DDoS Yourself First – Part I: Auditing for DDoS Vulnerabilities


What happens if your company has reason to believe that it may come under a DDoS attack in the near future or recently suffered an attack? These questions probably come to mind:

- How do I know if the attackers will be successful?
- How can I test my environment myself for expected attacks?

Shouldn’t I already have a good answer for these questions? After all, many organizations pay good money to deploy high performance security and risk teams and expect them to stay on top of questions like these.

However, please understand that I have over 15 years of providing and conducting penetration testing and vulnerability assessments, and today's STANDARD SECURITY TESTING DOES NOT TEST FOR AVAILABILITY ISSUES!!

So, given that, how does one assess the likelihood of falling prey to an attacker or being victorious in mitigating the attack?


An Epiphany

What will it take for most security professionals to recognize that the problem all companies are having fighting Hacktivists is THEIR problem too?!? Yes, if you're doing the same thing today with your security program that you were doing 24 months ago, this "old way" of DDoS protection just isn't working to protect environments from ideological-based or "Hacktivist" attacks.

That model DOES NOT WORK!


Acknowledge that risks HAVE changed – Have You?

For the last 18 months security professionals around the globe have watched as a group of cyber hacktivists dismantled the web defenses of some of the most respected financial and ecommerce sites and "walked right into" their secure databases and holdings to make a statement.

These attacks were not the work of the numerous and very prolific organized crime syndicates whose botnets are constantly prowling and seeking network vulnerabilities to exploit for criminal financial gain; instead, they stem from a group of hacktivists who happened to disagree with these particular companies' adherence to a governmental request.


Ideological Threats require – Big "A" Thinking

Securing availability is different from securing confidential data and ensuring that transactions are processed with high integrity.

This is the threat landscape all network service providers face today, not just on a day-to-day basis but minute by minute. Many forms of attack on your network are known and more easily defeated, but the most daunting attacks are those whose form is not known, not yet seen, or perhaps not yet recognized. There are also attacks that are known, but where the modes in which they are leveraged are not known. That is why perimeters are successfully being compromised. In the case of most of the recent attacks, the customary way of deploying security technology is not able to defend against these new attackers.


So – What is the new model?

To be effective, a defense system must first be able to identify the attack as it is forming or while it is in the process of attacking the network. Second, it must determine which incoming traffic has malicious intent and which traffic is legitimate. The legitimate traffic must be allowed to pass so that commerce can still be conducted, and the illegitimate traffic must be quarantined from the rest of the network and discarded. In addition, a network defense system must cope with various and multiple attacks in real time.

Standard network-security solutions depend on static signature protection against known application-vulnerability exploits and on rate-based protection against high-volume attacks and unknown attacks. Static signature-protection technology, deployed by network IPS, firewalls, and anti-virus products, can only identify predefined attacks. This type of traditional perimeter security relies on periodic signature updates, leaving the business vulnerable to zero-minute attacks, and offers no solution against non-vulnerability-based attacks.

Rate-based technology is designed to suppress abnormal traffic patterns. It is deployed as a means of mitigating high-volume attacks or zero-minute attacks. However, a rate-based solution does not differentiate between attack traffic and legitimate traffic: packets and sessions, good and bad, above predefined thresholds are dropped. Rate-based technology offers no protection against lower-rate attacks (for example, brute-force attacks, low-rate malware propagation, and slow network and application probes). Furthermore, rate-based technology cannot prevent improper-use scenarios where attack traffic such as an HTTP page flood appears identical to legitimate application requests, as in a flash crowd.
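As an added illustration of the two failure modes just described (this is example code written for this post, not any vendor's product logic), the following Python runs a plain global per-second threshold over constructed traffic: a flash crowd and an HTTP page flood hitting the same page during the same ten seconds, plus one host probing at a single request per second. All addresses, counts and the 120-requests-per-second threshold are made up for the demo; the "legitimate" flag on each request is ground truth used only for scoring and is exactly what the rate limiter cannot see.

```python
from collections import defaultdict

CROWD = "203.0.113."   # constructed: legitimate flash-crowd users
BOTS = "198.51.100."   # constructed: page-flood bots
PROBE = "192.0.2.7"    # constructed: single low-rate prober


def constructed_traffic():
    """Arrival-ordered requests as (second, ip, path, legitimate).
    The last field is ground truth for scoring only."""
    events = []
    for sec in range(60):
        # One probe request every second for 60 s: far below any volume threshold.
        events.append((sec, PROBE, f"/admin/{sec}", False))
        if sec < 10:
            # Seconds 0-9: a flash crowd of 200 real users (100 hits/s) and an
            # HTTP page flood from 20 bots (100 hits/s), interleaved on the wire,
            # all requesting the same page. Each request looks the same.
            for k in range(100):
                events.append((sec, CROWD + str((sec * 100 + k) % 200), "/sale", True))
                events.append((sec, BOTS + str(k % 20), "/sale", False))
    return events


def rate_based_filter(events, max_per_sec):
    """Global rate limit: once a second's budget is spent, every further request
    in that second is dropped, whoever sent it. Returns [(legitimate, passed)]
    in arrival order."""
    count = defaultdict(int)
    decisions = []
    for sec, _ip, _path, legit in events:
        count[sec] += 1
        decisions.append((legit, count[sec] <= max_per_sec))
    return decisions


def score(decisions):
    """Return (legitimate requests dropped, attack requests passed)."""
    legit_dropped = sum(1 for legit, ok in decisions if legit and not ok)
    attack_passed = sum(1 for legit, ok in decisions if not legit and ok)
    return legit_dropped, attack_passed


if __name__ == "__main__":
    dropped, passed = score(rate_based_filter(constructed_traffic(), 120))
    print(f"legitimate dropped: {dropped}, attack passed: {passed}")
    # → legitimate dropped: 400, attack passed: 650
```

The threshold discards 400 real shoppers' requests while letting 600 flood requests through, because nothing in a request count distinguishes the two, and all 60 probe requests pass untouched because their rate never approaches the threshold.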

Coming Soon: Part II: The Rise of the "Availability Vulnerabilities"

In my next post I will address the specific vulnerabilities that need to be tested in order to form a reasonable judgement of the efficacy of an internal control infrastructure.

