2017’s 5 Most Dangerous DDoS Attacks & How to Mitigate Them (Part 1)

By Carl Herberger


Throughout the history of mankind, whether in warfare or crime, the advantage has swung between offense and defense, with new technologies and innovative tactics displacing old doctrines and plans. For example, the defensive advantage of the Greek phalanx was eventually outmaneuvered by the Roman legion. Later, improvements in fortifications and armor led to castles and ironclad knights, until the invention of gunpowder made them obsolete. In the 20th century, fixed fortifications and trenches were rendered outdated by highly mobile armored forces. In all these examples, the common denominator is that one side’s tactical advantage spawned new ways of thinking among its opponents, eventually degrading that advantage or reversing it completely.

Enter the digital age, where lines of code and terabytes of information determine who has the tactical advantage. Of late, the pendulum has swung in favor of cyber-attacks. Rate-based technologies, once considered adequate to handle the most advanced distributed denial-of-service (DDoS) threats, have fallen obsolete as tech-savvy adversaries move beyond the static concepts of most conservative corporate budgets and know how to overcome name-brand mitigation technologies. These ultra-adaptive hackers have given rise to the top five nastiest attack techniques in 2017.

ATTACK TYPE #1: Advanced Persistent DoS (APDoS)


Wikipedia defines APDoS as:


“…a clear and emerging threat needing specialized monitoring and incident response services and the defensive capabilities of specialized DDoS mitigation service providers. This type of attack involves massive network layer DDoS attacks through to focused application layer (HTTP) floods, followed by repeated (at varying intervals) SQLI and XSS attacks. Typically, the perpetrators can simultaneously use between 2 to 5 attack vectors involving up to several tens of millions of requests per second, often accompanied by large SYN floods that can not only attack the victim but also any service provider implementing any sort of managed DDoS mitigation capability. These attacks can persist for several weeks.”


It becomes clear that APDoS requires an array of technologies to stop the network floods, the HTTP application-level DDoS and the encrypted threats. Moreover, Radware is seeing these attack techniques extended to SMTP attacks (a relatively new vector) and to secure SMTP, such as TLS over SMTP.


APDoS attacks assume many forms, but typically attackers will switch tactically between several targets to create a diversion that fools mitigation tools, while eventually concentrating the main thrust of the attack onto a single victim. To successfully mitigate these threats, an organization must understand the threat and make certain it has the appropriate protections in place (e.g. high-caliber detection and mitigation). To start, characterize APDoS threats into the following classes:


“Advanced reconnaissance (pre-attack OSINT and extensive decoyed scanning crafted to evade detection over long periods)


Tactical execution (attack with primary and secondary victims, but the focus is on the primary)


Explicit motivation (a calculated end game/goal target)


Large computing capacity (access to substantial computer power and network bandwidth resources)


Simultaneous multi-threaded ISO layer attacks (sophisticated tools operating at layers 3 through 7)


Persistence over extended periods (utilizing all the above into a concerted, well managed attack across a range of targets)”


The task is daunting and real. As the next generation of DDoS threats emerges, organizations must be diligent and proactive. Companies must rise above the normal corporate culture of security controls and become obsessive about removing risks and compulsive about action. After all, these organizations may literally be holding life-and-death decisions in their hands, which makes their actions rather profound and unique.


ATTACK TYPE #2: DNS Water Torture Attack


A DNS NXDOMAIN flood attack, also known as a water torture attack, targets an organization’s DNS servers. The attack consists of a flood of maliciously crafted DNS lookup requests for names that do not exist under the victim’s domain, so no resolver cache can answer them and each one reaches the victim’s authoritative name server. Intermediate resolvers also experience delays and timeouts while waiting for that authoritative server to respond. These requests consume network bandwidth and storage resources, and they can also tie up network connections, causing further timeouts.


Understanding the threat reveals the two largest obstacles to defeating this attack vector:


First: The attack arrives from a known, legitimate source (the recursive resolvers) and cannot realistically be blocked while still maintaining healthy DNS resolution over the long term.


Second: That same source is also sending legitimate queries at the same time the illegitimate requests are being sent.


To counter this resource-draining threat, organizations should monitor their recursive DNS servers, watching for anomalous behavior such as spikes in the number of unique sub-domains being queried, or spikes in the number of timeouts or delayed responses from a given name server.


A DNS attack mitigation tool faces unique challenges. Beyond a limited set of vendors, there is no real automated solution to this threat, because an effective tool must have the following attributes:


Mitigation tools must have deep knowledge of DNS traffic behavior – The tool must understand DNS traffic and continuously “learn” or establish baseline behaviors so that it can immediately identify abnormal DNS traffic. Moreover, the tool or technique must analyze every field of the DNS traffic to identify abnormal packets and to create real-time signatures.


Mitigating a high rate of DNS packets – The tool must be able to challenge large volumes of DNS queries per second and to process up to 10–35 million packets per second of attack traffic (often on larger circuits), without letting the attack traffic affect legitimate traffic while the attack is under way.


Mitigation accuracy – By issuing DNS-specific challenges and accurately analyzing DNS traffic behavior, the organization must be able to distinguish legitimate DNS traffic from attack traffic with a minimum of false positives. This lets the service provider keep serving its legitimate users even under severe attack.


Provide the best quality of experience even under attack – The whole point of operating a service is that the architecture must guarantee minimum latency for all processed traffic, and especially for the legitimate traffic. This guarantees the best quality of experience for legitimate internet users even under attack.
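The monitoring advice above (spikes in unique sub-domains queried, spikes in timeouts from a name server) and the "learn a baseline continuously" attribute can be combined into one small detector. The following is an added example, not code from the Radware post or its products; the resolver log format and all log lines are constructed for the example, and the zone heuristic (last two labels) and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed resolver log lines: "<ts> <client> <qname> <rcode>", where rcode
# TIMEOUT marks a query the authoritative server never answered.
BASELINE = [f"{100 + i} 10.0.0.5 {n}.example.com. NOERROR"
            for i, n in enumerate(["www", "mail", "www", "ns1", "mail", "www"])]
# Attack window: random labels under the victim zone, mixed with the same
# client's legitimate lookups and unrelated traffic to another zone.
ATTACK = [f"{200 + i // 2} 10.0.0.5 x{i:04d}.example.com. "
          f"{'NXDOMAIN' if i % 2 else 'TIMEOUT'}" for i in range(20)]
ATTACK += ["203 10.0.0.5 www.example.com. NOERROR",
           "207 10.0.0.5 mail.example.com. NOERROR",
           "205 10.0.0.9 www.other.org. NOERROR"]
SAMPLE_LOG = "\n".join(BASELINE + ATTACK)

def parse_log(text):
    """Return (ts, client, qname, zone, rcode) tuples; zone = last two labels (assumed)."""
    records = []
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        labels = qname.rstrip(".").split(".")
        records.append((int(ts), client, qname, ".".join(labels[-2:]), rcode))
    return records

def window_stats(records, start, width):
    """Per zone: (unique names queried, share of NXDOMAIN/TIMEOUT answers)."""
    names, total, failed = defaultdict(set), defaultdict(int), defaultdict(int)
    for ts, _client, qname, zone, rcode in records:
        if start <= ts < start + width:
            names[zone].add(qname)
            total[zone] += 1
            failed[zone] += rcode in ("NXDOMAIN", "TIMEOUT")
    return {z: (len(names[z]), failed[z] / total[z]) for z in total}

def detect(records, baseline_start, window_start, width=10,
           uniq_factor=5.0, fail_ratio=0.5):
    """Flag zones whose unique-name count jumps past uniq_factor times the
    learned baseline while most answers are NXDOMAIN or timeouts."""
    base = window_stats(records, baseline_start, width)
    alerts = []
    for zone, (uniq, ratio) in window_stats(records, window_start, width).items():
        base_uniq = base.get(zone, (1, 0.0))[0]
        if uniq >= uniq_factor * max(base_uniq, 1) and ratio >= fail_ratio:
            alerts.append((zone, uniq, round(ratio, 2)))
    return alerts

if __name__ == "__main__":
    # → [('example.com', 22, 0.91)]
    print(detect(parse_log(SAMPLE_LOG), baseline_start=100, window_start=200))
```

Alerts are keyed by zone rather than by client, since the text notes that the querying resolver is a legitimate source that also carries real lookups and cannot simply be blocked.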


Source: radwareblog

