Why Is DDoS Prevention a Challenge?

Transcription

1 ANALYST BRIEF Why Is DDoS Prevention a Challenge? PROTECTING AGAINST DISTRIBUTED DENIAL-OF-SERVICE ATTACKS Authors Andrew Braunberg, Mike Spanbauer Overview Over the past decade, the threat landscape has changed as more and more enterprises and large organizations have moved their mission-critical services online. Competing in global markets driven by just-in-time demand, these enterprises rely on continuous uptime to perform business transactions on a 24/7/365 model. This shift in the business model has, however, engendered a new breed of cyberattacks designed to limit access to these resources. Although distributed denial-of-service (DDoS) attacks technically are not new, they are more effective today than ever before. The relative ease with which DDoS attacks can be launched, the diverse methods by which such attacks can be executed, and the amount of damage that can be caused by a single attack make DDoS attacks a challenge to defend against. Such attacks have proved an effective way to wreak havoc, causing high-profile outages and interruptions to transaction processing. They can be motivated by a wide range of factors, and the acts of taking down websites or blocking financial transactions are effective ways to make statements or cause visible, potentially far-reaching business disruptions. As enterprises look to defend against DDoS attacks, they are turning to DDoS prevention solutions, which offer protection against the different categories of DDoS attacks, and which can take the form of on-premises devices or managed services. Many vendors have entered the DDoS prevention market in recent years, and their solutions should be evaluated carefully.

2 NSS Labs Findings DDoS attacks continue to be one of the most difficult attack vectors to counter. The range of attack methods is growing and diversifying as prebuilt toolkits, and even DDoS attack services, are made more readily available. The widespread availability of attack resources gives the general public the ability to participate in digital riots. Firewalls and other security devices are mistakenly viewed as adequate protection against DDoS attacks. Mitigation against DDoS attacks requires a multifaceted approach that involves network design, traditional security products (for example, intrusion prevention devices [IPS] and firewalls), contingency planning, and dedicated DDoS prevention solutions. NSS Labs Recommendations Evaluate the current network design and security posture within an organization in order to identify applications that could easily be overwhelmed by malicious attacks or spikes in traffic. Establish traffic baselines in order to better determine the extent of abnormal traffic patterns. Test network infrastructures, applications, and servers against the diverse DDoS attack methods used today (volumetric attacks, protocol attacks, application attacks, or a combination of the three) in order to understand the limits and weaknesses of the network. Consider multiple mitigation techniques and products when creating a strategy to address DDoS attacks. Evaluate DDoS prevention solutions in the same manner as other critical security infrastructure components to ensure that the solution itself does not become a vulnerability to the network. 2

3 Table of Contents Overview... 1 NSS Labs Findings... 2 NSS Labs Recommendations... 2 Analysis... 4 The Need for Increased DDoS Protection... 4 Ease of Initiating an Attack... 4 Why DDoS Protection Is a Challenge... 5 Difficulty in Managing Legitimate Spikes Versus Attack Traffic... 5 Requires Increased Architecture, Infrastructure, and Expertise... 5 Wide Range of Attack Types and Techniques... 5 DDoS Attack Types and Evasion Techniques... 6 Evasion Techniques... 7 DDoS Prevention Solutions... 7 Inline Protection... 8 Out-of-Path Protection... 8 Performance Metrics for DDoS Prevention Solutions... 8 Performance Under Attack... 8 Other Security Requirements... 9 Management and Configuration... 9 Reading List Contact Information

4 Analysis As network bandwidth has increased and as critical assets have moved online, prevention of DDoS has become increasingly important for the enterprise. The January 2016 attack against the BBC clearly illustrates the damage that can be done with widely available DDoS tools and services. 1 The BBC turned to DDoS protection vendor Akamai to help mitigate the attack when its infrastructure was overwhelmed. Whether turning to service providers or purchasing devices in-house, organizations are considering their options for DDoS prevention. From evaluating a product s effectiveness in mitigating attacks to ensuring that traditional enterprise-class infrastructure features are in place, organizations must carefully assess different solutions to ensure that DDoS prevention is transparent. The Need for Increased DDoS Protection The sheer volume of business that occurs online requires that enterprises, websites, and partner connections remain operational with as close to 100 percent uptime as possible. In 2015, US retailers reported sales of US$27.9 billion in online merchandise throughout the holiday season, 2 illustrating the importance of online transactions to the national economy. The migration of government services online adds convenience but also creates targets for politically motivated attacks, as recently illustrated during the rollout of Healthcare.gov where a DDoS attack 3 compromised the site and prevented citizens from accessing the enrollment for new healthcare services. Why does DDoS present such a threat? There is no simple answer. Diverse attack drivers; the increased availability of network bandwidth; the pervasiveness of botnets; poor implementation of Internet protocols and applications/services; reliance on Internet-based services; and the high visibility and relative ease of conducting DDoS attacks combine to create an environment where attackers can use DDoS attacks to great effect and where victim organizations struggle to protect against these attacks. Ease of Initiating an Attack Another factor driving the prevalence of DDoS attacks is the relative ease with which these attacks can be initiated. Botnet services are available (prebuilt botnets that an attacker can rent), and recent reports claim botnet pricing to be in the range of US$2 to US$5 per hour for an attack that lasts from several hours to up to three days. 4 The attacker has only to specify the IP address to attack, and the attack will commence. Other attackers might build their own botnets, making use of the many malware kits that are available. Security researchers are partly to blame for the ease with which attack methods can be accessed: DDoS code is often posted on the Internet for the purpose of educating, and thus arming, others against these attacks; however, US-Online-Spending-Day-in-History

5 this information also arms attackers. The cost and complexity of a DDoS attack is low in comparison to most other attacks, and this low barrier to entry allows even non-technical individuals and groups within the general public to launch large-scale attacks with relative ease. This puts all organizations at risk of attack, since any organization may have detractors to its ideology, political affiliation, or business model. Why DDoS Protection Is a Challenge DDoS attacks have a long history, and yet the security industry has had limited success in preventing them. Why do DDoS attacks remain so effective? As previously discussed, they are simple to launch and cost considerably less than targeted persistent attacks (TPAs), which typically require zero-day vulnerabilities and sophisticated programming techniques. Other reasons for their prevailing success include: Difficulty in Managing Legitimate Spikes Versus Attack Traffic No organization wants to block legitimate traffic. Accidentally turning away a customer can have significant financial consequences for an organization. In the case of many DDoS attacks, the traffic that is used to generate the attack often appears legitimate. How does an organization determine whether a spike in traffic is legitimate (for example, a sale or breaking news) or an attack? This dilemma is the reason why organizations are cautious when making decisions on throttling traffic. Without a solid understanding of baselines and historic traffic trends, organizations are unlikely to detect an attack until it is too late. Requires Increased Architecture, Infrastructure, and Expertise The additional architecture, infrastructure, and expertise that an organization requires to prepare for, detect, and mitigate a DDoS attack present another challenge. To manage the sudden influx of traffic that occurs during a DDoS attack, organizations must have the ability to route traffic across various resources. Additional servers, routers, and network resources (such as load balancers) must be in place to manage the additional traffic. Depending on the size of the attack, however, having more resources may not in itself be sufficient. Organizations may require re-routing of all traffic to block offending IP addresses and then permit non-offending IP addresses to pass through to the protected resources. These options for mitigation require extra equipment and specific expertise to configure the infrastructure during an attack. Many organizations do not have this level of sophistication. Wide Range of Attack Types and Techniques The range of DDoS attack techniques available presents yet another challenge. Historically, the concept of a DDoS attack was simply to overwhelm the target with traffic. While many effective attacks rely on this method (the Spamhaus 5 attack used this type of attack to reach rates over 300 Gbps), attackers have also found applicationlevel attacks to be highly effective

6 DDoS Attack Types and Evasion Techniques Volumetric On occasion, the easiest way to prevent access to a target is to consume all of the network bandwidth available. This is the goal behind a volumetric DDoS attack. The attacker, through various means, launches an attack designed to cause network congestion between the target and the rest of the Internet. This volume of traffic can be generated through multiple hosts, for example, a botnet, and leaves no available bandwidth for legitimate users of the resource (whether it is an ecommerce website or a financial services group). Volumetric DDoS attacks generally target protocols that are stateless and do not have built-in congestion avoidance. Examples of volumetric DDoS attacks include (but are not limited to): Internet Control Message Protocol (ICMP) packet floods (including all ICMP message types) Malformed ICMP packet floods User Datagram Protocol (UDP) packet floods (usually containing no application layer data) Malformed UDP packet floods Spoofed IP packet floods Malformed IP packet floods Ping of Death Smurf attack Protocol Attackers can also prevent access to a target by consuming other types of resources. Protocol DDoS attacks are designed to exhaust resources available on the target or on a specific device between the target and the Internet. The devices can include routers, load balancers, and even some security devices. When the DDoS attack consumes a resource such as a device s TCP state table, no new connections can be opened because the device is waiting for connections to close or expire. Protocol DDoS attacks need not consume all of a target s available bandwidth to make it inaccessible. Examples of protocol DDoS attacks include (but are not limited to): SYN floods ACK floods RST attacks TCP connection floods Land attacks TCP state exhaustion attacks Fragmentation attacks TCP window size attacks 6

7 Application Attackers also attempt to prevent access by exploiting vulnerabilities in the application layer. These vulnerabilities can be within an application layer protocol as well as within the application itself. Attacks on unpatched, vulnerable systems do not require as much bandwidth as either protocol or volumetric DDoS attacks in order to be successful. This style of DDoS attack may require, in some instances, as little as one or two packets to render the target unresponsive. Application DDoS attacks can also consume application layer or application resources by slowly opening up connections and then leaving them open until no new connections can be made. Examples of application DDoS attacks include (but are not limited to): HTTP GET floods HTTP POST floods HTTP partial connection floods HTTP overlapping range header attacks DNS amplification attacks Secure Sockets Layer (SSL) exhaustion attacks Session Initiation Protocol (SIP) invite floods Layered Attacks As the name implies, layered attacks use diverse DDoS attacks in an attempt to overwhelm the network and any defenses that may be in place. While some networks may be able to sustain DDoS attack, their resources may soon be exhausted, which would allow an application DDoS attack to successfully bypass protection mechanisms and thus render the target inoperable. Evasion Techniques Attackers can modify basic DDoS attacks to evade detection in a number of ways. If a single evasion is successful and an attack passes through, then all of the defenses in place at that point are nullified. Therefore, it is critical that any defense put up by an organization is capable of detecting and defending against the many evasion techniques available to attackers. Some common evasion techniques use IP fragmentation and stream segmentation. Evasion of defenses may not be critical for attackers if the goal is to overwhelm resources (whether bandwidth or state exhaustion), but as more organizations install better defense evasion techniques, it could become a critical component of future DDoS attacks. DDoS Prevention Solutions Given the scale and complexity of many modern DDoS attacks, and given that firewall and intrusion prevention systems (IPS) cannot always mitigate these attacks, many organizations are selecting DDoS prevention solutions as a critical architectural component in their networks. These solutions provide protection by identifying a specific DDoS attack and then working to minimize its effect on the network and legitimate traffic. The solutions are deployed inline or out-of-path and should have performance and reliability requirements similar to other critical infrastructure components, since they may be required to process potentially large amounts of traffic. 7

8 Inline Protection Inline DDoS prevention solutions adopt the traditional network security device posture of mitigating, or dropping, malicious traffic inline, and as such, typically consist of a single appliance (or multiple appliances for high availability scenarios) and are often deployed in front of or behind the perimeter security device. The appliances can be dedicated stand-alone appliances, or they can be integrated into other traditional security products, such as IPS and next generation firewalls (NGFW). This type of solution is generally deployed in enterprises and small-to-medium data centers, but it is not, however, limited to these environments since it can be designed to handle high throughput scenarios. Out-of-Path Protection The out-of-path posture is one where the DDoS prevention solution actively monitors traffic at an ingress point for malicious activity. Once malicious activity is detected, the DDoS prevention solution uses routing protocols such as border gateway protocol (BGP) to redirect traffic to a dedicated appliance for inspection and to reintroduce the legitimate (i.e., non-malicious) traffic into the network. This type of DDoS prevention solution commonly consists of more than one appliance and is designed to work in higher throughput environments such as large data centers and ISPs. Performance Metrics for DDoS Prevention Solutions Since DDoS protection solutions are intended to run at line rate (even if out-of-path), performance is critical. While DDoS prevention solutions should be held to the same standards as other pieces of network infrastructure, they have the additional challenge of being required to process application traffic. The following are examples of performance metrics that require evaluation when considering DDoS prevention solutions: Raw packet processing performance Latency Maximum throughput capacity HTTP capacity (with and without transaction delays) Application average response time Performance Under Attack In addition to performing at line speeds during normal traffic loads, DDoS prevention solutions must also continue passing traffic under attack. This is especially critical for latency-sensitive environments or environments that serve multitudes of customers such as data centers, Internet service providers (ISPs), or financial institutions. DDoS prevention solutions should be able to still pass legitimate, real-world traffic to the intended destinations, regardless of the size or complexity of the attack. 8

9 Other Security Requirements Like other security infrastructure devices, DDoS prevention solutions must continue to operate in spite of multiple attacks or disruptions in traffic. Beyond processing legitimate traffic throughout an attack, the devices themselves must be hardened and must offer the same levels of stability and reliability, as well as support the same highavailability options, which are common in devices such as firewalls and other IPS devices. In addition to performance, the following factors should be evaluated on a device: What happens to the device when power fails? Does the device include redundant components (for example, fans, power supplies, hard drive)? Does the device data remain persistent during a power failure? Is a high-availability option available, and how does the device perform during failover? o What happens to legitimate traffic? o How long does the device take to failover? o Is stateful operation maintained? Management and Configuration Management and configuration capabilities should be critical components in the evaluation of a DDoS prevention solution. Preventing DDoS attacks requires delicate tuning to avoid blocking legitimate traffic. DDoS prevention solutions are complicated to deploy, and options such as centralized management console options, log aggregation, and event correlation/management systems further complicate the purchasing decision. Understanding key comparison points will allow customers to model the overall impact on network service level agreements (SLAs); estimate operational resource requirements to maintain and manage the systems; and better evaluate the required skill/competencies of staff. The following considerations should be made for any DDoS prevention solution. How easy is it to install and configure devices and to deploy multiple devices throughout a large enterprise network? How easy is it to create, edit and deploy complicated security policies across an enterprise? How accurate and timely is the alerting, and how easy is it to drill down to locate the critical information that is required to remediate a security problem? How effective is the reporting capability, and to what extent can it be customized? 9

10 Reading List Distributed Denial-of-Service (DDoS) Prevention Test Methodology v2.0. NSS Labs 10

11 Contact Information NSS Labs, Inc. 206 Wild Basin Rd Building A, Suite 200 Austin, TX USA This analyst brief was produced as part of NSS Labs independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors. Please note that access to or use of this report is conditioned on the following: 1. The information in this report is subject to change by NSS Labs without notice. 2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader s expectations, requirements, needs, or specifications, or that they will operate without interruption. 5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. 6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners. 11