Nearly two years ago I questioned the myth of whether size really matters, and now it is time to revisit the issue and look at some of the changes occurring in the cybercrime scene.
The big myth of 2012 was that organizations need to prepare for enormous attacks. The attack on Spamhaus in 2013 supported this claim. The DDoS attack on Spamhaus, an international non-profit dedicated to battling spam, is considered one of the largest in Internet history, reaching 300Gbps. The massive size of this attack changed the perspective on cyber threats in a way usually reserved for financial debt: when a debt is reasonable, it is your problem; when the debt is huge, it is everyone's problem. The Spamhaus attack was so massive that it threatened the integrity of the Internet infrastructure, and so it became everyone's problem.
In nearly 100% of DDoS attack cases, the victim's network infrastructure was designed to process the excess traffic, yet it failed to maintain application availability. To understand why this occurs, let's take a look at what has changed in the last two years and at the ways cybercrime has evolved.
Attackers Disguise Themselves
Attackers have learned that most mitigation tools rely on blacklisting IP addresses to block botnet-based attacks. They get around the blacklist by launching attacks from dynamic IP addresses, or by using proxy servers, CDNs, anonymizers or encrypted communications to avoid detection.
Web Stealth Attacks
Web stealth attacks are a set of DoS/DDoS attack vectors that include brute-force attacks (e.g. attacks on the login page), file upload violations, SSL-encrypted application attacks and more.
One example which does not gain much media attention, despite its increasing frequency, is the login page attack. Login page attacks embody the concept of the weak link. Organizations invest in network security to protect their web servers and applications, and they arrange on-demand capacity allocation plans to absorb accidental traffic growth; however, securing the login servers is not always addressed properly. Attackers overwhelm the login servers with relatively low volumes of login requests in an effort to deny service to legitimate users.
Attackers Bypass CDN Protection
The content delivery market is expanding. While Content Delivery Network (CDN) solutions are widely adopted by content providers (e.g. media companies, content aggregators, etc.), other verticals have started to use CDNs as a content-caching mechanism to provide a better user experience. Attackers overcome the powerful cache-offloading mechanism at the core of CDN solutions by requesting dynamic content. Using this method, they build attack tools that stay below the CDN's radar and manage to saturate the application servers in the data center.
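As an added example (not code from the post or the report), the following Python pass over constructed access-log lines flags the two patterns described above: a login-page flood whose per-source volume stays low because the sources rotate, and cache-busting requests that vary the query string so every hit misses the CDN cache. The paths, thresholds and log lines are assumed values for a single short time window, not figures from the report.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in combined-log style (assumed, one short window).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2014:10:00:00 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.11 - - [01/Mar/2014:10:00:00 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.12 - - [01/Mar/2014:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.13 - - [01/Mar/2014:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [01/Mar/2014:10:00:01 +0000] "GET /news/story?x=8213 HTTP/1.1" 200 9040
198.51.100.7 - - [01/Mar/2014:10:00:02 +0000] "GET /news/story?x=1177 HTTP/1.1" 200 9040
198.51.100.7 - - [01/Mar/2014:10:00:02 +0000] "GET /news/story?x=4401 HTTP/1.1" 200 9040
192.0.2.5 - - [01/Mar/2014:10:00:02 +0000] "GET /static/logo.png HTTP/1.1" 200 3200
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')

def parse(log_text):
    """Yield (client_ip, method, path, query) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, target = m.groups()
            parts = urlsplit(target)
            yield ip, method, parts.path, parts.query

def analyse(log_text, login_path="/login", login_max=3, query_variants_max=2):
    """Return alerts found in the window. Thresholds are assumed values for
    this sample; tune them to the site's normal login and cache-miss rates."""
    login_posts = Counter()            # POSTs to the login page, per client IP
    queries_per_path = defaultdict(set)  # distinct query strings seen per path
    for ip, method, path, query in parse(log_text):
        if path == login_path and method == "POST":
            login_posts[ip] += 1
        if query:
            queries_per_path[path].add(query)
    alerts = []
    # Alert on the endpoint's aggregate rate, not per IP: with rotating sources
    # each IP sends only one request here, so a per-IP threshold never fires.
    total = sum(login_posts.values())
    if total > login_max:
        alerts.append(("login_flood", total, len(login_posts)))
    # Many distinct query strings for one path means every request bypasses the
    # CDN cache and lands on the origin application servers.
    for path, qs in queries_per_path.items():
        if len(qs) > query_variants_max:
            alerts.append(("cache_bypass", path, len(qs)))
    return alerts
```

Run `analyse(SAMPLE_LOG)` to see both alerts; the per-IP login count stays at one for every source, which is exactly why the aggregate check is the one that matters.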
Source: Global Application and Network Security Report 2013, Radware.
Change is headed your way whether you're prepared or not, and DoS/DDoS attacks are the weapon of choice. These attacks are steadily increasing in severity and complexity, so if you're looking for more insight to help detect, mitigate and win this battle, I invite you to download the 2013 Global Application and Network Security Report. It is a great resource for learning how attackers bypass new mitigation tools, and it also describes what features you should look for in DoS/DDoS protection.