Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

DDoS

2/19/2018
08:00 AM
Naim Falandino
Naim Falandino
Naim Falandino
50%
50%

DDoS Today: No Safety Inside the Perimeter

For years, protecting the perimeter was believed to be the safest way to guard against DDoS. However, the cloud, IoT and new botnets have changed that thinking. Here's how CISOs and security pros should respond.

In the last 18 months, we have seen numerous DDoS attacks on Internet providers, hospitals, national transport links, communication companies and political movements. In addition, recent reports have also revealed new, more powerful botnets are being assembled that pose an even greater threat.

With millions of networks now compromised, we need to review our decades-old approach to DDoS security where we only monitor the network for threats from outside the security perimeter.

This is no longer effective as threats from inside the network are just as serious.

Over the last year, we have seen a number of DDoS attacks from a new botnet program called Mirai. In the much-reported 2016 Dyn attack, the Internet DNS provider was brought down and services were disrupted for millions of users for multiple hours. Since then, Mirai has been used as the basis for a number of other attacks -- all of them notable for their use of Internet of things (IoT) devices such as baby monitors, routers, cameras and digital video recorders.

In October, Check Point Research and Qihoo 360 both announced a new threat which may be an outgrowth of Mirai, but is more sophisticated in its ability to hack devices. At that time, this new botnet -- referred to as IoTroop or Reaper -- had reportedly spread to over 1 million networks. Though updated reports confirmed the number is closer to 28,000, the potential magnitude of the new threat remains high. Again, household IoT devices have been targeted.

However, this botnet has made "improvements" upon Mirai's malware so the compromised IoT devices are capable of spreading the infection themselves.

So far, no known attack has been carried out using the Reaper botnet. But it is growing quickly and poses a serious potential threat. As Checkpoint noted: "Research suggests we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come."

Defending against Reaper-style attacks
This calm before the storm is a good time to review our defense strategies to see if we are truly ready for Reaper, or even more sophisticated botnets of the future.

The traditional thinking around DDoS attacks can be characterized as the "Maginot Line" approach -- stemming from the famous WWII failed defensive perimeter set up by France, which the German army simply drove around. In following this approach, a strong defensive perimeter is built that is designed to guard against attacks from outside the network.

However, this strategy assumes threats come from outside, not inside, where they can be equally damaging.

The design of the Mirai malware and Reaper botnets reveals the weakness of the Maginot Line approach.

Reaper is currently infecting IoT devices, but its controller has yet to activate them. Those devices are also busy propagating the infection to other devices on their own networks. With so many networks already compromised, there is no "outside" or "inside" to the next attack. IoT devices throughout an internal network may now be compromised by Reaper, and can be turned against the network at any time.

Antiquated perimeter defense strategies are only the tip of the iceberg when it comes to the shortcomings of legacy DDoS approaches. Designed decades ago, DDoS solutions were primarily intended to pick up traffic from one, or in some cases, a few attack vectors.

These defenses would then redirect all traffic from those vectors to scrubbers -- or purpose-built mitigation machines that would clean all the traffic.

Today's attacks come from millions of vectors at once.

Each IoT device alone is not capable of sending large amounts of traffic, but millions of them can cause significant damage.

For instance, the Mirai botnet is known to be creating massive sleeper armies by infecting potentially millions of subscriber IoT devices and personal computers with 2G uplinks. These "zombie" devices can then be called to action at any time resulting in subscribers attacking their own network. Such an internal attack, combined with traffic from hijacked multi-gigabit cloud servers, creates a one-two punch that can quickly bring a network to its knees.

Finally, sending large volumes of infected traffic to scrubbers is a kind of brute force approach that is prone to false negatives which can result in uninfected traffic being unnecessarily processed. Additionally, the legacy dedicated hardware used to identify attacks isn't capable of keeping up with today's multi-vector outbreaks, even when they are strictly external.

A more intelligent approach
Software-based, multi-dimensional analytics are a new approach to DDoS defense that use a more elegant and faster method to attack detection. Combining real-time network telemetry with advanced network analytics and other data, such as DNS and BGP -- among others -- provides the ability to see down to the source of attack traffic in real time.

Multi-dimensional analytics provide visibility into everything from IoT devices to cloud applications and services -- determining which is friend or foe. Analytics can also be paired with big data approaches to traffic modeling that compare a potential event to past attack profiles, which enables them to avoid false negatives by being more precise about what degree of variability from "normal" is acceptable.

To block the zombie personal computers, IoT devices or cloud servers that are carrying out the attack, the network operator can use simple, effective filters at the peering edge of the network.

Every vector of the attack can be identified, pinpointing the endpoints and allowing for surgically precise mitigation. The offending traffic doesn't have to be sent to scrubbers as it is simply blocked at the edge. The ability to identify the endpoints of the attack in real time also means that as the attackers attempt to play cat and mouse with network security operations, the rapidly changing attack vectors can be identified and counteracted.

Sophisticated DDoS attacks such as Reaper will continue to test the limits of today's defense strategies by preying upon the mass proliferation of inexpensive IoT devices and insecure cloud services, especially those less than 10GB.

What remains is an increasingly complex environment where distinctions, such as outside and inside the network, have little relevance. The best defense are new approaches to detection and mitigation that work for attacks from any vector. As the world waits for the next "cyber hurricane" to erupt, network operators have the opportunity to adopt a software-based, multi-dimensional analytics approach to protect themselves from this new generation of DDoS attacks.

Related posts:

— Naim Falandino is the chief scientist for Nokia Deepfield.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8720
PUBLISHED: 2020-08-13
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
CVE-2020-12300
PUBLISHED: 2020-08-13
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-12301
PUBLISHED: 2020-08-13
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-7307
PUBLISHED: 2020-08-13
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
CVE-2020-8679
PUBLISHED: 2020-08-13
Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version 26.20.100.7755 may allow an authenticated user to potentially enable denial of service via local access.