Defending Against Denial of Service (DoS) Attacks—New Series

For years security folks have grumbled about the role compliance has assumed in driving investment and resource allocation in security. It has all been about mandates and regulatory oversight, which drive a focus on protection, ostensibly to prevent data breaches. We have spent years in the proverbial wilderness focused entirely on the “C” (Confidentiality) and “I” (Integrity) aspects of the CIA triad, mostly neglecting the “A” (Availability). But that hasn’t worked out too well. Regulators pretty much only care whether data leaks out. They don’t care about the availability of systems – data can’t leak if the system is down, right? Without a clear compliance-driven mandate to address availability (due to security exposure), many customers haven’t and won’t do anything. Of course attackers know this. So they have adapted their tactics to fill the vacuum created by compliance spending. They increasingly leverage availability-impacting attacks to both cause downtime (costing site owners money), and use availability issues to mask other kinds of attacks. Yes, these availability-impacting attacks are better known as Denial of Service (DoS) attacks. To be clear, most security professionals are very familiar with DoS attacks. It may be hard to remember back over a decade ago, but in the heyday of the Internet bubble we saw many old-fashioned Distributed DoS (DDoS) attacks targeting high profile web properties (think Yahoo and E*Trade, back in the day), with attackers like Mafiaboy doing the damage more for notoriety than to cause real economic damage. Over the past decade attackers have reoriented toward financially motivated attacks, which has meant increasingly application-centric attacks designed to evade detection and exfiltrate lucrative data. Obviously knocking down a target interferes with efforts to rob it electronically. But DDoS never really went away – it became a supplementary extortion tactic. In this scenario, attackers would communicate with a company and promise to knock down their site unless they received a ransom. It’s a simple shakedown move, and many targets were simply unable to survive a significant outage. They paid up rather than fight. We didn’t hear about many of these attacks – nobody wants to publicize that they are vulnerable to shakedowns. But that is all changing now. It’s like Back to the Future a bit – the rise of hacktivism has brought the Denial of Service back into a prominent position in the nightmares of security folks. Facilitated by the availability of open source tools such as LOIC and the availability of bot networks to launch attacks, a DoS renaissance is underway – which means availability has once again become a major factor in security architecture and control design. We try to do forward-looking research at Securosis. So we have started poking around, talking to practitioners about their plans, but we still see a knowledge gap around the kinds of Denial of Service attacks in use today and the defenses needed to maintain availability. So today we launch a new series: Defending Against Denial of Service Attacks, which will (unsurprisingly) provide guidance on the DoS attacks in use today, defensive tactics, and the basic process required for any chance to defend your organization. Let’s start by understanding the major kinds of DoS attacks. Flooding the Pipes versus Filling the Servers We’ll dig into specific attack tactics in much more depth in the next post, but to understand Denial of Service we need to draw a clear distinction between network-based attacks and application-based attacks. Both have the same objective: to impair availability – but they go about it in fundamentally different ways. Network-based attacks overwhelm the network equipment and/or totally consume network capacity by throwing everything including the kitchen sink at a site. This prevents legitimate traffic from getting to the site. This volumetric type of attack tends to be what most folks consider Denial of Service, because it is the most visible type. If your adversary has a big enough cannon it’s very hard to defend against these attacks, and you will quickly be reminded that bandwidth may be plentiful, but it’s certainly not free. Application-based attacks are different – they target weaknesses in web application components to consume all the resources of a web, application, or database server to effectively disable it. These kinds of attacks can target either vulnerabilities or ‘features’ of an application stack to overwhelm servers and prevent legitimate traffic from accessing web pages or completing transactions. The beginning of a network-based attack is fairly obvious. But application-based DoS attacks are less obvious – you are unlikely to discover the attack is underway until servers inexplicably start falling over – so they require more sophisticated defenses. That said, much of DoS defense is about properly leveraging existing controls, and of course compliance mandates haven’t gone away, so still have those required controls. Since you are already robbing Peter to pay Paul to address audit deficiencies, for DoS protection you need to focus your defenses on the attacks you are most likely to see. Which brings us to our next concept: studying your adversaries. Adversary Analysis A new tactic increasingly leveraged by security practitioners is adversary analysis. It’s not enough to just understand attacks and build defenses based on attacks – there is simply too much attack surface, and too many attack vectors. Your security success depends on your ability to prioritize your efforts, as we hammered home in the Vulnerability Management Evolution paper. This involves making strategic bets about who is most likely to attack you and what tactics they tend to use. This will enable you to build control sets with the right initial focus, based on what’s likely to happen. Of course you will be wrong – attackers evolve tactics over time – but in the universe of things you can do, this approach helps narrow your options into something (mostly) manageable. So let’s coarsely group the kinds of adversaries who use DoS attacks. Protection Racketeers: These criminals use a DoS threat to demand ransom money. Attackers hold a site hostage by threatening to knock it down, and sometimes follow

Read Post

Friday Summary: September 14, 2012

Rich here. Way **way** back in my earliest Gartner days one of my first speaking engagements was a series of three-city tours where I was paired up with an extremely experienced telecom analyst. I was still in my twenties, and probably wasn’t qualified to wash my privates — never mind advise anyone on their security strategy. This was an awesome training ground for a number of reasons. First of all, the stakes were low — these were smaller audiences, out for a free event. Second was all the practice I got, giving the same talk three days in a row to different groups. And it was great to work with an exceptionally good speaker with oodles of experience. But that’s not what I’m going to talk about. The best part for me, as someone with an unhealthy attraction to wireless devices, was spending time with someone who’d been on the inside of the telecom industry for over 20 years. The tech part I could understand easily enough, but the business side was far more fascinating than I expected. And this was after I had worked in Europe for a few months helping design the first system to sell and activate mobile phones over the Internet. Nick hammered one rule into my head that hasn’t changed in the dozen-odd years since. “Telecom providers are greedy and stupid”. Every single decision they make is dependent on those baseline traits. This is especially relevant as I try and figure out just what combination of iPhone 5 and data plan will best fit my needs. First there are the relevant technology limitations. Such as the fact that LTE is a data-only standard, and carriers around the world haven’t really figured out the voice details. So the phones have to support their *old* voice and data standards (GSM or CDMA) *plus* LTE, and your phone might behave differently depending on your coverage. The best example is that Verizon only supports voice and data at the same time if you are on LTE, but not on 3G. Then there are all the roaming agreements and spectrum issues for us world traveler types. Like when I was in Russia and it was $5 per minute for voice calls *on the discounted plan*. For comparison a satellite phone is around $1 per minute, but you need a clear view of the sky. Then there are the plan and transition issues. All the carriers hooked us with unlimited data, then said “f*** off — you are over-using what you paid for”. So we have things like shared data plans, which look better but probably cost more for most people. And then there is the very special case of AT&T, who will change their iPhone 5 signal indicator to a big fat middle finger. (Or the other 2-finger gesture, if you are roaming from the UK). Want FaceTime over cellular? Just switch to our more expensive plan and consider yourself lucky we **let** you install Angry Birds! You want 4G? Fine, we’ll change the display to say 4G to shut you up. Not that Verizon is innocent. They might make a big deal over not restricting FaceTime, but they have to allow it (and Personal Hotspot) thanks to agreements they made with the US government for LTE spectrum. It’s only a feature because they were forced. And those of you in Europe and Asia? Man, when I worked in Europe back around 2000 it was paradise compared to the US. Now I hear it’s more like paying for a high-priced dominatrix who beats the crap out of anyone else who looks at you funny. And that still beats Australian providers, who are friggin’ Mother Theresas compared to *Canadian* providers. So I hear. Then again, us Apple folks live in paradise compared to all the hacked-together Android phones you can’t update, which carriers load down with their “value add” user interfaces and crapware. I don’t mind the carriers making money, and I don’t mind paying for my data, but they clearly haven’t figured out that brand loyalty and happy customers might, just possibly, come from a positive user experience beyond “Oh good, I didn’t lose this call.” Instead of adopting the traits that made Apple so popular, they are trying their damndest to maxmize revenue and reduce churn through penalty-based lockin. But it could be worse. They *could* start smashing your head against a wall of glass shards while calmly stating “your call is very important to us,” like cable companies. On to the Summary: ##Webcasts, Podcasts, Outside Writing, and Conferences * [Mike quoted in this Silicon Angle series on CyberWars]( Probably too much hype here and overuse of buzzwords, but decent perspectives on the attackers. [Part 1](, [Part 2](, [Part 3]( * Rich quoted [about a not-so-great mobile study]( ##Favorite Securosis Posts * Adrian Lane: [The Five Laws of Data Masking]( I pulled another classic Securosis post for this week’s fave. * Mike Rothman: [Incite 1/25/2012: Prized Possessions]( Evidently we don’t blog any more (doh!), so we have taken to digging through the archives and highlighting pieces from the past. Here is an Incite I wrote back in January, and it reminds me of what’s important. To me, anyway. * Rich: Mike starts his new DDoS series — [Defending Against Denial of Service (DoS) Attacks]( ##Favorite Outside Posts * Mike Rothman: [It’s More Important to be Kind than Clever]( Most businesses are always striving for improvement. But at what cost? This HBR post puts things in the proper context. _”Just make sure all their efficiency doesn’t come at the expense of their humanity.”_ * Adrian Lane: [Tracking Down the UDID Breach Source]( The thoughtful quest to figure out the UDID breach source. Well done! * Rich: Verizon’s [third post in a series on opportunistic attacks]( I may pick on the wireless side, but the Verizon Business security guys are our best industry source for data driven reports right now. ##Research Reports and Presentations * [Understanding and Selecting Data Masking Solutions](

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.