Eliminating Single Points of Failure, Part 1


The Risk DDoS Attacks Pose to Enterprises

The Role of the Firewall

A firewall is a necessary first step in protecting an enterprise network: it establishes a barrier between a trusted, secure internal network and an untrusted outside network such as the Internet. Firewalls have evolved considerably over the years, with next-generation firewalls adding application-aware filtering and intrusion detection capabilities to strengthen that first line of defense. However, DDoS is one attack vector where firewalls are commonly the point of failure. In fact, Radware’s own research shows that the firewall is the cause of downtime during DDoS attacks roughly one-third of the time. The reason is the stateful nature of these devices: they must keep track of open sessions and transactions on the network. Maintaining session state requires session tables and CPU cycles, both of which are finite and are also needed by the device’s other security features. Under attack, the session table can therefore be exhausted, causing the firewall to fail.

Myths about Using the Firewall or IPS for DDOS Protection

A common misconception is that traditional network security devices, such as a firewall or IPS, can protect against DDoS flood attacks. Network DDoS attacks trigger large numbers of new connections, and each of them consumes stateful resources on the device. In addition, a firewall cannot distinguish legitimate from malicious users during an application-layer DDoS attack. An HTTP flood, for example, can consist of millions of individually valid HTTP sessions, and these fill the firewall or IPS state table and overwhelm the device. Some may suggest that investing in a larger firewall will address this problem, but in the long term the resources available to attackers for launching high-volume attacks with large numbers of connections will always exceed the capacity of even the largest firewall.
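The session-table exhaustion described in the two paragraphs above is easy to see in a small model. The following is an added example, not code from the original post or from Radware: it treats the firewall’s session table as a finite dictionary with an idle timeout and feeds it a constructed mix of legitimate connections and spoofed-source connection attempts. All capacities, timeouts and rates are assumptions chosen for the illustration; the point it demonstrates is that the table fills whenever new-flow rate multiplied by state hold time exceeds the table size, so a ten-times-larger firewall is defeated by a ten-times-larger flood.

```python
"""Why a stateful firewall is a single point of failure under a flood.

Added example, not code from the original post or from Radware. It models
a firewall session table as a finite dict with an idle timeout and feeds it
a constructed mix of legitimate and spoofed-source connection attempts.
All rates, timeouts and capacities below are assumptions for illustration.
"""
import random
from dataclasses import dataclass


@dataclass
class FloodResult:
    legit_admitted: int
    legit_rejected: int
    attack_admitted: int
    peak_occupancy: int


def required_capacity(new_flows_per_second: float, hold_seconds: float) -> int:
    """Steady-state entries the table must hold (Little's law: rate x hold time).

    A spoofed-source SYN flood never completes the handshake, so every SYN
    pins an entry for the full half-open timeout.
    """
    return int(new_flows_per_second * hold_seconds)


def simulate(capacity: int, timeout: int, legit_rate: int, attack_rate: int,
             duration: int, seed: int = 1) -> FloodResult:
    """Run `duration` one-second ticks against a session table of `capacity`
    entries; entries idle for `timeout` seconds are reclaimed. Legitimate and
    attack flows are shuffled within each tick so neither side gets a fixed
    head start."""
    rng = random.Random(seed)
    table: dict = {}          # flow key -> tick at which the entry expires
    res = FloodResult(0, 0, 0, 0)
    legit_counter = 0

    for now in range(duration):
        # Reclaim expired entries once per tick, as the device's timer would.
        for key in [k for k, exp in table.items() if exp <= now]:
            del table[key]

        arrivals = [True] * legit_rate + [False] * attack_rate
        rng.shuffle(arrivals)
        for is_legit in arrivals:
            if is_legit:
                legit_counter += 1
                key = ("client", legit_counter)   # constructed stand-in for a real 5-tuple
            else:
                # Spoofed source address and port: every packet is a brand-new flow.
                key = ("spoof", rng.getrandbits(32), rng.randrange(1024, 65536))
            if len(table) >= capacity:
                if is_legit:
                    res.legit_rejected += 1
                continue                          # table full: the connection is dropped
            table[key] = now + timeout
            if is_legit:
                res.legit_admitted += 1
            else:
                res.attack_admitted += 1
        res.peak_occupancy = max(res.peak_occupancy, len(table))
    return res


if __name__ == "__main__":
    baseline = simulate(capacity=10_000, timeout=30, legit_rate=100, attack_rate=0, duration=60)
    flooded = simulate(capacity=10_000, timeout=30, legit_rate=100, attack_rate=1_000, duration=60)
    bigger = simulate(capacity=100_000, timeout=30, legit_rate=100, attack_rate=10_000, duration=60)
    print("no attack:               ", baseline)
    print("1,000 spoofed SYN/s:     ", flooded, "needs", required_capacity(1_100, 30), "entries")
    print("10x firewall, 10x attack:", bigger)
```

With these assumed numbers the table is full after nine seconds of flooding and every legitimate connection for the next twenty seconds is refused, even though the legitimate load alone never uses more than a third of the table. The same outcome appears with the table ten times larger once the attacker sends ten times as many packets, which is the practitioner’s version of the “buy a bigger firewall” argument in the paragraph above.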

DDoS in Review

A Denial-of-Service (DoS) attack is an attack targeting the availability of network resources and applications. Unlike other kinds of attacks, the primary goal of a DoS attack is not to infiltrate data, but to slow down or take down altogether a network device, an application and/or a website. The attackers’ motivations are diverse, ranging from simple fun (to show they can) to financial gain (to make a profit) to ideology (political hacktivism).

A DoS attack is an attempt to make an online service unavailable by overwhelming it with a high volume of traffic. It can target a wide variety of important network and application resources and presents a major challenge to users’ ability to publish and access important information.

A Distributed DoS (DDoS) attack is the most common variant of Denial-of-Service attack: an attacker or a group of attackers employs multiple machines to carry out a DoS attack simultaneously, increasing its effectiveness and strength. The “army” carrying out the attack is most often composed of unknowingly infected zombie computers, manipulated as (ro)bots and controlled as a botnet by the attacker via a remote Command and Control server. A botnet is a powerful, well-coordinated attack tool and can count millions of computers. It also preserves the anonymity of the original attacker, since the attack traffic originates from the bots’ IP addresses rather than the attacker’s. Attackers can also use spoofed source IP addresses or route attack traffic through content delivery networks, further disguising their origin.

DDoS attack illustration: A DNS flood attack


Though the general public may not think about DDoS attacks on a daily basis, cases like the following appear in the news every day:

Hacking in Education

Case Study: Augusta County Public Schools, Virginia

The Virginia school district was unable to maintain uninterrupted access to online resources for Standards of Learning (SOL) testing.

Summary: Technology coordinator Gary Bryant cites an attack in 2015 consisting of a UDP flood from a botnet, which completely swamped the school system’s inbound network pipe. The attack impacted the technology center, which is responsible for providing and maintaining just under 7,500 devices across the county’s 20 elementary, middle and high schools, as well as maintaining a Web presence for the school system. The attack threatened the school system’s ability to satisfy government standards for online testing, which require uninterrupted access to Standards of Learning (SOL) information and testing hosted by the Virginia Department of Education.

DDoS for Hire

Case Study: Fiverr Testing Stresser Services

Summary: DoS-for-hire services often refer to themselves as ‘stressers,’ services intended for people to stress test their own websites and servers. But since these stressers do not require users to prove website ownership before a so-called stress test, they have become a simple way to aim a DDoS attack at any website a user wants. According to www.informationsecuritybuzz.com, in 2015 the average cost of using a stresser was $38 per hour, and the low end of the pricing spectrum was around $19. However, it has recently become even cheaper to inflict major harm on businesses: according to the Underground Hacker Marketplace Report, using a stresser on the Russian underground costs just $5 per hour.

Open Source DDoS

DDoS attack tools can be bought inexpensively or obtained as open source software. Reportedly, one of the tools that has enabled the WikiLeaks organization is the open source Low Orbit Ion Cannon (LOIC), a network stress testing and denial-of-service attack application written in C#. WikiLeaks has been a mainstream reporting organization wreaking havoc on political figures and parties, most recently at the US Democratic Party National Convention.

More recently released into the public domain, the High Orbit Ion Cannon (HOIC) is a denial-of-service attack application written in BASIC and designed to attack as many as 256 URLs at the same time.

Decoy Attacks

According to www.esecurityplanet.com, there is a clear link between DDoS attacks and data theft: the DDoS attack is used as a decoy to mask the primary intent of stealing personal or corporate data. The report cites that 55 percent of all DDoS targets were also victims of security breaches in which attackers stole funds, customer data or intellectual property. Nearly half the time, the victims had viruses or other malware installed or activated on their systems during the DDoS attack.

Malware-infected Mobile Bot Attacks

We have even seen the rise of smartphone botnets over the last few years. Malware such as DroidJack is easily distributed to mobile users via malicious third-party app stores that offer popular games like Pokémon Go with a surprise waiting inside the unverified Android application package (APK). Once infected, devices can perform multiple autonomous activities, including launching denial-of-service attacks.

Stay tuned for Part 2, coming soon.


Read the 2016–2017 Global Application & Network Security Report by Radware’s Emergency Response Team.


Louis Scialabba

Louis Scialabba is Director of Carrier Solutions Marketing for Radware and is responsible for leading network security and application delivery marketing initiatives for global service providers. Mr. Scialabba has over 23 years of experience in the communications and networking industry in a variety of Sales, Marketing, and Engineering roles. Prior to joining Radware, Mr. Scialabba spent much of his early career at Tellabs, where he was Director of Mobile Backhaul Product Planning and Product Management. He later became the Head of North America Marketing for Aviat Networks. Mr. Scialabba earned a Bachelor of Science degree in Computer Engineering from the University of Illinois and a Master of Business Administration degree from St. Xavier University in Chicago.
