Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



// // //
08:00 AM
Naim Falandino
Naim Falandino
Naim Falandino

DDoS Today: No Safety Inside the Perimeter

For years, protecting the perimeter was believed to be the safest way to guard against DDoS. However, the cloud, IoT and new botnets have changed that thinking. Here's how CISOs and security pros should respond.

In the last 18 months, we have seen numerous DDoS attacks on Internet providers, hospitals, national transport links, communication companies and political movements. In addition, recent reports have also revealed new, more powerful botnets are being assembled that pose an even greater threat.

With millions of networks now compromised, we need to review our decades-old approach to DDoS security where we only monitor the network for threats from outside the security perimeter.

This is no longer effective as threats from inside the network are just as serious.

Over the last year, we have seen a number of DDoS attacks from a new botnet program called Mirai. In the much-reported 2016 Dyn attack, the Internet DNS provider was brought down and services were disrupted for millions of users for multiple hours. Since then, Mirai has been used as the basis for a number of other attacks -- all of them notable for their use of Internet of things (IoT) devices such as baby monitors, routers, cameras and digital video recorders.

(Source: Akela999 via Pixabay)\r\n
(Source: Akela999 via Pixabay)\r\n

In October, Check Point Research and Qihoo 360 both announced a new threat which may be an outgrowth of Mirai, but is more sophisticated in its ability to hack devices. At that time, this new botnet -- referred to as IoTroop or Reaper -- had reportedly spread to over 1 million networks. Though updated reports confirmed the number is closer to 28,000, the potential magnitude of the new threat remains high. Again, household IoT devices have been targeted.

However, this botnet has made "improvements" upon Mirai's malware so the compromised IoT devices are capable of spreading the infection themselves.

So far, no known attack has been carried out using the Reaper botnet. But it is growing quickly and poses a serious potential threat. As Checkpoint noted: "Research suggests we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come."

Defending against Reaper-style attacks
This calm before the storm is a good time to review our defense strategies to see if we are truly ready for Reaper, or even more sophisticated botnets of the future.

The traditional thinking around DDoS attacks can be characterized as the "Maginot Line" approach -- stemming from the famous WWII failed defensive perimeter set up by France, which the German army simply drove around. In following this approach, a strong defensive perimeter is built that is designed to guard against attacks from outside the network.

However, this strategy assumes threats come from outside, not inside, where they can be equally damaging.

The design of the Mirai malware and Reaper botnets reveals the weakness of the Maginot Line approach.

Reaper is currently infecting IoT devices, but its controller has yet to activate them. Those devices are also busy propagating the infection to other devices on their own networks. With so many networks already compromised, there is no "outside" or "inside" to the next attack. IoT devices throughout an internal network may now be compromised by Reaper, and can be turned against the network at any time.

Antiquated perimeter defense strategies are only the tip of the iceberg when it comes to the shortcomings of legacy DDoS approaches. Designed decades ago, DDoS solutions were primarily intended to pick up traffic from one, or in some cases, a few attack vectors.

These defenses would then redirect all traffic from those vectors to scrubbers -- or purpose-built mitigation machines that would clean all the traffic.

Today's attacks come from millions of vectors at once.

Each IoT device alone is not capable of sending large amounts of traffic, but millions of them can cause significant damage.

For instance, the Mirai botnet is known to be creating massive sleeper armies by infecting potentially millions of subscriber IoT devices and personal computers with 2G uplinks. These "zombie" devices can then be called to action at any time resulting in subscribers attacking their own network. Such an internal attack, combined with traffic from hijacked multi-gigabit cloud servers, creates a one-two punch that can quickly bring a network to its knees.

Finally, sending large volumes of infected traffic to scrubbers is a kind of brute force approach that is prone to false negatives which can result in uninfected traffic being unnecessarily processed. Additionally, the legacy dedicated hardware used to identify attacks isn't capable of keeping up with today's multi-vector outbreaks, even when they are strictly external.

A more intelligent approach
Software-based, multi-dimensional analytics are a new approach to DDoS defense that use a more elegant and faster method to attack detection. Combining real-time network telemetry with advanced network analytics and other data, such as DNS and BGP -- among others -- provides the ability to see down to the source of attack traffic in real time.

Multi-dimensional analytics provide visibility into everything from IoT devices to cloud applications and services -- determining which is friend or foe. Analytics can also be paired with big data approaches to traffic modeling that compare a potential event to past attack profiles, which enables them to avoid false negatives by being more precise about what degree of variability from "normal" is acceptable.

To block the zombie personal computers, IoT devices or cloud servers that are carrying out the attack, the network operator can use simple, effective filters at the peering edge of the network.

Every vector of the attack can be identified, pinpointing the endpoints and allowing for surgically precise mitigation. The offending traffic doesn't have to be sent to scrubbers as it is simply blocked at the edge. The ability to identify the endpoints of the attack in real time also means that as the attackers attempt to play cat and mouse with network security operations, the rapidly changing attack vectors can be identified and counteracted.

Sophisticated DDoS attacks such as Reaper will continue to test the limits of today's defense strategies by preying upon the mass proliferation of inexpensive IoT devices and insecure cloud services, especially those less than 10GB.

What remains is an increasingly complex environment where distinctions, such as outside and inside the network, have little relevance. The best defense are new approaches to detection and mitigation that work for attacks from any vector. As the world waits for the next "cyber hurricane" to erupt, network operators have the opportunity to adopt a software-based, multi-dimensional analytics approach to protect themselves from this new generation of DDoS attacks.

Related posts:

— Naim Falandino is the chief scientist for Nokia Deepfield.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-08-16
Airspan AirVelocity 1500 software version lacks CSRF protections in the eNodeB's web management UI. This issue may affect other AirVelocity and AirSpeed models.
PUBLISHED: 2022-08-16
An integer overflow exists in Mapbox's closed source gl-native library prior to version 10.6.1, which is bundled with multiple Mapbox products including open source libraries. The overflow is caused by large image height and width values when creating a new Image and allows for out of bounds writes,...
PUBLISHED: 2022-08-16
An authenticated attacker can enumerate and download sensitive files, including the eNodeB's web management UI's TLS private key, the web server binary, and the web server configuration file. These vulnerabilities were found in AirVelocity 1500 running software version, were still presen...
PUBLISHED: 2022-08-16
The AirVelocity 1500 prints SNMP credentials on its physically accessible serial port during boot. This was fixed in AirVelocity 1500 software version and may affect other AirVelocity and AirSpeed models.
PUBLISHED: 2022-08-16
Airspan AirVelocity 1500 web management UI displays SNMP credentials in plaintext on software versions older than, and stores SNMPv3 credentials unhashed on the filesystem, enabling anyone with web access to use these credentials to manipulate the eNodeB over SNMP. This issue may affec...