Is your Security Game Strong Enough?

Samrah Khan, Instart Logic and Kameerath Kareem, Catchpoint
5/30/17

DDoS Attack

Global internet usage has reached nearly 50% of the world's population. Network connectivity is no longer limited by geographic or economic boundaries. Users connect from desktops, laptops, and mobile devices over wired and wireless networks. Service providers invest in data centers to expand their geographical reach and to maintain high availability. This has resulted in highly complex systems due to increased infrastructure, labor, and cost, making them an easy target for cyber-attacks that aim to compromise servers and expose sensitive data.

The frequency of DDoS  (Distributed Denial of Service) attacks has increased alarmingly over the last few years. 2016 witnessed several high-profile data breaches and DDoS attacks that crippled major websites, including the 620 Gps Brian Krebs attack and the DYN IoT attack that took down Etsy, Github, Spotify and Twitter for several hours. Verisign’s Q4 2016 DDoS trends report states that more than 50% of their customers who had experienced DDoS attacks had been targeted multiple times in the same quarter. Such attacks overwhelm server resources and impact website availability, and servers are rendered incapable of handling traffic due to  the huge influx of requests.

What is a DDoS Attack?

A Distributed Denial of Service, commonly called a DDoS attack, is usually carried out by bombarding a server with large amounts of traffic from various locations. Web servers are overwhelmed trying to manage the incoming requests, the server slows down and performance degrades, blocking legitimate users from accessing the service. DDoS attacks have grown in complexity and size, making them difficult to predict and prevent.

We can group DDoS attacks into three categories:

  • Volumetric attacks: In this type of attack, a large amount of bandwidth is directed at the targeted server. The amount of traffic the target receives is enough to overwhelm the server and completely saturate its bandwidth, rendering its applications and websites inaccessible. Volumetric attacks include TCP floods, UDP floods, and NTP/DNS amplification.
  • Protocol attacks: This type of attack focuses on web servers, firewalls or load balancers and aims to consume maximum server resources and exhaust the server’s capacity to establish new connections. This leaves the targeted server inaccessible. Examples of such attacks include Ping of Death and SYN floods.
  • Application attacks: This type of attack targets the application layer – Layer 7 of the OSI protocol. The attack is initiated by establishing a connection with the targeted server and latching on to all its resources and processes. Such attacks are sophisticated and are difficult to isolate. Examples include injection vulnerabilities, buffer overflows and bot scraping attacks.

DDoS attackers may use a combination of these attack types to inflict maximum damage. Such attacks are termed multi-vector attacks. Examples include DNS server attacks and HTTP floods.

The figure below illustrates how the size of DDoS attacks has grown over the years.

The size of DDoS attacks - DDoS Trends Report

Evolution of DDoS attacks

DDoS attacks are one of the oldest internet security threats, and they have evolved with technology and grown more sophisticated. It is essential that security measures adapt to provide a higher level of protection. The following points illustrate how DDoS attacks have grown into a major threat to internet security:

  • DDoS attackers have adapted to the changing technology landscape. The use of botnets, which are computer networks infected with malware and controlled without the owners' knowledge, have evolved from desktop botnets, progressing to server botnets and, recently, IoT (Internet of Things) The widespread use of IoT devices has given attackers the perfect environment to deploy malicious bots which can easily compromise vulnerable devices.
  • DDoS attacks that target the application layer are a relatively new phenomenon. Such attacks can go undetected, as the targeted server doesn’t generate a suspicious amount of traffic. These types of attacks are among the most complex and damaging as they target the application and server with the goal of exhausting it by monopolizing processes and transactions.
  • Attackers are also using DDoS as a smokescreen for other more serious cyber-attacks, diverting the focus of website administrators from other threats being carried out simultaneously. This strategy can be even more damaging — for example, sensitive data could be stolen and databases hacked while the crisis management team is busy trying to mitigate a DDOS attack.

The new wave — Mirai Botnet

The Internet of Things is taking interconnected devices to the next level — everything from household appliances like refrigerators to cars are now online, building a modern, well-connected and automated home environment. The barrage of DDoS attacks carried out last year originating from such devices was unprecedented.

The October 2016 attack on a major DNS provider took advantage of the limited security on IoT devices to compromise hundreds of applications. The Mirai botnet, which was behind the attack, is composed of vulnerable IP-enabled devices, including DVRs and cameras. Popular websites like Twitter, Quora, Walgreens, Pinterest etc. were rendered inaccessible for several hours.

As the attack progressed, Catchpoint was able to help their customers analyze performance failures on their websites. Here is a snapshot of the outages experienced during the attack:

Outages experienced during attack

Mitigating DDoS attacks

Because it is very difficult to predict or prevent a DDoS attack, securing your website to reduce the risk of such attacks must be a top priority. Once compromised, mitigating the impact of the attack is the only way to get your web applications back online. Even though such incidents may be  inevitable, with the current state of internet security and its vulnerabilities, being proactive will help keep your online business running without a hitch. Here are some of the preemptive steps you can take:

  • Monitor proactively:
    Monitoring every aspect of your website is crucial, as this provides an in-depth view of the site, including any points of failure. Services like Catchpoint provide synthetic monitoring that helps identify unusual spikes in traffic or unusual user behavior that could signal an attack. They also help keep track of the performance of your internal or external DNS and CDN services.
  • Have a contingency plan:
    Implementing redundancy in your critical infrastructure such as DNS can help minimize the impact of a potential security threat. It acts as a fail-safe solution in case the site is under DDoS attack — the website will remain accessible and user experience will not be negatively impacted.
  • Deploy advanced DDoS security solutions:
    There are several security solutions available to protect servers from DDoS attacks. These solutions employ strategies specifically targeting potential threats at various levels:
    • Application layer protection: This acts like a firewall at the application level (web application firewall or WAF) and filters out traffic based on the originating IP and geolocation. A WAF can also be configured to throttle the incoming requests or redirect those that are suspicious. For example, one e-Commerce company experienced a scraper utilizing the Tor anonymity network which targeted search functionality and led to a slowdown of the website. Instart Logic, the application delivery platform that delivered and secured the customer’s website, blocked the Tor exit node IP addresses. Instart Logic was also able to analyze the traffic patterns to detect attack signatures and create new WAF rules to mitigate such attacks in the future.
    • Network layer protection: Protection at the network level will automatically stop ICMP/UDP packets or SYN packets from flooding the system. It monitors the HTTP traffic to determine what is legitimate and excludes non-application traffic.
  • Leverage a CDN:
    A content delivery network or CDN acts as a proxy between your application and the incoming traffic. A robust CDN architecture can not only greatly improve the performance of your application but can also mitigate attacks in the following ways:
    • Owing to their distributed architecture, CDNs have the capacity to absorb spikes in traffic. Volumetric attacks that aim to overwhelm customers’ servers can be automatically mitigated by CDNs.
    • Some CDNs have DDoS monitoring and scrubbing capabilities that continuously monitor the traffic and detect malicious attacks and mitigate them in real-time, while clean traffic is returned back to the customer's site.
    • Some CDNs can shield your origin servers from the Internet, reducing the security load on your organization.

Catchpoint partner Instart Logic is a leading application delivery provider whose platform is built on an intelligent CDN which leverages a unique client/cloud architecture and machine learning capabilities to dramatically improve performance and security of web, mobile web and native applications. Instart Logic has the ability to protect customers’ online assets end-to-end from malware and malicious bots, and provides advanced DDoS monitoring and scrubbing for its customers. Several enterprises leverage Instart Logic and Catchpoint to monitor and protect their infrastructure and integrity of their applications.

Summary

The ever-growing complexity and sophistication of DDoS attacks make them difficult to prevent. Proactively preparing your network to handle such attacks is an absolute necessity. It is equally important to use monitoring tools and advanced DDoS mitigation solutions  so that you can successfully mitigate the attack, prevent future attacks, and finally conduct thorough root-cause analysis to determine exactly where the vulnerability is in the system and how it was exploited. These measures will build your defenses and strengthen internet security as well as maintain trust with your users that their online experiences are secure.

Learn more about Instart Logic:

Leave a Reply

Your email address will not be published. Required fields are marked *