Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

DDoS

2/19/2018
08:00 AM
Naim Falandino
Naim Falandino
Naim Falandino
50%
50%

DDoS Today: No Safety Inside the Perimeter

For years, protecting the perimeter was believed to be the safest way to guard against DDoS. However, the cloud, IoT and new botnets have changed that thinking. Here's how CISOs and security pros should respond.

In the last 18 months, we have seen numerous DDoS attacks on Internet providers, hospitals, national transport links, communication companies and political movements. In addition, recent reports have also revealed new, more powerful botnets are being assembled that pose an even greater threat.

With millions of networks now compromised, we need to review our decades-old approach to DDoS security where we only monitor the network for threats from outside the security perimeter.

This is no longer effective as threats from inside the network are just as serious.

Over the last year, we have seen a number of DDoS attacks from a new botnet program called Mirai. In the much-reported 2016 Dyn attack, the Internet DNS provider was brought down and services were disrupted for millions of users for multiple hours. Since then, Mirai has been used as the basis for a number of other attacks -- all of them notable for their use of Internet of things (IoT) devices such as baby monitors, routers, cameras and digital video recorders.

In October, Check Point Research and Qihoo 360 both announced a new threat which may be an outgrowth of Mirai, but is more sophisticated in its ability to hack devices. At that time, this new botnet -- referred to as IoTroop or Reaper -- had reportedly spread to over 1 million networks. Though updated reports confirmed the number is closer to 28,000, the potential magnitude of the new threat remains high. Again, household IoT devices have been targeted.

However, this botnet has made "improvements" upon Mirai's malware so the compromised IoT devices are capable of spreading the infection themselves.

So far, no known attack has been carried out using the Reaper botnet. But it is growing quickly and poses a serious potential threat. As Checkpoint noted: "Research suggests we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come."

Defending against Reaper-style attacks
This calm before the storm is a good time to review our defense strategies to see if we are truly ready for Reaper, or even more sophisticated botnets of the future.

The traditional thinking around DDoS attacks can be characterized as the "Maginot Line" approach -- stemming from the famous WWII failed defensive perimeter set up by France, which the German army simply drove around. In following this approach, a strong defensive perimeter is built that is designed to guard against attacks from outside the network.

However, this strategy assumes threats come from outside, not inside, where they can be equally damaging.

The design of the Mirai malware and Reaper botnets reveals the weakness of the Maginot Line approach.

Reaper is currently infecting IoT devices, but its controller has yet to activate them. Those devices are also busy propagating the infection to other devices on their own networks. With so many networks already compromised, there is no "outside" or "inside" to the next attack. IoT devices throughout an internal network may now be compromised by Reaper, and can be turned against the network at any time.

Antiquated perimeter defense strategies are only the tip of the iceberg when it comes to the shortcomings of legacy DDoS approaches. Designed decades ago, DDoS solutions were primarily intended to pick up traffic from one, or in some cases, a few attack vectors.

These defenses would then redirect all traffic from those vectors to scrubbers -- or purpose-built mitigation machines that would clean all the traffic.

Today's attacks come from millions of vectors at once.

Each IoT device alone is not capable of sending large amounts of traffic, but millions of them can cause significant damage.

For instance, the Mirai botnet is known to be creating massive sleeper armies by infecting potentially millions of subscriber IoT devices and personal computers with 2G uplinks. These "zombie" devices can then be called to action at any time resulting in subscribers attacking their own network. Such an internal attack, combined with traffic from hijacked multi-gigabit cloud servers, creates a one-two punch that can quickly bring a network to its knees.

Finally, sending large volumes of infected traffic to scrubbers is a kind of brute force approach that is prone to false negatives which can result in uninfected traffic being unnecessarily processed. Additionally, the legacy dedicated hardware used to identify attacks isn't capable of keeping up with today's multi-vector outbreaks, even when they are strictly external.

A more intelligent approach
Software-based, multi-dimensional analytics are a new approach to DDoS defense that use a more elegant and faster method to attack detection. Combining real-time network telemetry with advanced network analytics and other data, such as DNS and BGP -- among others -- provides the ability to see down to the source of attack traffic in real time.

Multi-dimensional analytics provide visibility into everything from IoT devices to cloud applications and services -- determining which is friend or foe. Analytics can also be paired with big data approaches to traffic modeling that compare a potential event to past attack profiles, which enables them to avoid false negatives by being more precise about what degree of variability from "normal" is acceptable.

To block the zombie personal computers, IoT devices or cloud servers that are carrying out the attack, the network operator can use simple, effective filters at the peering edge of the network.

Every vector of the attack can be identified, pinpointing the endpoints and allowing for surgically precise mitigation. The offending traffic doesn't have to be sent to scrubbers as it is simply blocked at the edge. The ability to identify the endpoints of the attack in real time also means that as the attackers attempt to play cat and mouse with network security operations, the rapidly changing attack vectors can be identified and counteracted.

Sophisticated DDoS attacks such as Reaper will continue to test the limits of today's defense strategies by preying upon the mass proliferation of inexpensive IoT devices and insecure cloud services, especially those less than 10GB.

What remains is an increasingly complex environment where distinctions, such as outside and inside the network, have little relevance. The best defense are new approaches to detection and mitigation that work for attacks from any vector. As the world waits for the next "cyber hurricane" to erupt, network operators have the opportunity to adopt a software-based, multi-dimensional analytics approach to protect themselves from this new generation of DDoS attacks.

Related posts:

— Naim Falandino is the chief scientist for Nokia Deepfield.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...