How To Defend Against Infrastructure Attacks
Gartner security experts offer defense strategies for four big attack threats
GARTNER SECURITY & RISK MANAGEMENT SUMMIT -- National Harbor, Md. -- Cracks in the foundation of the Internet infrastructure are leaving organizations prone to potentially dangerous attacks, a pair of Gartner security analysts said here yesterday.
"The basic underpinnings of the Internet -- BGP, DNS, and SSL -- we take for granted they were built in much friendlier times when friendly people wanted to communicate with friendly people. The Internet was built to be survivable, not trustable," said John Pescatore, vice president and research fellow for Gartner Research. "There are still major fractures we are seeing that need to be addressed."
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
Pescatore and Lawrence Orans, research director for Gartner, called out four main attacks that exploit the aging Internet infrastructure and offered strategies for defending against these infrastructure attacks: denial-of-service and distributed denial-of-service attacks, certificate authority breaches and scams, Domain Name Services (DNS) attacks, and 4G LTE.
[ New DDoS reports highlight evolving M.O. of DDoS and DoS attacks and increased firepower. See Mas DDoS: More Powerful, Complex, And Widespread . ]
"The Internet as a whole is stable. But if you look at the component level, there are problems and instability and reliability issues," Orans said.
Here is Gartner's list of the four main infrastructure attacks, plus how to defend against them:
1. Distributed denial-of-service (DDoS) and denial-of-service The annoying and painfully effective DDoS attack just won't go away: About half of all ISPs get hit with anywhere from one to 10 of these attacks per month, according to Arbor Networks, and it's getting easier to launch one with free tools, such as Low Orbit Ion Cannon (LOIC), a favorite DDoS weapon of Anonymous. "The overall picture is it's really ugly out there" with these attacks, Orans said. "Hacktivism is a problem: If someone doesn't like your organization, they can launch attacks against it. Criminal attacks are a problem, [as well]," he said.
On the criminal side of the equation, these attacks are used as a cover for more nefarious targeted attacks, said Rodney Joffe, vice president and senior technologist at Neustar, in a video message presented during the Gartner session. "The bad guys are getting better at hiding what they are doing, and the better they get at doing it, the more difficult it is for us to filter against them."
Joffe said attacks will become more camouflaged, and organizations should deploy BCP 38 to counter source-address spoofing. "That will make a significant difference against DDoS attacks," he said.
Gartner's advice for stemming a DDoS attack: First, assess the financial impact of losing your organization's Web presence and come up with an incident response plan in case you get hit. "Talk in terms of business continuity and disaster-recovery strategy" for justification purposes, Oran said.
Consider DDoS mitigation services. The cheapest approach is a clean-pipes service, which can cost anywhere from 10 to 15 percent above your bandwidth service pricing. "The ISP detects and mitigates a DDoS so the bad guys don't fill up your pipe," Oran said. "This is a very good, cost-effective approach."
A more premium version is a scrubbing-type service, where once you're under attack, you send your traffic over to a provider, such as Akamai, Neustar, or VeriSign, he said. "They act as a middleman and scrub the traffic clean so they take out the DDoS traffic and only send the good traffic," Orans said. That can cost $10,000 per site, however, or you pay on a bandwidth basis.
Another option is a DDoS appliance that sits in the DMZ and detects and deflects DDoSes. Arbor, Correro, Radware and RioRey are among the vendors here.
2. Certificate authority (CA) Comodo. DigiNotar. Flame. The litany of certificate authority (CA)-type breaches and attacks has led to many experts calling for a new approach to certifying the authenticity of a website or software.
"The real issue is this registration process," Pescatore said. "Digital certificates are only as strong as their registration process: A key exchange doesn't automatically equal authentication."
Taher Elgamal, inventor of SSL, said it's not a technical issue. "This is purely a process issue, not a tech problem," Elgamal said in a video message presented during the Gartner session. "There have been incidents in the past couple of years when a CA went broke, when people had CAs with names they did not own. Trust doesn't work on it anymore."
How can you mitigate the CA threat? Gartner suggests certificate management tools and hardened browsers. "The first problem is finding where you're using them, and do you have any that need to be revoked? There can be tens of thousands of SSL certs in a typical company," Pescatore said. A cert management tool can help root those out.
Another option is to harden browsers for sensitive operations, such as online banking or business-to-business transactions, he said. And be sure to educate users on the limitations of SSL and how an SSL session doesn't guarantee the authenticity of the site itself, for instance.
"What happens if a CA is compromised? Have an incident response [plan]," Pescatore said. Defending against these threats will entail a lot of DIY for now, he said, until industry efforts like the Sovereign Keys directory and DNS Authenticated Naming of Entities (DANE) -- where DNS validates certs or users -- are deployed.
"I think the incidents we saw were just the start, and it's time to put some mitigation processes in place," Pescatore said. "When you're enrolling mobile devices, talk to MDM [mobile device management] vendors about mitigation approaches for SSL weaknesses."
3. Domain Name Services (DNS) Speaking of DNS, the vulnerability of Internet name servers also has been in the bull's eye, with the well-publicized cache poisoning threat that was discovered and patched a few years ago, to DDoS attempts against the Internet's DNS root servers.
While these types of attacks remain relatively rare, organizations need to take steps to ensure their DNS servers are protected because of the potentially devastating fallout, security experts say.
Paul Mockapetris, the inventor of DNS and chief scientist at Nominum, said most DNS attacks occur against older versions of software. "Updating software is the first line of defense," Mockapetris said in a video message shown in the Gartner session. "Check your configuration and make sure it's not compromised."
DNSSEC, which digitally signs domains to ensure their legitimacy, should also be deployed by service providers, he said.
Gartner's Orans said DNSSEC has a way to go in enterprise adoption. Organizations can employ some of the same DDoS mitigations as for protecting their Web servers. There also is AnyCast, which distributes DNS traffic among name servers, for example, he said. It routes DNS requests to the topologically nearest node or name server. "AnyCast is a core component of a managed DNS service," Orans said. "It can mitigate the impact of a DNS DDoS attack."
Cache poisoning, or DNS spoofing, isn't so simple to mitigate, however, he said. "Nothing will change until we have a high-profile cache [poisoning] attack," Orans said.
Next Page: 4G LTE