What kinds of weaknesses do attackers search for when studying and selecting denial-of-service (DoS) targets?
Ron Meyran: Attackers are looking for standard weaknesses in the form of open ports, inspector rules, remote maintenance, etc. The main thing they're really interested in is the application: how it's designed and whether or not there are any software bugs that can be exploited.
With denial-of-service attacks, it's not necessarily the standard vulnerabilities that intrusion prevention systems [IPS] or firewalls would cover, but if the center for mobility is reached it enables an attacker to launch a smart attack with relatively low traffic -- and it can cause a lot of damage.
For example, attack tools like Slowloris can consume all of the services of a Web server in less than a minute and make it unavailable to other users. If a website provides information like large image files or enables you to perform a search on the database, it simply places a standard search or a download of the same large file over and over to kill the availability of the servers. So we're seeing a shift from bandwidth attacks, which involve sending irrelevant traffic to a target, to today's central processing unit [CPU] attacks on targets. CPU attacks target the CPUs behind the servers, where you can increase the CPU utilization quite easily with application attacks.
How are DoS attacks being used?
Meyran: Within the past four years we've seen a major shift in attackers' motivation. Hacktivism has become a major trend -- with Anonymous, Lulzsec, the Nightmare Group and others launching attacks based on ideals. If Turkey, for example, is trying to filter content on the Internet, they'll attack the Turkish government's website; it's a form of protesting.
Another technique is 'camouflage attacks,' in which attack tools are distributed and a group simply coordinates the data or start of the attack. The attack on Sony PlayStation was originally thought to be a DoS attack, but it was eventually revealed to be a camouflage attack. Why? The attackers were running a high-coverage attack on Sony's network. They knew that once the security equipment reached a 100 CPU utilization rate, it would either let the traffic in or bypass all traffic. Then they could use a secret injection and other low-and-slow attacks to break into Sony accounts. The real attack was the penetration into their databases, which they couldn't see, of course, because they thought they were fighting a DoS attack, and also because the volume of the attack traffic behind the DoS effectively 'camouflaged' it.
How much of a time investment goes into reconnaissance prior to DoS attacks?
Meyran: The reconnaissance lasts days or weeks, and eventually an attack will last several hours or days. Generally, attackers will invest the time. But it's cumulative time, since it's a set of security experts or hackers who study the victims for several weeks and then share their findings and combine strategies to knock down the website. It's a significant amount of time investment. And the victim who has no idea they're about to be attacked isn't investing any time at all.
Are DoS attack tools evolving?
Meyran: Attackers usually use the same sets of tools -- Slowloris, Sockstress, LOIC [Low Orbit Ion Cannon] and HOIC [High Orbit Ion cannon]. All of these tools include network attacks, server attacks and application-level attacks. The point here is the mix or the blend of the attack vectors and the definition of the attack vectors. We're seeing them getting smarter. Once they start launching the attack, they've already learned which tools the target is using to protect their assets. If they've discovered a signature-detection engine, they'll simply change the attack vector pattern.
For example, they may be using an HTTP flood, but they'll ask for different pages or include different parameters in the HTTP GET request, so each time the target manages to define the signature to protect, the attackers immediately change the pattern and the signature becomes obsolete.
So the attackers are quite smart. It isn't rocket science to protect against it, but the point is that most organizations aren't preparing for attacks. It's the equivalent of bringing a knife to a gunfight. Organizations think they should get ready for an attack by deploying security equipment, defining security policies, updating signature files on their equipment … and that's it.
Once an attack is carried out, organizations will study the logs to see where the breaches occurred and find their weaknesses, and then they'll make improvements.
To date, most DoS attack tools are available on the Internet. Organizations can download them and test their infrastructure in about an hour. This is one of the first things I recommend to people. If you test your own infrastructure, you'll know how it'll respond to an attack.
Is malware involved in DoS attacks?
Meyran: With regard to DoS, malware isn't a key tool. But we sometimes see attackers infect servers of a cloud provider or hosting provider so they can remotely control the servers to launch their attack. The motivation to use servers rather than end-user PCs is because servers have higher CPU capacity, better networking connections and they're available 24-7.
The typical damage done due to denial-of-services attacks on a medium-sized organization is $3 million per year. If organizations invest maybe 5% of that amount, they could get ready and prevent that damage and cost of downtime.
Can organizations do anything differently, knowing how hackers prepare for DoS attacks?
Meyran: More than half of all organizations think their firewall and IPS can protect them against DoS. This shows they don't really understand that firewalls and IPS are stateful devices, while DoS is about creating new sessions and turning firewalls and IPS into bottlenecks. Once you fill the firewall or IPS session table, no new sessions are available and the firewall will block any new sessions and the IPS will fall into bypass -- and this equipment is the core of network security.
What do you expect to be the most important tool to prevent DoS attacks in the next few years?
Meyran: Organizations will need equipment on their premises to detect application attacks, but it looks like service providers will be responsible for providing a level of protection against the volumetric or network attacks that can saturate the Internet link connection. The service provider should be the one removing the excessive traffic -- which can cause the Internet links to prevent legitimate traffic flow into the infrastructure.
But on the other hand, organizations need equipment on site to analyze what's going on. They need the visibility, since most of the traffic today is carried or moved on the secure sockets layer [SSL] and no one discloses their SSL certificates to their service provider. So you need the equipment on site to look into traffic and decide whether a new session is a legitimate user or attack traffic that should be terminated immediately.
Are DoS attacks increasing significantly in 2013?
Meyran: We're definitely seeing a significant increase in DoS attacks. They've at least doubled from last year. But I suspect that a significant portion of this increase is because organizations are just now becoming aware that the slowdowns they suffered are actually attacks. In many cases, organizations don't have the tools to identify why the infrastructure is slowing down and they think it's a technical problem, then it stops and they think they've fixed the problem.
More people need to be aware of these attacks and report them when they occur.