
Why Cyber Attackers are Still Defeating Your Network Security

May 7, 2014 — by Ron Meyran

Nearly two years ago I questioned the myth: does size really matter? Now it’s time to revisit the issue and also look at some of the changes occurring in the cybercrime scene.

The big myth of 2012 was that organizations need to prepare for enormous attacks. The attack on Spamhaus in 2013 supported this claim. The DDoS attack on Spamhaus, an international non-profit dedicated to battling spam, is considered one of the largest in Internet history — reaching 300Gbps. The massive size of this attack changed the perspective on cyber threats to one usually reserved for financial debt. When debt is reasonable, it’s your problem. When the debt is huge, it’s everyone’s problem. The Spamhaus attack was so massive that it threatened the integrity of the Internet infrastructure, and so it became everyone’s problem.

In nearly 100% of DDoS attack cases the victim’s network infrastructure was designed to process the excessive traffic, yet it failed to maintain application availability. To understand why this occurs, let’s take a look at what has changed in the last two years and the ways cybercrime has evolved.

Attackers Disguise Themselves

Attackers have learned that most mitigation tools rely on blacklisting IP addresses to block botnet-based attacks. They defeat these blacklists by launching attacks from dynamic IP addresses, or by using proxy servers, CDNs, anonymizers or encrypted communications to avoid detection.

Web Stealth Attacks

Web Stealth Attacks are a set of DoS/DDoS attack vectors that include brute-force attacks (e.g. attacks on the login page), file upload violations, SSL encrypted application attacks and more.

An example that does not gain much media attention, despite its increasing frequency, is the login page attack. Login page attacks embody the concept of the weak link. Organizations invest in network security to protect their web servers and applications, and they settle on on-demand capacity allocation plans to absorb accidental traffic growth; however, securing the login servers is not always addressed properly. Attackers overwhelm the login servers with relatively low volumes of login requests in an effort to deny service to legitimate users.

Figure 1: attacks on login page are highly destructive – based on SSL to evade detection; exploits the limited resources of the login servers.
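The login-page pattern described above, many sources each sending only a few requests to one resource-intensive endpoint, is exactly what per-IP blacklisting (the mitigation attackers are said to evade in the previous section) fails to catch. The following Python script is an added example and is not code from the original post or from Radware: it runs over constructed access-log lines, buckets them per minute, and flags a minute in which POSTs to the login endpoint dominate overall traffic. It also reports the highest per-source count, so you can see that a per-IP rule of, say, 10 requests a minute would never have fired. The log format, the `/login` path, the thresholds and all sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined"-style line, reduced to the fields this check needs (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return a dict with ip, minute bucket, method and path, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "07/May/2014:10:00:01 +0000" -> "07/May/2014:10:00" (one-minute bucket)
    rec["minute"] = rec["ts"][:17]
    # Compare paths without their query string.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def build_sample_log():
    """Constructed sample log: a quiet baseline minute followed by a low-rate, distributed login flood."""
    lines = []
    # Baseline minute: ordinary browsing plus two genuine logins.
    for i in range(30):
        lines.append(f'192.0.2.{i + 1} - - [07/May/2014:09:59:{i:02d} +0000] "GET /page{i} HTTP/1.1" 200 4096')
    for i in range(2):
        lines.append(f'192.0.2.{50 + i} - - [07/May/2014:09:59:3{i} +0000] "POST /login HTTP/1.1" 302 0')
    # Attack minute: 20 normal GETs, plus 40 sources that each send only 3 login POSTs.
    for i in range(20):
        lines.append(f'192.0.2.{100 + i} - - [07/May/2014:10:00:{i:02d} +0000] "GET /page{i} HTTP/1.1" 200 4096')
    for src in range(40):
        for k in range(3):
            sec = (src + k) % 60
            lines.append(f'203.0.113.{src + 1} - - [07/May/2014:10:00:{sec:02d} +0000] "POST /login HTTP/1.1" 401 0')
    return lines


def analyze(lines, login_path="/login", min_login_posts=50, min_share=0.5, per_ip_threshold=10):
    """Flag minutes in which login POSTs are both numerous and a large share of all requests.

    The per_ip_threshold is only used to report whether a classic per-IP rate rule
    would have noticed the same minute; it is not part of the detection itself.
    """
    buckets = defaultdict(lambda: {"total": 0, "login": 0, "per_ip": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        b = buckets[rec["minute"]]
        b["total"] += 1
        if rec["method"] == "POST" and rec["path"] == login_path:
            b["login"] += 1
            b["per_ip"][rec["ip"]] += 1

    findings = []
    for minute in sorted(buckets):
        b = buckets[minute]
        share = b["login"] / b["total"]
        max_per_ip = max(b["per_ip"].values(), default=0)
        if b["login"] >= min_login_posts and share >= min_share:
            findings.append({
                "minute": minute,
                "login_posts": b["login"],
                "total": b["total"],
                "share": round(share, 2),
                "sources": len(b["per_ip"]),
                "max_per_ip": max_per_ip,
                "per_ip_rule_would_fire": max_per_ip >= per_ip_threshold,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

On the constructed input the attack minute shows 120 login POSTs out of 140 requests from 40 sources, yet no single source exceeds 3 requests, so the endpoint-level share rule fires while a 10-per-IP rule stays silent. In production the thresholds should be derived from a baseline of the login endpoint's normal share of traffic, and the response should protect the login service itself (queueing, challenge, or capacity reserved for it) rather than rely on per-source blocking.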

Attackers Bypass CDN Protection

The Content Delivery market is expanding. While Content Delivery Network (CDN) solutions are being widely adopted by content providers (e.g. media companies, content aggregators, etc.), other verticals have started to use CDNs as a content-caching mechanism to provide a better user experience. Hackers overcome the powerful cache offloading mechanism, which is the core of CDN solutions, by asking for dynamic content. Using this method, attackers build attack tools that go below CDN radar and manage to saturate the application servers (in the data-center).

Figure 2: attackers bypass CDN protection by asking for dynamic content.
Source: Global Application and Network Security Report 2013, Radware.
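The CDN-bypass technique above leaves a signature at the edge: a path that is normally served from cache starts arriving with a different query string on nearly every request, so each one misses the cache and is fetched from the origin. The following Python script is an added example, not code from the original post or from Radware. It runs over constructed CDN edge-log lines that carry a HIT/MISS field, groups requests by path, and flags static paths whose query strings are close to unique per request. The log format, the list of static extensions, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed edge-log format: "<timestamp> <client_ip> <HIT|MISS> <method> <url>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<cache>HIT|MISS) (?P<method>[A-Z]+) (?P<url>\S+)$")

# Extensions treated as static, cacheable content (assumption; tune to the site).
STATIC_EXT = (".jpg", ".png", ".gif", ".css", ".js", ".html")


def build_sample_edge_log():
    """Constructed sample: cached asset traffic, a normal dynamic page, and a cache-busting flood."""
    lines = []
    # Baseline: a popular static asset served from cache to many clients.
    for i in range(30):
        lines.append(f"2014-05-07T10:00:{i:02d}Z 192.0.2.{i + 1} HIT GET /img/banner.jpg")
    # A genuinely dynamic page: misses are expected and the query string is stable.
    for i in range(10):
        lines.append(f"2014-05-07T10:00:{i:02d}Z 192.0.2.{i + 40} MISS GET /search?q=news")
    # Flood: the same static asset requested with a unique query string every time,
    # so the edge never has it cached and every request reaches the origin.
    for i in range(60):
        lines.append(f"2014-05-07T10:00:{i:02d}Z 203.0.113.{(i % 20) + 1} MISS GET /img/banner.jpg?nocache={i}")
    return lines


def analyze_edge_log(lines, min_queried_requests=20, min_unique_ratio=0.9):
    """Return one finding per static path whose query strings are nearly unique per request."""
    stats = defaultdict(lambda: {"requests": 0, "misses": 0, "queried": 0, "queries": set(), "ips": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        s = stats[parts.path]
        s["requests"] += 1
        s["ips"].add(m["ip"])
        if m["cache"] == "MISS":
            s["misses"] += 1
        if parts.query:
            s["queried"] += 1
            s["queries"].add(parts.query)

    findings = []
    for path, s in sorted(stats.items()):
        if not path.endswith(STATIC_EXT) or s["queried"] < min_queried_requests:
            continue
        unique_ratio = len(s["queries"]) / s["queried"]
        if unique_ratio >= min_unique_ratio:
            findings.append({
                "path": path,
                "requests": s["requests"],
                "origin_fetches": s["misses"],
                "query_variants": len(s["queries"]),
                "unique_ratio": round(unique_ratio, 2),
                "sources": len(s["ips"]),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_edge_log(build_sample_edge_log()):
        print(finding)
```

On the constructed input `/img/banner.jpg` is flagged with 60 distinct query strings over 60 queried requests and 60 origin fetches, while `/search` is ignored because it is a dynamic path with a single, stable query. The practical mitigation this points at is configuring the CDN to ignore or strip unrecognised query parameters when building the cache key for static paths, so that such requests are answered from cache instead of reaching the data-center.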

Change is headed your way whether you’re prepared or not, and DoS/DDoS attacks are the weapon of choice. These attacks are regularly increasing in severity and complexity, so if you’re looking for more insight to help detect, mitigate and win this battle, I invite you to download the 2013 Global Application and Network Security Report. It’s a great resource for learning how attackers are bypassing new mitigation tools, and it also describes the features you should look for in DoS/DDoS protection.


Ron Meyran

Ron Meyran leads the marketing activities, partner strategy and Go-to-Market plans for Radware’s alliance and application partners. He also works to develop joint solutions that add value proposition and help drive sales initiatives – designed to increase visibility and lead generation. Mr. Meyran is a security and SDN industry expert who represents Radware at various industry events and training sessions. His thought leadership and opinion pieces have been widely published in leading IT & security industry magazines and he holds a B.Sc. degree in Electrical Engineering from Ben-Gurion University and a MBA from Tel Aviv University.

3 comments

  • Jessica Dodson

    June 11, 2014 at 3:50 pm

    A smart attacker/hacker isn’t going to walk up to the front door of your system and announce themselves. It’s all going to be done in the deepest, darkest corners of your system where even your regular IT people don’t go all that often. Any loophole you missed is a potential doorway.


  • Ron.

    June 15, 2014 at 10:12 am

    I agree with your point, Jessica. Attackers will typically look for backdoors and unexpected paths to cause destruction. In the case of DoS/DDoS attacks the typical attack channel is the Internet access, and the use of web stealth techniques is an example of such a loophole that IT managers often miss.
