The idea of an Internet of Things (IoT) botnet is nothing new in our industry. In fact, the threat has been discussed for many years by security researchers. It has only now gained public attention due to the release and rampage of the Mirai botnet. Since Mirai broke the 1Tbps mark in late 2016, the IoT threat has become a popular topic of conversation for many industries that rely on connected devices. Companies are worried not only about whether their devices are vulnerable, but also about whether those devices can be used to launch a DDoS attack, possibly one aimed at their own network.
Distributed Denial of Service attacks, commonly called DDoS, have been around since the 1990s. Over the last few years they have become increasingly commonplace and intense. Much of this change can be attributed to three factors:
1. The evolution and commercialization of the dark web
2. The explosion of connected (IoT) devices
3. The spread of cryptocurrency
This blog discusses how each of these three factors affects the availability and economics of spawning a DDoS attack and why they mean that things are going to get worse before they get better.
Evolution and Commercialization of the Dark Web
Though dark web/deep web services are not served up in Google for the casual Internet surfer, they exist and are thriving. The dark web is no longer a place built on Internet Relay Chat or other text-only forums. It is a full-fledged part of the Internet where anyone can purchase any sort of illicit substances and services. There are vendor ratings, like the Yelp ratings for “normal” vendors. There are support forums and staff, customer satisfaction guarantees and surveys, and service catalogues. It is a vibrant marketplace where competition abounds, vendors offer training, and reputation counts.
Those looking to attack someone with a DDoS can choose a vendor, indicate how many bots they want to purchase for an attack, specify how long they want access to them, and choose which country or countries the bots should reside in. The more options and the larger the pool, the more the service costs. Overall, the costs are now reasonable. If the attacker wants to own the bots used in the DDoS onslaught, then according to SecureWorks a centrally-controlled network could be purchased in 2014 for $4-$12 per thousand unique hosts in Asia, $100-$120 in the UK, or $140-$190 in the USA.
Also according to SecureWorks, in late 2014 anyone could purchase a DDoS training manual for $30 USD. Users could buy single tutorials for as little as $1 each. After training, users can rent attacks for $3 to $5 per hour, $60 to $90 per day, or $350 to $600 per week.
Since 2014, prices have declined by about 5% per year due to bot availability and pricing pressure from competing firms.
The Explosion of Connected (IoT) Devices
Botnets were traditionally composed of endpoint systems (PCs, laptops, and servers), but the rush for connected homes, security systems, and other non-commercial devices created a new landing platform for attackers wishing to increase their bot volumes. These connected devices generally have low security in the first place and are habitually misconfigured by users, leaving the default access credentials exposed through firewalls for remote communication by smart device apps. To make it worse, once a device is built and deployed, manufacturers rarely produce any patches for the embedded OS and applications, making them ripe for compromise. A recent report distributed by Forescout Technologies identified how easy it was to compromise home IoT devices, especially security cameras. These devices contributed to the creation and proliferation of the Mirai botnet, which was composed entirely of IoT devices across the globe. Attackers can now rent access to 100,000 IoT-based Mirai nodes for about $7,500.
With over 6.4 billion IoT devices currently connected and an expected 20 billion devices to be online by 2020, this IoT botnet business is booming.
The Spread of Cryptocurrency
To buy a service, there must be a means of payment. In the underground no one trusts credit cards. PayPal was an okay option, but it left a significant audit trail for authorities. The rise of cryptocurrency such as Bitcoin provides an accessible means of payment without a centralized documentation authority that law enforcement could use to track the sellers and buyers. This is perfect for the underground market. So long as cryptocurrency holds its value, the dark web economy has a transactional basis to thrive.
DDoS is very disruptive and relatively inexpensive. The attack on security journalist Brian Krebs’s blog site in September of 2016 severely impacted his anti-DDoS service providers’ resources. The attack lasted for about 24 hours, reaching a record bandwidth of 620Gbps. This was delivered entirely by a Mirai IoT botnet. In this particular case, it is believed that the original botnet was created and controlled by a single individual so the only cost to deliver it was time. The cost to Krebs was just a day of being offline.
Krebs is not the only one to suffer from DDoS. In attacks against Internet-reliant companies like Dyn, which caused the unavailability of Twitter, the Guardian, Netflix, Reddit, CNN, Etsy, Github, Spotify, and many others, the cost is much higher. Losses can reach multi-millions of dollars. This means a site that costs several thousand dollars to set up and maintain and generates millions of dollars in revenue can be taken offline for a few hundred dollars, making it a highly cost-effective attack. With low cost, high availability, and a resilient control infrastructure, DDoS is certainly not going to fade away, and some groups like Deloitte believe that attacks in excess of 1Tbps will emerge in 2017. They also believe the volume of attacks will reach as high as 10 million in the course of the year. Companies relying on their web presence for revenue need to think hard about their DDoS strategy and understand how they are going to defend themselves to stay afloat.
Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.
Many organizations now realize that DDoS defense is critical to maintaining an exceptional customer experience. Why? Because nothing hurts load times or the end users’ experience more than a cyber-attack, the silent killer of application performance.
As high-availability, high-performance distributors of content to end users, CDNs can serve as a linchpin of the customer experience. Yet new vulnerabilities in CDN networks have left many wondering whether the CDNs themselves are vulnerable to a wide variety of cyber-attacks, such as forwarding-loop attacks.
So what types of attacks are CDNs vulnerable to? Here are the top five cyber threats to CDNs, so you can safeguard against them.
Blind Spot #1: Dynamic Content Attacks
Attackers have learned that a significant blind spot in CDN services is the treatment of dynamic content requests. Since dynamic content is not stored on CDN servers, all requests for dynamic content are sent to the origin’s servers. Attackers take advantage of this behavior by generating attack traffic that contains random parameters in the HTTP GET requests. CDN servers immediately forward this attack traffic to the origin, expecting the origin’s servers to handle the requests. But in many cases the origin’s servers do not have the capacity to handle all those attack requests, and they fail to provide online services to legitimate users, creating a denial-of-service situation.
Many CDNs can limit the number of dynamic requests forwarded to a server under attack, but a plain rate limit cannot distinguish attackers from legitimate users, so it ends up blocking legitimate users as well.
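One signal that does separate the two populations is how often a client's dynamic requests carry a query string the origin has never seen before: a legitimate visitor repeats and paginates, a cache-busting flood never repeats. The following detector is an added example, not code from the original post or from any CDN product; it runs over constructed combined-format access-log lines and the thresholds (`min_requests`, `ratio`) are assumed starting points to tune per path.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined format, not real traffic). 203.0.113.7
# adds a random "x" parameter to every request so nothing is cacheable; 198.51.100.4 is normal.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2017:10:00:01 +0000] "GET /search?q=shoes&x=8f3a1c HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2017:10:00:01 +0000] "GET /search?q=shoes&x=0b7e29 HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2017:10:00:01 +0000] "GET /search?q=shoes&x=c41d90 HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2017:10:00:02 +0000] "GET /search?q=shoes&x=77ab02 HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2017:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2017:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 4096
198.51.100.4 - - [10/Mar/2017:10:00:05 +0000] "GET /search?q=shoes&page=2 HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2017:10:00:09 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2017:10:00:12 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

def dynamic_requests(lines):
    """Yield (client_ip, path, query) for requests carrying a query string;
    requests without one are cacheable at the CDN and are ignored here."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            parts = urlsplit(m.group("target"))
            if parts.query:
                yield m.group("ip"), parts.path, parts.query

def score_clients(lines):
    """Per client IP: (dynamic request count, distinct-query ratio). A ratio near 1.0
    means nearly every request carried a never-before-seen query string, which is the
    signature of a cache-busting flood that the CDN passes straight to the origin."""
    seen, total = defaultdict(set), defaultdict(int)
    for ip, path, query in dynamic_requests(lines):
        total[ip] += 1
        seen[ip].add((path, query))
    return {ip: (total[ip], len(seen[ip]) / total[ip]) for ip in total}

def suspicious_clients(lines, min_requests=4, ratio=0.9):
    """Client IPs with at least min_requests dynamic requests and a distinct-query
    ratio at or above the threshold; the floor keeps one-off visitors out of the list."""
    return sorted(ip for ip, (n, r) in score_clients(lines).items()
                  if n >= min_requests and r >= ratio)

if __name__ == "__main__":
    for ip, (n, r) in score_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} dynamic requests, distinct-query ratio {r:.2f}")
    print("suspicious:", suspicious_clients(SAMPLE_LOG.splitlines()))
```

A genuinely high-cardinality endpoint (free-text search with many distinct terms) will score high for everyone, so the ratio is best computed per path with a per-path threshold rather than globally.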
Blind Spot #2: SSL-based attacks
SSL-based DDoS attacks target the secured online services of the victim. These attacks are easy to launch and difficult to mitigate, making them attackers’ favorites. In order to detect and mitigate DDoS SSL attacks, CDN servers must first decrypt the traffic using the customer’s SSL keys. If the customer is not willing to provide the SSL keys to its CDN provider, then the SSL attack traffic is redirected to the customer’s origin, leaving the customer vulnerable to SSL attacks. SSL attacks that hit the customer’s origin can easily take down the secured online service.
When WAF inspection is involved during a DDoS attack, CDN networks also have a significant scalability weakness in the number of SSL connections per second they can handle, and serious latency issues can arise.
PCI and other security compliance requirements are also a problem, as they sometimes limit which data centers can be used to serve the customer: not all CDN providers are PCI compliant across all of their data centers. This can again increase latency and cause audit issues.
Blind Spot #3: Attacks on non-CDN services
CDN services are often offered only for HTTP/S and DNS applications. Other online services and applications in the customer’s data center, such as VoIP, mail, FTP and proprietary protocols, are not served by the CDN, and therefore traffic to those applications is not routed through it. In addition, many web-based applications are also not served by CDNs. Attackers take advantage of this blind spot by launching attacks on applications that are not routed through the CDN, hitting the customer origin with large-scale attacks that threaten to saturate the customer’s Internet pipe. Once the Internet pipe is saturated, all the applications at the customer’s origin become unavailable to legitimate users, including the ones that are served by the CDN.
Blind Spot #4: Direct IP Attacks
Even applications that are served by a CDN can be attacked once attackers launch a direct attack on the IP address of the web servers at the customer origin. These can be network-based floods such as UDP floods or ICMP floods that are not routed through CDN services and hit the customer’s servers at the origin directly. Such volumetric network attacks can saturate the Internet pipe, taking down all the applications and online services of the origin, including the ones served by the CDN. Misconfigured “shielding” of the data center often leaves the applications directly exposed to attack.
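The “shielding” misconfiguration above is usually an origin firewall or security group that admits web traffic from anywhere instead of only from the CDN's address space. The audit below is an added example, not code from the original post or from any CDN or firewall product; the CDN ranges and rule list are constructed (IPv4 only, with IPv6 handled as a separate pass), and the rule tuple shape `(source CIDR, port, action)` is an assumed simplification of whatever the real firewall exports.

```python
import ipaddress

# Constructed sample data. In practice the CDN ranges come from the provider's
# published list and the rules from the origin firewall or cloud security group.
CDN_RANGES = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/25", "198.51.100.128/25"]

# Inbound rules at the origin: (source CIDR, destination port, action).
ORIGIN_RULES = [
    ("192.0.2.0/25", 443, "allow"),      # admits only the first CDN range
    ("198.51.100.0/24", 443, "allow"),   # union of two CDN ranges, still fully CDN
    ("0.0.0.0/0", 443, "allow"),         # the shielding mistake: web origin open to the world
    ("203.0.113.0/24", 22, "allow"),     # admin access, not a web port, so out of scope
]

def covered(net, nets):
    """True if net lies entirely inside one of nets (same IP version only)."""
    return any(net.version == n.version and net.subnet_of(n) for n in nets)

def audit_shielding(rules, cdn_ranges, web_ports=(80, 443)):
    """Return (exposed, missing). exposed: allow rules on web ports whose source is
    not wholly inside the CDN's address space, i.e. paths for direct-to-IP traffic.
    missing: CDN ranges that no remaining (non-exposed) rule admits, which would
    break legitimate CDN fetches if the exposed rules were simply deleted."""
    cdn = [ipaddress.ip_network(c) for c in cdn_ranges]
    cdn_union = list(ipaddress.collapse_addresses(cdn))   # merges adjacent ranges
    exposed, safe = [], []
    for src, port, action in rules:
        if action != "allow" or port not in web_ports:
            continue
        net = ipaddress.ip_network(src, strict=False)
        if covered(net, cdn_union):
            safe.append(net)
        else:
            exposed.append((src, port))
    missing = [str(c) for c in cdn if not covered(c, safe)]
    return exposed, missing

if __name__ == "__main__":
    exposed, missing = audit_shielding(ORIGIN_RULES, CDN_RANGES)
    print("rules that expose the origin to direct traffic:", exposed)
    print("CDN ranges no safe rule admits:", missing)
```

Closing the exposed rule stops direct-to-IP web floods from reaching the servers, but a volumetric flood dropped at the origin firewall has already crossed the Internet pipe, so shielding complements upstream scrubbing rather than replacing it.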
Blind Spot #5: Web Application Attacks
CDN protection against web application threats is limited and exposes the customer’s web applications to data leakage, data theft and other threats that are common to web applications. Most CDN-based web application firewall capabilities are minimal, covering only a basic set of predefined signatures and rules. Many CDN-based WAFs do not learn HTTP parameters and do not create positive security rules, and therefore cannot protect against zero-day attacks or known threats. For the companies that do provide tuning for web applications in their WAF, the cost of this level of protection is extremely high.
In addition to the significant blind spots identified above, most CDN security services are not responsive enough: security configurations take hours to deploy manually and to propagate across all of the network’s servers. The security services rely on outdated technology such as rate limiting, which proved ineffective during the latest attack campaigns, and they lack capabilities such as network behavioral analysis, challenge-response mechanisms and more.
Beyond a single pane of glass, a single vendor with quick technical response, and higher-quality detection and mitigation, there is another reason to marry DDoS and WAF protection: it makes sound business sense. Today, a good number of companies have come to understand that DDoS defense is critical to maintaining an exceptional customer experience (CX). Because of the extremely competitive nature of business these days, we are seeing more companies invest in digital transformation and customer experience. According to Gartner, customer experience is the new king.
Radware’s Pascal Geenens walks us through 10 questions regarding the cyber security threat landscape, trends in the Darknet, motivations for attacks, and much more.
DDoS attacks can be costly and risky. TierPoint is witnessing a growing trend of using such attacks as the means to another, potentially more devastating, end: stealing sensitive data. Call this new breed of attack the “DDDoS”—deceptive distributed denial-of-service. For two recent examples, look to attacks on Carphone Warehouse and Linode. By bombarding Carphone Warehouse with online traffic, hackers were able to steal the personal and banking details of 2.4 million people. Similarly, cloud provider Linode suffered more than 30 DDoS attacks which appeared to be a ruse to divert attention away from a breach of user accounts.
Data is the currency of today’s digital economy, the oil of the 21st century. Personal data is considered an economic asset generated by our identities and our behavior, and we trade it for higher-quality services and products. Online platforms act as intermediaries in a two-sided market, collecting data from consumers and selling advertising slots to companies. In exchange for our data being collected, we get what appears to be a free service.
The growth and market capitalization of social platform providers like Facebook and search engines such as Google demonstrate the value of personal data. Personal data also provides new ways to monetize services: news organizations find it difficult to charge ‘real’ money for digital news, but they leverage our willingness to pay for a selection of ‘free’ news with our personal data. Three out of four people prefer free registration with selective access over paid registration with full access.
As evidenced by the massive DDoS (distributed denial of service) attack in October that affected Netflix, Twitter and others, even large Internet-based companies are vulnerable to cyber-crime on a large scale. The Mirai botnet, whose source code is now available online, is credited with powering what’s been called the largest volumetric DDoS attack of its kind in history.
Mirai is the open-source DDoS toolkit that spread the self-propagating malware responsible for overwhelming large servers across at least two continents. The malware simply exploited known vulnerabilities in the aging DNS (Domain Name System) technology that underpins the Internet’s equivalent of a phone book.
2016: What a year! Internet of Things (IoT) threats became a reality and, somewhat paradoxically, spawned the first 1Tbps DDoS—the largest DDoS attack in history. Radware predicted these and other 2016 events in the 2015–2016 Global Application and Network Security Report. Since initiating this annual report, we have built a solid track record of successfully forecasting how the threat landscape will evolve. While some variables stay the course, the industry moves incredibly quickly, and it takes just one small catalyst to spark a new direction that nobody could have predicted.
Let’s take a look back at how our predictions fared in 2016—and then explore what Radware sees on the horizon for 2017.
Mirai has been popping on and off the news and is becoming a commodity resource for large-scale DDoS attacks. Although most of the security community has been debating and warning about the IoT threat, there is only evidence for a very specific class of devices being involved in the Mirai attacks. Once the source code became known and security researchers started to investigate the victimized devices, it was clear that a common class of devices stood out in the list compiled by Krebs: IP cameras, DVRs and a handful of routers. What made them better candidates than your smart toaster or your cloud-connected thermostat? The fact that routers are on the list should not be surprising: those devices are by definition connected to the Internet and are clearly #1 on the pwning list, which was proven again recently when 900,000 routers from DT were taken offline for service as a result of what is believed to be an adapted version of Mirai using a remote code execution (RCE) vulnerability through the TR-069 CPE WAN management protocol.