The Risk DDoS Attacks Pose to Enterprises
The Role of the Firewall
A Firewall is a necessary first step in protecting an enterprise network by establishing a barrier between a trusted, secure internal network and another outside untrusted network such as the Internet. Firewalls have evolved considerably over the years, with the advent of next-generation firewalls to add application-aware filtering and intrusion detection capabilities and help customers improve their first line of defense. However, DDoS attacks are one vector where Firewalls are commonly the point of failure. In fact, Radware’s own research shows that the firewall is the cause of downtime during DDoS attacks roughly one-third of the time. The reason for this is the stateful nature of these devices, required to keep track of open sessions and transactions on the network. Maintaining session state requires use of session tables as well as other CPU resources that are finite and also responsible for other security features. Therefore under attack, the session table can be exhausted causing the firewall to fail.
Myths about Using the Firewall or IPS for DDOS Protection
A common misconception is that traditional network security devices, such as a firewall or IPS can be used protect from DDoS flood attacks. Network DDoS attacks trigger large numbers of new connections require stateful resources to manage the load. In addition, Firewalls cannot determine legitimate versus malicious users when under application DDoS attacks. An HTTP flood attack, for example, since it can be made up of millions of legitimate HTTP sessions, can fill the firewall or IPS state table and overwhelm the device. Some may suggest that investing in a larger firewall will address this problem, but in the long term the resources available to attackers to launch high traffic attacks with a large number of connections will always be greater than the capacity of even the largest of firewalls.
DDoS in Review
A Denial-of-Service DOS attack is an attack targeting the availability of network resources and applications. Unlike other kinds of attacks, DoS attacks’ primary goal is not so much to infiltrate data, but rather to slow or take down altogether a network device, an application, and/or a website. The attackers’ motivations are diverse, ranging from simple fun (simply to show they can), financial gain (to make a profit), and ideology (political hacktivism).
A Denial of Service (DoS) attack is an attempt to make an online service unavailable by overwhelming it with a high volume of traffic. It can target a wide variety of important network and application resources and presents a major challenge to users’ ability to publish and access important information.
A Distributed DoS (DDoS) attack is the most common variant of Denial-of-Service attacks where an attacker or a group of attackers employ multiple machines to carry out a DoS attack simultaneously, therefore increasing its effectiveness and strength. The “army” carrying out the attack is mostly often composed of unknowingly infected zombie computers manipulated as (ro)bots and controlled as a botnet by the attacker via a remote Command and Control Server. A botnet is powerful, well-coordinated attack and could count millions of computers. It also insures the anonymity of the original attacker since the attack traffic originates from the bots’ IP addresses rather than the attacker’s. In recent years, attackers have the ability to use spoofed IP addresses or use content delivery networks thus disguising their origin.
Though DDOS attacks may not be thought about on a daily basis by the general public, there are a number of these cases every day in the news:
Hacking in Education
Case Study: Augusta County Public Schools, Virginia
The Virginia school was unable to maintain uninterrupted access to online resources for testing and SOL.
Summary: Technology coordinator Gary Bryant cites an attack in 2015 consisting of a UDP flood from a botnet, which completely swamped the school system’s inbound network pipe. The attack impacted the technology center, which is responsible for providing and maintaining just under 7,500 devices across the county’s 20 elementary, middle and high schools, as well as maintaining a Web presence for the school system. The attack threatened the school’s ability to satisfy government standards for online testing systems, which require uninterrupted access to Standards of Learning (SOL) information and testing hosted by the Virginia Department of Education.
DDOS for Hire
Case Study: Fiverr Testing Stresser Services
Summary: DoS for hire services often refer to themselves as ‘stressers,’ services that are intended for people to stress test their own websites and servers. But since these stressers don’t require users to prove website ownership prior to these so-called stress tests, stressers have become a simple way to aim a DDoS attack at any website a user wants. According to www.informationsecuritybuzz.com, in 2015 the average cost of using a stresser was $38 per hour, and the low end of the pricing spectrum was around $19. However, recently it has become even cheaper to inflict major harm on businesses, as according to the Underground Hacker Marketplace Report, using a stresser on the Russian underground is just $5 per hour.
DDOS attacks can be inexpensively bought or available through Opensource. Reportedly, one of the tools that has enabled the WikiLeaks organization is the open source Low Orbit Ion Cannon (LOIC), an open source network stress testing and denial-of-service attack application written in C#. WikiLeaks has been a mainstream reporting organization wreaking havoc on political figures and parties, most recently at the US Democratic Party National Convention.
More recently released into the public domain, the High Orbit Ion Cannon (HOIC), has been made available as a denial-of-service attack application written in BASIC and designed to attack as many as 256 URLs at the same time.
According to www.esecurityplanet.com, there is a clear link between DDOS attacks used as a decoy to mask the primary intent of stealing personal or corporate data. The report cites that 55 percent of all DDoS targets were also victims of security breaches where attackers stole funds, customer data or intellectual property. Nearly half the time the victims had viruses or other malware installed or activated on their systems during the DDoS attack.
Malware-infected Mobile Bot Attacks
We have even seen the rise of smartphone botnets over the last few years. Malware like DroidJack is easily leveraged to target mobile users via malicious 3rd party app stores that are offering popular games like Pokémon Go, but with a surprise waiting for them inside the unverified Android application package, APK. Once infected, devices can perform multiple autonomous activities including launching denial of service attacks.
Stay tuned for Part 2, coming soon.
Read the 2016–2017 Global Application & Network Security Report by Radware’s Emergency Response Team.
Louis Scialabba is Director of Carrier Solutions Marketing for Radware and is responsible for leading network security and application delivery marketing initiatives for wireless, wireline and cloud service providers. Mr. Scialabba has 21 years of experience in the communications and networking industry in a variety of roles, including Solutions Marketing, Sales, Business Development, Product Line Management, and Engineering. Prior to joining Radware, Mr. Scialabba spent much of his early career at Tellabs, where he was Director of Mobile Routing Technology Planning for the 8600, 8800, and 9200 product lines. He later became the Head of North America Marketing for Aviat Networks. Mr. Scialabba earned a Bachelor of Science degree in Computer Engineering from the University of Illinois and a Master of Business Administration degree from St. Xavier University in Chicago.