New attack types now target applications and services
Most ISPs can’t detect layer 7-based (app) attacks
NETWORK security specialist Fortinet urged organisations to stop relying on Internet service providers (ISPs) to protect them from Distributed Denial of Service (DDoS) attacks.
DDoS attacks is one of the oldest Internet threats and continues to be the top risk to networks around the world, the company said in a statement.
As protections evolve, the technology used by hackers has also become much more sophisticated. New attack types now target applications and services and often, they’re masked in bulk layer 3 and 4 DDoS events, making them difficult to detect, said Fortinet.
SYN floods and HTTP GET floods – both forms of denial-of-service attacks – are the two most commonly used methods to overwhelm network connections or overload the servers behind firewalls and intrusion protection services (IPS), it added.
More worrisome, however, is that application layer attacks use far more sophisticated mechanisms to attack organisations’ network and services, Fortinet said.
Rather than simply flooding a network with traffic or sessions, these attack types target specific applications and services to slowly exhaust resources at the application level (layer 7).
Application layer attacks can be very effective using small traffic volumes, and may appear to be completely normal to most traditional DDoS detection methods. This makes application layer attacks much harder to detect than other basic DDoS attack types, the company added.
“The financial services industry is one of the biggest targets for DDoS attacks, followed closely by the government sector,” said Eric Chan (pic), solution consulting director for Fortinet South-East Asia and Hong Kong.
“Besides disrupting Internet operations through a brute-force data onslaught, DDoS attacks have recently been used to hide more sophisticated attempts to break into financial and e-commerce information.
“These attacks often have the intent of disrupting operations mostly through the destruction of access to information,” he added.
Most local ISPs offer layer 3 and layer 4 DDoS protection to keep organisations' links from becoming flooded during bulk volumetric events. However, they do not have the capability to detect the much smaller layer 7-based attacks, Fortinet claimed.
Data centres should not rely on their ISP alone to provide a complete DDoS solution that includes application layer protection.
According to Chan, the evolving nature of DDoS attacks means that enterprises can no longer depend solely on their ISP for protection. Organisations must start making the shift now towards more proactive defences for network and application-level services.
“DDoS attacks are on the rise for almost any organisation, large or small. The potential threats and volumes are increasing as more devices including mobile handsets join the Internet,” he said.
“If your organisation has a Web property, the likelihood of getting attacked has never been higher,” he added.
To protect against DDoS attacks, enterprises should take some of the following measures:
DDoS service providers: There are hosted cloud-based DDoS solutions that provide layer 3, 4, and 7 mitigation services. These can range from inexpensive plans for small websites to large-scale enterprise plans that can cover multiple ones.
Firewall or IPS: Almost every modern firewall and intrusion protection system (IPS) claims some level of DDoS defence. Advanced next generation firewalls (NGFWs) offer DDoS and IPS services and can mitigate many DDoS attacks. Having one device for firewall, IPS and DDoS is easier to manage, but one device may be overwhelmed with volumetric DDoS attacks, and it may not have the sophisticated layer 7 detection mechanisms other solutions offer.
Dedicated DDoS attack mitigation appliances: These are dedicated hardware-based devices that are deployed in a data centre that are used to detect and stop basic (layer 3 and 4) and advanced (layer 7) DDoS attacks. Deployed at the primary entry point for all web-based traffic, they can both block bulk volumetric attacks and monitor all traffic coming in and leaving the network to detect suspicious patterns of layer 7 threats.
Enterprises should look for DDoS attack mitigation appliances that use adaptive behaviour-based methods to identify threats, Fortinet said.
Fortinet arms Malaysian providers against DDoS attacks
Four things banks need to know about DDoS attacks
Cyber-war: Staying clear of DDoS attacks
Against DDoS attacks, an end-to-end approach needed
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.