Bank Attacks Round Four: "Good Guys Wield Wooden Shields in Era of Armor Piercing Ammunition"
Immutable Rule #1: All Defenses Decay as a Function of Time"We've made the investments in our shields, they must work" - this statement must have been decried by legions of ancient soldiers as this age-old defense decayed before their eyes and they were crushed on the battlefield. In fact, the graveyard is littered with 'proven' defense strategies which, given time, have decayed to pointlessness. These 'trustworthy' and 'proven' methods finally gave way to newer tactics, technology and/or awareness to the innate problems of the defense strategy itself.
See Also: How to Take the Complexity Out of Cybersecurity
Nowhere is this more self-evident than in numerous IT departments around the world trying to fight the onslaught of cyber attacks. These cyber attacks were launched for a myriad of reasons and leveraged an even greater array of tactics and techniques. In the public's eye they are mostly known as DDoS attacks, however, the truth is that these attacks have taken all forms (volume, non-volume, directed attack, intrusion, malware, etc.) and have been hurled at the near defenseless 'wooden shields' representing today's corporate IT security defenses.The irony of today's environment is that more and more organizations realize that DDoS threats should receive higher priority in their security planning. However, many still believe that the traditional security tools such as firewalls and Intrusion Prevention Systems (IPS) can help them deal with the DDoS threat - like the belief that the wooden shield would protect an army as it always had done. I would like to explain why organizations should not count on their firewall and IPS, or any 'stateful device,' when it comes to mitigating DDoS attacks.
Earlier this year, our Emergency Response Team (ERT) released its annual security report based on dozens of DoS and DDoS attacks that occurred in 2012. The report found that in 33% of cases, the firewall and IPS devices were the main bottlenecks during the attack. In fact, the humbling truth was that, taken collectively, failure of security hardware devices represented the largest origin of business outages in 2012.
Why are Firewalls and IPS's in particular so horrible at stopping DDoS attacks? The simple answer is that they were not designed to do so. Firewalls and IPS focus on examining and preventing the intrusion of one entity at a time, but were not designed to detect the combined behavior of legitimate packets sent millions of times. Of course, this is a bit simplified. What follows, however, is a more detailed explanation of firewall and IPS shortcomings when it comes to effectively blocking DDoS attacks.
Firewalls and IPS's track all connections for inspection and store them in a connection table -- this makes them 'stateful.' Stateful is a desirable treat when dealing with integrity-based security inspection or review for known threats such as malware and intrusions. In stateful inspection, every packet is matched against the connection table to verify that it was transmitted over an established, legitimate connection.
The typical connection table can store tens of thousands of active connections, which is sufficient for normal network activity. However, a DDoS attack may include thousands, or tens of thousands of packets per second. As the first device in the organizational network to handle the traffic, the firewall or IPS will open a new connection in its connection table for each malicious packet, resulting in the quick exhaustion of the connection table. Once the connection table reaches its maximum capacity, it will not allow additional connections to be opened, ultimately blocking legitimate users from establishing connections.
Cyber attack mitigation devices, on the other hand, include a stateless protection mechanism that can handle millions of connection attempts without requiring connection table entries or exhausting other system resources.
There are many attack vectors such as HTTP floods (both encrypted and non-encrypted versions) that are composed of millions of legitimate sessions. Each session on its own is legitimate, and therefore cannot be marked as a threat by firewalls and IPS. The problem of course is that firewalls and IPS were not designed to look at the behavior of millions of concurrent sessions as a whole, but only to examine individual sessions. This eliminates the ability to identify an attack composed of millions of valid requests.
DDoS attacks have another attribute that really isn't fundamentally covered by Firewalls and IPS solutions, which is that DDoS attacks can affect the operation of the very first devices they come in contact with in an environment if they are left unprotected. IPS's and Firewalls are all too often deployed too close to the protected servers and are not deployed as the first line of defense. The result is that DDoS attacks go through the protected data center without being detected by the traditional network security solutions.
There is little doubt that the increasing incidence of cyber attacks and the quick use and sophistication of DDoS techniques have fundamentally changed the security landscape. As organizations adjust their security architecture to effectively mitigate the rise in availability-based attacks, there is no question that the tools they deploy must continue to evolve as well. While firewalls and IPS continue to play an important role in protecting the network, today's threats require new shields that contain more than just a design by fortitude to protect against the surliest of today's attack types. Moreover, in today's fast-moving technological landscape, these shields must be evaluated by both the user and designer for adequacy and soundness. Today's shields must secure both the network and application's layers of an enterprise, as well as effectively distinguish between legitimate and illegitimate traffic to keep organizations up and running.
Carl Herberger is the Vice President of Security Solutions at Radware, a leader in application delivery and security solutions that assures the availability, performance, and resilience of business-critical applications for over 10,000 enterprises and carriers worldwide.
Carl, a recognized information security expert, draws on his extensive information security background in both the private and public sectors. He began his career in the U.S. Air Force as a computer warfare specialist at the Pentagon and managed critical operational intelligence programs aiding both the National Security Council and Secretary of the Air Force. Carl founded Allied InfoSecurity and held executive security positions at BarclayCard US, SunGard and Campbell Soup Co.