According to network security specialists at Radware, a leading provider of application delivery and application security solutions for virtual and cloud data centers, the second half of January contained one of the most intense periods of cyber attacks ever.
The wave of hacks started on January 16 when pro-Palestinian "hacktivists" unsuccessfully tried over three days to bring down the Israeli stock market, national airlines, the central bank, the ministry of foreign affairs, and several major and vulnerable private banks. That was followed on January 23 when hackers loosely affiliated with the Anonymous collective crashed websites in the U.S. to protest proposed antipiracy legislation and the shutdown of the Megaupload.com website by authorities. Among the sites attacked were the U.S. Department of Justice, the Federal Bureau of Investigation, and the White House, as well as corporations like the Motion Picture Association of America, the Recording Industry Association of America, CBS.com, Warner Music and Universal Music.
An analysis of the cyber attacks by Radware's Emergency Response Team (ERT) notes that companies relying only on 'one-size-fits-all' managed security, or on-premise security solutions alone could not withstand the coordinated attack campaigns. The Radware ERT review of the attack traffic from several of the reported cases shows that:
• Attackers are deploying multi-vulnerability attack campaigns, targeting all layers of the victim's IT infrastructure – this includes the network, servers and application layers.
• Attackers who previously used distributed denial of service (DDoS) attack tools that focused on networks have developed new DDoS tools focusing on applications.
• Attackers are using "low & slow" attack techniques that misuse the application resource rather than resources in the network stacks.
• Attackers have improved evasion techniques to avoid detection and mitigation, including SSL-based attacks, changing the page request in HTTP page flood attacks, and more.
The recent attack campaigns against the Israeli banking system originated from multiple points on the globe as this map shows.
This diagram of a volumetric DDoS attack on a service provider shows the inherent security limitations in the provider's network.
This doesn't mean that businesses should abandon service providers when instituting DDoS protection. Radware's ERT points out that cloud anti-DoS and CDN services should be considered the first line of defense because they can remove the volumetric bandwidth attacks that saturate the online business links. That should be followed by a second line of defense consisting of perimeter network security capable of removing the application DDoS attacks, "low & slow" DoS attacks, and SSL attacks such as Slowloris, Socketstress, SSL handshake attacks, HTTPS floods and others. These threats require more "intimacy" with the application level and thus must be handled on premises. The service provider typically cannot detect these attack tools proficiently, or, even if it detects them, will not be able to accurately mitigate them.
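To make the second-line-of-defense point concrete, the block below is an added example written for this page (it is not Radware's code, nor part of the original release). It runs two application-layer indicators over a constructed access-log sample: a cache-busting HTTP flood, where one client requests the same page with a different query string on every request so that a CDN cannot serve it from cache, and a "low & slow" client holding several connections open for minutes while sending almost nothing. Neither pattern moves enough bytes to register on a bandwidth counter, which is why an upstream scrubbing service that only sees volume has trouble with them. The log format (epoch, client IP, method, target, status, bytes, duration), the IP addresses and the thresholds are all assumptions chosen for the illustration.

```python
"""Two application-layer DDoS indicators over a web-server access log.

Added example, not Radware's or the ERT's code. Assumes a simplified,
constructed log format (one request per line):
    <epoch> <client_ip> <method> <path?query> <status> <bytes> <duration_s>
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample traffic (addresses and values are made up):
#   10.0.0.7   hammers /index.html with a fresh query string each time
#   10.0.0.9   holds four /login connections open for 300 s sending nothing
#   192.0.2.x  ordinary browsing, including one harmless query string
SAMPLE_LOG = """\
1327300000 10.0.0.7 GET /index.html?x=a91f 200 5120 0.02
1327300000 10.0.0.7 GET /index.html?x=b73c 200 5120 0.02
1327300001 10.0.0.7 GET /index.html?x=0e1d 200 5120 0.02
1327300001 10.0.0.7 GET /index.html?x=77aa 200 5120 0.02
1327300001 10.0.0.7 GET /index.html?x=c3f0 200 5120 0.02
1327300002 10.0.0.7 GET /index.html?x=912b 200 5120 0.02
1327300002 10.0.0.7 GET /index.html?x=4d4d 200 5120 0.02
1327300002 10.0.0.7 GET /index.html?x=ff01 200 5120 0.02
1327300000 10.0.0.9 GET /login 408 0 300.0
1327300001 10.0.0.9 GET /login 408 0 300.0
1327300003 10.0.0.9 GET /login 408 0 300.0
1327300005 10.0.0.9 GET /login 408 0 300.0
1327300000 192.0.2.10 GET /index.html 200 5120 0.03
1327300004 192.0.2.10 GET /style.css 200 2048 0.01
1327300009 192.0.2.10 GET /login?next=%2Faccount 200 1024 0.05
1327300012 192.0.2.11 GET /index.html?x=1 200 5120 0.02
"""


def parse_log(text):
    """Turn the constructed log format into a list of request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, target, status, nbytes, duration = line.split()
        parts = urlsplit(target)  # splits "/index.html?x=1" into path and query
        records.append({
            "ts": int(ts), "ip": ip, "method": method,
            "path": parts.path, "query": parts.query,
            "status": int(status), "bytes": int(nbytes),
            "duration": float(duration),
        })
    return records


def detect_cache_busting(records, min_requests=5, unique_ratio=0.8):
    """Flag clients that request one path with a distinct query string on
    nearly every request. Such requests are uncacheable, so a CDN forwards
    each of them to the origin and the flood lands on the target servers.
    Returns {client_ip: {"path", "requests", "distinct_queries"}}."""
    per_client = defaultdict(lambda: defaultdict(list))
    for r in records:
        per_client[r["ip"]][r["path"]].append(r["query"])
    flagged = {}
    for ip, paths in per_client.items():
        for path, queries in paths.items():
            distinct = {q for q in queries if q}  # empty query strings do not count
            if len(queries) >= min_requests and len(distinct) / len(queries) >= unique_ratio:
                flagged[ip] = {"path": path, "requests": len(queries),
                               "distinct_queries": len(distinct)}
    return flagged


def detect_low_and_slow(records, min_duration=30.0, max_bytes=0, min_connections=3):
    """Flag clients holding several long-lived connections that transfer
    almost nothing: the Slowloris-style pattern that ties up server
    workers without producing any bandwidth spike.
    Returns {client_ip: number_of_slow_connections}."""
    counts = defaultdict(int)
    for r in records:
        if r["duration"] >= min_duration and r["bytes"] <= max_bytes:
            counts[r["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_connections}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("cache-busting floods:", detect_cache_busting(recs))
    print("low & slow clients:  ", detect_low_and_slow(recs))
```

On the sample, the first detector flags only 10.0.0.7 (eight requests to /index.html, eight distinct query strings) and the second flags only 10.0.0.9 (four connections held for 300 seconds with zero bytes); the ordinary client with a single `?next=` parameter is not flagged because a lone request never reaches the request threshold. Both checks need per-request fields, such as path, query string, and connection duration, that a bandwidth-based scrubbing service upstream does not see, which is the "intimacy with the application level" the ERT describes.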
DDoS Protection Golden Rules
Radware's ERT offers these Golden Rules to defend against DDoS attacks:
• Deploy an in-house attack mitigation system that can fend off network DDoS flood attacks, application DDoS flood attacks, "low & slow" attacks and SSL attacks.
• Obtain and register an anti-DoS solution through your service provider or an MSSP (managed security service provider). This will help remove the volumetric attacks.
• Deploy a Security Information and Event Management (SIEM) system to get full visibility into your business security status, including detection of attackers and fireproofing, which may give you early notice of upcoming attack campaigns.
• Establish your response team and make sure it includes members from your IT team and the service provider's team.
Radware Attack Mitigation System (AMS) and the Radware ERT
Radware's AMS is the industry's first fully integrated IT security strategy and portfolio that protects the application infrastructure in real time against network and application downtime, application vulnerability exploitation, malware spread, information theft, Web service attacks and Web defacement. Radware's AMS provides the most comprehensive solution to fight multi-vulnerability campaigns that are hard to defend against because they are aimed at multiple layers in the IT architecture, particularly at network infrastructure equipment, servers and applications.
Radware AMS can be deployed in the cloud and on premises to deliver the best mitigation solution against DDoS threats. Together with an integrated SIEM, the system can be synchronized to fight attacks at the point where they can be mitigated most effectively: volumetric attacks are mitigated in the cloud, while on-premises equipment is the best point to fight application floods, low & slow attacks and SSL attacks.
Radware supplements these capabilities by adding the human factor — the professional security consultants of its ERT who are available around the clock. As literal "first responders" to cyber attacks, Radware's ERT members gained their extensive experience by successfully dealing with some of the industry's most notable hacking episodes, providing the knowledge and expertise to mitigate the kind of attack a business's security team may never have handled.
"These techniques have raised the bar for detecting and mitigating cyber attacks. Common security solutions including cloud anti-DoS services and relying on a Content Delivery Network (CDN) were shown to offer a partial solution against the recent attacks. Cloud anti-DoS tools can mitigate network bandwidth attacks; they are limited, however, in protecting against application DDoS and cannot protect against the low & slow and SSL DDoS attacks. Also, these attack tools were able to bypass the CDN by changing the page request in every Web transaction – content cannot be cached – making the CDN act as a proxy disembarking the attack traffic directly at the target servers." – Ron Meyran, director, Product Security at Radware.
"To effectively mitigate all attack vectors during the recent attack campaign against our financial services customers, we have deployed Radware's Attack Mitigation System (AMS) in the cloud and on-site. The in-the-cloud AMS removed the volumetric SYN and UDP flood attacks, while the customers' AMS device could effectively mitigate the application DDoS attacks. Their business was kept alive throughout the attack campaign while legitimate users experienced excellent response time. After considering several DDoS mitigation solutions, Radware's AMS is the only solution that can effectively detect and block all types of attacks that overuse the network resources and our customers' application resources within seconds." – Shlomi Cohen, Business Development, Bezeqint
Radware's chief technology officer Avi Chesla offers more insight into the ways security architectures need both CPE and service provider security tools to protect sites on the Radware corporate blog at blog.radware.com/.
Radware (radware.com) is a global leader of application delivery and application security solutions for virtual and cloud data centers. Its award-winning solutions portfolio delivers full resilience for business-critical applications, maximum IT efficiency, and complete business agility. Radware's solutions empower more than 10,000 enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity and achieve maximum productivity while keeping costs down.
Radware encourages you to join our community and follow us on LinkedIn, Radware Blog, Twitter, YouTube and the Radware Connect app for iPhone®.
This press release may contain statements concerning Radware's future prospects that are "forward-looking statements" under the Private Securities Litigation Reform Act of 1995. These statements are based on current expectations and projections that involve a number of risks and uncertainties. There can be no assurance that future results will be achieved, and actual results could differ materially from forecasts and estimates. These risks and uncertainties, as well as others, are discussed in greater detail in Radware's Annual Report on Form 20-F and Radware's other filings with the Securities and Exchange Commission. Forward-looking statements speak only as of the date on which they are made and Radware undertakes no commitment to revise or update any forward-looking statement in order to reflect events or circumstances after the date any such statement is made. Radware's public filings are available from the Securities and Exchange Commission's website at sec.gov or may be obtained on Radware's website.