Overview of Juniper Networks application-level protection against DDOS attacks
The diagram shows the DNS gain attack.
Over the past few years, distributed denial of service (DDoS) attacks have evolved from relatively simple (flood) attacks to fairly complex and multi-step attacks. Together with the traditional high-level attacks, which send massive amounts of traffic to overload the server, the business also faced directed attacks. They use a relatively small amount of traffic aimed at applications that process huge amounts of data. Moreover, these attacks are not detected by traditional DDoS protection solutions.
Juniper Networks DDoS Secure provides fully automated DDoS protection for Internet services, using a behavioral approach to detect and repel DDoS attacks. The solution provides protection against high-level attacks as well as advanced low-and-slow attacks at the application level. By correlating input risks and feedback, DDoS Secure is able to detect “invisible” attacks that are designed to bypass signature protection systems. Details about this decision under the cut
')
First about DDoS
The first distributed DDoS attack took place in 2000 and was aimed at Amazon, eBay and other e-commerce sites. As a tool they used a botnet from a variety of PCs that generated a huge number of requests and loaded servers that serve e-commerce portals, so much so that they could no longer process user requests. The total damage from the attacks is estimated at about $ 1.7 billion.
Since then, DDoS attacks have greatly evolved: from a primitive tool that uses attacks with a large amount of traffic to overload web servers, to complex complex attacks of the level of applications developed for targeting strategic business resources. In 2012, there was a series of such attacks against the banking industry, with the aim of financial fraud. The education and e-commerce sectors have also become targets for cybercriminals.
The Internet and social networks have made weapons out of information that can be used against users. This means that cybercriminals still have access to many cheap botnets and free software tools like Low Orbit Ion Cannon (LOIC), which are easy to use and can damage the application infrastructure of most companies.
The cost of one hour of DDoS attacks was approximately $ 5, a week of continuous DDoS attacks was about $ 260, and a month was only $ 900 (see Figure 1).
Fig. 1: The cost of a DDoS attack
The ways and motives of using DDoS have also evolved. This type of attack has become increasingly used by “hacktivist” groups such as Anonymous for social protests and organized criminal activity, causing financial damage to attacks on specific websites and web services. In addition, DDoS attacks play a large role in sophisticated hybrid attacks on organizations for which the Internet plays a critical role. Hybrid attacks involve the use of DDoS technology in order to confuse the team of IT and information security specialists and effectively divert their attention from more vulnerable security spots.
Not only tactics, but also the motives of DDoS attacks have become somewhat different over the past couple of years, starting with hacktivism and ending with financial exploits and fraud, as well as politically motivated attacks and social protest attacks. Some experts have even stated that DDoS attacks are “gathered under an umbrella of civil disobedience”.
2013 showed that DDoS attacks reached a new level and led to an even greater number of mentions in the media. While many companies continue to believe that their websites and application infrastructure are adequately protected against cyber attacks, others have already prepared for protection against the more complex structure of DDoS attacks. According to an independent study, 64% of IT professionals (with more than 10 years of experience) said that the power of cyber attacks is on the rise, while only 25% said they have the opportunity to take appropriate countermeasures. Only 22% of IT decision-makers have already implemented DDoS protection.
The ever changing landscape of DDoS threats
Escalation of application level DDoS attacks
DDoS attacks of the application level are today one of the most common and destructive forms of cyber threats. Simple traffic DDoS attacks still cause problems, but they are easy to detect. With proper defense organization, the risks of these attacks are reduced to zero. A new type of DDoS-level application, code-named "low-and-slow", however, is much more difficult to detect and reflect, which is a real threat to business.
2012 showed a sharp increase in Layer 7-type DDoS attacks. These attacks are unobtrusive, since they pass out their traffic as legitimate. Layer 7 or application-level attacks are more likely to target vulnerabilities in the application code itself, rather than using a “frontal” attack, to achieve the desired results. The goal of most application-level attacks is well-known software using HTTP, HTTPS, DNS, and VoIP (Session Initiation Protocol or SIP). Like the flood attacks, L7 attacks require very little cost from cybercriminals. It is quite possible to paralyze large websites from one laptop, sending from 40 to 60 identical requests per second (abbreviated PPS, or packets per second). At the same time, flood attacks send from several hundred or thousands of PPS to millions. External legality is what makes L7 attacks common and extremely difficult to detect and block.
Fig. 2. The evolution of DDoS attacks from simple to complex
Application-level attacks may not be detected by the security system, as they use the weak side of the detection technology, which uses the network flow principle and threshold values ​​methodology. RUDY (RU-Dead-Yet) and Slow Loris are two types of application-level attacks that target the HTTP protocol. The attackers are trying to launch many requests that are difficult to service, exhausting application resources and quickly paralyzing the website.
Some time ago, hackers began using a DNS-gain (reflection) attack. Its essence lies in the fact that the hacker sends a short request to a vulnerable DNS server, which responds to it with a much larger packet. If you use the address of the victim’s computer (ip spoofing) as the source IP address, then the vulnerable DNS server will send a large number of unnecessary packets to the victim computer until it is completely paralyzed.
DNS servers are attractive prey because they are usually very large, work on a broadband Internet channel, and cannot be so easily blacklisted.
Hackers use DNS by replacing the target address and sending small requests to the DNS server, which responds to these false requests by 10 ~ 1000 times more traffic, thereby bombarding the victim with a massive wave of traffic. Taken separately, these queries to the DNS are legitimate, as are the response data; however, by camouflaging, an attacker can remain anonymous and manage publicly accessible DNS to repel attacks and increase their power.
Using such methods of attacks in 2013, a small group of criminals was able to generate the largest DDoS attack in history, reaching a continuous flow of traffic at 300 Gbit / s. Hackers attacked spamhaus.com, an organization that publishes “black” lists of spammers on the Internet.
An alternative form of DNS attacks could result in a breakdown in defense, as recently occurred at the University of California at Sacramento, when about 1,800 records were stolen. Hackers were able to hack the university DNS server. But it is not only universities that are at risk. The gaming, financial, retail online industries are also vulnerable to such attacks. The anatomy of a DNS gain attack is shown in Figure 2. 3
Attack DNS-gain (from the site Nirlog.com)
Fig. 3. Anatomy of a DNS gain attack
The distracting DDoS attack, which is a much more insidious type of multi-vector attack, uses a massive DDoS tactic to distract the attention of IT staff, while cybercriminals steal data or funds. Banks and financial institutions are most often exposed to this type of attack. A public example is a cyber attack that occurred in Bank of the West4 in December 2012. Knowing that the IT team would be on vacation, the hackers chose the right time and context for the goal. First, the bank was subjected to DDoS attacks, and while bank employees and IT staff tried to stop the powerful traffic flow to their servers and keep the online services stable, cybercriminals successfully stole $ 900,000.
The recent distracting DDoS attack on online currency Bitcoin6 illustrates the constantly transforming essence of DDoS. In this case, cybercriminals used DDoS attacks as a “smoke screen” to attack Bitcoin's DNS records. Hackers were able to create another IP address in the actual DNS records for the online Bitcoin chat forum. By inserting these malicious machine addresses into the usual everyday DNS mechanism, hackers transparently redirected user traffic to a server belonging to the attackers. As soon as a user logged into his account on a hacked machine, hackers wrote down his account name and password, which could later be used to empty this user's wallet.
The attack to steal passwords against Bitcoin users could be detected, but this was prevented by a “smoke screen” created using a DDoS attack that disrupted accessibility while DNS address records changed.
Application-level attacks are increasingly directed against online banking of online stores. These attacks are often hidden in encrypted (HTTPS / SSL) traffic and they remain invisible to traditional solutions. As an example, such an attack can be triggered by the “add to cart” function on a web server, generating more traffic than it can process applications, overloading the site and generating error messages for end users who are trying to make online purchases. These attacks are not detected until it is too late, because they use legitimate traffic channels to penetrate web servers and applications.
“Zero-day attacks” are megatrends of DDoS, they are aimed at the latest detected vulnerabilities in web applications, and not at the avalanche data flow. A huge number of web applications today run on mobile devices (recall the BYOD trend), which puts companies at great risk of zero-day DDoS attacks.
Impact on business
Currently, the vast majority of IT and information security professionals are aware of the business risks of cyber attacks. At the same time, they are not prepared accordingly. According to a Ponemon Institute study conducted last February, 7 60% of IT professionals answered in a questionnaire that DDoS attacks are the most serious type of attack companies are experiencing. Damage caused by a DDoS attack can have a huge impact on a business, regardless of its size.
As companies increase their presence on the Internet and thus lengthen the “front line” on which an attack can be carried out, the downtime of web servers or applications due to DDoS attacks is a real threat. Businesses rely on the continuous availability of their web servers and applications, so a few hours of downtime can be disastrous. They should ensure the operation of web services without any interruption in the 24x7x365 mode. Application stability is a critical requirement for these businesses.
Downtime not only leads to losses and discouraging customers, they also negatively affect brand value and reputation. In the financial services industry, cybercriminals use theft of confidential data and financial fraud. In the education and health sector, the main interest is in accessing student information, electronic medical records and stealing sensitive confidential data, which can lead to major lawsuits and terrible consequences for people to whom information has been stolen. Failure of the sites for the sale of tickets and online stores leads to lower profits and loss of reputation. DDoS attacks can be followed by financial losses that are difficult to recover.
Statistics DDoS-attacks application level is alarming. Gartner estimates that 70% of all threats target the level of web applications. The Ponemon Institute study found that the average annual damage from a DDoS attack is estimated at $ 3.5 million. Another recent Forrester study estimates the average financial cost at $ 2.1 million for every 4 hours of downtime and $ 27 million for 24 hours of downtime caused by DDoS attacks. . Forrester indicates that the frequency of attacks in all industries is approximately 1 time per month, while in the financial sector this happens 1 time per week. If we proceed from publicly available assessments of damage provided by organizations that have been attacked, financial companies suffered an average damage of about $ 17 million per incident in 2012. And, although financial organizations most often attack, the Forrester study found that, on average, government agencies subject to longer attacks. This is due to the fact that financial organizations, as a rule, use better protection against cyber attacks.
Despite this alarming statistics, less than 25% of companies have implemented DDoS protection solutions ...
The need for a dedicated local DDoS solution
Reflection of avalanche attacks at levels 3 and 4 is traditionally performed in the cloud using a solution that inspects reverse traffic. These attacks, which require a wide channel, are quite easily detected and reflected by the service provider. In fact, customers may not even notice any problems. There are, however, many environments where, mainly for security reasons, data simply cannot leave private networks. In addition, attacks of the “low and slow” level of applications cannot be reflected in the cloud, since these attacks usually do not consume much traffic and are hidden in legitimate traffic.
Reflection of these attacks requires a separate local solution in the corporate data center. A dedicated DDoS solution is required for a variety of reasons:
• Perimeter protection, including firewall, NG firewall and individual intrusion prevention systems, are not well suited to protect against DDoS attacks, since well-trained attacks can quickly overflow the connection status table and paralyze a firewall or IPS, putting the whole network at risk.
• Firewalls and IPS systems can by themselves become targets for a “reject” attack, demanding protection.
• Firewalls and IPS systems cannot withstand more sophisticated application-level attacks, since these solutions are designed to skip exactly the protocols that are used during these attacks; Each hacker knows that the firewall usually passes HTTP and HTTPS traffic, because most systems require such access to communicate with the web service.
Limitations of traditional solutions to repel DDoS attacks
Traditional solutions for detecting DDoS attacks are limited in their capabilities, they are able to control only network telemetry, such as a network flow (netflow), which does not carry application-level attributes and leaves a big gap when it detects modern application-level attacks. In addition, all of these solutions provide signature-based detection and reflection of attacks on an “on premises” mode, which is not effective against unknown zero-day attacks. Further, such solutions evaluate only incoming traffic based on the threat signature database, leaving security vulnerabilities to pass through malicious traffic. One example is the DNS gain attack.
In addition, traditional solutions are not able to distinguish between legitimate and generated machine (malicious) traffic. Thus, the system must be manually configured to determine the high / medium / low thresholds at which traffic should be blocked. Such an approach leads to a compromise between the low threshold of false positive response and aggressive protection.
If the threshold is set too high, this creates the problem of false positive triggering, which leads to blocking large volumes of legitimate traffic. If the threshold is lowered, then potentially malicious traffic will be allowed, leading to hacking. The lack of protection tools at the Layer 7 level and the inability to implement monitoring of protected resources make traditional DDoS solutions ineffective against modern attacks that are carried out outside the signature perimeter boundary. Static threshold does not meet security requirements. There is also an administrative problem associated with supporting signature set and manual threshold setting.
In short, providing a full range of protection against modern DDoS attacks requires a separate solution with low latency, located locally on the perimeter of the data center. , layer 7 , , . , , . , , , . .
Juniper DDoS Secure — DDoS -
Juniper Networks DDoS Secure, « » DDoS-. $60 , , -, -, , .
, DDoS Secure . , . , DDoS Secure , CHARM, , . , . , CHARM, , . , DDoS Secure , DDoS.
The innovative DDoS Secure architecture uses a “feedback” process to analyze the complete cycle of incoming packets and the response that was sent back to the requester.
DDoS Secure . , . , . , DDoS Secure , DDoS, . DNS-, DDoS Secure DNS- , DNS-. DDoS Secure DNS- , DNS- , .
, , . , . , , , , . DDoS- «» ; , DDoS Secure .
DDoS Secure 1U, . , , , . , BGP «» .
Fig. 4: -DDoS
Juniper DDoS Secure Arbor Networks Pravail APS
| Juniper DDoS Secure | Arbor Networks Pravail APS 1 | |
| Yes | Not | |
| : | Yes | Not |
| « », | Yes | Not |
| : | Yes | Not |
| Yes | Not | |
| : ( ) | Yes | Not |
| DNS | Yes | Not |
| HTTPS (SSL v3 TLS v1 & v2) | Yes | Yes |
| HTTP, VoIP/SIP | Yes | Yes |
| : | Yes | ( ) |
| , 160 / | Yes | Not |
| , DDoS, | Yes | Not |
| , | ||
| Yes | Yes | |
| SIEM- | Yes | Not |
| , | ||
| DDoS Secure | Yes | Not |
| , (« ») | Yes | Not |
| , | Yes | Not |
| 10- | Yes | Not |
| 80% 10 ; 99,999% 6 | Yes | Not |
Distribution of Juniper Networks solutions in Ukraine , Belarus , Moldova , Armenia , Georgia , Tajikistan , Kazakhstan and other CIS countries .
Juniper Networks Training Courses
MUK-Service - all types of IT repair: warranty, non-warranty repair, sale of spare parts, contract service
Source: https://habr.com/ru/post/261657/
All Articles