| By Lori MacVittie | Article Rating: |
|
| January 23, 2012 11:00 AM EST | Reads: |
746 |
The past year brought us many stories focusing on successful attacks on organizations for a wide variety of reasons. Why an organization was targeted was not nearly as important as the result: failure to prevent an outage. While the volume of traffic often seen by these organizations was in itself impressive, it was not the always the volume of traffic that led to the outage, but rather what that traffic was designed to do: consume resources.
It’s a story we’ve heard before, particularly with respect to web and application servers. We know that over-consumption of resources impairs performance and, ultimately, causes outages. But what was perhaps new to many last year was that it wasn’t just servers that were falling to an overwhelming number of connections, it was the very protections put in place to detect and prevent such attacks – stateful firewalls.
Firewalls are the most traditional of inbound protection for data centers. Initially designed to simply prevent unauthorized access via specific ports, they have evolved to a level that includes the ability to perform limited packet inspection and make decisions based on the data within them. While this has been helpful in preventing a growing variety of attacks, they have remained unable to move laterally across protocols and understand expected and acceptable behavior within the context of a request, which results in a failure to recognize an attack. This is because modern application layer attacks look and smell to traditional inbound protection devices like legitimate requests. They are simply unable to parse behavior in its appropriate context and make the determination that the intention behind the request is malicious.
A recent InfoWorld article presented a five-point list regarding how to deny DDoS attacks. The author and his referenced expert Neal Quinn, VP of operations at Prolexic, accurately identify the root cause of the inability of traditional inbound protection to thoroughly mitigate DDoS attacks:
But the most difficult challenge has been DDoS attackers' increasing sophistication as they've moved from targeting Layers 3 and 4 (routing and transport) to Layer 7 (the application layer). They've learned, for example, how to determine which elements comprise a victim's most popular Web page, honing in on which ones take the most time to load and have the least amount of redundancy.
"Attackers are now spending a much longer period of time researching their targets and the applications they are running, trying to figure out where they can cause the most pain with a particular application," Quinn said. "For example, they may do reconnaissance to figure out what URL post will cause the most resource-consuming Web page refresh."
Unfortunately the five-point list describing the strategy and tactics to “deny DDOS attacks” completely ignores this difficult challenge, offering no advice on how to mitigate “the most difficult challenge".” While the advice to ensure enough compute resources tangentially touches upon the answer, the list is a traditional response that does not address the rising Layer 7 challenge.
CONNECTIONS not THROUGHPUT
To understand how to mitigate the rising layer 7 security challenge one must first understand the two core reasons traditional inbound security solutions are unlikely to mitigate these attacks. First is a failure to recognize an application layer attack for what it is. This failure cascades into the second reason traditional inbound security solutions fail: connection capacity.
Not bandwidth, connections. A million TCP connections can easily topple most modern firewalls today and yet the bandwidth involved could be miniscule compared to the gigabits of capacity many organizations have at their disposal. It isn’t about bandwidth anymore, it’s about connections. This is why the advice to ramp up compute processing power and memory is partially on target – because memory is imperative in maintaining massive session (connection) tables on infrastructure as traffic flows to and from targeted services.
Because traditional inbound protection devices are unable to recognize the malicious intent of these legitimate-appearing requests, they must maintain the connection. When combined with the need to maintain connections for all legitimate traffic, these malicious requests can quickly push a traditional device beyond its meager connection limitations. When that occurs, the results are disastrous. Performance, of course, suffers unacceptable degradation. One can only hope that is the only impact, for far more often the device simply fails, completely disrupting all services.
To complete the aforementioned list of “how to deny a DDoS attack”, it is necessary to implement a security solution at the perimeter of the network that is both able to detect and thus deny malicious requests and which has the connection capacity necessary to withstand the combined volume of legitimate and malicious requests. This solution must reside at the edge of the network, lest a less capable device be overwhelmed. This is because when it comes to perimeter security, the default is a serial strategy – nothing gets past a failed security device. If that security device is at the edge of the network, as is the case with traditional inbound security solutions like stateful firewalls, then all services residing topologically behind that device will fail should the firewall fall.
This is by design. One does not want unfettered access to services and applications. No perimeter protection, no access. It’s a sound strategy, but one that needs to employ a perimeter device capable of withstanding even the most diverse of attacks.
Traditional inbound security is too constrained in terms of connection capacity to maintain its position on the front lines. A more capable, intelligent security solution is required – one able to provide traditional inbound security protections as well as recognizing the malicious intent of more modern, application layer attacks.
Read the original blog entry...
Published January 23, 2012 Reads 746
Copyright © 2012 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Lori MacVittie
Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.
- Wyse Buys Trellia Networks for Its Cloud Smarts
- Big Data, Security & Cloud Computing Identified as IT Super Themes in 2012
- The Top 10, Top Predictions for 2012
- BYOD, Meet Two-Factor Authentication
- The Big Crack in Cloud Security
- Big Data Fights Crime: The FBI’s Next Generation Identification
- The Secure Public Cloud
- The Alignment of Cloud and Security: 2012 Cloud Predictions
- Computers Link WikiLeaks Chief to Source
- Why Rule-Based Log Correlation Is Almost a Good Idea... Part 4
- Encrypted Database in the Cloud: Practical Considerations
- The Cyber-Crime Landscape
- The Future of Cloud Computing: Industry Predictions for 2012
- 9th Cloud Expo | Speaker Faculty A–Z
- Cloud Expo Day 4 Keynote Speaker Profile: Jill T. Singer - NRO
- Cloud Expo Speaker Profile: Dave Asprey - Trend Micro
- 9th International Cloud Expo | Cloud Expo Silicon Valley – Photo Album
- Cloud Expo Speaker Profile: George Gerchow - VMware
- The Cloud Computing Wave Hits Silicon Valley
- Risk and Its Impact on Security Within the Cloud - Part 1
- Cloud Expo Takeaways: Private Cloud is Growing Market in the Business Cycle
- Cloud Expo Takeaways: Cloud Confusion Still Exists
- Wyse Buys Trellia Networks for Its Cloud Smarts
- Cloud Expo Speaker Profile: Anna Claiborne - Open Data Center Alliance
- Effective Page Authorization In JavaServer Faces
- The Top 250 Players in the Cloud Computing Ecosystem
- SOA Focus - Web Services Security in Java EE
- IBM Security Report Predicts Mobile/Satellite Attacks in 2005
- Java Application Security in the Corporate World
- Cloud Expo New York Call for Papers Now Open
- ColdFusion Security Best Practices
- How to Provide Dynamic Security Permissions
- The Next Chapter in the Virtualization Story Begins
- SPI Dynamics Security Guru to Speak at AJAXWorld Conference 2007 East
- How Important Is Security?
- Enterprise Web Services Security: A Reference Architecture























