Throughout the history of mankind, whether in warfare or crime, the advantage has swung between offense and defense, with new technologies and innovative tactics displacing old doctrines and plans. For example, the defensive advantage of the Greek phalanx was eventually outmaneuvered by the Roman legion. Later, improvements in fortifications and armor led to castles and ironclad knights, until the invention of gunpowder made them obsolete. In the 20th century, fixed fortifications and trenches were rendered outdated by highly mobile armored forces. In all these examples, the common denominator is that one side’s tactical advantage spawned new ways of thinking among its opponents, eventually degrading that advantage or reversing it completely.
Enter the digital age, where lines of code and terabytes of information determine who has the tactical advantage. Of late, the pendulum has swung in favor of cyber-attacks. Rate-based technologies, once considered adequate to handle the most advanced distributed denial-of-service (DDoS) threats, have become obsolete as tech-savvy adversaries move beyond the static assumptions built into most conservative corporate security budgets and know how to overcome name-brand mitigation technologies. These ultra-adaptive hackers have given rise to the top five nastiest attack techniques in 2017.
ATTACK TYPE #1: Advanced Persistent DoS (APDoS)
Wikipedia defines APDoS as:
“…a clear and emerging threat needing specialized monitoring and incident response services and the defensive capabilities of specialized DDoS mitigation service providers. This type of attack involves massive network layer DDoS attacks through to focused application layer (HTTP) floods, followed by repeated (at varying intervals) SQLI and XSS attacks. Typically, the perpetrators can simultaneously use between 2 to 5 attack vectors involving up to several tens of millions of requests per second, often accompanied by large SYN floods that can not only attack the victim but also any service provider implementing any sort of managed DDoS mitigation capability. These attacks can persist for several weeks.”
It becomes clear that APDoS requires an array of technologies to stop the network floods, HTTP application-level DDoS and encrypted threats. Moreover, Radware is witnessing these attack techniques manifest as SMTP attacks (a relatively new vector), including against secure SMTP such as SMTP over TLS.
APDoS attacks assume many forms, but typically attackers switch tactically between several targets to create a diversion that fools mitigation tools, while eventually concentrating the main thrust of the attack on a single victim. To mitigate these threats successfully, an organization must understand the threat and make certain it has the right protections in place (e.g. high-caliber detection and mitigation). To start, characterize APDoS threats using the following classes:
- “Advanced reconnaissance (pre-attack OSINT and extensive decoyed scanning crafted to evade detection over long periods)
- Tactical execution (attack with a primary and secondary victims but focus is on primary)
- Explicit motivation (a calculated end game/goal target)
- Large computing capacity (access to substantial computer power and network bandwidth resources)
- Simultaneous multi-threaded ISO layer attacks (sophisticated tools operating at layers 3 through 7)
- Persistence over extended periods (utilizing all the above into a concerted, well managed attack across a range of targets)”
The task is daunting and real. As the next generation of DDoS threats emerges, organizations must be diligent and proactive. Companies must rise above the normal corporate culture of security controls and become obsessive about removing risks and compulsive about action. After all, these organizations may literally be holding life and death decisions in their hands – and this makes their actions rather profound and unique.
ATTACK TYPE #2: DNS Water Torture Attack
A DNS NXDOMAIN flood attack, also known as a water torture attack, targets an organization’s DNS servers. This type of attack involves a flood of maliciously crafted DNS lookup requests for names that do not exist (hence the NXDOMAIN responses), each of which the target’s authoritative name server must process and reject. Intermediate resolvers also experience delays and timeouts while waiting for the end target’s authoritative name server to respond to the requests. These requests consume network bandwidth and server resources. They can also tie up network connections, causing timeouts.
By understanding the threat, an organization can comprehend two of the largest problems in solving this attack vector:
- First: The attack traffic arrives from known, legitimate sources (the recursive resolvers) that cannot realistically be blocked while still maintaining healthy DNS resolution over the long term
- Second: The attacking source is also sending legitimate requests at the same time as the illegitimate ones.
To counter this resource-draining threat, organizations should monitor their recursive DNS servers, keeping a keen eye for anomalous behavior such as spikes in the number of unique sub-domains being queried or spikes in the number of timeouts or delayed responses from a given name server.
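The monitoring described above, as an added example that is not part of the original post: a small analyzer that runs over constructed resolver query-log lines (the log format, the zone-extraction rule and the thresholds are assumptions), flags a zone when the number of unique names queried and the share of failed answers both spike, and shows per source resolver how much legitimate traffic would be lost by simply blocking that source.

```python
import re
from collections import defaultdict

# Constructed sample resolver query log (not real traffic); assumed format is
# "<time> <source_resolver> <qname> <rcode>". The flood appears as many unique
# random labels under one zone, mostly NXDOMAIN, mixed with ordinary queries.
SAMPLE_LOG = """\
10:00:01 198.51.100.7 www.example.test NOERROR
10:00:01 198.51.100.7 a7x3q9.example.test NXDOMAIN
10:00:01 203.0.113.9 k2m8zz.example.test NXDOMAIN
10:00:02 198.51.100.7 mail.example.test NOERROR
10:00:02 203.0.113.9 qq19lm.example.test NXDOMAIN
10:00:02 198.51.100.7 p0o9i8.example.test NXDOMAIN
10:00:03 203.0.113.9 www.example.test NOERROR
10:00:03 203.0.113.9 zx7c6v.example.test NXDOMAIN
10:00:03 198.51.100.7 www.other.test NOERROR
10:00:04 198.51.100.7 b5n4m3.example.test NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
FAILED = {"NXDOMAIN", "SERVFAIL", "TIMEOUT"}  # answers that cost the target work

def zone_of(qname):
    """Assumption for this sample: the last two labels are the attacked zone."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log, max_unique=4, max_fail_ratio=0.5):
    """Per zone, count unique names and the share of failed answers; flag zones
    over both thresholds, and for each flagged zone report per source resolver
    how many queries were legitimate (why the source cannot simply be blocked)."""
    uniq = defaultdict(set)
    counts = defaultdict(lambda: {"legit": 0, "failed": 0})  # keyed by zone or (zone, src)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        _, src, qname, rcode = m.groups()
        zone = zone_of(qname)
        kind = "failed" if rcode in FAILED else "legit"
        uniq[zone].add(qname)
        counts[zone][kind] += 1
        counts[(zone, src)][kind] += 1
    flagged = {}
    for zone in uniq:
        c = counts[zone]
        ratio = c["failed"] / (c["legit"] + c["failed"])
        if len(uniq[zone]) > max_unique and ratio >= max_fail_ratio:
            sources = {k[1]: v for k, v in counts.items() if isinstance(k, tuple) and k[0] == zone}
            flagged[zone] = {"unique": len(uniq[zone]), "fail_ratio": round(ratio, 2), "sources": sources}
    return flagged
```

In production the same counters would be kept per sliding time window so that a spike, rather than an absolute count, triggers the alert.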
Any DNS attack mitigation tool must meet unique challenges. Beyond a limited set of vendors, there is no real automated solution to mitigate this threat, as the tool must contain the following attributes:
- Deep knowledge of DNS traffic behavior – The tool must understand DNS traffic and “learn” or establish baseline behaviors continuously so it can immediately identify abnormal DNS traffic. Moreover, the tool or technique must analyze every field in DNS traffic to identify abnormal packets and to create real-time signatures.
- Mitigating a high rate of DNS packets – The tool must be able to challenge large volumes of DNS queries per second and process up to 10-35 million packets per second of attack traffic (often on larger circuits), so that the attack traffic does not affect legitimate traffic.
- Mitigation accuracy – Using unique DNS challenges and accurate analysis of DNS traffic behavior, an organization must be able to distinguish between legitimate DNS traffic and attack DNS traffic to minimize false positives. This enables the service provider to continue serving its legitimate users even under severe attack.
- Best quality of experience even under attack – The point of operating a service is that its architecture must guarantee minimum latency for all processed traffic, and especially for legitimate traffic. This guarantees the best quality of experience to legitimate internet users even under attack.
ATTACK TYPE #3: Friend Turned Enemy: SSL-Based Cyber Attacks
There is a new set of challenges facing organizations leveraging encryption technologies. Cyber-attacks, including DDoS attacks and advanced web application attacks, continue to plague businesses as they continuously shift operations online. For both types of assault, those leveraging encrypted traffic as an attack vector are on the rise, further challenging current security solutions. Most mitigation technologies do not actually inspect SSL traffic, as doing so requires decrypting and re-encrypting it. Recent surveys show that between 25% and 35% of enterprise communication sent via LAN and WAN is SSL-encrypted traffic.
SSL-based attacks take many forms, including:
- Encrypted SYN Floods: These attacks are similar to standard, non-encrypted SYN flood attacks in that they seek to exhaust the resources needed to complete the SYN-ACK handshake, but they further complicate the challenge by encrypting traffic and forcing the server to expend SSL handshake resources as well.
- SSL Renegotiation: These attacks work by initiating a regular SSL handshake and then immediately requesting renegotiation of the encryption key. The tool repeats this renegotiation request until all server resources have been exhausted.
- HTTPS Floods: These attacks generate floods of encrypted HTTP traffic, often as part of multi-vector attack campaigns. Compounding the impact of “normal” HTTP floods, encrypted HTTP attacks add several other challenges, such as the burden of encryption and decryption mechanisms.
- Encrypted Web Application Attacks: Multi-vector attack campaigns also increasingly leverage non-DoS web application logic attacks. Because the traffic carrying these advanced attacks is encrypted, they often pass through both DDoS and web application protections undetected.
In the same way SSL and encryption protect the integrity of legitimate communications, they effectively obfuscate many of the attributes used to determine if traffic is malicious or legitimate. Identifying attack traffic within encrypted traffic flows is akin to finding a needle in a haystack . . . in the dark. Most cyber-attack solutions struggle mightily to identify potentially malicious traffic from encrypted traffic sources and isolate that traffic for further analysis (and potential mitigation).
The other major advantage that SSL attacks offer to attackers is the ability to put significant computing stress on network and application infrastructures they target. The process of decrypting and re-encrypting SSL traffic increases the requirements of processing the traffic, in many cases beyond the functional performance of devices used for attack mitigation. In a recent report, Gartner Research notes that less than 20% of organizations using common security technologies (firewall, IPS) are inspecting inbound or outbound encrypted traffic.
Even the most advanced mitigation technologies have gaps in their encryption-based protections. Few of these solutions can be deployed out-of-path, which is a necessity for providing protection while limiting the impact on legitimate users. Many solutions that can do some level of decryption tend to rely on rate-limiting requests, thereby dropping legitimate traffic. Finally, many solutions require the customer to share actual server certificates, which complicates implementation and certificate management and forces customers to share private keys for protection in the cloud. Here are some points to consider when evaluating DDoS protection against encrypted attacks:
- Stateless mitigation: As previously mentioned, many security technologies are stateful in nature, meaning they maintain state throughout a session. This requires additional computing resources and poses the risk of filling session tables, at which point the device will fall over. Be sure the technologies you’re depending on for encrypted attack protection are stateless in nature so they can scale to the higher demands of these attacks.
- Asymmetric deployment options: Most security technologies rely on a symmetric deployment model, meaning they are in the path for both inbound and outbound traffic. This has key benefits for some aspects of security, but in the case of encrypted attack mitigation, adds unnecessary computational strain on the solution. Look for DDoS attack prevention technologies that can support an asymmetric deployment where only ingress encrypted traffic passes through the mitigation engine.
- Certificate management: Some security technologies that claim to cover encrypted attacks do so at the expense of the operations teams that manage server certificates. Specifically, these technologies require the sharing of the actual web server certificates, meaning any change to these certificates has to be replicated in the security solution. Look for a DDoS service that can manage the inspection of encrypted traffic through use of certificates legitimately issued to the organization but not tied specifically to the web server.
- Ensuring integrity of the trust model: One of the principles behind website authentication through certificates is the confirmation to the end customer that they are engaged in a “private” communication with the intended organization. Some service providers offer SSL capabilities that break this trust model and actually initiate a secure channel between the unknowing end user and themselves. In so doing, they essentially dupe the end user into trusting them with the shared information (as well as with the service provider’s certificate management).
- Optimizing legitimate user experience: As is so often the case, IT and security professionals are left to strike a balance between having lightweight security and creating such a locked-down user experience as to chase away customers. This balancing act plays out in encrypted attack mitigation as well, where some technologies employ something of an on/off switch for decrypting all encrypted traffic when a potential attack is detected. Look for technologies that can selectively apply challenge-and-response specifically to traffic identified as suspicious, thereby maintaining user experience for legitimate users sending through encrypted traffic.
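The first and last tips above, stateless operation and challenging only suspicious traffic, as an added example that is not Radware's code: the mitigation device hands a suspicious client an HMAC-based token bound to its address and a time bucket, and later verifies it by recomputation alone, with no session table; the key handling, bucket size and token format are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions: the key lives only on the mitigation device (rotate it as policy
# dictates) and a token stays valid for the current and the previous time bucket.
KEY = secrets.token_bytes(32)
BUCKET_SECONDS = 60

def _bucket(now):
    return int((time.time() if now is None else now) // BUCKET_SECONDS)

def _mac(client_ip, bucket, key):
    msg = f"{client_ip}|{bucket}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

def issue_challenge(client_ip, now=None, key=KEY):
    """Token a suspicious client must echo back; nothing is stored for it."""
    bucket = _bucket(now)
    return f"{bucket}:{_mac(client_ip, bucket, key)}"

def verify_challenge(client_ip, token, now=None, key=KEY):
    """Recompute the MAC from the client address and the bucket carried in the
    token, so no session table is needed; the previous bucket is still accepted
    so a client challenged just before a boundary is not rejected."""
    try:
        bucket_s, mac = token.split(":", 1)
        bucket = int(bucket_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    current = _bucket(now)
    if bucket not in (current, current - 1):
        return False  # expired, or a bucket the device never issued
    return hmac.compare_digest(mac, _mac(client_ip, bucket, key))

def admit(client_ip, suspicious, token=None, now=None):
    """Selective policy: only traffic the detection engine marked suspicious is
    asked for a token; legitimate-looking traffic passes through untouched."""
    if not suspicious or verify_challenge(client_ip, token, now):
        return "pass"
    return "challenge"
```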
The fact that many organizations are seeing an increase in encrypted traffic is, in general, a good thing. It is, however, a complicating factor when it comes to encrypted cyber-attacks. The bottom line is that to provide effective protection, solutions need to deliver full attack vector coverage (including SSL), high scalability to meet the growing demands of the consumer, and innovative ways to handle management of encryption technologies (today predominantly SSL/TLS) in a manner that can be operationalized effectively and efficiently.
To learn what #4 and #5 are in this list of the top DDoS attacks and how to mitigate them, stay tuned for Part 2 of this series.
Download “When the Bots Come Marching In, a Closer Look at Evolving Threats from Botnets, Web Scraping & IoT Zombies” to learn more.
Carl is an IT security expert and responsible for Radware’s global security practice. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense. Carl writes about network security strategy, trends, and implementation.