The Three Myths of the Availability Threat
Availability – aka the big “A” – is often the overlooked leg of the CIA triad (the others being Confidentiality and Integrity). Perhaps one contributing factor is the common belief among security professionals that if data is not available it is secure. Corporate executives, on the other hand, have a different opinion as downtime carries with it a hefty price tag.
While today’s Corporate Risk Assessment certainly involves the aspect of Availability, it is focused on redundancy, not on security. Penetration tests, a result of the corporate risk assessment, also fail to test on availability security. In fact, pen testing and vulnerability scanning contracts specifically avoid any tests which might cause degradation of service often leaving these vulnerabilities unknown until it’s too late. Availability is commonly handed off to Network Engineering when building resilient networks. Common risk mitigation in this arena include redundant power, Internet links, routers, firewalls, Web farms, storage, and even geographic diversity with use of hot, warm and cold data centers. As you can see, there is a ton of money invested in building network infrastructure to meet corporate availability requirements.
While these investments in infrastructure are meaningful they are not impervious to attack. In fact, attacks are often complicated and even exacerbated by the inherent, resilient design of the network. For example, let’s consider a few common myths:
Myth1: DDOS attacks consume lots of bandwidth and are noisy. We will add additional bandwidth if we come under DDOS attack or we already have enough bandwidth to absorb any attack.
A recent study by Radware’s Emergency Response Team (ERT) reports a significant change in the threat landscape from noisy volumetric floods (ex., TCP SYN or UDP Floods) to the application layer (ex., http get and DNS query floods) and slow and low attacks. A volumetric attack can consume any amount of bandwidth you can afford. Admittedly, additional bandwidth may delay the outcome, and if significant, (100 Gbps.+) it might even deter an attacker. However a targeted attack is one in which the attacker is after your business, not your competitor or the guy down the street. He will shift gears to find weakness in your defense, likely in the application layer.
Myth 2: Route traffic through secondary data center or split the load across data centers.
Let’s take a DNS flood targeting a DNS server as an example. Some folks I’ve chatted with might consider shifting over to a redundant data center in the event they are flooded at the primary or even operating off a different IP address range for the secondary. Don’t underestimate our enemies because an attack would follow in either event. You might ask why or how the attack would migrate? One possibility would be if you reroute your traffic, the attack would simply follow the target. While changing or using different IP address ranges might buy you some time, security by obscurity is proven not to prevail. In addition, many attacks today target domain names so you would find the attack simply following the DNS change.
Myth 3: We are safe from this threat because we use a CDN or cloud DDoS scrubbing solution
While CDN and cloud scrubbing centers serve their purposes and can be used as mitigation techniques, they are also not conclusive of an attack mitigation system. By nature of the CDN it can be bypassed by several tools (HULK, LOIC, HOIC, and more), which were purposely built to bypass such protections and utilize dynamically changing URL’s. In fact the CDN will not only leave one wanting for anti-DoS, it’s known to amplify the attack as explained in recent blogs by my colleague, David Hobbs, CDN as a Weapon and You Cant Hide Behind the Clouds. In addition, neither the CDN nor cloud scrubbers can protect against encrypted attacks, unless of course you are willing to share your encryption keys with outsiders.
Another disadvantage of the cloud-scrubbing center is that it is usually an on-demand service, which requires rerouting traffic once under attack. Cloud scrubbing typically consists of the several steps upon an attack. It begins with detection, alerting, route change, attack mitigation, verification of legitimate traffic, and finally back to detecting once the attack is over to put traffic back in its normal state. This detection is not a simple feat, even in the case of a network flood in which an administrator may be alerted via email of bandwidth usage on a circuit.
What if they don’t get the email because the email server is being DoS’d? What if the attack is over the weekend and no one notices, except your customers who are trying to purchase equipment from your eCommerce site?
Humans are the driving force behind targeted attacks that rely on sophisticated tools, C&C and botnets. Stopping these requires attack mitigation tools that can adapt to the changing threat and mitigate based upon suspicious behavior patterns. In conjunction with tactical tools, a sound perimeter counter defense strategy will also include a human factor.
As with all layers of security, Availability Security is like a game of chess that requires the right mix of strategy and tactics to defeat the enemy.