Guest blog post by Carl Herberger, Vice President, Security Solutions at Radware
Since the first Denial-of-Service (DoS) attack was launched in 1974, Distributed Denial-of-Service (DDoS) attacks have remained among the most persistent and damaging cyber-attacks. Rate-based technologies, once considered adequate to handle the most advanced threats, have become obsolete as tech-savvy adversaries learn how to overcome name-brand mitigation technologies. These ultra-adaptive hackers have given rise to these five attack techniques in 2017:
DDoS Attack Type #1: Advanced Persistent DoS (APDoS)
APDoS attacks involve massive network-layer DDoS attacks and focused application-layer (HTTP) floods, followed by repeated SQLi and XSS attacks occurring at varying intervals. Typically, perpetrators simultaneously use five to eight attack vectors involving up to tens of millions of requests per second, often accompanied by large SYN floods. These attacks can persist for several weeks.
Stopping APDoS clearly requires an array of technologies, including ones that address attacks arriving over SMTP (a relatively new vector) and secure SMTP, such as SMTP over TLS.
To successfully mitigate these threats, organizations must understand what they are dealing with and take certain precautions. As the next generation of DDoS threats emerges, organizations must become obsessive about removing risks and compulsive about action.
DDoS Attack Type #2: DNS Water Torture Attack
A DNS NXDOMAIN flood attack, also known as a water torture attack, targets an organization's DNS servers. This type of attack involves a flood of maliciously crafted DNS lookup requests. Intermediate resolvers also experience delays and timeouts while waiting for the end target's authoritative name server to respond to the requests. These requests consume network, bandwidth and storage resources. They can also tie up network connections, causing timeouts.
By understanding the threat, an organization can comprehend two of the largest problems in solving this attack vector:
- The attacker is coming from a known legitimate source and can’t realistically be blocked while still maintaining healthy DNS resolution operations over the long term
- The attacking source is also sending legitimate queries at the same time as the illegitimate ones.
To counter this resource-draining threat, organizations should monitor their recursive DNS servers, keeping a keen eye out for anomalous behavior such as spikes in the number of unique sub-domains being queried or spikes in the number of timeouts or delayed responses from a given name server.
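The monitoring described above, sketched as an added example (not from the original post or from Radware): it buckets a resolver query log by time window and zone, then flags zones where many unique names are queried and most answers fail. The four-field log format, the thresholds and the sample lines are constructed assumptions, and SERVFAIL stands in for upstream timeouts.

```python
from collections import defaultdict

def zone_of(qname):
    """Naive registered-domain guess: last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def detect_water_torture(lines, window=60, min_unique=20, min_fail_ratio=0.8):
    """Return (window_start, zone, unique_names, fail_ratio) for suspicious zones.
    Assumed line format: '<epoch_seconds> <client_ip> <qname> <rcode>'."""
    stats = defaultdict(lambda: {"names": set(), "total": 0, "failed": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, _client, qname, rcode = parts
        try:
            bucket = int(ts) // window * window
        except ValueError:
            continue  # skip lines with a non-numeric timestamp
        s = stats[(bucket, zone_of(qname))]
        s["names"].add(qname.lower())
        s["total"] += 1
        if rcode in ("NXDOMAIN", "SERVFAIL"):
            s["failed"] += 1
    alerts = []
    for (bucket, zone), s in sorted(stats.items()):
        ratio = s["failed"] / s["total"]
        if len(s["names"]) >= min_unique and ratio >= min_fail_ratio:
            alerts.append((bucket, zone, len(s["names"]), round(ratio, 2)))
    return alerts

def constructed_log():
    """Constructed sample: normal lookups plus a burst of unique failing names."""
    log = []
    for i in range(30):  # normal: a few names, repeated, all resolving
        host = ("www", "mail", "api")[i % 3]
        log.append(f"{1000 + i} 192.0.2.10 {host}.example.org NOERROR")
    for i in range(40):  # burst: unique labels under one zone, all failing
        rcode = "SERVFAIL" if i % 4 == 0 else "NXDOMAIN"
        log.append(f"{1020 + i // 2} 192.0.2.10 x{i * 7919:06x}.victim.example {rcode}")
    for i in range(5):   # the same client also sends legitimate lookups
        log.append(f"{1025 + i} 192.0.2.10 www.victim.example NOERROR")
    return log

if __name__ == "__main__":
    for alert in detect_water_torture(constructed_log()):
        print(alert)
```

The detector keys on the queried zone rather than the client, because the same source is sending both legitimate and illegitimate lookups.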
Any DNS attack mitigation tool must meet unique challenges. Beyond a limited set of vendors, there is no real automated solution to mitigate this threat, as the tool must contain the following attributes:
- A deep knowledge of DNS traffic behavior
- Ability to alleviate a high rate of DNS packets
- Mitigation accuracy
- Ability to deliver the best quality of experience even under attack
DDoS Attack Type #3: SSL-Based Cyber Attacks
There is a new set of challenges facing organizations leveraging encryption technologies. Cyber-attacks leveraging encrypted traffic as an attack vector are on the rise. Most mitigation technologies do not actually inspect SSL traffic, as it requires decrypting and re-encrypting traffic. Recent surveys show that between 25% and 35% of enterprise communication sent via a LAN and WAN is SSL-encrypted traffic.
SSL-based attacks take many forms, including encrypted SYN floods, SSL renegotiation, HTTPS floods and encrypted web application attacks.
In the same way SSL and encryption protect the integrity of legitimate communications, they effectively obfuscate many of the attributes used to determine if traffic is malicious or legitimate. Most cyber-attack solutions struggle mightily to identify potentially malicious traffic and isolate it for further analysis.
The other major advantage that SSL attacks offer to attackers is the ability to put significant computing stress on network and application infrastructures they target.
Even the most advanced mitigation technologies have gaps in their encryption-based protections. Few of these solutions can be deployed out-of-path, which is a necessity for providing protection while limiting the impact on legitimate users. Many solutions that can do some level of decryption tend to rely on rate-limiting requests, thereby resulting in dropped legitimate traffic. Finally, many solutions require the customer to share actual server certificates, which complicates implementation and certificate management, and forces customers to share private keys for protection in the cloud.
To provide effective protection, solutions need to deliver full attack vector coverage, high scalability and innovative ways to handle management of encryption technologies in a manner that can be operationalized effectively and efficiently.
DDoS Attack Type #4: PDoS – Permanent Denial of Service
A permanent denial-of-service (PDoS) attack, also known as phlashing, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. By exploiting security flaws or misconfigurations, PDoS can destroy the firmware and/or basic functions of a system.
One method PDoS uses to accomplish its damage is via remote or physical administration on the management interfaces of the victim's hardware, such as routers, printers, or other networking hardware. In the case of firmware attacks, the attacker may use vulnerabilities to replace a device's basic software with a modified, corrupt, or defective firmware image—a process which when done legitimately is known as flashing. This therefore "bricks" the device, rendering it unusable for its original purpose until it can be repaired or replaced. Other attacks include overloading the battery or power systems.
Why Bother With Temporary Outages When You Can Achieve Permanent?
Permanent denial-of-service (PDoS) attacks have been around for a long time; however, this type of attack only surfaces publicly from time to time.
The most recent example was BrickerBot, which Radware discovered in April 2017. Over a four-day period, BrickerBot launched thousands of PDoS attempts from various locations, leveraging Telnet vulnerabilities to breach a victim’s devices.
Assessing Risks & Taking Action
The following behaviors and trends may increase the risk of a PDoS attack targeting your organization:
- Running a highly virtualized environment that leverages only a few hardware devices but heavily overloads them with software functions
- Organizations highly dependent on IoT
- Organizations with centralized security gateways
- Organizations that are considered critical infrastructure
The clear action to take is to conduct an audit of the type of technology you are running at or below the operating system level. Develop a clear understanding of the different firmware versions, binaries, chip-level software (like ASICs and FPGA) and technology that is in use in your environment. Also consider batteries, power systems and fan system vulnerabilities.
DDoS Attack Type #5: IoT Botnets and the Economics of DDoS Protection
2016 brought a long-feared DDoS threat to fruition: botnets, one of the fastest-growing and most fluid threats today, arriving as we enter the 1 Tbps DDoS era.
The Appeal of Internet of Things (IoT) Devices
For hackers, IoT devices are attractive targets for several reasons:
- IoT devices usually fall short when it comes to endpoint protection implementation
- Unlike PCs and servers, there are no regulations or standards for secure use of IoT devices
- IoT devices operate 24x7 and can be in use at any moment
Botnets: Making Use of Different Attack Vectors
The Mirai botnet provides a perfect example of the various attack vectors one IoT botnet can unleash on its victims. We can all thank a user named “Anna-senpai” for publishing the Mirai source code to an easily accessible, public forum. The code spread to numerous locations, including several GitHub repositories, where hackers began inspecting it. Since then, the Mirai botnet has been infecting hundreds of thousands of IoT devices—turning them into a “zombie army” capable of launching powerful volumetric DDoS attacks. Security researchers estimate that there are millions of vulnerable IoT devices actively taking part in these coordinated attacks.
The Economics of Botnets
While much has been discussed around Mirai, IoT, “the rise of the machines” and other catchy buzz-phrases, we believe one of the most disruptive changes is the new economics model of IoT botnets.
Not so long ago, hackers were investing a great deal of money, time and effort to scan the Internet for vulnerable servers, build their zombie army and then safeguard it against other hackers. All the while, hackers would keep continual watch for new infection targets.
Now with IoT botnets, instead of spending months of effort and hundreds of dollars, bot masters can take control of millions of IoT devices with near zero cost.
Knowledge is Power
To stay ahead of the threat landscape, knowledge is power. While hackers will continue to evolve these five threats, rest assured, 2018 will bring about a new array of attack vectors that seek to undermine cyber defenses and take advantage of application and network vulnerabilities. Leveraging both the in-house expertise of your organization's cyber security team and the know-how of your DDoS vendor will be key to staying ahead of the threat.
Mr. Herberger is considered a foremost expert on the problems and solutions surrounding cyber attacks. In his role as Vice President, Security Solutions at Radware, he is responsible for developing, managing, and increasing the company's security practice, and serves as the primary corporate spokesperson in the Americas for security-related topics.