With the growing online availability of attack tools and services, the pool of possible attacks is larger than ever. Let’s face it, getting ready for the next cyber-attack is the new normal! This ‘readiness’ is a new organizational tax on nearly every employed individual throughout the world.
Amazingly enough, attackers have reached a level of maturity and efficiency – taking advantage of the increased value and vulnerability of online targets, and resulting in a dramatic increase in attack frequency, complexity and size.
Advanced Persistent DDoS campaigns are now the norm – hackers are launching blended campaigns combining higher-volume network vectors alongside more sophisticated application vectors. The global growth of IoT devices provides a great breeding ground for hackers to enslave more and more devices, resulting in botnets of sizes never seen before.
To further complicate things, attackers are taking advantage of SSL-encrypted traffic to camouflage their attacks, making it hard to determine malicious versus legitimate traffic.
Relying on humans to block attacks is not scalable. Organizations dependent on manual-based protection are not fully protected from today’s threats.
Automation is the core of a successful attack mitigation solution. You need to make sure you have the right algorithm for faster, real-time response.
Answer: Cyberattack Mitigation Solution
The new cyber-attack landscape has given rise to the concept of an Attack Mitigation Solution (AMS) combining all the necessary protections for making organizations resilient to cyber-attacks with a single-vendor, hybrid solution and service. This notion integrates real-time WAF, SSL and DDoS protection on-premises and in the cloud. Real-world AMS solutions should be transparent, be as automated as possible and come with vendor-supported fully managed services to ensure perfection in deployment and execution.
Paradigm Shift: Darknet Access
Hacking used to require a distinct set of skills and capabilities. These days, attack services are bought and sold via marketplaces on the Clearnet and Darknet—a phenomenon that is closing the gap between skilled and amateur hackers and fueling an exponential increase in threats.
Thanks to the growing array of online marketplaces, it’s now possible to wreak havoc even if you know virtually nothing about computer programming or networks. As attack tools and services become increasingly easy to access, the pool of possible attackers—and possible targets—is larger than ever. While many hacktivists still prefer to enlist their own digital “armies,” some are discovering that it’s faster and easier to pay for DDoS-as-a-Service than to recruit members or build their own botnet. Highly skilled, financially-motivated hackers can be invaluable resources to hacktivists seeking to take down a target.
By commoditizing hacktivist activities, hacking marketplaces have also kicked off a dangerous business trend. Vendors are now researching new methods of attack and incorporating more efficient and powerful vectors into their offerings. Already some of the marketplaces offer a rating system so users can provide feedback on the tools. Ultimately, this new economic system will reach a steady state—with quality and expertise rewarded with a premium.
Tools of the Trade
Denial-of-service (DoS) attacks have come a long way since the days of LOIC and other GUI-based tools. Today, hackers are abandoning “old school” GUI and script tools and opting to pay for attacks via stresser services. They no longer need to acquire technical expertise or tools; instead, they can simply engage attack services to carry out an attack on their behalf.
Many notorious DDoS groups—including Lizard Squad, New World Hackers and PoodleCorp—have entered the DDoS-as-a-Service business, monetizing their capabilities in peacetime by renting their powerful stresser services. Groups sometimes use their tools against high-profile targets to showcase and promote their attack services. As the barrier to entry continues to drop, novice attackers can carry out larger, more sophisticated assaults. For just $19.99 a month, an attacker can run 20-minute bursts for 30 days using a number of attack vectors, such as DNS, SNMP and SSYN, and slow GET/POST application-layer DoS attacks.
Most tools offer basic TCP, UDP and HTTP attack vectors with slight variations. Some enable the attacker to customize payload options—including packet size, randomized data, threads and sockets per thread. While low and slow attacks are not prevalent in the popular 2016 toolkits, HTTP attacks are a popular vector. When an operation is underway, hackers can easily bypass mitigation solutions and overwhelm server resources with simple POST/GET floods that appear to be legitimate traffic.
New Attack Types Threaten Organizations
Preparing for “common” DDoS attacks is no longer enough. As attack tools are becoming more sophisticated and easily available, hackers are constantly evolving and finding new attack types and threats to breach existing mitigation technologies.
- IoT Botnets have earned their “right” as one of the top threats for organizations given the dramatic increase in the use of IoT devices to create powerful botnets. Most notable is the Mirai botnet, used to carry out the largest DDoS attack in history in the fall of 2016. This botnet utilized 60+ factory default credentials found on BusyBox-based IoT devices and created the most powerful botnet seen to this date. Mirai introduced new and sophisticated attack vectors including the Generic Routing Encapsulation (GRE) Flood Attack and DNS Water Torture Attack. With additional botnets uncovered in 2017, including Hajime and BrickerBot, it is clear that the impact botnets will have in cyber security has just begun.
- DNS Attacks: DNS is a critical infrastructure component for any organization. While organizations and service providers take security measures to protect the DNS infrastructure, attackers are generating more sophisticated attacks, with increased impact on the service. Sophisticated attackers take advantage of the DNS protocol behavior to generate more powerful attacks – including DNS Water Torture and DNS Recursive attacks. Mitigating these attacks requires tools that can learn and gain a deep knowledge of the DNS traffic behavior.
- Burst Attacks and Advanced Persistent Denial of Service (APDoS) Campaigns include short bursts of high-volume attacks at random intervals and attacks that can last weeks, involving multiple vectors aimed at all network layers simultaneously. These types of attacks have a tendency to cause frequent disruptions in a network server’s SLA and can prevent legitimate users from accessing services.
- SSL/Encrypted Attacks: With 10% year-over-year growth, attackers are using the SSL protocol to mask and further complicate attack traffic and malware detection in both network and application-level threats. Many security solutions use a passive engine for SSL attack protection, meaning they cannot effectively differentiate encrypted attack traffic from encrypted legitimate traffic and can only limit the rate of requests.
- Layer 7 Application Attacks: With the emergence of IoT botnets, Layer 7 attacks have reached the same prevalence as network attacks (64% of organizations). These attacks come in two varieties: application DoS attacks that target resource exhaustion by using the well-known Hypertext Transfer Protocol (HTTP), as well as attacks on HTTPS, DNS, SMTP, FTP, VoIP and other application protocols that possess exploitable weaknesses, allowing for DoS attacks. Much like attacks targeting network resources, attacks targeting application resources come in a variety of flavors, including floods and “low and slow” attacks.
- Ransom DDoS Attacks: In 2016, ransom was the number one motivation to attack organizations, accounting for 41% of all cyber-attacks that year. Ransom denial-of-service (RDoS) attacks are one form, where perpetrators send an email threatening to attack an organization—rendering its business, operations or capability unavailable—unless a ransom is paid by the deadline. These attacks have grown in number every year since 2010 and typically come in the form of a volumetric distributed denial-of-service (DDoS) attack. RDoS attacks are particularly insidious because they do not require the attacker to hack into the target’s network or applications.
- Reflection/Amplification Attacks: Reflection and amplification attacks take advantage of the disparity between request and response sizes (the amplification ratio) in certain technical protocols. For instance, the attacker could use a router as an amplifier, taking advantage of the router’s broadcast IP address feature to send messages to multiple IP addresses in which the source IP (return address) is spoofed to the target IP. At high rates, these responses have generated some of the largest volumetric DDoS attacks to date.
- Telephony DoS (TDoS) Attacks involve launching a high volume of calls against the target network, tying up the system from receiving legitimate calls. In recent years, these attacks have targeted various businesses and public entities, including the financial sector and other public emergency operations interests. In its 2016-2017 Global Application & Network Security Report, Radware predicted that TDoS attacks would rise in sophistication and importance, catching many by surprise.
- Dynamic Content and CDN-based Attacks: Organizations often use Content Delivery Network (CDN) providers to support global site and application performance. Trouble is, CDNs provide a particularly insidious cover for attacks as organizations cannot block traffic coming from the CDN’s IP addresses. Malicious actors have made an art form out of spoofing IP addresses to not only obfuscate their identity but also to possibly masquerade as seemingly legitimate users based on geolocation or positive reputational information about IP addresses they are able to compromise. Dynamic content attacks further exploit CDN-based protection by overloading origin servers with requests for non-cached content that the CDN nodes simply pass along.
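The DNS Water Torture and reflection/amplification behaviours described above are easiest to recognize as patterns in resolver logs. The following Python is an added example, not Radware’s code or tooling: it runs over a constructed log with an assumed field layout (client, qname, rcode, query bytes, response bytes) and flags zones flooded with random-subdomain NXDOMAIN queries and “clients” that receive far more bytes than they send, the signature of a spoofed reflection victim.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Fields per line:
# client_ip qname rcode query_bytes response_bytes
SAMPLE_LOG = """\
10.0.0.5 www.example.net NOERROR 40 120
192.0.2.7 k3j9x1.victim.example NXDOMAIN 48 120
192.0.2.8 q8m2z7.victim.example NXDOMAIN 48 120
192.0.2.9 a1b2c3.victim.example NXDOMAIN 48 120
192.0.2.10 p0o9i8.victim.example NXDOMAIN 48 120
198.51.100.1 isc.example NOERROR 30 3200
198.51.100.1 isc.example NOERROR 30 3200
198.51.100.1 isc.example NOERROR 30 3200
198.51.100.1 isc.example NOERROR 30 3200
"""

def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def parse(line):
    """Split one log line into (client, zone, subdomain, rcode, qbytes, rbytes)."""
    client, qname, rcode, qb, rb = line.split()
    labels = qname.lower().rstrip(".").split(".")
    # Assumption: the last two labels are the zone under attack, the rest the subdomain.
    return client, ".".join(labels[-2:]), ".".join(labels[:-2]), rcode, int(qb), int(rb)

def analyze(log, min_q=4, nx_ratio=0.8, min_entropy=2.0, amp_ratio=10.0):
    """Return zones hit by water torture and clients whose responses look reflected."""
    zones = defaultdict(lambda: {"n": 0, "nx": 0, "subs": set(), "ent": 0.0})
    clients = defaultdict(lambda: {"n": 0, "q": 0, "r": 0})
    for line in log.strip().splitlines():
        client, zone, sub, rcode, qb, rb = parse(line)
        z, c = zones[zone], clients[client]
        z["n"] += 1; z["nx"] += rcode == "NXDOMAIN"; z["subs"].add(sub)
        z["ent"] += label_entropy(sub.split(".")[0])
        c["n"] += 1; c["q"] += qb; c["r"] += rb
    # Water torture: many queries, mostly NXDOMAIN, nearly all distinct random-looking labels.
    torture = sorted(z for z, v in zones.items() if v["n"] >= min_q
                     and v["nx"] / v["n"] >= nx_ratio and len(v["subs"]) / v["n"] >= 0.8
                     and v["ent"] / v["n"] >= min_entropy)
    # Reflection: a "client" (likely a spoofed victim) receiving far more bytes than it sent.
    amplified = sorted(c for c, v in clients.items()
                       if v["n"] >= min_q and v["r"] / v["q"] >= amp_ratio)
    return {"water_torture_zones": torture, "amplification_targets": amplified}
```

The thresholds are starting points; a production detector would baseline per-zone NXDOMAIN rates and per-client byte ratios over time rather than use fixed cut-offs.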
What it Takes to Stay Protected
Integrated (Not Point) Solution to Protect from Multi-Vector Attacks
In order to fight evolving threats, organizations need to implement the most appropriate security solutions to fully protect against new threats and all types of attacks.
Attackers are deploying multi-vector attack campaigns by increasing the number of attack vectors launched in parallel. In order to target an organization’s blind spot, different attack vectors target different layers of the network and data center. If even one vector goes undetected, the attack succeeds and the result is highly destructive.
To effectively mitigate all types of DDoS attacks, multiple protection tools are needed.
- Cloud DoS protection to mitigate volumetric attacks that threaten to saturate the internet link
- DoS protection to detect and mitigate all types of network DDoS
- Behavioral Analysis to protect against application DDoS and misuse attacks. Those attacks are harder to detect and appear like legitimate traffic, so they can go unnoticed without behavioral analysis
- Intrusion Prevention System (IPS) to block known attack tools and low-and-slow attacks
- SSL protection to protect against encrypted floods
- Web Application Firewall (WAF) to prevent exploitation of web application vulnerabilities
Need for Next-Generation Algorithms and Leading Automation
Automation is at the core of a successful attack mitigation solution. To withstand the dynamic and constantly evolving threat landscape, organizations need to have the right algorithms in place to shorten the time to mitigation, overcome hacker sophistication and automatically respond to attacks.
Information security problems have been largely defined by nefarious bots usurping the controls of modest and imperfect security departments. When it comes to detection quality and mitigation speed, humans are simply unable to match highly-crafted automated bots. Malicious bots have proven effective—exacting steep tolls on careers, finances and even the existence of companies themselves.
In the end, the only successful defense is to deploy a powerful set of good ‘bots’ focused on rooting and eradicating the hordes of bad bots.
Read “2017-2018 Global Application & Network Security Report” to learn more.
Carl is an IT security expert and responsible for Radware’s global security practice. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense. Carl writes about network security strategy, trends, and implementation.