Mitigate EDoS Attacks: Creeping Normality and the Boiling Frog Fable

Written by: Don Gray | Published on: December 18th, 2019

About The Author

Don Gray
CTO Don Gray is responsible for the continued development of the PacketViper technology roadmap, harnessing his extensive experience in cybersecurity software strategy and technology development. Previously Don contributed to blogs and threat intelligence reports for NTT Security (formerly Solutionary).

Everyday Denial of Service (DoS)

The boiling frog is a fable describing a frog being slowly boiled alive. The premise is that if a frog is put suddenly into boiling water, it will jump out. However, if the frog is put in tepid water which is then brought to a boil slowly, it will not perceive the danger and will be cooked to death. The story is often used as a metaphor for the inability, or unwillingness, of people to react to sinister threats that arise gradually rather than suddenly.

I have seen similar situations in organizations’ computer networks.

Let’s look at a scenario where the public-facing network suddenly grinds to a halt. It’s a three-alarm emergency! All hands on deck! After some quick investigation, it turns out to be a DDoS – a Distributed Denial of Service attack. Up to 99% of the network traffic directed at the organization’s perimeter is bad, unwanted, potentially malicious. Something has to be done. NOW! Urgently!

For dealing with DDoS attacks, there are special tools available: cloud-based services and network devices. None of these are cheap, but they can be quite effective in helping organizations weather the storm of a high-volume attack.

What about Denial of Service (DoS) attacks?

Okay, let’s scale it back a notch. Perhaps it’s not a DDoS but a slightly more sedate DoS – Denial of Service attack. Maybe only 66% of the traffic directed at the perimeter is bad, unwanted, potentially malicious.

Though not as urgent as the DDoS scenario, the sudden change in the utilization of devices, in the response time and throughput of the network, and in the load on applications would initiate a serious response. Something would have to be done, such as a new, bigger, faster network infrastructure. Maybe some of the same tools that would be used to combat the DDoS would be employed.

Finally, though it may not make the newspapers, the board would be called to respond to the threat and understand its impact on the organization’s bottom line.

Mitigate the Everyday Denial of Service (EDoS) attack

Lastly, let’s scale it back one more notch. Say 33% of the traffic directed at the perimeter is bad, unwanted, potentially malicious. Unfortunately, we don’t have a special name for this; it’s just the everyday reality for almost any network connected to the Internet. Let’s make up a name: EDoS.

Every single day 1 out of every 3 dollars that organizations spend on connecting themselves to the Internet is wasted on bad, unwanted, potentially malicious traffic directed at their perimeter.

Just think about the “fistful of dollars” spent on increasing firewall capacity, consumption-based SIEM invoices, analysts’ time, and storing logs.

Jared Diamond, in his 2005 book Collapse: How Societies Choose to Fail or Succeed, coined the phrase “creeping normality” to describe how seemingly huge disasters often happen “not with a bang but a whimper.” Creeping normality is the way a major change can be accepted as a normal situation if it happens slowly, through unnoticeable increments of change. The same change would otherwise be regarded as objectionable if it took place in a single step or over a short period.

But much like the boiling frog, this change to our networks’ traffic has happened very gradually to the point where we just accept it as normal. As Diamond pointed out, someone chopped down the last tree on Easter Island because it was what they had always done before.

It’s time for a paradigm shift.

It’s time for EDoS to take its place next to DDoS and DoS as things to be fought against and defeated. Let PacketViper show you how. Use decoys and sensors at the perimeter to identify what is at best unwanted, and at worst, potentially malicious traffic. Reduce attack vectors, stop threats at the reconnaissance phase of the Cyber Kill Chain®, and enable threat hunting – all at the perimeter.

Deception360 can go to work on your behalf to fight the EDoS you’re facing and reduce your pending capital expenditures on ever larger and more expensive infrastructure.