Last year a few noteworthy things happened in terms of cryptocurrencies. The IRS won their case against Coinbase and over 14,000 people who traded over $20,000 USD in 2015 now have to face the IRS. Exchanges in Asia started forcing KYC (Know Your Customer) requirements on customers as did most of the rest of the world. Bitfinex decided to block all U.S. customers in November of 2017 due to regulatory issues and uncertainty. What this means is that Bitcoin and cryptocurrency is becoming harder to trade anonymously and without paying taxes. This is what happens because of legitimacy from regulation, lawful trade and taxation. I am not saying there isn’t much debate still regarding the legality, legitimacy or utility of cryptocurrencies; I’m saying 2017 had a significant change in how it is viewed. Today, the SEC in the U.S. has been discussing forcing cryptocurrency exchanges to register with the SEC and there is no definitive answer to what this is going to mean or if it is going to happen.
By now, almost everyone has heard of Bitcoin and blockchains. Mainstream news, investment platforms, Wall Street, and everyone else is talking about this technology as the most amazing discovery since the internet. Many have called a Bubble on the Crypto Coins and likened it to Tulip Mania, while others caution about the Dot Com Bubble and how this has the same look and feel of that. One thing is for certain: There will be some winners in the technology space, and some form of blockchain technology will live on, just like the dot com did. We all still use the internet and dot com companies as an everyday thing. Can we look at the past “dot com bust” and predict the future of blockchain, cryptos and the future of this technology?
A year ago, we bought a fixer-upper well below market value. We knew that we would have the opportunity to make some investment in smart tech. When Amazon sent a Smart Home Consultant to our house, they said we were farther ahead than most of the people they met with. I was trying to get them to help me make my lights flash blue and green when the Seahawks NFL team scored a touchdown. We’ve since solved that problem, and along the way, we had to take many important security measures.
In February of 2017, Memorial Healthcare System settled their HIPAA violation fines for $5.5 Million USD. During an investigation, it was discovered that over 100,000 patient records had been impermissibly accessed. Allegedly, an ex-employee retained access to personal identifying information and sold data records to people who filed fraudulent tax returns using the data. Federal criminal charges were filed against the ex-employee.
10 years ago, I left my position as the principal architect at a major U.S. financial institution. We developed the standards for how SSL was used inside the bank and their systems. Because of the weakness of ADC hardware at the time, we standardized on the “fastest and lightest” ciphers that would allow us to be compliant for online banking. In today’s age, many would argue that is absolutely foolish. But is it?
We know that SSL has changed a lot in the last 10 years. Old ciphers are now considered insecure, obsolete, and out of PCI compliance. In looking at what many companies have shared about how they deal with SSL, we know there’s a blend of “just enough” cryptography to pass, and “Next-Gen” crypto, as some are calling it. According to Gartner, 50% of traffic in enterprises today is encrypted.
Most organizations cannot rely solely on on-premise solutions because of the volumetric aspects of DDoS attacks. Multi gigabit-sized attacks cause on-premise connection lines to fill up, and organizations to go offline. Vulnerabilities with CDNs also has limitations for organizations. On-premise and cloud-based solutions offer protections that most ISPs are not able to deliver effectively. Some ISP’s have much better detection and DDoS mitigation capabilities, and next-generation offerings may include WAF and DDoS automation and integration. Every ISP is different and actual protections will vary over time and with vendors.
When BrickerBot was discovered, it was the first time we’ve seen a botnet that would destroy an IoT device, making it unusable. We’ve had cameras in the lab for our research on the Mirai botnet, so one was volunteered to be the guinea pig. Watching our beloved research lab’s IP-enabled camera turn into a useless paperweight was somewhat bittersweet. We knew BrickerBot v1 aimed to destroy insecure IoT gear, and this was validation. We had to either take it apart and solder a serial connection to it to re-flash it, or just spend the $60 on a new one to continue our IoT botnet research.
Today, many organizations are now realizing that DDoS defense is critical to maintaining an exceptional customer experience. Why? Because nothing diminishes load times or impacts the end users’ experience more than a cyber-attack, which is the silent killer of application performance.
As high-availability and high performance distributors of content to end-users, CDNs can serve as a lynchpin in the customer experience. Yet new vulnerabilities in CDN networks have left many wondering if the CDNs themselves are vulnerable to a wide variety of cyber-attacks, such as forward loop assaults.
So what types of attacks are CDNs vulnerable too? Here are top 5 cyber threats that threaten CDNs so you can safeguard against them.
Blind Spot #1: Dynamic Content Attacks
Attackers have learned that a significant blind spot in CDN services are the treatment of dynamic content requests. Since the dynamic content is not stored on CDN servers, all the requests for dynamic content are sent to the origin’s servers. Attackers are taking advantage of this behavior and they generate attack traffic that contains random parameters in the HTTP GET requests. CDN servers immediately redirect this attack traffic to the origin, expecting the origin’s server to handle the requests. But, in many cases, the origin’s servers do not have the capacity to handle all those attack requests and they fail to provide online services to legitimate users, creating a denial-of-service situation.
Many CDNs have the ability to limit the number of dynamic requests to the server under attack. This means that they cannot distinguish attackers from legitimate users and the rate limit will result in legitimate users being blocked.
Blind Spot #2: SSL-based attacks
SSL-based DDoS attacks target the secured online services of the victim. These attacks are easy to launch and difficult to mitigate, making them attackers’ favorites. In order to detect and mitigate DDoS SSL attacks, CDN servers must first decrypt the traffic using the customer’s SSL keys. If the customer is not willing to provide the SSL keys to its CDN provider, then the SSL attack traffic is redirected to the customer’s origin, leaving the customer vulnerable to SSL attacks. SSL attacks that hit the customer’s origin can easily take down the secured online service.
During DDoS attacks when WAF technologies are involved, CDN networks also have a significant weakness in terms of the number of SSL connections per second from a scalability capability, and serious latency issues can arise.
PCI and other security compliance issues are also a problem as sometimes this limits the data centers that are able to be used to service the customer, as not all CDN providers are PCI compliant across all datacenters. This can again increase latency and cause audit issues.
Blind Spot #3: Attacks on non-CDN services
CDN services are often offered only for HTTP/S and DNS applications. Other online services and applications in the customer’s data center such as VoIP, mail, FTP and proprietary protocols are not served by the CDN and therefore traffic to those applications is not routed through the CDN. In addition, many web-based applications are also not served by CDNs. Attackers are taking advantage of this blind spot and launch attacks on applications that are not routed through the CDN, hitting the customer origin with largescale attacks that threaten to saturate the Internet pipe of the customer. Once the Internet pipe is saturated, all the applications at the customer’s origin become unavailable to legitimate users, including the ones that are served by the CDN.
Blind Spot #4: Direct IP Attacks
Even applications that are serviced by a CDN can be attacked once the attackers launch a direct attack on the IP address of the web servers at the customer origin. These can be network based floods such as UDP floods or ICMP floods that will not be routed through CDN services, and will directly hit the servers of the customer at the origin. Such volumetric network attacks can saturate the internet pipe, resulting in taking down all the applications and the online services of the origin, including the ones that are served by the CDN. Often misconfiguration of “shielding” the data center can leave the applications directly vulnerable to attack.
Blind Spot #5: Web Application Attacks
CDN protection for web applications threats is limited and exposes the web applications of the customer to data leakage, data thefts and other threats that are common with web applications. Most CDN-based web application firewall capabilities are minimal, covering only a basic set of predefined signatures and rules. Many of the CDN-based WAFs do not learn HTTP parameters, do not create positive security rules and therefore it cannot protect from zero day attacks and known threats. For the companies that DO provide tuning for the web applications in their WAF, the cost is extremely high to get this level of protection.
In addition to the significant blind spots identified earlier, most CDN security services are not responsive enough, resulting in security configurations that take hours to manually deploy and to spread across all its network servers. The security services are using outdated technology such as rate limit that was proven to be inefficient during the last attack campaigns, and it lacks capabilities such as network behavioral analysis, challenge – response mechanisms and more.
Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.
Among the reasons to marry DDoS & WAF (web application firewall) together, beyond a single pane of glass, beyond single vendor and quick technical response, and higher quality detection and mitigation – it makes sound business sense. Today, a good number of companies have developed the understanding that DDoS defense is critical to maintaining an exceptional customer experience (CX). Because of the extremely competitive nature of business these days, we are seeing more companies make the investments into digital transformation and customer experience. According to Gartner, customer experience is the new king.
Last week, I was doing research in the DarkNet marketplaces to keep on top of the current trends in the threat landscape. One of the advertisements that struck me as typical was an advertisement for a DDoS botnet for rent. It wasn’t that there was a botnet for rent, as those are everywhere. It was the Listing Details that put together a value proposition for attacking somebody that caught my eye. It says:
“Another advantage of the DDOS attack that you probably don’t know is the loss of Google Organic Ranking. Google really don’t like unreachable URLs or slow website. As soon as they find a decrease of availability or speed, your target will be temporary removed from results and then it will lose his Google ranking. Two weeks after a four days DDOS attack, I have seen a website going from first page to third page.”