There are a lot of factors that contribute to poor performance, or even downtime, on an OT network, and distributed denial of service (DDoS) is one of them. DDoS attacks usually bring to mind outside bad actors deliberately trying to take your systems down. But that isn’t always the case. A denial of service can also be completely unintentional, and luckily that kind is usually easy to correct.
What is a DDoS Attack?
A denial-of-service attack is any act that makes a machine or network unavailable for legitimate use. In extreme circumstances, these attacks knock a network offline entirely. A denial of service is accomplished in two common ways: crashing a service by sending it malformed or malicious input, or flooding it with more requests than the target device can keep up with.
Flooding is far and away the most common cause of a denial of service. Most of the time, many different hijacked source devices are used, which is what makes the attack “distributed” and much harder to defend against: there is no single source to block. In a big, robust IP-based network, a flood-based distributed denial of service (DDoS) attack can bring staggering amounts of resources to bear (because IP networks are built to move a lot of data, and move it fast) in order to overwhelm the target.
In 2017, Google absorbed what was, when it was disclosed in 2020, the largest DDoS attack on record, and the numbers are hard to wrap your brain around. Bad actors sent spoofed requests to over 180,000 exposed CLDAP, DNS and SMTP servers around the world, which reflected and amplified them into roughly 167,000,000 superfluous packets per second aimed at Google’s infrastructure. At the peak, the data rate reached 2.54 Tbps, a staggering 317 GB every second.
The “Unintentional” DDoS
DDoS attacks are almost always discussed as a cybersecurity problem, but a denial of service doesn’t have to be one. At Optigo Networks, we use the term “unintentional DDoS” to mean a denial of service NOT caused by a deliberate attack. Remember, a DDoS can result from simply asking a device, a piece of software, or a service to do too much. It doesn’t have to be malicious.
As Optigo Networks’ Chief Technology Officer and Co-Founder Pook-Ping Yao puts it, “99% of the time… it’s not the wires, it’s not the routers or the switches. It’s a denial of service — and it’s probably your fault.”
You’ve probably heard terms like “device oversubscription”, “device flooding”, or “device saturation” before, and the effect of an unintentional DDoS is the same: you max out the device’s CPU, memory, or I/O. This leads to slow operation, instability, and eventually crashes and critical failures. Excessive network traffic can also produce an unintentional DDoS on the network itself, causing congestion and reduced performance for every device on the segment.
If you’ve ever left too many tabs open on your browser to the point where everything stops working, congrats! You’ve denial-of-service’d yourself.
While the Google example above is an extreme case, it’s important to contrast a robust IT/IP-based network with an OT network to understand just how easy it is to create a denial-of-service scenario.
Why are Operational Technology Networks Susceptible to DDoS Attacks?
In many respects, building automation and OT networks are built to be the opposite of an IT network. OT network infrastructure is different from IT network infrastructure in that it prioritizes stability and longevity over speed and flexibility.
- OT network devices are built to be ‘low and slow’: They are optimized for ultra-low-cost and ultra-long-lifespan, not performance. Think 15-year-old underclocked ARM processors.
- Protocols like BACnet rely heavily on broadcast traffic (device discovery with Who-Is/I-Am, for example), so every device in the broadcast domain has to receive and at least parse every broadcast, whether or not the message is meant for it.
- OT network devices don’t employ many common resilience features (rate limiters, filters, backpressure, etc.) that IT network devices have.
- Protocol gateways and protocol routers are very common in OT systems. These devices are bottlenecks between the different segments of the networks. These can quickly become problematic when there’s a high amount of network traffic.
- The overall demand for data from our OT systems (digital twins, IoT devices, real-time data collection, etc.) is growing rapidly.
All of these factors make it easy to overload an OT device, leading to a cascade of issues across the whole network. OT network cables are buried in drop ceilings, and devices are hidden behind walls and pipes; they were never meant to be seen or heard from again. The underlying systems in an OT network weren’t designed to handle much traffic, and certainly not the rates you see on an IT network.
So if we’re talking about how to stop DDoS attacks of our own making, we’re talking about clearing up the scenarios that create them.
How to Stop DDoS Attacks: Identify the Cause with OptigoVN
OptigoVN’s suite of diagnostics will continuously monitor and measure system performance. Here are some clear signs that point to device saturation.
Memory and CPU usage
Strong indicators that a device is at or over the edge of what it can handle are measurements like free memory (higher is better) and CPU utilization (lower is better). For Linux or Windows-based servers, for example, the operating system’s resource monitor shows these directly. For embedded controllers, check with your vendor to see if they offer a monitoring solution or status panel.
OptigoVN has many diagnostic tools designed to help gauge the utilization rates of your hardware. Alerts including Busy Backrouter Pressure, Excessive Token Hold Time, Partially Unreachable Device, or Unacknowledged Requests can all be a clue that one or more devices on your network are at capacity or failing.
Response Times
How long does a read request take to come back? Responses should be relatively quick (roughly 100 ms to 0.5 s). OptigoVN diagnostic alerts like Excessive Broadcast Traffic, Slow Response Times, and Router Rejecting Network Messages are possible indicators that devices on your network are misconfigured and generating too much unnecessary traffic, causing bottlenecks and delays.
Dropped Packets
A device may drop packets in an attempt to shed load and keep up with a flood of traffic, but dropped packets can also stem from addressing problems (a duplicate device instance or network number, for example) that leave a destination unreachable and add retries to the congestion. OptigoVN has several alerts to help resolve routing and addressing issues, including duplicate device, instance number, and network number diagnostics, to track down the individual culprits.
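The three signals above can also be read straight off the wire. The following is an added example, not OptigoVN code and not part of the original article: it decodes the BACnet/IP framing (BVLC header, NPDU header, and the APDU service choice) of each UDP payload in a capture, attributes every broadcast to the device that originated it (a Forwarded-NPDU is charged to the address inside its BVLC header rather than to the BBMD that relayed it), and flags devices whose broadcast rate exceeds a per-device budget. The frames are hand-encoded for the example, and the IP addresses, timings and the 1 broadcast per second limit are invented assumptions.

```python
"""Classify BACnet/IP (Annex J) datagrams and flag broadcast-heavy devices.

Added illustration, not OptigoVN code. The frames below are hand-encoded from
the BVLC, NPDU and APDU layouts of BACnet/IP; the IP addresses, timings and
the 1 broadcast/second limit are invented for the example.
"""
import struct
from collections import defaultdict

BVLC = {0x04: "Forwarded-NPDU", 0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}
UNCONFIRMED = {0: "I-Am", 1: "I-Have", 2: "UnconfirmedCOVNotification", 7: "Who-Has", 8: "Who-Is"}
CONFIRMED = {12: "ReadProperty", 14: "ReadPropertyMultiple", 15: "WriteProperty"}


def parse_bacnet_ip(frame: bytes) -> dict:
    """Decode one UDP payload: BVLC header, NPDU header and the APDU service choice.

    Raises ValueError on anything malformed so a caller can count bad frames
    instead of silently misattributing them.
    """
    if len(frame) < 4 or frame[0] != 0x81:
        raise ValueError("not a BACnet/IP frame")
    function, length = frame[1], struct.unpack("!H", frame[2:4])[0]
    if function not in BVLC or length != len(frame):
        raise ValueError("bad BVLC function 0x%02x or length %d" % (function, length))
    pos, origin = 4, None
    if function == 0x04:                       # Forwarded-NPDU: 6-byte original B/IP address first
        origin = ".".join(str(b) for b in frame[4:8])
        pos = 10
    if frame[pos] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = frame[pos + 1]
    pos += 2
    dnet = None
    if control & 0x20:                         # DNET, DLEN, DADR present
        dnet = struct.unpack("!H", frame[pos:pos + 2])[0]
        pos += 3 + frame[pos + 2]
    if control & 0x08:                         # SNET, SLEN, SADR present
        pos += 3 + frame[pos + 2]
    if control & 0x20:
        pos += 1                               # hop count follows the source fields
    if control & 0x80:
        service = "network-layer-message"      # NSDU is a network-layer message, not an APDU
    else:
        pdu_type = frame[pos] >> 4
        if pdu_type == 1:                      # Unconfirmed-Request: service choice is the next byte
            service = UNCONFIRMED.get(frame[pos + 1], "unconfirmed-%d" % frame[pos + 1])
        elif pdu_type == 0:                    # Confirmed-Request: max-APDU, invoke ID, [seq, window], choice
            choice = frame[pos + 3 + (2 if frame[pos] & 0x08 else 0)]
            service = CONFIRMED.get(choice, "confirmed-%d" % choice)
        else:
            service = "pdu-type-%d" % pdu_type
    return {"bvlc": BVLC[function], "broadcast": function in (0x04, 0x0B) or dnet == 0xFFFF,
            "forwarded_from": origin, "dnet": dnet, "service": service}


def broadcast_rates(packets, window_s):
    """packets: iterable of (timestamp_s, src_ip, frame) covering window_s seconds.

    Returns {originating_ip: broadcasts per second}. A Forwarded-NPDU is charged to
    the device named in its BVLC header, not to the BBMD that relayed it, so every
    extra copy a BBMD layout generates lands on the device that triggered it.
    """
    counts = defaultdict(int)
    for _ts, src, frame in packets:
        info = parse_bacnet_ip(frame)
        if info["broadcast"]:
            counts[info["forwarded_from"] or src] += 1
    return {ip: n / window_s for ip, n in counts.items()}


def flag_chatty_devices(packets, window_s, limit_per_s=1.0):
    """Sources whose broadcast rate exceeds the (invented) per-device budget."""
    return sorted(ip for ip, r in broadcast_rates(packets, window_s).items() if r > limit_per_s)


# Hand-encoded frames (constructed for the example).
WHO_IS_GLOBAL = bytes.fromhex("810b000c0120ffff00ff1008")                  # Who-Is to DNET 0xFFFF, no range
WHO_IS_RANGE = bytes.fromhex("810b00100120ffff00ff100809011964")           # Who-Is, device 1..100
I_AM = bytes.fromhex("810b00180120ffff00ff1000c4020000012205c49103210f")   # I-Am from device 1
FORWARDED_WHO_IS = bytes.fromhex("81040012c0a80105bac00120ffff00ff1008")   # BBMD relaying 192.168.1.5
READ_PROPERTY = bytes.fromhex("810a001101040005010c0c02000001194c")        # unicast ReadProperty


def sample_capture():
    """Constructed 10-second capture: one front end re-discovering every 200 ms."""
    pkts = []
    for i in range(50):
        pkts.append((i * 0.2, "192.168.1.5", WHO_IS_GLOBAL))            # the chatty device
        pkts.append((i * 0.2 + 0.01, "192.168.2.1", FORWARDED_WHO_IS))  # its BBMD relays every one
    pkts.append((0.5, "192.168.1.10", I_AM))
    pkts.append((3.0, "192.168.1.20", WHO_IS_RANGE))
    pkts.extend((i * 0.5, "192.168.1.2", READ_PROPERTY) for i in range(20))  # unicast polling, ignored
    return pkts


if __name__ == "__main__":
    for ip, rate in sorted(broadcast_rates(sample_capture(), 10.0).items()):
        print("%-14s %5.1f broadcasts/s" % (ip, rate))
    print("over budget:", flag_chatty_devices(sample_capture(), 10.0))
```

In the constructed capture the front end at 192.168.1.5 sends a global Who-Is every 200 ms and its BBMD relays each one, so it is charged 100 broadcasts in 10 seconds (10 per second) while the other devices stay at 0.1 per second; the 20 unicast ReadProperty requests never count. On a real network, feed the function the UDP payloads from a capture on port 47808 and widen the window to a few minutes before trusting the rates.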
How to Stop DDoS Attacks: 5 Ways to Fix the Issue
- Reduce broadcast traffic: Broadcast is the first thing to get under control because it goes everywhere. Reducing broadcasts improves the performance of every device at once. In BACnet, pay close attention to your BBMD configuration. Does every BBMD really need every other BBMD in its Broadcast Distribution Table? If a subnet has duplicate BBMDs, each broadcast is forwarded and rebroadcast more than once, multiplying the broadcast rate by 2x-4x.
- Identify and tune devices: Ask yourself: what’s generating all that broadcast traffic, and does it need to reach every device on the network? Can you lengthen discovery periods? Can you eliminate unnecessary alarms and alerts? A common mistake is to set a threshold too low, causing a flood of notifications for no added value.
- Rate limiting: Set limits on how many requests a device or service will accept, or, more practically in OT where field devices rarely have rate limiters of their own, on how many requests your supervisory and integration systems issue in a given timeframe. Capping the request rate keeps any single client from monopolizing a device’s limited resources.
- Reduce poll rates: Are you reading some data every 5 seconds that you only need every 5 minutes? It is time to audit your configurations/programming and tune those read rates to your needs where possible.
- Dedicate functions to different devices: Are you able to leave devices doing just one thing? If possible, don’t designate a device to run an application AND act as a router or BBMD; it’s an added strain on limited computing power. Let one device run the application, and another act as the network routing point. If your device has a resource monitor, you can see the difference once you dedicate it to just one function, because routing and BBMD duties mean handling every broadcast that crosses the segment on top of the application’s own work.
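The 2x-4x figure in the first fix comes straight from how BBMDs distribute broadcasts, and you can check a planned BBMD layout before deploying it. The following is an added example, not OptigoVN code and not part of the original article: it models two BACnet/IP Annex J rules (a BBMD that hears a broadcast on its own subnet sends a Forwarded-NPDU to every other entry in its Broadcast Distribution Table, and a BBMD that receives a Forwarded-NPDU from a peer broadcasts it on its own subnet once and does not forward it again) and counts how many copies of a single broadcast each subnet ends up receiving. It assumes two-hop distribution, ignores Foreign Device Tables and NAT, and the subnet names and BBMD addresses are invented.

```python
"""How many copies of one broadcast each subnet receives for a given BBMD layout.

Added illustration, not OptigoVN code. Models two BACnet/IP Annex J rules:
a BBMD that hears an Original-Broadcast-NPDU on its subnet sends a Forwarded-NPDU
to every other entry in its Broadcast Distribution Table (BDT), and a BBMD that
receives a Forwarded-NPDU from a peer broadcasts it on its own subnet once and
does not forward it again. Two-hop distribution is assumed; Foreign Device Tables
and NAT are ignored. Subnet names and BBMD addresses are invented.
"""


def copies_per_subnet(bbmds, origin_subnet):
    """bbmds: {bbmd_ip: (subnet, bdt)} with bdt a set of BBMD IPs (normally including itself).

    Returns {subnet: copies of one broadcast that started on origin_subnet}.
    """
    copies = {subnet: 0 for subnet, _ in bbmds.values()}
    copies[origin_subnet] = 1                          # the original local broadcast
    for ip, (subnet, bdt) in bbmds.items():
        if subnet != origin_subnet:
            continue                                   # only BBMDs on the origin subnet hear it directly
        for peer in bdt:
            if peer != ip:                             # a BBMD never forwards to itself
                copies[bbmds[peer][0]] += 1            # the peer rebroadcasts on its own subnet
    return copies


def worst_case_multiplier(bbmds):
    """Largest number of copies any subnet sees for a single broadcast, over all origins."""
    subnets = {subnet for subnet, _ in bbmds.values()}
    return max(n for origin in subnets for n in copies_per_subnet(bbmds, origin).values())


def duplicate_bbmd_subnets(bbmds):
    """Subnets hosting more than one BBMD: the usual cause of the 2x-4x multiplier."""
    per_subnet = {}
    for ip, (subnet, _) in bbmds.items():
        per_subnet.setdefault(subnet, []).append(ip)
    return {s: sorted(ips) for s, ips in per_subnet.items() if len(ips) > 1}


# Layout A (constructed): one BBMD per subnet, identical BDTs on every BBMD.
CLEAN_BDT = {"10.1.0.1", "10.2.0.1", "10.3.0.1"}
CLEAN = {ip: ("subnet-%s" % ip.split(".")[1], CLEAN_BDT) for ip in CLEAN_BDT}

# Layout B (constructed): subnets 1 and 2 each picked up a second BBMD, and every BDT lists all five.
DUP_BDT = CLEAN_BDT | {"10.1.0.2", "10.2.0.2"}
DUPLICATED = {ip: ("subnet-%s" % ip.split(".")[1], DUP_BDT) for ip in DUP_BDT}

if __name__ == "__main__":
    for name, layout in (("clean", CLEAN), ("duplicated", DUPLICATED)):
        print(name, "broadcast from subnet-1 ->", copies_per_subnet(layout, "subnet-1"),
              "| worst case x%d" % worst_case_multiplier(layout),
              "| duplicate BBMDs:", duplicate_bbmd_subnets(layout))
```

With one BBMD per subnet, a Who-Is from subnet-1 lands exactly once on every subnet. In the duplicated layout the same Who-Is is delivered three times on its own subnet, four times on the other subnet that also has two BBMDs, and twice on the subnet with one BBMD, before any device has answered. Removing the second BBMD from each subnet (or deleting it from every BDT) brings the multiplier back to 1.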
The Case for Separate Networks
Having separate IT and OT networks gives contractors, systems integrators, facilities managers, and control engineers discrete control over their own networks. Separate systems are also a good choice for cybersecurity: each network can be administered on its own terms, and the boundary between them can be firewalled and monitored to keep intruders, and IT-scale traffic, away from the OT devices.
Prevent Self-Inflicted DDoS Attacks with OptigoVN Diagnostics
One of the most effective ways to stop an unintentional denial of service attack is to prevent the scenarios that cause them to happen in the first place. With 28 out-of-the-box diagnostics designed to give you deep network visibility, you can address issues within OT networks before they become the cause of downtime. Pinpoint trouble spots down to the device level within a fraction of the time it would take to do it manually.
OptigoVN diagnostics can support operational technology by providing insights that help manage and secure OT environments. Ensure reliable communication of OT devices and get the results you want in seconds, not days.
Ready to see the difference OptigoVN can make? Create your free account, and get started today!