With advances in technology, more and more organizations rely on their online presence for their day-to-day business activity. This can incentivize hackers to paralyze organizations’ infrastructures by conducting a DDoS (distributed denial of service) attack. Indeed, would you choose an online shopping website that is unavailable every once in a while, or would you just switch to one of their competitors?
Previously, the simplest SYN flood, NTP flood or CHARGEN attack was sufficient to bring down a company’s website. Today, most organizations understand the risk of DDoS attacks and thus use scrubbing centers and on-premise DDoS mitigation appliances (Akamai, Arbor, Radware, Incapsula, Verisign and more) that, if properly configured, are very effective in blocking these simple attacks. However, against more sophisticated next-generation DDoS attacks, relying on the aforementioned solutions alone is insufficient to protect an organization.
The pattern of an infrastructure-level DDoS attack is usually similar between one organization and another. Hence, DDoS mitigation appliances use generic patterns for attack recognition – if it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck (DDoS attack) that should be blocked.
In comparison to infrastructure-level DDoS attacks, application-layer DDoS attacks are significantly harder to detect and mitigate: some applications use unique and proprietary protocols; others require a certain traffic pattern as part of their business logic, while the same pattern may be considered dangerous for another company. This poses a problem for DDoS mitigation appliances: how can they protect an organization if they cannot differentiate between legitimate and illegitimate traffic?
While currently accounting for less than 2% of DDoS attacks in Q3 2016 (according to Akamai), these attacks have a very high success rate. Whether it is a login page flood or a search flood, flooding an application may exhaust numerous server resources (such as the server’s CPU or memory, or the number of concurrent connections between the server and its DB). Based on my experience from hundreds of application-layer DDoS simulations, such an attack is nearly always successful if the attacker is skilled and target-driven.
The Rise of the Botnet Threat
In addition to the rise of application-layer DDoS attacks, another change in the DDoS industry in the past twelve months is the rise in the use of IoT devices as bots. The notorious Mirai malware, whose source code was disclosed to the public, attempts to connect to IoT devices using known (default) credentials. Since many vendors still ship default credentials (and some don’t even allow users to change them), the Mirai botnet contains tens of thousands of compromised IoT devices. This tool was used in an attack against OVH, a French hosting provider, in a record-high volumetric DDoS reaching 1 Tbps. Another attack, which peaked at 623 Gbps, was later launched against krebsonsecurity.com.
To date, the Mirai botnet, as well as the recently discovered Leet botnet, have failed to disrupt service to a CDN-protected website. However, that doesn’t mean they will continue to fail in 2017, albeit with a different approach: while such DDoS attacks have failed, they are very costly to mitigate. For example, Akamai, which had offered free protection to krebsonsecurity.com, decided to stop protecting the website for free as it was too expensive for them. Even if the client pays for such protection, a continuous attack would financially damage the client. Thus, it is not unrealistic to expect a different attack vector in the future: instead of a “regular” DDoS, hackers will consider a financial DDoS attack. The hackers will keep flooding the network from compromised IoT devices, not to make it unavailable, but rather to force the victim to pay a significant sum to their CDN provider in order to keep their website up and running. Such an attack may effectively force the organization to choose between stopping the CDN protection and going bankrupt.
Another trend in next-generation DDoS attacks is indirect attacks on critical 3rd-party services in order to affect companies’ websites. In a 3rd-party service attack, hackers flood a service that the company relies on (for example, DNS or an external mail provider) in order to disrupt the company’s own service. For example, in October 2016 a DDoS attack against Dyn, a popular DNS provider, caused major websites (such as Amazon, Airbnb, BBC, CNN, and Netflix) to become unavailable. Hence, by targeting a 3rd-party provider, the attacker can choose a less-protected environment in order to affect your organization.
Given the above, you would be right to ask how one can be protected. Next-generation DDoS attacks are complex and require organizations to secure their websites and servers properly. The configuration of existing DDoS mitigation appliances must be tuned to the organization’s needs: the thresholds for each website, IP and/or URL must be configured manually according to that resource’s role, since a request rate that is normal for a static asset is a flood against a login or search endpoint. Moreover, each website’s code should undergo DDoS-oriented threat modeling, code review, and dynamic testing in order to ensure its protection level is sufficient. Furthermore, a CDN only absorbs requests for content it can cache; a CDN-protected website that contains dynamic resources still passes those requests through to the origin, and thus also requires the proper adjustments.
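The per-URL thresholds described above can be illustrated with a small sliding-window detector. The following is an added example (not code from the original article or from any of the vendors it names): it assigns each endpoint a request budget per source IP that reflects how expensive the endpoint is to serve, and flags sources that exceed it. The log lines, IP addresses, endpoint names and budget values are all constructed for the example and are not real traffic or vendor defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical per-endpoint budgets: max requests per source IP within one
# window. Expensive endpoints (DB lookup, credential check, report generation)
# get small budgets; anything not listed is treated as a cheap static asset.
ENDPOINT_BUDGETS = {
    "/login": 10,
    "/search": 20,
    "/api/report": 5,
}
DEFAULT_BUDGET = 300
WINDOW_SECONDS = 60

# Common Log Format with a request line; the query string is stripped below so
# /search?q=a and /search?q=b count against the same endpoint budget.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return (ip, timestamp, normalized path) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, path


def budget_for(path):
    return ENDPOINT_BUDGETS.get(path, DEFAULT_BUDGET)


def detect_floods(lines, window_seconds=WINDOW_SECONDS):
    """Sliding-window count per (ip, endpoint); returns the offenders and
    the peak count observed for each inside a single window."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        q = windows[(ip, path)]
        q.append(ts)
        # Drop timestamps that fell out of the window (log is time-ordered).
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > budget_for(path):
            flagged[(ip, path)] = max(flagged.get((ip, path), 0), len(q))
    return flagged


def make_line(ip, second, method, path, status=200):
    """Build one constructed log line at 13:55:<second> on a fixed date."""
    return (f'{ip} - - [10/Oct/2016:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512')


# Constructed sample traffic (RFC 5737 documentation addresses):
#  - 203.0.113.7  sends 15 POST /login in 15 s  -> over the /login budget
#  - 198.51.100.20 fetches a static asset 15 times -> well under DEFAULT_BUDGET
#  - 192.0.2.33   runs exactly 20 searches -> at, not over, the /search budget
SAMPLE_LOG = (
    [make_line("203.0.113.7", s, "POST", "/login", 401) for s in range(15)]
    + [make_line("198.51.100.20", s, "GET", "/static/app.js") for s in range(15)]
    + [make_line("192.0.2.33", s, "GET", f"/search?q=item{s}") for s in range(20)]
)

if __name__ == "__main__":
    for (ip, path), peak in detect_floods(SAMPLE_LOG).items():
        print(f"FLOOD {ip} {path}: {peak} requests in {WINDOW_SECONDS}s "
              f"(budget {budget_for(path)})")
```

The same 15 requests in 15 seconds are a flood on /login and noise on /static/app.js, which is the reason a single global threshold cannot work and each endpoint needs its own. A production appliance adds behavioural baselining and action (tarpit, challenge, block) on top of this counting, but the per-resource budget is the part that has to be set by someone who knows the application.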
Finally, the old adage “practice makes perfect” is absolutely right. It is always better to check whether your websites can withstand an attack by conducting a scheduled DDoS simulation than understanding that it cannot when hurt by a real attack. Such a simulation can also provide your SOC team with opportunities to practice without causing any damage to the organization.
In conclusion, during 2017 we will see three different variants of major attacks: (1) massive volumetric DDoS attacks originating from IoT devices, targeting companies that did not properly protect their websites against such attacks; (2) financial DDoS attacks against organizations that are CDN-protected; and finally (3) application-layer attacks, exhausting the server’s resources rather than the network’s. Only the extensive (and manual) tuning of scrubbing centers and on-premise DDoS mitigation appliances, together with secure coding by developers, will ensure your online services are protected.
Dan Gurfinkel is the Head of Offensive Security & Response Unit at Comsec Global.