Cybercrime Archive

Network layer and application layer DDoS attacks are significant threats. Learn about the differences between them and what you can do to reduce their effects.

A distributed denial of service, or DDoS, attack is a method to bring down a service by sending a flood of legitimate or illegitimate requests from multiple source devices. The goal is to overwhelm the target device so that it can no longer operate normally. Let’s examine two: network layer and application layer DDoS attacks.

Network DDoS attacks attempt to overwhelm the target by overtaxing available bandwidth. Network DDoS protections formerly were implemented at the network edge — typically, using next-gen firewalls and intrusion prevention systems. But, even with DDoS protections in place, a large-scale bot network can quickly overwhelm the edge.

Today, it’s more common for enterprises to tap into the resources of a cloud security service engineered with a high-capacity network expansive enough to handle massive amounts of data in the event a DDoS attack occurs. Because the service can handle the bandwidth capacity without the threat of its resources succumbing to overutilization, it can successfully identify and scrub DDoS traffic while passing on legitimate traffic to your servers. This architecture moves the threat of a bottleneck closer to the source of the attack where it can be better handled without interruption.

How application layer attacks work

Application layer DDoS attacks, on the other hand, don’t target network bandwidth. Instead, they strike the application (Layer 7 of the OSI model) running the service end users are trying to access. To that end, the server, server application and back-end resources are the main target. The goal of these attacks is to consume the resources of a specific service, thus slowing it or stopping it altogether.

Application layer DDoS attacks are trickier to identify and mitigate compared to a network layer DDoS attack. Common methods include the use of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) tests to validate bots from humans. Additionally, the use of a web application firewall (WAF) is a great way to protect against more sophisticated application DDoS attacks. The purpose of a WAF is to use various signatures to discern between normal human requests and those sent from bots. A WAF can be deployed either on premises or through a third-party cloud security service provider.

Source: https://searchsecurity.techtarget.com/answer/Do-network-layer-and-application-layer-DDoS-attacks-differ

More than 70% of websites now use SSL encryption. The Google Transparency Report statistics below show a very rapid rise in adoptions of HTTPS for Chrome browser users worldwide.

Unfortunately, the security provided by SSL/TLS is also misused to attack applications by injecting malicious content and hide malware. SSL is also being used to facilitate data leakage from within an organization. HTTPS floods are now frequently used in many DDoS attack campaigns.

A Double Edged Sword

As more and more
applications and websites use end-to-end encryption and adopt HTTP/S and TLS
1.3, the ability to inspect traffic has become an important element of the
security posture. However, the encryption of traffic has made visibility
challenging.

Most DDoS mitigation services do not actually inspect SSL traffic, as doing so would require decrypting the traffic. Gaining visibility to SSL/TLS traffic also requires extensive server resources. Mitigating SSL attacks thus poses several challenges, including the burden of implementing encryption and decryption mechanisms at every point where traffic needs to be inspected.

Encryption and decryption at many different points in the traffic data path not only adds latency to the traffic, but is also expensive and problematic to scale.

However, despite all the
challenges, SSL/TLS remain the standards for ensuring secure communications and
commerce on the web.

In order to detect any application security issues before your customers experience them, it is essential to have an end-to-end monitoring capability that provides actionable insights and alerts through visualization.

As application delivery controllers are deployed at the intersection of the network and applications, ADCs can act in conjunction with your edge protection solutions to detect and mitigate an encrypted security attack or prevent leakage of proprietary information.

Conclusion

Even though you may be protected by the most
advanced firewall technology, your existing security mechanisms may still fail
to see into encrypted SSL/TLS traffic. You should deploy enterprise security
solutions that enhances your existing security posture to gain visibility into
the encrypted traffic and prevent encrypted attacks on your organization.

Source: https://securityboulevard.com/2019/09/visibility-do-you-know-whats-in-your-network/

By abusing a little-known multicast protocol, attackers can launch DDoS attacks of immense power, but there may be an easy fix.

Content delivery provider Akamai reports that a new method of launching distributed denial of service (DDoS) attacks ranks as one of the most dangerous of all time.

This new method has already been seen in the wild, which is how Akamai gained an additional level of insight: A gaming industry Akamai client was recently hit with this new kind of attack.

The biggest concern that comes with this new attack is its ability to eat up immense amounts of bandwidth. The client Akamai mentioned saw peaks as high as 35 GB/s during their recent attack.

There’s a key multicast protocol that makes this new kind of DDoS possible: WS-Discovery (WSD).

WSD isn’t a well known protocol, but it is a widely used one, and can be found in thousands of internet-connected devices. WSD is a discovery protocol designed to make IoT devices communicate with a standard language, but it has a problem: It can be spoofed.

TechRepublic sister site ZDNet reported on WSD DDoS attacks at the end of August, giving a concise description of why this attack is so serious: “An attacker can send a UDP packet to a device’s WS-Discovery service with a forged return IP address. When the device sends back a reply, it will send it to the forged IP address, allowing attackers to bounce traffic on WS-Discovery devices, and aim it at the desired target of their DDoS attacks.”

The danger from WS-Discovery

ZDNet continued that WSD attacks aren’t common because of the obscurity of the protocol used to launch it, but this is changing. There has been an uptick in WSD attacks recently and with news about the protocol becoming public it’s likely the risk will only grow.

Akamai notes that WSD was never meant to be an internet-facing technology. Instead, it was meant for use on local area networks so devices could discover each other. Instead, Akamai said, manufacturers of internet-connected devices pushed them out with a misused protocol on them.

ZDNet said that more than 630,000 devices vulnerable to WSD attacks are discoverable on the internet, which give potential attackers a lot of amplification points.

How to stop a WS-Discovery attack

This attack is serious, but if Akamai is correct mitigating it may be simple. That said, if you think devices on your network are vulnerable be sure to follow these instructions: Eliminating attack vectors is only possible if everyone takes the right steps.

Here’s how simple the first part is: Just block UDP source port 3702.

That only covers your servers, though: There will still be traffic slamming your routers, which means you need to put an access control list (ACL) to your routers.

If you have a Cisco-style ACL:

ipv4 access-list [ACCESS-LIST NAME] 1 deny udp any eq 3702 host [TARGET IP] 
ipv4 access-list [ACCESS-LIST NAME] 2 deny udp any host [TARGET IP] fragments 

If you have a Linux iptables APL:

iptables -A INPUT -i [interface] -p udp -m udp —sport 3702 -j DROP 

Akamai paints a grim picture of the future of WSD attacks: “The only thing we can do now is wait for devices that are meant to have a 10 to 15-year life to die out, and hope that they are replaced with more secured version.”

That doesn’t mean you can’t do anything: Take the proper precautions by blocking ports, adding ACLs, and installing critical updates that could mitigate future risks.

Source: https://www.techrepublic.com/article/a-new-type-of-ddos-attack-can-amplify-attack-strength-by-more-than-15300/

Network-based attacks are rising in popularity, a new report says, claiming that botnets, DNS as DDoS are key attack vectors.

CenturyLink’s new whitepaper argues that organisations struggle to identify, block and mitigate threats on time, and even though visibility and monitoring is important – acting is paramount.

Necurs, Emotet and TheMoon are considered the biggest, and most dangerous botnets. Their strength lies in the fact that they’re easy to use, can be accessed remotely and anonymously.

Domain Name Server (DNS) is often overlooked as a potential attack vector, CenturyLink claims, adding that DNS tunnelling, as an attack type, is on the rise. When it comes to DDoS attacks, the company has spotted an increase in burst attacks which less up to a minute.

“As companies focus on digital innovation, they are entering a world of unprecedented threat and risk,” said Mike Benjamin, head of CenturyLink’s threat research and operations division, Black Lotus Labs.

“Threats continue to evolve, as do bad actors. Well-financed nation-states and focused criminal groups have replaced the lone-wolf troublemaker and less sophisticated attackers motivated by chatroom fame. Thankfully, through our actionable insights, we can defend our network and those of our customers against these evolving threats.”

Companies in the United States, China, India, Russia and Vietnam were most frequently under attack in the first half of the year.

Source: https://www.itproportal.com/news/risk-of-network-based-attacks-continues-to-grow/

IoT networks can both amplify and be the targets of distributed denial of service (DDoS) or botnet attacks. Architect resilient solutions to properly secure your devices.

Cybercriminals have many different ways of exploiting network vulnerabilities and weak spots in our cyber defenses. Considering that the number of devices we use on a daily basis is growing, more avenues of exploitation will be open to cybercriminals — unless we close those pathways.

Distributed Denial of Service, or “DDoS,” attacks on IoT networks via botnets have been especially alarming and difficult to counter. Let’s have a closer look at DDoS attacks, botnets and ways of protecting against them.

The Anatomy of a DDoS Attack

A simple principle governs a “denial-of-service” attack: attackers attempt to deny service to legitimate users. Some typical examples might include attackers overwhelming a server or cluster with requests, disrupting everyone’s access to the site or focusing the attack on a particular target who will be denied access.

With DDoS, the attacker usually has one of three goals:

  1. To cause destruction or destructive change to network components
  2. To destroy configuration information
  3. To consume non-renewable or limited resources

DDoS attacks can be performed on their own or as part of a more massive attack on an organization. It usually targets bandwidth or processing resources like memory and CPU cycles. However, the type of DDoS attacks where we often see IoT devices used is a botnet attack.

What Makes a Botnet Attack So Destructive?

A botnet is a group of connected computers that work together on performing repetitive tasks, and it doesn’t necessarily have a malicious purpose. Unfortunately, it’s possible for an attacker to take control of a botnet by infecting a vulnerable device with malware. Then they can use the network as a group of devices to perform DDoS attacks that can be much more dangerous, depending on the number of mechanisms involved. What’s more, since IoT devices often interact in the physical world in ways that other IT devices don’t, it’s difficult to monitor and safeguard them.

If we strive to protect IoT devices the same way we protect our conventional IT devices, there will invariably be faults in the system that cybercriminals might exploit. To eliminate vulnerabilities, we must think of IoT protection in its own terms and take into account the various types of IoT use when we do.

Defending Against an IoT Botnet Attack

Even though the threat of botnets can’t wholly be eradicated, there are still ways to limit the impact and the scope of these attacks by taking preventative actions. One of them is placing IoT devices on a segmented network protected from external traffic. It’s also crucial to start monitoring the systems and invest in developing intrusion detection processes which would go a long way in warning a user that the system is being compromised.

How can each layer of your IoT solution stack be architected not to trust any other part naively? Think about that as you design your solution. Find ways to make your network more resilient. Model botnet attacks and test disaster scenario responses.

In addition to network segmentation and testing, we also shouldn’t forget fundamental security measures, such as timely firmware and software patching and the ability to control who can access a particular device, which every IoT solution should take care of.

The Search for a One-Size-Fits-All Security Solution

IoT is a developing technology that we must make as secure as possible, tempering its frenetic evolution with necessary security protocols and standards. Considering how quickly it’s being woven into our everyday lives, businesses and homes, IoT developers, manufacturers, distributors and consumers must work together to eliminate common IoT vulnerabilities and ensure that each device is as secure as it can be from emerging threats.

Source: https://www.iotforall.com/iot-botnets-ddos-attack-architecture/