Lesson Learned: ISPs & CDNs aren’t enough for Anti-DDoS
Well, I suppose that many in the hacktivist world have resolved that 2012 would be a ‘breakout’ year for them, as the level of attack activity is already above that of 2011’s record-setting year of cyber attacks! Whether it is the Anonymous group joining the Occupy Wall Street protesters to launch cyber attacks on major financial institutions in New York, or the Nightmare group, working with the hacker “0xOmar”, escalating their cyber war against Israel, cyber attacks have become the weapon of choice for ‘hacktivists’ seeking to leverage the impact of conflicts and social protests.
The cyber attacks of Monday, January 16th, on the Israeli stock market and national airline were the latest incident in a series of hacking events over the past two weeks, which have seen details of tens of thousands of Israeli credit cards posted online and websites defaced by hackers claiming to be from Saudi Arabia or Gaza. The attacks represent a new chapter in the Israeli-Palestinian conflict, as Hamas spokesmen described them as new forms of Arab and Islamic resistance against Israeli financial interests. In both the New York and Israel episodes, while hacktivists used cyber attack tools to leverage the impact of conflicts and social protests, their targets were the financial community, which was vulnerable.
The Major Israeli Attacks were Application-Oriented
A chilling aspect of Monday’s cyber attack was the discovery that attackers are moving to the application layer, a sophistication that renders traditional distributed denial of service (DDoS) defenses useless. Volumetric DDoS attacks, like those launched by Anonymous, were originally about flooding victim sites with irrelevant network traffic. During the past year the Radware Emergency Response Team (ERT) has seen an increase in application DDoS attacks. Defending against application DDoS attacks is much tougher: application transactions look legitimate and are generated by real IP addresses and machines; it is the users that are not real.
Most On-Line Enterprises are Vulnerable to Application DDoS
As a rule of thumb, nearly all major retail sites and most financial services defend against denial of service attacks by deploying DDoS protection from the service provider or by using Content Delivery Networks (CDN), or a combination of both. The excessive traffic generated by attackers is mitigated using the service providers’ DDoS protection tools, or absorbed by the high capacity of the CDN provider. However, this model is proving faulty and fraught with vulnerabilities.
ISPs are NOT your friend for Anti-Application DDoS
For example, the internet service provider has great capability to detect and mitigate network DDoS flood attacks but (by its own admission) has very limited capability to protect against application floods which, to an ISP, look identical to legitimate user traffic.
Neither are CDNs!!
On the other hand, the CDN has problems too! CDNs are easily bypassed by changing the page request in every web transaction so that content cannot be cached, which turns the CDN into a proxy that delivers the attack traffic directly to the target servers. Moreover, in most cases CDNs can unwittingly publish the key external IPs of customers, addresses that represent load balancers or other key infrastructure servers, making these devices known to attackers who would not otherwise have access to them.
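Seen from the defender’s side, the cache-bypass pattern just described leaves a visible trace at the origin: one client whose every request carries a query string the cache has never seen before. The following is an added example, not code from the original post or from Radware, that scans constructed access-log lines for that pattern; the log format, IP addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format). The first client
# repeats the same cacheable pages; the second appends a never-repeating
# query string to every request, so each hit is a forced cache miss that
# the CDN must forward to the origin server.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2012:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 5120
203.0.113.10 - - [16/Jan/2012:10:00:02 +0200] "GET /news.html HTTP/1.1" 200 7100
203.0.113.10 - - [16/Jan/2012:10:00:05 +0200] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [16/Jan/2012:10:00:01 +0200] "GET /index.html?x=a81f HTTP/1.1" 200 5120
198.51.100.7 - - [16/Jan/2012:10:00:01 +0200] "GET /index.html?x=c92b HTTP/1.1" 200 5120
198.51.100.7 - - [16/Jan/2012:10:00:02 +0200] "GET /index.html?x=11e0 HTTP/1.1" 200 5120
198.51.100.7 - - [16/Jan/2012:10:00:02 +0200] "GET /news.html?x=77ad HTTP/1.1" 200 7100
198.51.100.7 - - [16/Jan/2012:10:00:03 +0200] "GET /news.html?x=f00d HTTP/1.1" 200 7100
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_cache_busters(log_text, min_requests=4, unique_ratio=0.8):
    """Return {ip: (request_count, fraction)} for clients whose requests are
    dominated by query strings never seen before by anyone (cache misses by
    design). min_requests avoids flagging a single odd request; unique_ratio
    is the assumed fraction above which the pattern is considered deliberate."""
    seen_targets = set()
    per_ip = defaultdict(lambda: [0, 0])   # ip -> [total requests, never-seen query targets]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counters = per_ip[rec["ip"]]
        counters[0] += 1
        if "?" in rec["target"] and rec["target"] not in seen_targets:
            counters[1] += 1
        seen_targets.add(rec["target"])
    flagged = {}
    for ip, (total, unseen) in per_ip.items():
        if total >= min_requests and unseen / total >= unique_ratio:
            flagged[ip] = (total, unseen / total)
    return flagged
```

A flagged client is a candidate for rate limiting or challenge at the origin or the CDN edge, which is exactly the layer the post says an ISP or CDN alone does not inspect.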
No one can say for certain how all of this will play out; however, given the increased frequency, directed attacks, and effectiveness of the techniques, we can safely assume the following are the key activities heading into 2012:
- Cyber attacks go mainstream for activists and for financially motivated criminal organizations. Attackers’ motivation has evolved: from publicity and vandalism they have moved to seeking financial gain or protest without leaving their homes.
- Reassessing the risk: your organization is likely a target. For example, eCommerce sites – such as financial services, retailers, top national brands, and online government agencies and services – which were the prime target for financially motivated attackers, are now also targets for hacktivism. In fact, many of the current victims of the Israeli attacks stated publicly that they thought the issue of defense was well enough in hand with their current CDN and Internet providers.
- Cyber weapons of mass disruption deploy multi-vulnerability DoS and DDoS attacks. This renders traditional network security measures useless, as they typically can detect and defend against only some of the attack vectors.
- The need for complementary security technologies. Mitigating multi-vulnerability and multi-vector attacks requires more than one security technology in place, adding behavioral analysis technologies on top of traditional signature detection and rate-based protection.
- Architecting the perimeter for attack mitigation. Enterprises need LAYERED DEFENSES, not a single ISP or service provider. Deploying complementary network security technology requires rethinking perimeter security.
- Defenses are needed! Mitigation strategies are also evolving and now include active “self defense” strategies such as the notion of ‘hack back’ and ‘eco-system resistance’, which includes the notion of a multi-layered approach to DDoS attacks.