Could Your Network Survive APDoS or Hit-and-Run DDoS?


Can you guess where a network breach first occurs?

When a CISO asked this question during a recent business trip my answer was simple:  “Sure! In the first line of defense.”  Trying to improve my chances, I quickly added, “You know what, it’s when employees share on social networks and unintentionally provide puzzle pieces to potential perpetrators.”

“No,” he said. “It happens in the CISO’s mind. At the very moment they feel secure enough…”

That was an interesting statement and come to think about it, he did have a point. If threats are becoming more and more sophisticated, then security countermeasures have to evolve at the same pace and in the same direction.

What Will The Next Attack Look Like?

Many organizations still believe that if they upgrade their infrastructure they can contain a DDoS attack: increase pipe capacity, add more cables, add network resources and components to absorb a larger amount of traffic, or, in extreme cases, simply dump traffic. It doesn't have to be this way, and over-provisioning alone will not stop multi-vector attacks.

Attackers have studied the security solutions on the market very well and have a good notion of the trends and heuristics that security experts follow. They are translating these lessons into more sophisticated tools, such as APDoS (Advanced Persistent Denial-of-Service) and Burst Attacks (also known as Hit-and-Run DDoS). In its latest industry report, Radware's Emergency Response Team (ERT) indicated a growing use of these new attack formats.


Serious New Threats

APDoS is an ongoing DDoS attack that continues until the attacker stops the attack or the host server is able to defend against it.  Since the attack is persistent, APDoS is essentially a potpourri of attack types and will most likely involve multiple vectors aimed at all network layers simultaneously.

A typical APDoS campaign combines massive network-layer DDoS attacks with focused application-layer (HTTP) floods, followed by repeated SQLi and XSS attacks at varying intervals. Such a campaign can send up to tens of millions of requests per second. Now imagine that together with the good old volumetric attack in the form of large SYN floods, plus a relatively new vector: secure SMTP (TLS over SMTP).

APDoS attacks can persist for weeks at a time, challenging the resources of even the most sophisticated security infrastructures.

Today's threats drive demand for automated defenses and rapid analysis and mitigation. Think of your company for a second: is it prepared to mitigate an APDoS attack? Unfortunately, many organizations rely on dated techniques, such as trying to synchronize multi-vendor solutions, a patchwork that requires heavy manual intervention.

The rise of APDoS attacks represents an emerging threat demanding more advanced detection and mitigation and a true partnership with DDoS mitigation service providers. Attackers are demonstrating more patience and persistence, leveraging "low and slow" attack techniques that exhaust application resources rather than those in the network stack. Attackers are also using evasive techniques to avoid detection and mitigation, including SSL-based attacks and changing the requested page during an HTTP page flood.

APDoS will become hacktivists' preferred technique; it was already used in the attack against ProtonMail.

Burst Attacks aka “Hit-and-Run DDoS” use short bursts of high volume attacks in random intervals, spanning a time frame of days or weeks.  These attacks lead to frequent and inconsistent disruptions in the network server’s SLA and can prevent legitimate users from using a service.


Hit-and-Run DDoS requires access to extensive resources (computing power, a botnet, applications) in order to launch high-volume attacks in short bursts. Each burst lasts only a short period of time, sometimes several minutes, until the server goes down. The bursts may repeat every few hours over the span of the operation.

Bursts are also sometimes used as a test: an attacker injects a few bad packets into a network to check whether it is online and functioning. Hit-and-Run DDoS exploits a weakness of anti-DDoS software and services that are designed to defend against prolonged DDoS attacks. Activating such protection can take longer than the burst itself, so service is already denied before the protection can start to defend against the attack or learn its traffic pattern, and that pattern may itself change during the attack.

New Threats Require New Methods

Burst attacks are becoming more and more common. Though volumetric in nature, their volumes are on a much higher scale, which introduces the risk of Internet pipe saturation. The best approach here is a hybrid solution: on-premise protection that detects and mitigates the attacks in real time, coupled with on-demand cloud protection for the volumetric attacks.
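The burst mechanics above (bursts that end before slow-activating protection engages) and the on-premise versus on-demand comparison can be measured directly. The following is an added example, not Radware's code: it flags bursts in a constructed per-second request-rate series against a warm-up baseline and reports how many seconds of each burst elapse before a mitigation with a given activation delay engages; the 10 s and 900 s delays are assumed illustrative values, not vendor figures.

```python
"""Burst (hit-and-run) DDoS detector over a per-second request-rate series.

Added example, not Radware's code. The baseline is learned only from the
warm-up window so the burst itself cannot inflate the threshold, which is the
'learning' problem the post describes. All input data is constructed.
"""
from statistics import mean, pstdev

# Constructed sample: one value per second, 4 minutes of normal traffic around
# 1,000 req/s with two short bursts (hypothetical numbers, not real telemetry).
BASELINE = [1000 + (i * 37) % 120 for i in range(240)]
RATES = BASELINE[:]
for t in range(40, 70):        # 30-second burst
    RATES[t] = 60_000
for t in range(180, 225):      # 45-second burst
    RATES[t] = 75_000


def detect_bursts(rates, warmup=30, sigma=6.0, min_len=3):
    """Return (start, end) index pairs where the rate exceeds
    baseline mean + sigma * baseline std for at least min_len seconds."""
    base = rates[:warmup]
    threshold = mean(base) + sigma * max(pstdev(base), 1.0)
    bursts, start = [], None
    for i, r in enumerate(rates):
        if r > threshold and start is None:
            start = i                      # burst begins
        elif r <= threshold and start is not None:
            if i - start >= min_len:       # ignore one-off spikes
                bursts.append((start, i))
            start = None                   # burst ended
    if start is not None and len(rates) - start >= min_len:
        bursts.append((start, len(rates)))  # burst still running at end
    return bursts


def unmitigated_seconds(bursts, activation_delay):
    """Seconds of each burst that pass before a mitigation with the given
    activation delay (e.g. on-premise vs. on-demand cloud) can engage."""
    return [min(end - start, activation_delay) for start, end in bursts]


if __name__ == "__main__":
    found = detect_bursts(RATES)
    print("bursts (start, end):", found)
    for label, delay in (("on-premise 10 s", 10), ("cloud on-demand 900 s", 900)):
        print(label, "-> unmitigated seconds per burst:",
              unmitigated_seconds(found, delay))
```

With the slow activation delay every burst finishes before protection engages, which is exactly the window the hit-and-run pattern is designed to fit into.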

Analyzing recent Burst Attacks, Radware’s Emergency Response Team (ERT) indicated a growing use of automated, bot-based operations that generate large volumes of traffic in a short period of time.  Maintaining these peaks over a long period of time will essentially create an APDoS.

Returning to that CISO's point, my conclusion is that, just as perpetrators keep improving their offensive tools, we need to keep our protective systems smart and adaptive.

Learn more about cyber-attack detection and trends in the 2016 Global Application and Network Security Report.


2 COMMENTS

  1. Initially, you mentioned that employees sharing puzzle pieces via social media could cause a problem with a company's network security. Do you mean employees sharing log-in information, or are there other details that get shared that would allow someone to gain access to the system? Would you be so kind as to blog or provide a list of the things that employees should never share online?

    We are currently dealing with DDoS attacks daily, and today I was shown where people in China are showing up in our "connected devices" list on two of our routers. I didn't think this was possible unless they were within wireless range of our routers. We use ASUS routers with WPS security. Is there something better we could use? Thank you!

  2. Hi Joseph,

    Thank you for responding.

    Let me first go ahead and answer your question regarding employee behavior on social networks.
    Many compromises begin with "social engineering". Hackers follow the target company's employees on the web for weeks or months. It is very hard to control, but here are a few points to think about:
    1. LinkedIn allows finding the senior managers, staff with admin rights, and overall company structure (not to mention corporate emails and contact details).
    2. Facebook allows tracking the social connections and circle of trust of your employees.
    3. Employees are keen to share exciting news (upcoming launch, sales wins, company event).
    4. They may not be fully minded to keep caution with corporate applications, files, source code and other information.
    5. How will you secure the communications and interactions of your management via the social channels?
    Bottom line: a perpetrator can easily plan whom to use and how to infiltrate your company.
    I strongly recommend an employee awareness and education program.

    Regarding the DDoS attacks you experience:
    Unfortunately it happens more and more.

    I wouldn’t feel right giving you a general answer online regarding your routers not knowing their setup, especially if we suspect they were compromised.
    I suggest linking you to one of our consultants in your area who can walk you through a few recommended steps.
    Feel free to send me your contact details to benz@Radware.com.
    I’ll make sure you are contacted within 24 hours. Here is our US HQ Toll Free number: 1 (888) 234-5763.
