Understanding Denial of Service (DoS) Attacks
April 25, 2017
Categories: News. Tags: DoS and network security.
The past couple of years have seen a marked resurgence of denial of service (DoS) attacks. Not only is this availability-threatening class of attack firmly back on the radar screens of today’s network and security operations teams, but the nature of the threat has changed as well. The largest Internet companies are no longer the primary targets. Now every business, regardless of size or industry segment, is at risk. Detecting these attacks is also much harder than in the past, as stealthy, low-bandwidth application layer variants focused on exhausting backend resources join the ever-familiar, high-volume attacks intended to flood network pipes or knock over critical network devices/services.
Understanding the DoS landscape
Once a staple of hackers intent on disrupting the largest properties on the Internet, DoS attacks later faded into the background in favor of financially motivated attacks. In general, these profit-oriented attacks required stealthier, non-disruptive techniques to accomplish their goal of stealing valuable data. During this period, DoS attacks were used primarily for extortion. In this scenario, the bad guy threatens to execute a DoS attack unless a nominal payment is received by a certain deadline. Pay, and you get a nice “thank you” email; don’t, and your business suffers the consequences.
The return of DoS attacks
Over the past few years, however, DoS attacks have returned with a vengeance. This development can be attributed foremost to their becoming a favored technique for socially and politically motivated attacks. Objectively speaking, they’re a good fit in these cases. It’s not valuable data that matters to the attackers, but getting the attention of the target and, even more important, the public at large.
A notable by-product of this “hacktivism” was the release of free or inexpensive toolkits for creating DoS attacks. Combined with easy access to botnets, these toolkits cemented the return of DoS attacks to the mainstream. They also contributed to a handful of characteristics of the current DoS landscape that are particularly important to acknowledge.
To begin with, low technical and financial barriers to entry mean that practically anyone can execute a DoS attack these days. Secondly, and for the same basic reasons, it is now easy to leverage DoS techniques for financially motivated attacks as well. Such attacks can be accomplished either by directly disrupting a competitor or by using DoS techniques as a smoke screen for a multi-vector attack ultimately designed to steal valuable data. The key take-away here is that every organization is now a potential DoS target, regardless of size, vertical industry or agenda.
The evolution of DoS attacks
While ease of execution has facilitated the return of DoS attacks, another major change is having an equally profound effect when it comes to defending against them. Consistent with what’s happened across the threat landscape in general, DoS attacks are migrating up the computing stack. Because “migrating” suggests a departure from the area of origin, however, it’s more accurate to say that they’re adding new tricks to their arsenal.
Noisy, high-volume, network-focused DoS attacks aren’t necessarily going away. But they are being joined by a new breed of DoS attacks that operate at higher layers of the computing stack. A major challenge with these new attacks is that they often mirror legitimate sessions/transactions, a characteristic that allows them to pass unthwarted through a wide array of defenses, including firewalls and intrusion prevention systems.
A second issue is their increasingly asymmetric nature [shown in Figure 1]. From a technical perspective, this refers to requiring only a relatively small number of application requests and/or small amount of bandwidth to trigger disproportionate consumption of backend resources. From a practical perspective, it again means that they are harder to detect, as unexpected spikes in transaction counts or network traffic are no longer indicators of their presence.
For all that’s changed, however, DoS attacks remain focused on causing resource exhaustion at some point in the end-to-end computing chain—be it the network “pipes,” the state tables of network devices and servers or the processing capacity of application hosts. Staying focused on this fact is the key to formulating a successful DoS mitigation strategy.
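To make the asymmetry described above concrete, here is an added example (written for this article's point, not code from the original page) that compares a naive per-client request-count detector with one that totals the backend time each client consumes, run over a few constructed access-log lines. The log format, client addresses and thresholds are assumptions for the example.

```python
"""Count-based vs cost-based detection of asymmetric application-layer DoS.
Added example, not code from the original article: parses constructed
access-log lines (nginx-like, upstream response time appended) and compares
a per-client request-count detector with a backend-time detector.
"""
import re
from collections import defaultdict

# Constructed sample: <client> "<request>" <status> <upstream_seconds>.
# The field layout is an assumption for this example, not any server's default.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.10 "GET /news/{i}" 200 0.005' for i in range(12)]  # many cheap hits
    + ['198.51.100.7 "GET /search?q=a*" 200 2.410',                 # few requests,
       '198.51.100.7 "GET /search?q=b*" 200 2.530',                 # but each one
       '198.51.100.7 "GET /report?range=all" 200 3.120',            # ties up the
       '198.51.100.7 "GET /search?q=c*" 200 2.480',                 # backend for seconds
       'this line is deliberately malformed']
)

LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) (\d+\.\d+)$')

def parse(log_text):
    """Yield (client, request, status, upstream_seconds); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), float(m.group(4))

def per_client(records):
    """Aggregate request count and total backend seconds for each client."""
    stats = defaultdict(lambda: {"requests": 0, "backend_seconds": 0.0})
    for client, _request, _status, secs in records:
        stats[client]["requests"] += 1
        stats[client]["backend_seconds"] += secs
    return dict(stats)

def flag_by_count(stats, max_requests):
    """Naive detector: volume only. Misses the low-rate, high-cost client."""
    return sorted(c for c, s in stats.items() if s["requests"] > max_requests)

def flag_by_cost(stats, max_backend_seconds):
    """Cost-weighted detector: who is actually exhausting the backend."""
    return sorted(c for c, s in stats.items() if s["backend_seconds"] > max_backend_seconds)

if __name__ == "__main__":
    stats = per_client(parse(SAMPLE_LOG))
    print("by count:", flag_by_count(stats, 10))   # ['203.0.113.10'] (busy but benign)
    print("by cost: ", flag_by_cost(stats, 5.0))   # ['198.51.100.7'] (the asymmetric client)
```

The count-based detector flags the busy but harmless client and misses the one that actually exhausts the backend; weighting by consumed resource rather than transaction volume is what surfaces the asymmetric attack.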
High-level strategies for DoS mitigation
DoS mitigation solutions break down into two general classes: customer premise-based devices and cloud-based service offerings. Within each of these classes there are multiple options, each with its own pros and cons.
Customer premise-based devices
The first DoS mitigation option in this class, and one that quickly needs to be dismissed as a poor choice, is the enterprise firewall or intrusion prevention system. To be fair, these devices often do incorporate a number of DoS protection mechanisms (some more than others). However, these mechanisms are generally limited to counteracting network DoS attacks, and provide no protection against higher-layer variants. Moreover, these devices are inherently stateful. The need to closely track the state of packets and flows passing through them makes the devices themselves susceptible to DoS attacks.
Dedicated DoS mitigation devices are a second option. Although they generally offer a robust set of multi-layer DoS protection mechanisms, they too have some shortcomings. To begin with, they suffer from the same limitation as every other customer premise-based solution: they’re irrelevant if the attack floods your Internet connection(s) and prevents traffic from getting to them in the first place. They’re also likely to be susceptible to SSL-based attacks, which carry a heavy processing penalty, especially in the absence of dedicated hardware for SSL termination and inspection. One other tradeoff to consider is the degree to which any unique DoS prevention capability outweighs the need to purchase, deploy and maintain “yet another device” at each Internet connection of significance.
Already a strategic point of control in most networks, the modern ADC represents a third, often ideal option to pursue. Market-leading ADCs—such as NetScaler—combine a wealth of DoS mitigation capabilities that account for all layers of the computing stack. They even include protection against compute-intensive SSL-based DoS attacks. The result is a solution that provides substantial coverage for DoS threats without the need to implement another set of dedicated devices.
Cloud-based service offerings
The primary advantage of cloud-based DoS mitigation options is that, unlike customer premise-based solutions, they can account for DoS attacks focused on swamping your Internet bandwidth. Generally speaking, the two offerings in this class—content delivery network service providers and anti-DoS service providers—involve datacenters provisioned with massive amounts of bandwidth. This approach inherently enables these options to better cope with volumetric-style attacks. In addition, both types of solution providers have typically made substantial investments in a wide variety of DoS mitigation technologies, since their businesses fundamentally depend on it.
However, there are some significant differences to be aware of, not to mention potential shortcomings. These include:
- Significant variability in coverage provided for higher-layer DoS attacks. To some extent this is unavoidable, because no external provider will ever understand the “features” of your applications better than you do yourself.
- Although CDNs are an always-on solution, they’re generally used only for a subset of an organization’s most important, customer-facing sites and applications. Even then, there are ways attackers might get “around” or “through” the CDN—for example, by blasting away at the controlling IPs or submitting a flood of requests that result in cache misses and have to be served by your source infrastructure.
- In comparison, while anti-DoS scrubbing centers provide coverage for all of an enterprise’s traffic, they’re not always on (because that would be cost prohibitive). Instead, they’re selectively engaged by the customer whenever an attack is detected. This inherently makes them a poor option for higher-layer DoS attacks, which do not always involve brute force and are therefore not as easy to identify when they occur.
The answer: Defense-in-depth strategy
Not surprisingly, the ideal approach is to pursue a defense-in-depth strategy that combines a cloud-based service and a customer premise device operating in a complementary manner. Given the rising prevalence of application-layer attacks, a customer premise solution—in particular an ADC—stands to provide the biggest impact for your investment. It is, therefore, a great place for most organizations to start. That said, making an investment in a DoS scrubbing service capable of thwarting volumetric network attacks probably shouldn’t be too far behind, especially if you’re a high-profile target. – [IRS]