Pandora’s Box: Auditing for DDoS Vulnerabilities, Part I
THE BUSINESS PROBLEM:
Your company has reason to believe that it may be attacked in the near future or recently has come under attack. The main questions that come to mind:
– How do I know if the attackers will be successful?
– How can I test my environment myself for expected attacks?
THE TECHNICAL PROBLEM:
Shouldn’t I already have a good answer for this question? After all, many organizations pay good money to deploy high performance security and risk teams and expect them to stay on top of questions like these.
However, please understand that I have over 15 years in providing and conducting penetration testing and vulnerability assessments, and today’s STANDARD SECURITY TESTING DOES NOT TEST FOR AVAILABILITY ISSUES!
Given that, how does one assess the likelihood of falling prey to an attacker or being victorious in repelling the attack?
First, the Answer:
Next, the Question:
What will it take for most security professionals to recognize that the problem all companies are having fighting hacktivists is THEIR problem too?!?
24 Months is ANCIENT:
Yes, if you’re doing the same thing today with your security program that you were doing 24 months ago – this “old way” of doing things just isn’t working in protecting environments from ideological-based or “hacktivist” attacks. That model DOES NOT WORK!
Acknowledge that risks HAVE changed – Have You?
For the last eighteen months, security professionals around the globe have watched as a group of cyber hacktivists dismantled the web defenses of some of the most respected financial and ecommerce sites and “walked right into” their secure databases and holdings to make a statement.
These DDoS attacks were not the work of the numerous and very prolific organized crime syndicates whose botnets are constantly prowling and seeking network vulnerabilities to exploit for criminal financial gain, but stem from a group of hacktivists who happened to disagree with these particular companies’ adherence to a governmental request.
Ideological Threats require Big “A” Thinking
Availability security is different than securing confidential data and making transactions with high integrity.
This is the threat landscape all network service providers face today, not just on a day-to-day basis but even minute-by-minute. Many forms of attacks on your network are known and more easily defeated, but the most daunting attacks are those whose form is not known, not yet seen or perhaps not yet recognized. There are also the attacks that are known, but the modes in which the attacks are leveraged are not known. That is why perimeters are successfully being compromised. In the case of most of the recent attacks, the customary way of deploying security technology is not able to defend against these new attackers.
So – What is the new model?
To be effective, a DDoS protection solution must first be able to identify the attack as it is forming or while it is in progress against the network. Second, it must determine which incoming traffic has malicious intent and which traffic is legitimate. The legitimate traffic must be allowed to pass so that commerce can still be conducted, and the illegitimate traffic must be quarantined from the rest of the network and discarded. In addition, a network defense system must cope with various and multiple attacks in real time.
Standard network-security solutions depend on static signature protection against known application-vulnerability exploits and rate-based protection against high-volume attacks and unknown attacks. Static signature-protection technology, deployed by network IPS, firewalls, and anti-virus products, can only identify predefined attacks. This type of traditional perimeter security relies on periodic signature updates, leaving the business vulnerable to zero-minute attacks, and offers no solution against non-vulnerability-based attacks.
Rate-based DDoS mitigation technology is designed to suppress abnormal traffic patterns. This technology is deployed as a means of mitigating high-volume attacks or zero-minute attacks. However, a rate-based solution does not differentiate between attack traffic and legitimate traffic: packets and sessions, good and bad, above predefined thresholds are dropped. Rate-based technology offers no protection against lower-rate attacks (for example, brute-force attacks, low-rate malware propagation, slow network and application probes). Furthermore, rate-based technology cannot prevent improper-use scenarios where attack traffic such as an HTTP page flood appears identical to legitimate application requests, as in a flash crowd.
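To make the two rate-based limitations concrete, here is an added example (not code from the post or from any product it mentions): a toy sliding-window rate filter run over constructed request logs. The window length, threshold, and all traffic scenarios are assumptions chosen for the demonstration; the point it shows is that a flash crowd and an HTTP page flood produce identical drop statistics, while a one-request-per-second probe is never touched.

```python
"""Toy rate-based DDoS mitigation run over constructed request logs.

Illustrates the two limitations described above: above a predefined threshold
good and bad requests are dropped alike (a flash crowd looks like an HTTP page
flood), while a low-rate attack never crosses the threshold and passes untouched.
Window and threshold values are assumptions chosen for the demo.
"""
from collections import deque

WINDOW_MS = 1000   # sliding window length (assumed)
THRESHOLD = 20     # max requests per window before dropping (assumed)


def rate_based_filter(requests, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Apply a global rate threshold to (timestamp_ms, src_ip, label) tuples.

    `label` is ground truth ('good' / 'bad') used only for scoring; the filter
    itself, like real rate-based mitigation, never looks at it.
    Returns counts of passed/dropped requests per label.
    """
    recent = deque()   # timestamps inside the current window
    stats = {"passed_good": 0, "passed_bad": 0, "dropped_good": 0, "dropped_bad": 0}
    for ts, _src, label in sorted(requests):
        while recent and recent[0] <= ts - window_ms:   # expire old timestamps
            recent.popleft()
        recent.append(ts)
        action = "dropped" if len(recent) > threshold else "passed"
        stats[f"{action}_{label}"] += 1
    return stats


def burst(n, spacing_ms, label, src_prefix, start_ms=0):
    """Constructed traffic: n requests from n distinct sources, evenly spaced."""
    return [(start_ms + i * spacing_ms, f"{src_prefix}{i}", label) for i in range(n)]


# Constructed scenarios (not real traffic captures)
FLASH_CROWD = burst(400, 25, "good", "user-")   # 40 legitimate req/s after a promotion
PAGE_FLOOD = burst(400, 25, "bad", "bot-")      # 40 req/s HTTP page flood, same shape
SLOW_PROBE = [(i * 1000, "10.0.0.99", "bad") for i in range(60)]  # 1 req/s, one source


def demo():
    """Run the filter over each scenario and return its statistics by name."""
    return {name: rate_based_filter(reqs)
            for name, reqs in (("flash_crowd", FLASH_CROWD),
                               ("page_flood", PAGE_FLOOD),
                               ("slow_probe", SLOW_PROBE))}


if __name__ == "__main__":
    for name, stats in demo().items():
        print(name, stats)
```

The flash crowd and the page flood come out with the same numbers (20 passed, 380 dropped), so the filter has shed 380 real customers in the first case; the slow probe passes all 60 requests because it never exceeds one request per window.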
Coming Soon: Part II: The Rise of the “Availability Vulnerabilities”
In my next post I will address the specific vulnerabilities that need to be tested in order to develop a reasonable assessment of the efficacy of an internal control infrastructure.