Internet security is an increasing concern due to a rise in the number and sophistication of web attacks. Companies are turning to Internet-based options to bolster internal security capabilities and are increasingly implementing multi-layered defence systems that are always ‘on’, proactive and use cloud-based security where it is relevant.
The rise in volume and complexity of cyber-attacks is facilitated by the fact that they are now easier than ever to launch. User-friendly tools, often developed for internal test purposes, are available to those with malicious intent, determined to benefit from the increased value of online assets and encouraged by the small investment required to fund online sabotage and economic espionage. In addition, the ability to launch larger attacks constantly grows as the adoption of fast broadband connectivity and more powerful computers and mobile devices rises. These resources can be hijacked by attackers with malicious code, or bots, and used to carry out distributed attacks. The capacity of available IT defences to mitigate the largest attacks and the insight and expertise to keep them current are now critical factors in determining the safety and availability of a company’s online assets.
Creative Use of Reflection Attacks
A key trend is the increasing use of reflection techniques to launch large Distributed Denial of Service (DDoS) attacks. In a reflection attack the target system is not attacked directly; instead, services such as the Domain Name System (DNS) or the Network Time Protocol (NTP) are misused. DNS and NTP run over the User Datagram Protocol (UDP), which is connectionless, so an attacker can conceal its identity by substituting a spoofed source address.
Akamai estimates that a large percentage of DDoS attacks use reflection techniques. It is easy to get NTP and DNS servers to respond with significantly more traffic (over 500 times amplification) than they receive, and attackers do not need to establish control over a server or a device to launch a reflection attack. In addition, DDoS-for-hire services combined with creative reflection techniques are being used more and more because of the low investment involved, which means even low-skilled individuals can launch large-scale DDoS attacks.
DDoS Attacks Utilise Internet of Things
Attackers can also integrate their tools into a larger spectrum of potential botnets, which are then used to launch even more widespread DDoS attacks. The new botnet agents include smartphones, wearables, embedded devices, client-side splitters and cable modems, all encompassed under the umbrella term "Internet of Things".
These devices are used in connection with Simple Service Discovery Protocol (SSDP) reflection attacks. SSDP is part of the Universal Plug and Play (UPnP) protocol suite, which allows devices such as printers, cable modems, webcams, Smart TVs and smart meters to be controlled via an IP-based network, with or without a residential gateway. SSDP enables networked devices such as a PC, an Internet gateway or a WLAN router to detect the presence of other SSDP-enabled devices and to establish a communication link. The devices can then be controlled via the Simple Object Access Protocol (SOAP).
Cyber attackers have found that SOAP requests which solicit responses can be used to increase the size and quantity of data packets directed at their targets. These DDoS attacks, launched from IoT devices, rely on reflection as a key element. This is also a good example of how threats and methods evolve over time: where SSDP attacks were unheard of two years ago, they are now the most commonly seen type of DDoS attack, comprising over 20% of the total seen across Akamai’s intelligent platform in the first 12 weeks of this year (Akamai State of the Internet Security Report Q1, 2015).
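The common thread in the DNS, NTP and SSDP attacks described above is what they look like from the victim's side: many UDP responses from well-known service ports arriving at one host that never sent the matching requests, with a response volume far larger than any request volume. The following script is an added illustration of that detection idea, not code from the article or from Akamai. It parses constructed flow records (a whitespace-separated `src_ip src_port dst_ip dst_port proto packets bytes` format assumed here for the example) and flags hosts receiving unsolicited or heavily amplified replies on UDP 53, 123 and 1900; the thresholds `min_reflectors` and `min_ratio` are assumptions to be tuned per network.

```python
"""Flag likely UDP reflection/amplification traffic in flow records.

Added example (not from the article or Akamai). Defender-side check: look
for many replies from well-known UDP service ports (DNS 53, NTP 123, SSDP
1900) arriving at one host with few or no matching requests from that host,
and a high response-to-request byte ratio.
"""
from collections import defaultdict
from dataclasses import dataclass

# Services the article names as reflection sources.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one record: 'src_ip src_port dst_ip dst_port proto packets bytes'."""
    f = line.split()
    return Flow(f[0], int(f[1]), f[2], int(f[3]), f[4].upper(), int(f[5]), int(f[6]))


def analyse(flows, min_reflectors=3, min_ratio=10.0):
    """Return {victim_ip: {service: stats}} for hosts that look reflected-on.

    A host is flagged for a service when at least `min_reflectors` distinct
    servers reply to it and either some replies had no request from the host
    (unsolicited) or the byte ratio of replies to requests exceeds `min_ratio`.
    """
    # (victim, service_port) -> {server_ip: bytes}
    responses = defaultdict(lambda: defaultdict(int))
    requests = defaultdict(lambda: defaultdict(int))
    for fl in flows:
        if fl.proto != "UDP":
            continue
        # Reply from a service port towards a host.
        if fl.src_port in REFLECTOR_PORTS:
            responses[(fl.dst_ip, fl.src_port)][fl.src_ip] += fl.bytes
        # Request from a host towards a service port (a 53->53 flow counts as both).
        if fl.dst_port in REFLECTOR_PORTS:
            requests[(fl.src_ip, fl.dst_port)][fl.dst_ip] += fl.bytes

    findings = {}
    for (victim, port), by_server in responses.items():
        resp_bytes = sum(by_server.values())
        req_map = requests.get((victim, port), {})
        req_bytes = sum(req_map.values())
        unsolicited = [s for s in by_server if s not in req_map]
        ratio = resp_bytes / req_bytes if req_bytes else float("inf")
        if len(by_server) >= min_reflectors and (unsolicited or ratio >= min_ratio):
            findings.setdefault(victim, {})[REFLECTOR_PORTS[port]] = {
                "reflectors": len(by_server),
                "unsolicited": len(unsolicited),
                "response_bytes": resp_bytes,
                "request_bytes": req_bytes,
                "amplification": ratio,
            }
    return findings


# Constructed sample flows (documentation address ranges, not real traffic):
# - 203.0.113.10 receives large NTP replies from five servers it never queried.
# - 203.0.113.20 does one ordinary DNS lookup (request and reply both present).
# - 203.0.113.30 sent one small SSDP request but gets large replies from three servers.
SAMPLE_FLOWS = [
    "198.51.100.1 123 203.0.113.10 40000 UDP 1200 560000",
    "198.51.100.2 123 203.0.113.10 40000 UDP 1200 560000",
    "198.51.100.3 123 203.0.113.10 40000 UDP 1200 560000",
    "198.51.100.4 123 203.0.113.10 40000 UDP 1200 560000",
    "198.51.100.5 123 203.0.113.10 40000 UDP 1200 560000",
    "203.0.113.20 51515 192.0.2.53 53 UDP 1 80",
    "192.0.2.53 53 203.0.113.20 51515 UDP 1 200",
    "203.0.113.30 49152 198.51.100.50 1900 UDP 1 100",
    "198.51.100.50 1900 203.0.113.30 49152 UDP 60 30000",
    "198.51.100.51 1900 203.0.113.30 49152 UDP 60 30000",
    "198.51.100.52 1900 203.0.113.30 49152 UDP 60 30000",
]


def run_sample():
    """Analyse the constructed sample and return the findings dictionary."""
    return analyse(parse_flow(line) for line in SAMPLE_FLOWS)


if __name__ == "__main__":
    for victim, services in run_sample().items():
        for service, stats in services.items():
            print(f"{victim}: {service} reflection suspected {stats}")
```

The check deliberately keys on absence of requests rather than on raw volume alone, because a busy resolver or NTP client legitimately receives plenty of replies on these ports; a single-server lookup such as the DNS example is left alone, while the victim that sent one SSDP probe is still flagged because two of the three replying servers were never asked.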
Greater Protection against Cyber Attacks
The number, volume and complexity of DDoS attacks have increased greatly over the last year. Estimates suggest that almost half of them involve multi-vector attacks, in which multiple attack processes are used and often in combination with reflection technology. As more companies use cloud services for their Web applications with access via fixed or mobile end devices, infrastructure and applications in data centres are put at risk.
If IT systems and applications are located exclusively on-premises, IT security measures can focus on that single location. However, today's use of private and hybrid clouds has changed this approach to IT security: the defence lines deployed to secure infrastructure now need to be spread across several physical sites and data centres.
Companies can no longer rely on purely on-premises solutions, which have limited capacity to deal with volumetric attacks. With the average size of a DDoS attack seen against Akamai customers ranging from 5 to 10 Gbps in 2014 (and the largest peaking at over 320 Gbps), it is easy to see how the traditional method of relying on firewalls in local data centres is inadequate in today's threat landscape.
To counter threats effectively, companies should take advantage of the distributed nature of the Internet and implement IT security systems that are multi-layered and deep, just like the attacks themselves.
This means several overlapping security layers, each using different methods and processes for protection. Cloud-based services act as the cornerstone of a solution that provides both protection and availability for critical company applications and data. This kind of approach overcomes the weaknesses inherent in traditional perimeter and internal security systems.
A multi-faceted approach leverages the highly distributed, scalable and flexible architecture of the Internet to protect infrastructure, Web applications and databases, and so prevents downtime and data loss. Cloud-based security and availability solutions offer an always-on and/or an on-demand security system; they are highly scalable and easy to access, and they reduce the total cost of ownership for planning and maintaining IT security measures. This solution requires a highly distributed, network-overlapping cloud infrastructure that stops attacks at the edge, close to where they originate, and enables real-time responses to any changes. Keeping malicious requests as far away from the origin web servers as possible limits their ability to exploit data centre resource bottlenecks such as inbound bandwidth and server CPU and memory.
A cloud-based security solution must also be able to stop frequent DDoS attacks as soon as possible. If network-level traffic does not carry the information required to route it to the company's websites, it is automatically treated as malicious or erroneous.
In contrast to attacks on infrastructure, cyber-attacks on applications cannot automatically be stopped at the edge. To protect against application-layer DDoS attacks, a globally active cloud security platform with sufficient capacity is required to absorb high volumes of HTTP and DNS floods before they can reach an application. Alternatively, attack traffic can be redirected to special data centres for "cleaning up". The malicious traffic is removed in these scrubbing centres, and legitimate traffic is forwarded on with only a minimal delay.
Web Application Firewall as Cloud Service
A web application firewall (WAF), consumed as a cloud service, can be employed as an additional layer of protection to combat DDoS attacks at the application level.
Another important element of the overall defence is highly scalable protection against DNS attacks, which target DNS infrastructure, often one of the weak points in a web architecture. Companies often run too few DNS servers, which are quickly overwhelmed in the event of a massive DDoS attack and can then no longer respond to legitimate DNS requests.
In the current threat landscape companies must proceed with great care when taking measures to protect their data centres and digital infrastructure. Efficient IT security requires multi-layered protection mechanisms, using a cloud-based outer protection wall to complement the traditional on-premises measures already in place, so that the protection system remains flexible and scalable in response to high-volume attacks and can contain them.