The idea of an Internet of Things (IoT) botnet is nothing new in our industry. In fact, the threat has been discussed for many years by security researchers. It has only now gained public attention due to the release and rampage of the Mirai botnet. Since Mirai broke the 1Tbps mark in late 2016 the IoT threat has become a popular topic of conversation for many industries that utilize connected devices. Not only are companies worried about if their devices are vulnerable but they are also worried if those devices can be used to launch a DDoS attack, one possibly aimed at their own network.
Distributed Denial of Service attacks, commonly called DDoS, have been around since the 1990s. Over the last few years they became increasingly commonplace and intense. Much of this change can be attributed to three factors:
1. The evolution and commercialization of the dark web
2. The explosion of connected (IoT) devices
3. The spread of cryptocurrency
This blog discusses how each of these three factors affects the availability and economics of spawning a DDoS attack and why they mean that things are going to get worse before they get better.
Evolution and Commercialization of the Dark Web
Though dark web/deep web services are not served up in Google for the casual Internet surfer, they exist and are thriving. The dark web is no longer a place created by Internet Relay Chat or other text-only forums. It is a full-fledged part of the Internet where anyone can purchase any sort of illicit substance and services. There are vendor ratings such as those for “normal” vendors, like YELP. There are support forums and staff, customer satisfaction guarantees and surveys, and service catalogues. It is a vibrant marketplace where competition abounds, vendors offer training, and reputation counts.
Those looking to attack someone with a DDoS can choose a vendor, indicate how many bots they want to purchase for an attack, specify how long they want access to them, and what country or countries they want them to reside in. The more options and the larger the pool, the more the service costs. Overall, the costs are now reasonable. If the attacker wants to own the bots used in the DDoS onslaught, according to SecureWorks, a centrally-controlled network could be purchased in 2014 for $4-12/thousand unique hosts in Asia, $100-$120 in the UK, or $140 to $190 in the USA.
Also according to SecureWorks, in late 2014 anyone could purchase a DDoS training manual for $30 USD. Users could utilize single tutorials for as low as $1 each. After training, users can rent attacks for between $3 to $5 by the hour, $60 to $90 per day, or $350 to $600 per week.
Since 2014, the prices declined by about 5% per year due to bot availability and competing firms’ pricing pressures.
The Explosion of Connected (IoT) Devices
Botnets were traditionally composed of endpoint systems (PCs, laptops, and servers) but the rush for connected homes, security systems, and other non-commercial devices created a new landing platform for attackers wishing to increase their bot volumes. These connected devices generally have low security in the first place and are habitually misconfigured by users, leaving the default access credentials open through firewalls for remote communications by smart device apps. To make it worse, once created and deployed, manufactures rarely produce any patches for the embedded OS and applications, making them ripe for compromise. A recent report distributed by Forescout Technologies identified how easy it was to compromise home IoT devices, especially security cameras. These devices contributed to the creation and proliferation of the Mirai botnet. It was wholly comprised of IoT devices across the globe. Attackers can now rent access to 100,000 IoT-based Mirai nodes for about $7,500.
With over 6.4 billion IoT devices currently connected and an expected 20 billion devices to be online by 2020, this IoT botnet business is booming.
The Spread of Cryptocurrency
To buy a service, there must be a means of payment. In the underground no one trusts credit cards. PayPal was an okay option, but it left a significant audit trail for authorities. The rise of cryptocurrency such as Bitcoin provides an accessible means of payment without a centralized documentation authority that law enforcement could use to track the sellers and buyers. This is perfect for the underground market. So long as cryptocurrency holds its value, the dark web economy has a transactional basis to thrive.
DDoS is very disruptive and relatively inexpensive. The attack on security journalist Brian Krebs’s blog site in September of 2016 severely impacted his anti-DDoS service providers’ resources. The attack lasted for about 24 hours, reaching a record bandwidth of 620Gbps. This was delivered entirely by a Mirai IoT botnet. In this particular case, it is believed that the original botnet was created and controlled by a single individual so the only cost to deliver it was time. The cost to Krebs was just a day of being offline.
Krebs is not the only one to suffer from DDoS. In attacks against Internet reliant companies like Dyn, which caused the unavailability of Twitter, the Guardian, Netflix, Reddit, CNN, Etsy, Github, Spotify, and many others, the cost is much higher. Losses can reach multi- millions of dollars. This means a site that costs several thousands of dollars to set up and maintain and generates millions of dollars in revenue can be taken offline for a few hundred dollars, making it a highly cost-effective attack. With low cost, high availability, and a resilient control infrastructure, it is sure that DDoS is not going to fade away, and some groups like Deloitte believe that attacks in excess of 1Tbps will emerge in 2017. They also believe the volume of attacks will reach as high as 10 million in the course of the year. Companies relying on their web presence for revenue need to strongly consider their DDoS strategy to understand how they are going to defend themselves to stay afloat.
Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.
Today, many organizations are now realizing that DDoS defense is critical to maintaining an exceptional customer experience. Why? Because nothing diminishes load times or impacts the end users’ experience more than a cyber-attack, which is the silent killer of application performance.
As high-availability and high performance distributors of content to end-users, CDNs can serve as a lynchpin in the customer experience. Yet new vulnerabilities in CDN networks have left many wondering if the CDNs themselves are vulnerable to a wide variety of cyber-attacks, such as forward loop assaults.
So what types of attacks are CDNs vulnerable too? Here are top 5 cyber threats that threaten CDNs so you can safeguard against them.
Blind Spot #1: Dynamic Content Attacks
Attackers have learned that a significant blind spot in CDN services are the treatment of dynamic content requests. Since the dynamic content is not stored on CDN servers, all the requests for dynamic content are sent to the origin’s servers. Attackers are taking advantage of this behavior and they generate attack traffic that contains random parameters in the HTTP GET requests. CDN servers immediately redirect this attack traffic to the origin, expecting the origin’s server to handle the requests. But, in many cases, the origin’s servers do not have the capacity to handle all those attack requests and they fail to provide online services to legitimate users, creating a denial-of-service situation.
Many CDNs have the ability to limit the number of dynamic requests to the server under attack. This means that they cannot distinguish attackers from legitimate users and the rate limit will result in legitimate users being blocked.
Blind Spot #2: SSL-based attacks
SSL-based DDoS attacks target the secured online services of the victim. These attacks are easy to launch and difficult to mitigate, making them attackers’ favorites. In order to detect and mitigate DDoS SSL attacks, CDN servers must first decrypt the traffic using the customer’s SSL keys. If the customer is not willing to provide the SSL keys to its CDN provider, then the SSL attack traffic is redirected to the customer’s origin, leaving the customer vulnerable to SSL attacks. SSL attacks that hit the customer’s origin can easily take down the secured online service.
During DDoS attacks when WAF technologies are involved, CDN networks also have a significant weakness in terms of the number of SSL connections per second from a scalability capability, and serious latency issues can arise.
PCI and other security compliance issues are also a problem as sometimes this limits the data centers that are able to be used to service the customer, as not all CDN providers are PCI compliant across all datacenters. This can again increase latency and cause audit issues.
Blind Spot #3: Attacks on non-CDN services
CDN services are often offered only for HTTP/S and DNS applications. Other online services and applications in the customer’s data center such as VoIP, mail, FTP and proprietary protocols are not served by the CDN and therefore traffic to those applications is not routed through the CDN. In addition, many web-based applications are also not served by CDNs. Attackers are taking advantage of this blind spot and launch attacks on applications that are not routed through the CDN, hitting the customer origin with largescale attacks that threaten to saturate the Internet pipe of the customer. Once the Internet pipe is saturated, all the applications at the customer’s origin become unavailable to legitimate users, including the ones that are served by the CDN.
Blind Spot #4: Direct IP Attacks
Even applications that are serviced by a CDN can be attacked once the attackers launch a direct attack on the IP address of the web servers at the customer origin. These can be network based floods such as UDP floods or ICMP floods that will not be routed through CDN services, and will directly hit the servers of the customer at the origin. Such volumetric network attacks can saturate the internet pipe, resulting in taking down all the applications and the online services of the origin, including the ones that are served by the CDN. Often misconfiguration of “shielding” the data center can leave the applications directly vulnerable to attack.
Blind Spot #5: Web Application Attacks
CDN protection for web applications threats is limited and exposes the web applications of the customer to data leakage, data thefts and other threats that are common with web applications. Most CDN-based web application firewall capabilities are minimal, covering only a basic set of predefined signatures and rules. Many of the CDN-based WAFs do not learn HTTP parameters, do not create positive security rules and therefore it cannot protect from zero day attacks and known threats. For the companies that DO provide tuning for the web applications in their WAF, the cost is extremely high to get this level of protection.
In addition to the significant blind spots identified earlier, most CDN security services are not responsive enough, resulting in security configurations that take hours to manually deploy and to spread across all its network servers. The security services are using outdated technology such as rate limit that was proven to be inefficient during the last attack campaigns, and it lacks capabilities such as network behavioral analysis, challenge – response mechanisms and more.
Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.
The Ring of Fire map from Radware tracks vertical markets based on the likelihood that organizations in these sectors will experience an attack.
Among the reasons to marry DDoS & WAF together, beyond a single pane of glass, beyond single vendor and quick technical response, and higher quality detection and mitigation – it makes sound business sense. Today, a good number of companies have developed the understanding that DDoS defense is critical to maintaining an exceptional customer experience (CX). Because of the extremely competitive nature of business these days, we are seeing more companies make the investments into digital transformation and customer experience. According to Gartner, customer experience is the new king.
The Australian Prime Minister, Malcolm Turnbull, recently warned that all Australians should be concerned about the threat of a cyber-attack. Mr Turnbull described cyber warfare as the new frontier, with families, governments and businesses equally at risk.
From a public perspective, there is a greater expectation placed on the government to ensure that the networks used by their citizens (to provide sensitive information) are secure and protected from cyber-attacks. Similarly, national security remains a critical requirement for governments.
The Prime Minister is right to declare cyber warfare as the new frontier; especially for governments.
Key Takeaways from Cisco Live Berlin 2017
Digital Transformation is the Core of Every Business
2016-2017 introduced the era of Digital Transformation. Digital transformation is the change associated with the application of digital technology in all aspects of human society. Digital transformation inherently enables new types of innovation and creativity to increase business competency rather than simply going paperless.
Ruba Borno PhD, Vice President Cisco Growth Initiatives, shared Cisco’s vision that the only future-proofed solution for digital transformation is a next-generation secure network. Security is no longer static, and securing all the organization’s access points is no simple task. IoT, mobile work force, cloud applications and increased sophistication of attackers and attack methods require better preparation. Organizations need to fundamentally change how they build, manage and secure networks.
Digital transformation was the apparent theme across this year’s Cisco Live Berlin. With security becoming the key enabler for any organization IT investment, this paper covers the key trends in securing the digital transformation, along with new solutions announcements covered at Cisco Live Berlin 2017.
Attackers Are Relentless; Defenders Are Tired
Attackers have infinite time to plan their next attack: choose a victim, gather intelligence, select the right attack tools, test them, coordinate an attack and then launch the attack at their convenience. There are plenty of attack tools available at the Clearnet and the Darknet, and there are plenty of opportunities to strike again and again – till success.
Defenders, on the other hand, have to overcome every attack attempt. They do not have a second chance. They have limited budget, their job is at stake, and they need to keep up with education, training, selecting the right solutions and maintaining an effective security posture.
This is where the difference between detection and protection becomes critical. To protect against attacks you need first to detect that you are under attack. Security solutions often focus on shortening the time to detect. Yet, they also need to shorten the time to protect – this is where automation becomes important. Solutions that automate more stages of the attack lifecycle will be more successful in dealing with the more dynamic, automated attacks organizations experience today.
Ransomware Becomes a Major Threat
I urge you to watch ransomware – an anatomy of an attack. This video, played at multiple Cisco Live sessions, provides an insight to an attacker’s daily work. It is about the details. The attacker does not need to develop any tool or software. They only need to select the right tools from an endless variety and use them smartly.
DDoS attacks have also joined the mix of ransom attacks by slowing down organization operations and even completely shutting down their online presence.
What can you do against ransomware? Although widely discussed during multiple sessions at Cisco Live Berlin 2017, I have not seen a solution that is truly designed to address this threat. Cisco speakers discussed a multi-layered security approach where they highlighted some capabilities in their solutions that can help improve a business security posture against the ransom threat.
What can you do to fight this threat? As always, prevention is the key. And prevention is about education, education and again – education. Attackers lure employees to open unsolicited mails, download software updates and harness multiple social engineering techniques. You need to be more suspicious and ask yourself if this is a safe operation beforehand.
DDoS Attacks Are On the Rise
We know how to protect endpoints – desktops, laptops and other mobile devices. We know how to protect our enterprise network. We use firewalls, intrusion prevention systems, anti-virus, anti-malware and other perimeter network security solutions.
What we do not know is how to protect infrastructure against DDoS attacks. Data centers, service providers and cloud providers are all vulnerable to network flood attacks. The recent Dyn attack and the celebrity Mirai botnet are clear reminders that we need to get ready.
IoT is a real threat. We are adding 1 million devices per hour to the internet and the majority of them are directly accessible with no or limited security measures. A 1 terabit-per-second DDoS attack is expected this year 2017.
We need to think differently. DDoS attacks are not a problem of specific organizations. It is a problem of the community. Attack mitigation should start at the service providers’ network and leverage to the enterprise data center. It should be more simple and manageable.
Effective Security: Keep It Simple
Digitization has created unprecedented growth opportunities. With more than 50 billion connected devices estimated by 2020 (According to Cisco), business leaders are questioning how new digital trends will impact their business — but so are the active adversaries seeking to profit from well-organized cybercrime operations. As the attack surface continues to expand, so has the need for a more effective approach to security.
According to Cisco, a typical organization deploys some 50 different security devices and solutions in their network and data centers. Every new solution contributes an incremental level of security; however, it increases network complexity exponentially. The challenge of effective security is not what to secure, but how to manage it?
The answer is keeping it simple. Security that is integrated, automated and simple to manage will be foundational to the success of digital businesses as they work to deliver protection from the network to the mobile user and the cloud — wherever employees work and data resides.
Did I mention automation? David Ulevitch, VP Cisco Security Business Group, discussed automation. His view is that the only way to win the cyber war is through automation: let the machines run the machines.
This is the path to effective security. It’s a continuous process, not a one-time effort.
Cloud Is the Secret Weapon
The secret weapon in our security toolbox is the cloud. Why? Here are few arguments:
a) Cloud offers elastic and unlimited resources. You can use compute and storage for data collection and analytics to look at user behavior. This helps you make the right security decision per user, per transaction or per location.
b) Cloud offers the ideal management and control for all enterprise applications – on premises and in the cloud.
Look for cloud as an integrated solution. If the vendor offers you APIs – move on. You do not have the time or the resources to use APIs.
ACI at New Heights
I recall John Chamber’s keynote from Cisco Live 2015, where he admitted that Cisco was late in identifying the SDN (Software-Defined Network) market. John promised that Cisco was going to fix that. Indeed Cisco introduced its flavor for software-defined networking called Application Centric Infrastructure (ACI). ACI is Cisco’s foundation for the Software Defined Data Center (SDDC) initiative.
At the event, Cisco announced that it further expands ACI – turning it from a pure data center solution to a multi-site solution. Cisco introduced multiple data-center automation tools, further empowered its ACI ecosystem with more than 65 technology partners and launched a new ACI marketplace so users can share their ACI applications and blueprints.
Why Cisco leaders believe that ACI will win the SDDC market? Because it is application-centric and introduces operational simplicity. Did I mention automation?
Read the 2016–2017 Global Application & Network Security Report by Radware’s Emergency Response Team.
Radware’s Pascal Geenens walks us through 10 questions regarding the cyber security threat landscape, trends in the Darknet, motivations for attacks, and much more.
Top Attack Trends in 2016
1. First and foremost, we’ve seen our network—and the networks we monitor and protect—experience a tenfold increase in the volume of DDoS attacks. In August 2015, we had a little over 5,000 attacks. In July 2016, it was 55,000 attacks that we could identify. Last year, 70% to 80% of attacks were less than a minute—mostly “white noise” events (a.k.a. “hit-and-run DDoS” or “burst attacks”). This year, we’ve seen attacks falling into the one- to five-minute duration, causing random business disruptions.
DDoS attacks can be costly and risky. TierPoint is witnessing a growing trend of using such attacks as the means to another, potentially more devastating, end: stealing sensitive data. Call this new breed of attack the “DDDoS”—deceptive distributed denial-of-service. For two recent examples, look to attacks on Carphone Warehouse and Linode. By bombarding Carphone Warehouse with online traffic, hackers were able to steal the personal and banking details of 2.4 million people. Similarly, cloud provider Linode suffered more than 30 DDoS attacks which appeared to be a ruse to divert attention away from a breach of user accounts.