Skip to main contentdfsdf

    • Internet Service Provider (ISP). Some enterprises use their ISP to provide DDoS mitigation.  These ISP’s have more bandwidth than an enterprise would, which  can help with the large volumetric attacks, but there are three key problems with these services as well: 

       

          • Lack of core competency: ISP’s are in the business of selling bandwidth and don’t always invest in the required capital  and resources to stay ahead of the latest DDoS threats.  It can become a cost center to them - something they have to provide,  so they do it as cheaply as possible.   

       

          • Single provider protection:  Most enterprises today are multi-homed across two or more network providers to remove the  single point of failure of a provider.  Having two providers is a best practice to maximize uptime.  ISP DDoS mitigation solutions  only protect their network links, not the other links you might have, so now you need DDoS mitigation services from different  providers, doubling your cost.    

       

          • No cloud protection:  Similar to the above, a lot of Web applications these days are split between enterprise-owned  data centers, and cloud services like Amazon AWS, GoGrid, Rackspace, etc.  ISP’s can’t protect traffic on these cloud services. 

    • Cloud Mitigation Provider.  Cloud mitigation providers are experts at providing DDoS mitigation from the cloud.  This means they have built out massive  amounts of network bandwidth and DDoS mitigation capacity at multiple sites around the Internet that can take in any type  of network traffic, whether you use multiple ISP’s, your own data center or any number of cloud providers. They can scrub  the traffic for you and only send “clean” traffic to your data center.   

       

      Cloud mitigation providers have the following benefits:

       

          • Expertise:  Generally, these providers have network and security engineers and researchers who are monitoring for the  latest DDoS tactics to better protect their customers. 

       

          • Lots of bandwidth: These providers have much more bandwidth than an enterprise could provision on its own to stop the  biggest volumetric attacks. 

       

          • Multiple types of DDoS mitigation hardware:  DDoS attacks are extremely complex. There is a need for multiple layers  of filtering to be able to keep up with the latest threats.  Cloud providers should take advantage of multiple technologies,  both commercial off the shelf (COTS) and their own proprietary technology to defend against attacks   

    • Cloud mitigation providers are the logical choice for enterprises for their DDoS protection needs.  They are the most cost  effective and scalable solution to keep up with the rapid advances in DDoS attacker tools and techniques.
    • Zscaler is a comprehensive suite of security services delivered from the cloud. It covers email, web and mobile computing. Some services the product provides are anti-malware, browser and application vulnerability management, policy enforcement for mobile computing, bandwidth and QoS management, web filtering, intellectual property protection and regulatory compliance.

       

      Zscaler boasts the world's largest security cloud and it is, indeed, accessible from just about anywhere on the planet. Zscaler works on the basis of distributed data centers. The localized data center is where the customer's policies reside, but in seconds that data center can push the policies out to the other data centers around the world. This helps ensure that users in remote locations stay as current as the users accessing through the nearby data center. This provides what Zscaler calls shadow policy. This follows the user, and because it is relatively local, no matter where the user is in the world there is little latency in receiving the policy and applying it.

       

      The nearness of the data center to the user globally also reduces latency that the user would experience if they had to access the cloud and then, over the cloud, access the data center back home. For road warriors, this can provide a big benefit.

       

      One thing that particularly impressed us was the simplicity of the user interface. It is all in a single console, but that is not as impressive as the simple visualization scheme the product uses to convey information that can otherwise become somewhat confusing. Administration is clean and the information the administrator needs to create, modify and push out policies is easily at hand.

       

      Reporting is comprehensive and can be delivered in near real time, meaning that it is completely up to date with users' activities. We liked that the Zscaler services move with the user, no matter where in the world the user happens to be. This by itself is a big benefit. Finally, we liked that Zscaler is constantly gathering global threat data that it uses in protecting customers' data.

      • Cloud Web Security Features

         

        Zscaler’s Cloud Web Security enables organizations to embrace new cloud applications and social media technologies, while gaining the industry’s most advanced protection from accidental data loss, malicious attacks and emerging threats. With Zscaler Cloud Web Security, you get the key capabilities you need to securely enable business beyond the corporate network, including:

         
           
        • Advanced Threat Protection: With Zscaler’s Cloud Web Security solution, you get advanced protection against today’s sophisticated, emerging threats including botnets, malicious active content, phishing, cross site scripting (XSS) attacks and more guaranteeing safe browsing for all users and all devices. Read more about our Advanced Persistent Threats Solution.
        •  
        • Anti-Virus and Anti-Spyware: With no software or agents to install, Zscaler Cloud Web Security provides the industry’s most complete, inline protection from viruses and spyware. Because Zscaler’s patented inline protection sits between the user and the Internet, your policy and protection is consistent across devices and locations.
        •  
        • Dynamic URL Filtering: Zscaler provides flexible and granular URL categories, organized in a hierarchy that enables better analysis and control. Further, organizations can also create their own categories and manage access based on keywords in URLs or page content. With its dynamic content classification, Zscaler’s Cloud Web Security solution can detect liable content and enforce policy on individual pages versus entire domains.
        •          
        • Browser Control: To secure browsers, Zscaler enforces policy in four areas:
        •   
        • Browser Versions: Companies can enforce policy based on which browsers and versions of that browser are permissible.
        •  
        • Browser Patches: Zscaler can help your IT organization enforce a policy that all employees install these patches.
        •  
        • Plug-ins/Extensions: Companies can determine which plug-ins are allowed to be installed.
        •  
        • Applications: Companies can enforce which applications can run in the browser.
    • But DDoS attacks and mitigation strategies continually evolve, said Joffe. When one side jigs, the other responds. That showed up as many financial institutions signed up with third-party mitigation companies to provide emergency “pipe” – Internet bandwidth – to be able to deflect volume-based attacks.

       

      So the attackers switched to hitting victims with an avalanche of requests for services that had the effect of using the target computers to in effect tire themselves, noted Stephen Gates, chief security evangelist of Corero Network Security. A classic, for instance, is hitting a financial institution website with many requests for a password reset, probably for non-existent members, but the institution’s computer still is forced to go through so many motions it may become unavailable to genuine users.

    • Pierluigi Stella, chief technology officer at security company Network Box USA, elaborated: “The (DDoS criminal’s) query is usually less than 100 bytes; the reply can be tens of thousands; so the hacker gets an amplification factor of 100. For each packet of 100 bytes the hacker sends out, you get hit by 10,000 bytes.” Multiply that by maybe several hundred queries per second and it is easy to see why this attack has proven so successful in 2013, suggested Stella.

       

      The cure, said experts, is to deploy tools that in effect scrub all data as it comes into the system. Bad data is sidelined, authentic data is passed through, and while that is easier to prescribe than it is to implement in practice, experts agreed that DDoS mitigation companies took large strides in 2013 towards building tools that in fact scrubbed incoming data with high success rates.

       

      The bad news: Nobody thinks today’s DDoS format will be tomorrow’s, and no one knows what criminals will unleash in the months ahead. Maybe the jackpot question is, how well protected are credit unions when it comes to fending off DDoS, especially as it morphs into different formats? Have they invested in state-of-the-art protections?

    • Not very many have made those investments, said multiple experts contacted by Credit Union Times. Few credit unions will discuss their DDoS defenses on the record but off the record some have indicated that their defenses are thin. Many hope that their vendors – for Internet banking or their Internet service provider – have adequate protections in place to keep the credit union itself also protected.
    • Low & Slow attacks use slow traffic that appears legitimate in terms of the protocol rules and rates. By not violating any network standard or security policy they pass undetected, flying below the radar of traditional mitigation strategies.

       

      The traffic, however, is designed to exhaust the victim’s resources until its services halt and become unavailable. For example, a popular Low & Slow attack tool is R.U.D.Y (R U Dead Yet?), which can bring down a web server by creating long form field submissions. This is done by iteratively injecting one byte into a web application post field followed by a sleep period. The result is that application threads become stuck because they are occupied with these one-byte POST fragments.

       

      Slowloris is another popular Low & Slow attack tool that holds HTTP connections open by sending partial HTTP requests. Slowloris continues to send subsequent headers at regular intervals to occupy the application stack and keep the connections from closing. The web server quickly reaches its maximum application stack capacity and becomes unavailable for new connections by legitimate users.

       

      Limited resources

       

      Unlike other denial of service attacks, Low & Slow techniques require very little resources from attackers.  While performing a network flood requires several hundreds of Bot machines that simultaneously send traffic to overload network resources, Low & Slow attacks can be activated from a single attacking computer with no additional bots.

       

      Detecting Low & Slow application attacks requires real-time awareness of the resources consumed by the protected servers, such as CPU, memory, connection tables, application states (virtual or real ones), application threads and more.

       

      A resource aware detection solution will constantly monitor the status of resource allocation, as well as trends of the protected servers, and will be able to identify misuse of those resources. For example, long and relativity “idle” open network connections might imply that the server is under a connection table misuse attack. Additionally, an application stuck in a process that is supposed to be completed quickly may be under a R.U.D.Y attack.

       

      Detecting such attacks requires a tight integration between the protected server and the mitigation solution. Another approach is for the mitigation solution to analyze the behavior of open server connections and to simulate the application stack resources without a direct connection to the server itself.  With the proper behavior analysis technologies, the misuse of the network and application resources can be identified with high accuracy. Once the activity is detected, it can be traced back to its origin and mitigated as necessary.

       

      It’s clear that the Low & Slow method upends some of our preconceived notions when it comes to DDoS attacks. From its relative simplicity to its usage of minimal resources, defending against this increasingly popular tactic requires the right security infrastructure along with a dedicated team of security personnel that possesses the expertise to break down the latest attack tools in real time.

1 - 7 of 7
20 items/page
List Comments (0)