Post on 20-Aug-2015
Information Resources
• Industry Security Survey – External survey
  – 179 participants
  – 95.5% are not using Radware DoS mitigation solutions
• ERT Cases – Internal survey
  – Unique visibility into attack behavior
  – 95 selected cases
• Customer identity remains undisclosed
ERT gets to see attacks in real-time on a daily basis
Organizations Bring a Knife to a Gunfight
• “Someone who brings a knife to a gun fight” – organizations that do prepare for the fight, but do not understand its true nature
• Organizations today are like that
  – They do invest in security before the attack starts, and conduct excellent forensics after it is over
  – However, there is one critical blind spot: they don't have the capabilities or resources to sustain a long, complicated attack campaign
• Attackers target this blind spot!
HTTPS Based Attacks
• HTTPS based attacks are on the rise
• SSL traffic is not terminated by DDoS cloud scrubbers or DDoS solutions
• SSL traffic is terminated by the ADC or by the web server
• SSL attacks hit their target and bypass security solutions
Attacks Evade CDN Service
[Diagram: legitimate users and a botnet both reach the backend webserver through the CDN service over the Internet; legitimate users send “GET www.example.com”, the botnet sends “GET www.example.com/?[Random]”; legitimate requests are refused]
• In recent cyber attacks, the CDN was easily bypassed by changing the page request in every Web transaction
• These random request techniques forced CDNs to “raise the curtain”
  – All the attack traffic is passed straight through to the customer premises
  – Attacks masked by the CDN are more difficult to mitigate
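The cache-bypass pattern described on this slide leaves a recognisable footprint in origin web server logs: a client whose requests almost never repeat a URL and almost always carry a query string. The following is an added example, not Radware's code and not part of the original deck. It assumes logs in the common Apache/nginx combined format, a small set of constructed sample lines (not real traffic), arbitrary thresholds (`min_requests`, `max_unique_ratio`), and a hypothetical list of query parameters the site actually uses (`allowed_params`). It shows both the detection (flag clients that look like cache-busters) and the usual mitigation on the cache side (build the cache key only from known parameters so random junk still hits the cache).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample of combined-format access log lines (not real traffic).
# 203.0.113.10 behaves like a browser: a few cacheable pages, one real query.
# 198.51.100.7 appends a different random query string to every request,
# which is the pattern the slide describes for forcing traffic past the CDN.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Aug/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.10 - - [20/Aug/2015:10:00:02 +0000] "GET /news HTTP/1.1" 200 8192
203.0.113.10 - - [20/Aug/2015:10:00:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.10 - - [20/Aug/2015:10:00:04 +0000] "GET /news?page=2 HTTP/1.1" 200 8192
198.51.100.7 - - [20/Aug/2015:10:00:01 +0000] "GET /?a8f3k2 HTTP/1.1" 200 5120
198.51.100.7 - - [20/Aug/2015:10:00:01 +0000] "GET /?q9d1zz HTTP/1.1" 200 5120
198.51.100.7 - - [20/Aug/2015:10:00:02 +0000] "GET /?m2k7pq HTTP/1.1" 200 5120
198.51.100.7 - - [20/Aug/2015:10:00:02 +0000] "GET /?x1y2z3 HTTP/1.1" 200 5120
198.51.100.7 - - [20/Aug/2015:10:00:03 +0000] "GET /?r4t5y6 HTTP/1.1" 200 5120
198.51.100.7 - - [20/Aug/2015:10:00:03 +0000] "GET /?u7i8o9 HTTP/1.1" 200 5120
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield (client_ip, path, query) for every parsable line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        yield m.group("ip"), parts.path, parts.query


def cache_busting_clients(text, min_requests=5, max_unique_ratio=0.8):
    """Detection: return {client_ip: stats} for clients whose requests are
    (almost) all distinct and (almost) all carry a query string, i.e. requests
    that can never be served from a CDN cache. Thresholds are assumptions."""
    per_client = defaultdict(lambda: {"requests": 0, "targets": set(), "with_query": 0})
    for ip, path, query in parse_log(text):
        s = per_client[ip]
        s["requests"] += 1
        s["targets"].add((path, query))
        if query:
            s["with_query"] += 1
    flagged = {}
    for ip, s in per_client.items():
        if s["requests"] < min_requests:
            continue  # too few requests to judge
        unique_ratio = len(s["targets"]) / s["requests"]
        query_ratio = s["with_query"] / s["requests"]
        if unique_ratio >= max_unique_ratio and query_ratio >= max_unique_ratio:
            flagged[ip] = {
                "requests": s["requests"],
                "unique_ratio": unique_ratio,
                "query_ratio": query_ratio,
            }
    return flagged


def cache_key(path, query, allowed_params=frozenset({"page"})):
    """Mitigation: derive the cache key from the path plus only the query
    parameters the site really uses (hypothetical allow-list), sorted so
    parameter order does not matter. Unknown/random parameters are ignored,
    so "/?a8f3k2" and "/?q9d1zz" both map to the cached "/"."""
    kept = sorted(
        (k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k in allowed_params
    )
    return path + ("?" + urlencode(kept) if kept else "")


if __name__ == "__main__":
    for ip, stats in cache_busting_clients(SAMPLE_LOG).items():
        print(f"possible cache-buster {ip}: {stats}")
    print(cache_key("/", "a8f3k2"), cache_key("/news", "page=2&junk=1"))
```

Use the detection output as a signal rather than a verdict: search pages, APIs and tracking links legitimately vary their query strings, so tune the thresholds per site and pair the detector with the allow-list-based cache key, which removes the incentive for the random-query trick in the first place.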
Servers Enlisted to the Botnet Army
• In 2012 a dramatic change occurred in the DDoS landscape
• Attackers build and activate botnets of powerful servers to achieve:
  – Greater firepower – x100 higher bandwidth capacity vs. a home PC
  – Greater reliability – servers are always online
  – Greater control – fewer machines to control vs. a botnet of PCs
Attackers Are Well Prepared
• Attackers plan and run attacks on a regular basis
• Turning DDoS attacks into their profession
• Organizations face attacks a few times per year
• Too limited experience to build the required “know how”
Conclusions
• Today’s attacks are different:
  – Carefully planned
  – Last days or weeks
  – Switch between attack vectors
• Organizations are ready to fight yesterday’s attacks:
  – They deploy security solutions that can absorb the first strike
  – But when attacks drag on, they have very limited firepower left
  – By the time they succeed in blocking the first two attack vectors, attackers switch to a third, more powerful one
Recommendations
• Acquire capabilities to sustain long attacks
• Train a team that is ready to respond to persistent attacks
• Deploy the most up-to-date methodologies and tools
• 24 x 7 availability to respond to attacks
• Deploy counterattack techniques to cripple an attack