Following the recent escalation of cyber attack campaigns by the Anonymous group and, most recently, the pro-Palestinian “hacktivists” (the Saudi Arabian hacker “0xOmar”) who tried over three days to bring down the Israeli stock market, the national airline’s website and several major, vulnerable private banks, I am hearing more and more about online companies looking for Geo IP blocking capabilities. I have nothing against Geo IP analytics and blocking measures as such; however, this specific requirement means that organizations have effectively decided to deny access to part of their legitimate audience. In other words, these companies are giving up: they do not believe that their current security capabilities can differentiate between legitimate and non-legitimate users while under attack, so, under pressure, they choose to simply block everything coming from countries they believe are not safe.
Well, that means we lost for two main reasons:
- Second, and maybe most important, public online sites that were meant to be open to everyone are under siege and prefer to deny traffic to large audiences.
Radware’s Emergency Response Team was able to come in and rescue many of Israel’s major online companies while they were under attack. We replaced the Geo IP blocking approach with an end-to-end security solution deployed both on the service provider side (of the protected online company) and on the customer premises. That approach allowed these recent cyber attacks to be blocked without unnecessarily blocking legitimate traffic through methods such as Geo IP blocking.
Limitations of Existing Tools
Getting back to why these companies originally lost trust: the cause lies in the following operational limitations of the existing security tools:
On-premises security solution – On-premises security equipment suffered from volumetric attacks that consumed the entire pipe, which renders it, strong as it may be, useless: in such cases it is too late to block the attacks on the customer premises.
Service provider security solution – The assumption that the service provider’s security tools could handle these recent attacks was misleading, for the following main reasons:
- Low & Slow – Security equipment on the service provider side was not able to detect and prevent the “low & slow” (sometimes called “slow and silent”) DoS attacks from way up there in the cloud. These attack types simply went under their radar and hit the target sites very badly (attack tools such as R.U.D.Y., Socketstress, the Slowloris attack technique and its variants, and more are all part of this family of DoS threats).
- Application level floods – Application level attacks were not effectively mitigated. The level of “intimacy” with the customer’s application that is required to prevent application level attacks effectively does not exist up there in the cloud, far from the customer site.
- Encrypted DoS attacks went under the radar as well – there was no way the customers would allow their keys to be used in the cloud.
As illustrated above, the following inherent security limitations exist on the service provider side:
- Low & Slow – goes unnoticed
- Encrypted DoS attacks – go unnoticed
- Application level DoS – not effectively mitigated
- Non-tuned thresholds and a lack of behavioral analysis technologies that effectively learn the protected site’s behavior result in ineffective protection.
- Random request techniques force CDNs to raise the “curtain” and forward all the attacks directly to the customer premises.
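To make the low & slow and non-tuned threshold points concrete, here is an added example (not from the original post and not Radware code) that runs a plain bandwidth threshold and a behavioural connection-state check over a constructed snapshot of open connections; the addresses, thresholds and snapshot are assumptions.

```python
# Added example (not from the original post and not Radware code): why a
# bandwidth threshold misses a Slowloris-style "low & slow" attack while a
# behavioural check on per-source connection state catches it. Addresses,
# thresholds and the snapshot below are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str            # client address
    age_s: float        # seconds since the TCP connection was accepted
    bytes_in: int       # request bytes received so far on this connection
    headers_done: bool  # True once a complete request header has arrived


# Constructed snapshot of one server's open connections: two sources each
# hold dozens of half-sent requests open, three normal clients complete
# their requests quickly, and one slow but honest client has a single
# unfinished request.
SNAPSHOT = (
    [Conn("198.51.100.7", 250 + i, 40 + i, False) for i in range(40)]
    + [Conn("198.51.100.9", 180 + i, 30 + i, False) for i in range(35)]
    + [Conn("203.0.113.5", 0.4, 812, True),
       Conn("203.0.113.6", 1.2, 950, True),
       Conn("203.0.113.7", 0.2, 700, True),
       Conn("203.0.113.8", 45.0, 120, False)]
)


def volumetric_alert(conns, bps_threshold=1_000_000):
    """Volumetric check: flag sources whose summed inbound rate (bytes per
    second, averaged over each connection's age) reaches the threshold."""
    rate = defaultdict(float)
    for c in conns:
        rate[c.src] += c.bytes_in / max(c.age_s, 1.0)
    return {src for src, r in rate.items() if r >= bps_threshold}


def low_and_slow_alert(conns, max_header_age_s=30.0, max_pending=10):
    """Behavioural check: flag a source holding max_pending or more
    connections open past max_header_age_s without finishing the request
    header, however little bandwidth it uses. One slow client stays under
    max_pending and is not flagged."""
    pending = defaultdict(int)
    for c in conns:
        if not c.headers_done and c.age_s > max_header_age_s:
            pending[c.src] += 1
    return {src for src, n in pending.items() if n >= max_pending}
```

Lowering bps_threshold until the volumetric check fires flags only the three normal clients, never the two slow sources, which is the non-tuned threshold problem the list above describes.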
On the other hand, if only CPE security tools are deployed, then simple volumetric attacks can saturate the line and render the CPE useless, i.e., deny all traffic to the site.
Radware’s annual security report, which is about to be released, will expose more facts about the recent attack developments. It will prove that in the past two years all serious cyber attack campaigns have included volumetric as well as low and slow attack vectors, generated simultaneously.
Taking all this into consideration, a security architecture that uses both CPE and service provider security tools to protect sites, provided these include all the necessary attack mitigation techniques, is the only effective way to protect sites. A security framework that includes both customer premises and service provider layers of defense will win back the trust of organizations.