Ron Meyran, the director of security products at Radware, provides interesting insight

Feb 12, 2012 10:21 GMT

Distributed denial of service (DDOS) attacks are a major concern these days for both companies and major websites, especially if they know they may be targeted by hacktivists. Security solutions provider Radware published a great report on the subject of DDOS attacks, busting some interesting myths and clarifying some important issues.

We contacted Radware after the report was made available to find out more about the DDOS attacks launched by Anonymous, and also about the security measures companies can implement to mitigate such attacks.

Ron Meyran, the director of security products at Radware, was kind enough to offer us an interview and share his insight on the latest events.

Softpedia: Recently, after Megaupload was closed down, Anonymous hackers have urged people to launch DDOS attacks against organizations such as the FBI, DOJ, RIAA, MPAA and many others, all the sites being taken offline as a result. Reports say that some 27,000 computers were used to launch the attacks.

What technical details can you provide related to these attacks? What is the extent of the damage these attacks can cause? (The hackers mostly used HOIC, LOIC and Slowloris to launch the attacks.)

Ron Meyran: Operation Megaupload is another cycle of Anonymous Group attacks, held by Anonymous fans worldwide against companies and agencies affiliated with the copyright industry. A few points I would like to comment on:

- The above-mentioned organizations were not prepared for DDoS attacks. This is clear from the attack impact – most of them suffered from service disruption. Also, they did not assume they would be targets of DDoS attacks, as they are not necessarily online businesses and do not drive business from internet access;

- One of the attackers’ main cyber weapons is Low Orbit Ion Cannon (LOIC), a simple open-source application that requires very little technical know-how to use. Once the application is downloaded — either voluntarily or via a malicious link — the LOIC recruits computers into a “botnet,” or a network of computers that floods a designated Web site with traffic until it crashes;

- The attackers have been luring computers into the attack with malicious links on Twitter. The links direct unsuspecting users to a site on PasteHTML.com, a free and anonymous code-hosting site, that sets off JavaScript code instructing users’ computers to direct the Anonymous LOIC at a pre-designated target;

- Many of the attacking users did not know they were attacking. It’s very dynamic, and the only way to stop the attack is to absorb it or find its origin. But in this case anyone can become an attacker, and unless you can find the user, you can’t stop the attack;

- The attacks, while not technically sophisticated, are nearly impossible to thwart. The reason is that the attacks included a mix of attack vectors: network flood attacks, application flood attacks and directed DoS attacks;

- I believe that some of the sites under attack had DDoS protection measures from their service provider, or believed that their firewall could fend off DDoS attacks. They all found out that either the attacks overloaded their firewalls (which became the bottleneck) or that the service provider could stop the network flood attacks – but not the rest.

Softpedia: If you were to advise one of these companies on how to protect their sites against such attacks, what would you tell them?

Ron Meyran: The only way to protect against emerging DDoS attack campaigns requires both in-the-cloud and on-premises DDoS protection:

- In-the-cloud protection removes the volumetric bandwidth attacks (the network flood attack) – to avoid the risk of link saturation. This is the first line of defense against DDoS attacks;

- On-premises protection requires deploying a DDoS protection solution that can detect and fend off all types of DDoS attacks: the low & slow attacks facilitated by tools such as Slowloris; application flood attacks; and – leakage of network flood attacks that managed to go undetected or unprotected in the cloud.

Only an end-to-end mitigation deployment (in-the-cloud AND on-premises protection) enables businesses to fully protect their IT infrastructure against evolving DDoS attacks.

Softpedia: You busted some interesting myths with your latest report regarding firewalls, CDNs and bandwidth size. Do these myths exist only among common users, or do network administrators have the same beliefs?

Ron Meyran: Network and security administrators have the same beliefs – that is why we have decided to highlight some of the key report findings to bust these myths.

I have personally been in many meetings with CSOs/CIOs who are misled to believe that their existing security tools or providers can resolve or absorb DDoS attacks effectively. The combination of lack of knowledge, limited budgets and insufficient risk assessment leads to such conclusions.

Softpedia: The report mentions that companies should adopt an offensive mitigation strategy when it comes to DOS attacks. How can a company use to its own advantage the fact that it knows the tools attackers utilize?

Ron Meyran: Attackers exploit application vulnerabilities and service weaknesses. Companies should follow the same rule: look for design flaws in the attack tools and use them to slow those attack tools down, or sometimes even shut the tools down completely.

The attackers find out that their attack is less effective and may select another target.

Softpedia: Many people don’t know that DDOS attacks can be of different types. Can you explain the difference between application level and network level attacks for everyone to understand?

Ron Meyran: Yes. DDoS attacks can be partitioned into four dimensions:

- Volumetric bandwidth flood attacks – attackers flood the victim with a high volume of packets, consuming networking equipment resources or bandwidth resources. These are network DDoS flood attacks such as SYN flood attacks (high packet-per-second attacks), large UDP packet floods (bandwidth attacks), ICMP floods and more;

- Application DDoS flood attacks – these attacks generate complete sessions and target the application resources. Examples are HTTP Get or Post flood attacks or DNS flood attacks;

- SSL-based attacks – encrypted SSL DoS & DDoS attacks consume more CPU resources during the encryption and decryption of the content than the processing of clear text. Thus, encrypted application DoS & DDoS attacks amplify the impact even at relatively low rates of requests per second;

- Low & Slow DoS attacks – low and slow application DDoS attacks that exploit application implementation weaknesses and design flaws. Examples are Slowloris, a tool that allows a single machine to take down another machine's web server with minimal bandwidth, and Circle cache-control (Circle-CC), which floods a web site by systematically scanning the site across multiple pages.
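A defender-side illustration of the distinction drawn in that answer, added here and not part of the interview or of Radware's products: a small classifier over constructed per-connection records that separates a packet flood (many packets, no completed sessions), a complete-session application flood (many parsed HTTP requests), and Slowloris-style low and slow traffic (few bytes, long-lived connections that never finish their headers). The record fields, thresholds and sample addresses are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Conn:
    """One client connection observed in a fixed window (constructed record)."""
    src: str               # client IP address
    packets: int           # packets seen on this connection in the window
    requests: int          # complete HTTP requests parsed on it
    duration: float        # seconds the connection stayed open
    header_complete: bool  # did the client ever finish sending a request header?

# Assumed thresholds; a real deployment tunes these against a traffic baseline.
WINDOW_S = 10.0      # observation window length in seconds
FLOOD_PPS = 1000     # packets/sec from one source with no completed sessions
APP_RPS = 50         # complete requests/sec from one source
SLOW_HOLD_S = 30.0   # seconds a connection stays open without a full header
SLOW_CONNS = 20      # how many such connections from one source is suspicious

def classify(conns: List[Conn]) -> Dict[str, str]:
    """Return a verdict per source: network flood, application flood, low and slow, or benign."""
    by_src: Dict[str, List[Conn]] = {}
    for c in conns:
        by_src.setdefault(c.src, []).append(c)
    verdict: Dict[str, str] = {}
    for src, cs in by_src.items():
        pkts = sum(c.packets for c in cs)
        reqs = sum(c.requests for c in cs)
        slow = sum(1 for c in cs if not c.header_complete and c.duration >= SLOW_HOLD_S)
        if pkts / WINDOW_S >= FLOOD_PPS and reqs == 0:
            verdict[src] = "network flood"        # volume with no sessions: SYN/UDP style
        elif reqs / WINDOW_S >= APP_RPS:
            verdict[src] = "application flood"    # full sessions hammering the application
        elif slow >= SLOW_CONNS:
            verdict[src] = "low and slow"         # Slowloris-style held-open connections
        else:
            verdict[src] = "benign"
    return verdict

# Constructed sample: one source per behaviour, plus one ordinary client.
SAMPLE: List[Conn] = (
    [Conn("198.51.100.7", 50, 0, 0.0, False) for _ in range(400)]   # 2000 pps, 0 requests
    + [Conn("203.0.113.9", 30, 25, 4.0, True) for _ in range(40)]   # 100 complete requests/sec
    + [Conn("192.0.2.5", 6, 0, 45.0, False) for _ in range(25)]     # 25 half-open slow connections
    + [Conn("192.0.2.20", 40, 3, 2.5, True)]                        # normal browsing
)

def run() -> Dict[str, str]:
    return classify(SAMPLE)

if __name__ == "__main__":
    for src, v in run().items():
        print(f"{src:15} {v}")
```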

Softpedia: I suppose Radware can offer all these solutions to help a company protect itself against attacks. How considerable was the difference between before and after you started handling a company’s security?

Ron Meyran: Radware offers a unique approach to fight emerging attack campaigns with its Attack Mitigation System (AMS).

The AMS is a real-time network and application attack mitigation solution that protects the application infrastructure against network & application downtime, application vulnerability exploitation, malware spread, information theft, web service attacks and web defacement.

Radware’s Attack Mitigation System contains three layers:

- Protections layer – a set of security modules including: Denial-of-service (DoS) protection, Network Behavioral Analysis (NBA), Intrusion Prevention System (IPS), Reputation Engine and Web Application Firewall (WAF) - to fully safeguard networks, servers and applications against known and emerging network security threats;

- Security risk management - built-in Security Event Information Management (SEIM) collecting and analyzing events from all modules to provide enterprise-view situational awareness;

- Emergency Response Team (ERT) consisting of knowledgeable and specialized security experts who provide 24x7 instantaneous services for customers facing a denial-of-service (DoS) attack in order to restore network and service operational status.

Any company under attack, once it contacted Radware, was immediately installed with our AMS, and the ERT was invoked to perform analysis of the attacks and provide an immediate resolution as to how to defend against them.

We are not allowed to name our customers; however, I can state that in the recent wave of cyber hacktivism attacks, in most of the cases where the companies managed to fend off the attacks, a Radware security solution was involved.