This is a 7-part introduction to Cybersecurity. The third and following parts of the guide introduce the reader to a case study:
Which Technologies, Products/Providers Can Be Used To Counter 2 threats (DDOS attack and SQL Injection)?
The array of possible defense techniques includes the following, but the final mix of solutions depends on the actual circumstances, which still need to be examined:
Firewalls: In the case of a simple attack, a firewall could have a simple rule added to deny all incoming traffic from the attackers, based on protocol, port or originating IP address. More complex attacks will, however, be hard to block with simple rules: for example, if there is an ongoing attack on port 80 (web service), it is not possible to drop all incoming traffic on this port, because doing so would also prevent the server from serving legitimate traffic. Additionally, firewalls may sit too deep in the network hierarchy, so that the routers in front of them are saturated before the traffic ever reaches the firewall.
Switches: Most switches have some rate-limiting and ACL (Access Control List) capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and bogon filtering (dropping packets whose source addresses are unallocated or unroutable) to detect and remediate denial-of-service attacks through automatic rate filtering and WAN link failover and balancing.
Routers: Similar to switches, routers have some rate-limiting and ACL capability, and these too have to be configured manually. Most routers can be easily overwhelmed under a DoS attack. Cisco IOS (Internetwork Operating System) has optional features that can reduce the impact of flooding.
Application front-end hardware: Application front-end hardware is intelligent hardware placed on the network before traffic reaches the servers; it is used in conjunction with routers and switches. It analyzes data packets as they enter the system and classifies them as priority, regular or dangerous. There are more than 25 bandwidth management vendors.
IPS-based prevention: Intrusion prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among attacks is to carry legitimate content but bad intent. Intrusion prevention systems that work on content recognition cannot block behavior-based DoS attacks.
Clean pipes: All traffic is passed through a “cleaning center” or “scrubbing center” via various methods such as proxies, tunnels or even direct circuits; the center separates out “bad” traffic (DDoS as well as other common Internet attacks) and forwards only the good traffic to the server. The provider needs central connectivity to the Internet to manage this kind of service, unless the customer and the scrubbing center happen to be located in the same facility.
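To make the switch and router entries of this list concrete, here is an added Python example (not code from the original article): a small edge filter that applies bogon filtering and a per-source token-bucket rate limit to a constructed one-second capture of port-80 traffic, instead of the blanket port-80 deny that the firewall paragraph warns against. The prefix list, rates, addresses and traffic mix are all constructed for illustration, and the bogon list is a deliberate subset of the well-known one.

```python
import ipaddress
from collections import defaultdict

# Bogon filtering (constructed subset of the well-known list): these prefixes are never
# legitimately routed on the public Internet, so a packet claiming one as its source is
# forged or leaked. The documentation ranges 198.51.100.0/24 and 203.0.113.0/24 are left
# out on purpose so they can stand in for ordinary public clients below.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_bogon(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_PREFIXES)


class TokenBucket:
    """Per-source rate limiter: `rate` packets/s sustained, up to `burst` packets at once."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:                     # refill for the time elapsed
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeFilter:
    """What a switch/router ACL can do short of a blanket 'deny tcp/80': drop bogon
    sources first, then rate-limit every remaining source on its own bucket, so a
    single heavy source is throttled while ordinary clients keep flowing."""

    def __init__(self, per_source_pps=16, burst=10):
        self.buckets = defaultdict(lambda: TokenBucket(per_source_pps, burst))
        self.stats = {"bogon": 0, "rate_limited": 0, "forwarded": 0}

    def process(self, t, src):
        if is_bogon(src):
            verdict = "bogon"
        elif not self.buckets[src].allow(t):
            verdict = "rate_limited"
        else:
            verdict = "forwarded"
        self.stats[verdict] += 1
        return verdict


def run_scenario():
    """Constructed one-second capture of port-80 traffic: a legitimate client at 4 pps,
    one flooder at 512 pps from a single real address, and a spoofer using private-range
    sources. Buckets are per source, so the three streams can be replayed one after another."""
    f = EdgeFilter(per_source_pps=16, burst=10)
    legit = sum(f.process(i / 4, "198.51.100.7") == "forwarded" for i in range(4))
    flood = sum(f.process(i / 512, "203.0.113.200") == "forwarded" for i in range(512))
    spoof = sum(f.process(i / 128, f"10.0.{i}.1") == "forwarded" for i in range(100))
    return legit, flood, spoof, dict(f.stats)
```

The flooder from a single real address is throttled to roughly burst plus rate times elapsed time (25 of 512 packets get through), while the legitimate client is untouched. The spoofed packets are caught only because they use private-range sources; an attacker forging unrelated public addresses, as the text later notes, gets a fresh bucket per forged source and passes straight through, which is why per-source limits alone do not stop a distributed flood and why the scrubbing options exist.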
For example, in a typical DDoS attack:
The attacker begins by exploiting a vulnerability in one computer system and making it the DDoS master, the device that controls the others (in networking, a master/slave configuration is a communications model in which one device or process, the master, controls one or more other devices or processes, the slaves).
The attack master, also known as the botmaster, identifies and infects other vulnerable systems with malware. Eventually, the assailant instructs the controlled machines to launch an attack against a specific target.
If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity can be affected, without the attacker’s knowledge or intent, through incorrectly configured network infrastructure equipment.
The most serious attacks are distributed and in many or most cases involve forging of IP sender addresses, so that the location of the attacking machines cannot easily be identified, nor can filtering be done based on the source address. It is now known that one of the suspects is based in Northern Ireland. Hopefully he will share information about the techniques he used.
Examples of attack techniques:
SYN Flood: A SYN flood occurs when a host sends a flood of TCP SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to open a half-open connection: it sends back a TCP SYN-ACK (acknowledgement) and waits for the final ACK from the sender address to complete the three-way handshake. However, because the sender address is forged, the response never comes. These half-open connections saturate the number of connections the server can track, keeping it from responding to legitimate requests until the entries time out after the attack ends.
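To show why a flood of SYNs from forged addresses exhausts a server, and how SYN cookies remove the exhaustible state, here is an added Python example that is not code from the original article. It models a classic stateful listener with a fixed backlog and a SYN-cookie listener that keeps nothing per connection (the same principle as Linux tcp_syncookies), then replays a constructed flood plus one legitimate client through each. Backlog size, timeout, addresses and the HMAC secret are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    src: str
    sport: int
    t: float   # arrival time in seconds (constructed, relative to capture start)


class StatefulListener:
    """Classic TCP listener: each SYN occupies a backlog slot until the final ACK
    arrives or the half-open entry times out. Forged sources never ACK."""

    def __init__(self, backlog, syn_timeout):
        self.backlog, self.syn_timeout = backlog, syn_timeout
        self.half_open = {}   # (src, sport) -> time the SYN-ACK was sent
        self.dropped = 0

    def _expire(self, now):
        for key, sent in list(self.half_open.items()):
            if now - sent > self.syn_timeout:
                del self.half_open[key]

    def on_syn(self, syn):
        self._expire(syn.t)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1          # backlog full: legitimate SYNs are lost too
            return False
        self.half_open[(syn.src, syn.sport)] = syn.t
        return True

    def on_ack(self, src, sport, now):
        self._expire(now)
        return self.half_open.pop((src, sport), None) is not None


class SynCookieListener:
    """SYN-cookie listener: keeps no state on SYN. The SYN-ACK sequence number is an
    HMAC of the connection tuple and a coarse time slot; only a client that really
    received the SYN-ACK can echo it back (plus one) as its ACK number."""
    SLOT_SECONDS = 64

    def __init__(self, secret):
        self.secret = secret   # constructed; a real stack rotates this

    def _cookie(self, src, sport, slot):
        msg = f"{src}:{sport}:{slot}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, syn):
        # returned value is sent as the SYN-ACK sequence number; nothing is stored
        return self._cookie(syn.src, syn.sport, int(syn.t // self.SLOT_SECONDS))

    def on_ack(self, src, sport, ack, now):
        slot = int(now // self.SLOT_SECONDS)   # accept the current and previous slot
        return any((self._cookie(src, sport, s) + 1) & 0xFFFFFFFF == ack for s in (slot, slot - 1))


def forged_flood(count=300):
    """Constructed flood: SYNs from forged 203.0.113.0/24 addresses within one second."""
    return [Syn(f"203.0.113.{i % 256}", 40000 + i, i / count) for i in range(count)]


def stateful_scenario():
    lst = StatefulListener(backlog=128, syn_timeout=60.0)
    for s in forged_flood():
        lst.on_syn(s)

    def legit_connects(when):
        syn = Syn("198.51.100.7", 51515, when)
        return lst.on_syn(syn) and lst.on_ack(syn.src, syn.sport, when + 0.05)

    during = legit_connects(1.0)    # backlog saturated by half-open entries
    after = legit_connects(91.0)    # entries have timed out; service recovers
    return during, after, lst.dropped


def cookie_scenario():
    lst = SynCookieListener(b"constructed-secret-rotate-in-production")
    for s in forged_flood():
        lst.on_syn(s)                # nothing stored, nothing to exhaust
    syn = Syn("198.51.100.7", 51515, 1.0)
    seq = lst.on_syn(syn)
    genuine = lst.on_ack(syn.src, syn.sport, (seq + 1) & 0xFFFFFFFF, 1.05)
    forged = lst.on_ack("203.0.113.9", 40009, 0x12345678, 1.05)   # guessed ACK number
    return genuine, forged
```

In the stateful model the legitimate client is refused while 128 half-open entries from addresses that will never answer sit in the backlog, and it only gets through once they time out. The cookie listener accepts the same client during the flood and rejects a guessed ACK. The price, which real implementations pay, is that the negotiated MSS has to be packed into the cookie bits and other TCP options are lost, so stacks typically enable cookies only once the backlog comes under pressure.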
HTTP POST DDoS attack: First documented in 2009, the HTTP POST attack sends a complete, legitimate HTTP POST header, which includes a Content-Length field specifying the size of the message body to follow. The attacker then sends the actual message body at an extremely slow rate (e.g. 1 byte every 110 seconds). Because the headers are correct and complete, the target server honours the Content-Length field and waits for the entire body to arrive, tying up the connection for as long as the trickle continues. Combined with the fact that Apache will, by default, accept request bodies up to 2 GB in size, this attack can be particularly powerful. HTTP POST attacks are difficult to differentiate from legitimate connections and are therefore able to bypass some protection systems. OWASP, an open source web application security project, has released a testing tool to check the resilience of servers against this type of attack.
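As an added example that is not part of the original article, the following Python code shows the server-side counter to this attack: a guard that caps the declared Content-Length and enforces a minimum body transfer rate, modelled on the semantics of Apache's mod_reqtimeout (RequestReadTimeout body=20,MinRate=500) and LimitRequestBody. The class, thresholds and traffic timelines are constructed for illustration; a real server would drive on_chunk and on_idle from its socket read loop.

```python
class BodyReadGuard:
    """Enforces a minimum body transfer rate for one request, mirroring the policy that
    Apache's mod_reqtimeout expresses as RequestReadTimeout body=<initial>,MinRate=<bytes/s>:
    the client gets `initial` seconds to start sending, and every byte received buys
    1/min_rate more seconds. All numbers below are constructed for the example."""

    def __init__(self, content_length, start, initial=20.0, min_rate=500, max_body=1_048_576):
        self.content_length = content_length
        self.max_body = max_body          # cap comparable to LimitRequestBody; the 2 GB default is what the attack exploits
        self.min_rate = min_rate
        self.received = 0
        self.deadline = start + initial   # extended as data arrives

    def headers_ok(self):
        """Reject at header time if the declared body exceeds the cap."""
        return self.content_length <= self.max_body

    def on_chunk(self, now, nbytes):
        """Body bytes arrived at `now`: 'abort' if past the deadline, 'complete' when done, else 'wait'."""
        if now > self.deadline:
            return "abort"
        self.received += nbytes
        self.deadline += nbytes / self.min_rate
        return "complete" if self.received >= self.content_length else "wait"

    def on_idle(self, now):
        """Called by the server's read loop while blocked; abort once the deadline has passed."""
        return "abort" if now > self.deadline else "wait"


def replay(guard, chunks):
    """Replay constructed (arrival_time, nbytes) events through the guard; return the final verdict."""
    if not guard.headers_ok():
        return "reject-too-large"
    verdict = "wait"
    for t, n in chunks:
        verdict = guard.on_chunk(t, n)
        if verdict != "wait":
            break
    return verdict


def legitimate_upload():
    """200 KB body at about 50 KB/s: twenty 10 KB chunks, one every 0.2 s."""
    guard = BodyReadGuard(content_length=200_000, start=0.0)
    return replay(guard, [(0.2 * (i + 1), 10_000) for i in range(20)])


def slow_post_attack():
    """The attack from the text: 1 byte every 110 s against a declared 1 MB body."""
    guard = BodyReadGuard(content_length=1_000_000, start=0.0)
    return replay(guard, [(110.0 * (i + 1), 1) for i in range(10)])


def oversized_declaration():
    """A 2 GB Content-Length is refused before any body byte is read."""
    guard = BodyReadGuard(content_length=2 * 1024**3, start=0.0)
    return replay(guard, [])


def idle_connection():
    """A client that sends headers and then nothing at all is dropped at the initial deadline."""
    guard = BodyReadGuard(content_length=5_000, start=0.0)
    return guard.on_idle(now=20.5)
```

The slow sender is cut off at its first body chunk, because 110 seconds have passed against an initial allowance of 20, while the normal upload keeps extending its own deadline as bytes arrive. Since the attacker's headers really are legitimate, this is a behavioural, per-connection check of the kind that the IPS paragraph above says signature matching cannot provide.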
1) Technology providers (Source: Forrester Research & IP Expo Europe):
The DDoS services space is growing in importance because distributed denial of service attacks now represent a considerable percentage of the total number of threats against organizations of all sizes. DDoS has historically focused on disruption, but today it is more frequently an opening salvo for more complex attacks that result in theft of sensitive data or valuable intellectual property.
There is no need for a company to implement its own DDoS solution on-premises, as there is a significant number of effective outsourcing partners that can offer better DDoS protection than what security and risk pros can build themselves.
There are two primary modes of delivering DDoS services: 1) on-demand and 2) always-on.
For both modes, vendors offer a hybrid option, so customers can use their own scrubbing facility for attacks that fall below a certain threshold of velocity and volume but fail over to the vendor during larger attacks. All of the vendors in this space provide all deployment models; their preferred approach depends on their infrastructure, their provisioning process, the geographic distance between the customer’s data center and their scrubbing center, and their available bandwidth. Security professionals should weigh the pros and cons of each option:
On-demand solutions provide defensive services only when needed. They are started manually or automatically when either the customer or the vendor detects a DDoS attack. Vendors sell this mode when attack volume is low and the primary concern is application latency, since outside of an attack traffic flows directly to the customer. During an attack, the customer (or the vendor acting on the customer’s behalf) uses either BGP (Border Gateway Protocol) route changes or DNS redirection to send the network traffic through the vendor’s scrubbing infrastructure.
Always-on solutions don’t require routing or DNS changes at attack time, because all traffic permanently flows through the vendor’s infrastructure. These solutions are best when attacks are frequent. Many of the providers that offer always-on solutions indicate that they have little impact on application latency. They also work well with content delivery, as the vendor can bundle DDoS protection with content delivery services.
Hybrid solutions offer the best of both worlds. They allow security pros to use their own on-premises DDoS scrubbing and web application firewalls as a first line of defense; when these become overwhelmed, the customer redirects traffic to the vendor’s scrubbing center for additional remediation capacity.
DDoS service providers help organizations of all sizes to protect against threats to online resources without having to incur extensive capital expenses or expanded headcount. All vendors in this market share core similarities; however, the best ones have clearly advanced features. They:
Offer application and network protection as their centerpiece. DDoS attacks take different forms: they may attempt to overwhelm web and application servers with a large volume of bogus network traffic, or they may try to confuse web applications with malformed requests. The best DDoS service vendors automatically detect both types of attack and either raise an alert or automatically switch on protection for the targeted websites.
Support a broad set of protocols. TCP/IP is the set of network communication protocols that allows the Internet to function, which means it can also bring applications and infrastructure to their knees when used as a weapon. The best DDoS service providers support a broad portfolio of device and protocol protection. More narrowly focused providers cover only a small set of protocols and devices, which could become problematic as attackers get more creative in their methods.
Defend networks and applications. DDoS attacks are not just about the network anymore. Even though application-layer (layer 7) attacks are significantly less frequent than their layer 3 and 4 amplification cousins, these attacks present big challenges to security pros now and will continue to do so.
Employ talented sales, professional services and technical staff. One of the primary reasons for turning to a service provider for security is the quality of the people they bring to solving critical challenges.
Maintain good networks of technology partners, resellers, and system integrators. Security is a team sport, and because of the need for various types of skills, DDoS vendors also have a good network of technology and service partners to benefit their customers.
Jean Lehmann is an independent consultant, cyber security expert and editor and business ambassador to Hedge Think. He was recently a guest lecturer at INSEEC on Banking Management and the Hedge Fund industry, and is a member of Keiretsu Forum, a global investment community of accredited private equity angel investors, venture capitalists and corporate/institutional investors. Jean has extensive consulting experience leading projects such as the market entry strategies of several mid-size to large European financial institutions into the Brazilian market. Jean has considerable knowledge of the Hedge Fund and Asset Management industry, having developed as a quantitative analyst some of the most sophisticated financial models in the structured finance product market for a leading US Hedge Fund and a German investment bank. He also has particular expertise in the field of Network Security and Cryptography. As a research staff member at IBM Zurich, he developed innovative algorithms for anonymous communication systems. He was also in charge of Brazilian security consulting services for Gemalto and recently completed a CyberSecurity consulting study for a European airline company. Jean holds an MSc in computer science and telecommunication engineering with an emphasis on network security and cryptography from Eurecom/EPFL, a DEA in financial mathematics from HEC School of Management, and an MBA from the INSEAD/Wharton alliance.