Lesson Learned: ISPs & CDNs aren’t enough for Anti-DDoS

Well, I suppose that many in the hacktivist world have resolved that 2012 will be a ‘breakout’ year for them, as the level of attack activity is already above that of 2011, itself a record-setting year for cyber attacks! Whether it is the Anonymous group joining the Occupy Wall Street protesters to launch cyber attacks on major financial institutions in New York, or the Nightmare group working with the hacker “0xOmar” to escalate their cyber war against Israel, cyber attacks have become the weapon of choice for ‘hacktivists’ seeking to amplify the impact of conflicts and social protests.

The cyber attacks of Monday, January 16th, on the Israeli stock market and national airline were the latest incident in a series of hacking events over the past two weeks, which have seen details of tens of thousands of Israeli credit cards posted online and websites defaced by hackers claiming to be from Saudi Arabia or Gaza. The attacks represent a new chapter in the Israeli-Palestinian conflict, as Hamas spokesmen described them as new forms of Arab and Islamic resistance against Israeli financial interests. In both the New York and Israel episodes, hacktivists used cyber attack tools to amplify the impact of conflicts and social protests, and their targets were the financial community, which proved vulnerable.

The Major Israeli Attacks were Application-Oriented

A chilling aspect of Monday’s cyber attack was the discovery that attackers are moving to the application layer, a sophistication that renders traditional distributed denial of service (DDoS) defenses useless. Volumetric DDoS attacks, like those launched by Anonymous, were originally about flooding victim sites with irrelevant network traffic. During the past year the Radware Emergency Response Team (ERT) has seen an increase in application DDoS attacks. Defending against application DDoS attacks is much tougher: the application transactions look legitimate and are generated by real IP addresses and machines; it is the users behind them that are not real.

Most On-Line Enterprises are Vulnerable to Application DDoS

As a rule of thumb, nearly all major retail sites and most financial services defend against denial of service attacks by deploying DDoS protection from the service provider, by using Content Delivery Networks (CDN), or by a combination of both. The excessive traffic generated by attackers is mitigated by the service provider’s DDoS protection tools or absorbed by the high capacity of the CDN provider. However, this model is proving faulty and fraught with vulnerabilities.

ISPs are NOT your friend for Anti-Application DDoS

For example, the Internet service provider has great capability to detect and mitigate network DDoS flood attacks but, by its own admission, has very limited capability to protect against application floods, which, to an ISP, look identical to legitimate user traffic.

Neither are CDNs!!

On the other hand, the CDN has problems too! CDNs are easily bypassed by changing the page request in every web transaction: the responses cannot be cached, so the CDN acts as a mere proxy and delivers the attack traffic directly to the origin servers. Moreover, in most cases CDNs can unwittingly publish the external IPs of customer load balancers or other key infrastructure servers, making these devices known to attackers who would otherwise have no way to learn their addresses.

No one can say for certain how all of this will play out; however, given the increased frequency, the directed nature of the attacks, and the effectiveness of the techniques, we can safely assume the following will be the key developments heading into 2012:

  1. Cyber attacks go mainstream for activists and for financially motivated criminal organizations. Attackers’ motivation has evolved: from publicity and vandalism they have moved to financial gain or protest, without ever leaving their homes.
  2. Reassessing the risk – your organization is likely a target. For example, eCommerce sites – such as financial services, retailers, top national brands, and online government agencies and services – which were the prime target for financially motivated attackers, have now also become targets for hacktivism. In fact, many of the current victims of the Israeli attacks stated publicly that they thought their defense was well enough in hand with their current CDN and Internet providers.
  3. Cyber weapons of mass disruption deploy multi-vulnerability DoS and DDoS attacks. This renders traditional network security measures useless, as they can typically detect and defend against only some of the attack vectors.
  4. The need for complementary security technologies. Mitigating multi-vulnerability and multi-vector attacks requires more than one security technology in place, adding behavioral analysis technologies on top of traditional signature detection and rate-based protection.
  5. Architecting the perimeter for attack mitigation. Enterprises need LAYERED DEFENSES – not a single ISP or service provider – and deploying complementary network security technology requires rethinking perimeter security.
  6. Defenses are needed! Mitigation strategies are also evolving and now include active “self defense” strategies such as the notion of ‘hack back’ and ‘eco-system resistance’, which includes the notion of a multi-layered approach to DDoS attacks.
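As an added example (not code from the original post or from Radware), a small Python detector for the CDN-bypass pattern described above: it attributes CDN edge-log requests to the real client via X-Forwarded-For (the connecting address is the edge node, shared by thousands of real users) and flags clients whose requests are almost all unique URLs and cache misses, the kind of behavioral check that can sit behind the CDN in the layered design the list calls for. The log format, IP addresses and thresholds are constructed assumptions, not any CDN vendor's real format.

```python
import re
from collections import defaultdict

# Constructed sample edge-log lines (not from the original post); the format is an assumption:
# edge node IP, X-Forwarded-For client, request line, status, cache result.
SAMPLE_LOG = """\
203.0.113.10 xff=198.51.100.7 "GET /news HTTP/1.1" 200 HIT
203.0.113.10 xff=198.51.100.7 "GET /news HTTP/1.1" 200 HIT
203.0.113.11 xff=198.51.100.7 "GET /quotes?sym=ABC HTTP/1.1" 200 MISS
203.0.113.11 xff=198.51.100.7 "GET /quotes?sym=ABC HTTP/1.1" 200 HIT
203.0.113.10 xff=198.51.100.7 "GET /news HTTP/1.1" 200 HIT
203.0.113.12 xff=192.0.2.44 "GET /news?cb=1a2b HTTP/1.1" 200 MISS
203.0.113.12 xff=192.0.2.44 "GET /news?cb=3c4d HTTP/1.1" 200 MISS
203.0.113.13 xff=192.0.2.44 "GET /quotes?sym=ABC&cb=5e6f HTTP/1.1" 200 MISS
203.0.113.13 xff=192.0.2.44 "GET /news?cb=7a8b HTTP/1.1" 200 MISS
203.0.113.12 xff=192.0.2.44 "GET /news?cb=9c0d HTTP/1.1" 200 MISS
203.0.113.10 xff=203.0.113.200 "GET /news?cb=x1 HTTP/1.1" 200 MISS
"""

LOG_RE = re.compile(r'^\S+ xff=(?P<client>\S+) "[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" \d{3} (?P<cache>HIT|MISS)$')

def client_stats(log_text):
    # Attribute requests by X-Forwarded-For: the connecting IP is the CDN edge, shared by real users.
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "misses": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the analysis
        s = stats[m["client"]]
        s["requests"] += 1
        s["paths"].add(m["path"])
        s["misses"] += m["cache"] == "MISS"
    return stats

def flag_cache_busters(log_text, min_requests=5, unique_ratio=0.8, miss_ratio=0.8):
    # Flag clients whose requests are nearly all distinct URLs and nearly all cache misses: the
    # "change the page request in every transaction" pattern that turns the CDN into a proxy.
    flagged = {}
    for client, s in client_stats(log_text).items():
        n = s["requests"]
        if n < min_requests:
            continue  # a few misses are normal; only sustained volume is a signal
        u, miss = len(s["paths"]) / n, s["misses"] / n
        if u >= unique_ratio and miss >= miss_ratio:
            flagged[client] = {"requests": n, "unique_ratio": u, "miss_ratio": miss}
    return flagged
```

Running `flag_cache_busters(SAMPLE_LOG)` reports only 192.0.2.44; the legitimate client's repeated, cacheable pages and the single-request client stay below the thresholds.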

5 Comments

  1. Essy says:

    Great common sense here. Wish I’d thought of that.

  2. Luciano says:

    Hi, I found your webpage by mistake when I searched Google for this concern. I must say your site is quite helpful, and I also really like the design; it is good!

  3. mesmor says:

    Doesn’t sound very true that a CDN cannot protect against DDoS. I have been using a few CDN providers and found that they are very resilient to DDoS attacks.

    Your concern about attacking non-cacheable content can be easily overcome by enabling the last-mile rate limit in CDN nodes, or some unique cookie expiration/filtering.

    Another concern, of the origin IP being exposed, can be easily overcome as well by taking away or hiding the origin IP, using some kind of CDN shielding service.

    Any objection is welcome :)

    • Carl Herberger says:

      Hello Mesmor! Thanks for the kind comments, and I can understand your approach and impression. Two thoughts to leave with you, as you clearly haven’t experienced advanced attacks from behind a CDN: we have witnessed many companies (including one stock exchange) which have suffered tremendous outages, and numerous others who have come under duress from the inherent vulnerabilities of CDNs.

      Here is what we know. A CDN is very capable for run-of-the-mill volumetric attacks. However, for x-forward-for and advanced dynamic web services call attacks it is clearly not enough alone.

      Here is what is new:
      • Point #1. Recently attackers have found a way to directly attack victim IPs by bypassing the CDN. This is because CDN-protected customers are likely to have some servers which are not behind the CDN. It is trivial for attackers to find these IPs and attack them instead – this can have very dramatic effects. As for mitigation of this – you are correct, this needs more architecture and tools – e.g. a classic Radware DefensePro deployment would be sufficient; however, my point is that a CDN alone is not enough for protection.
      • Point #2. We already know that attackers use dynamic content to bypass the CDN (the x-forward-for problem); now they are using a method to extract extremely large files with a small HTTP request. This technique requires some previous reconnaissance to be effective. This attack is sorta like an updated HTTP Smurf attack, where a small request is amplified by a large, magnified reply. The real mitigation for this is signatures that detect pulling too-large files. In the future HTTP Mitigator will also do the job, once there is CDN support.

      So, you’ve illustrated many comments on protections for the x-forward-for, which btw require additional gear behind the CDN; however, new techniques are popping up every day to get around a CDN.

      Thanks!

      • mesmor says:

        Thanks for the insights, Carl. I have actually witnessed 80 Gbps of DDoS attack on my client; you are right, the first wave of attack would always hit us because we are not ready. However, with the CDN in the front layer and a DDoS mitigation provider in the 2nd layer, we are able to offload some attack traffic, detect it in advance, capture the attack pattern and do some further filtering on this.

        At the end it’s kind of like a cat and mouse game :)

        Cheers.
