public clouds.
SDP’s have been tested and proven to stop all forms of network attacks including DDoS, Man-in-the-Middle, credential theft, as well as Advanced Persistent Threats (APT). It enforces device verification before authentication that was first published by NSA a decade ago but never commercialized. It promotes the use of Mutual TLS (Transport Layer Security), which is a great idea and standard that has yet to be widely adopted. The result is the elimination of denial of service, wireless and network attacks, and the top ten OWASP application attacks that have plagued companies for decades and continue to with ever increasing intensity.
Waverley Labs, a pioneer in digital risk management and SDPs , is under contract with DHS S&T to develop an open source version of the Software Defined Perimeter. Waverley Labs will be testing a 500-600 Gbps attack that can eventually scale to a 1 Tbps DDoS attack. These tests will show that the solution can withstand attacks that are twice the amount or more of the largest DDoS attack on record today (325 Gbps)
Looking forward we expect the NEW Quote of the Day will soon be – “Software Defined Perimeters ‘Black Clouds’ are the most effective way to prevent and remove the risk of being impacted by a DDoS Attack”
Stay tuned and watch this space for additional guidance on SDPs and digital risk management services.