Have you embraced SSL/TLS to protect the sensitive parts of your website and used client certificates to authenticate connecting parties? If so, this new layer of security may expose you to a whole new set of threats - Distributed Denial of Service (DDoS) and application layer attacks over SSL.
Many people still think DDoS is all about volume - at Akamai we're saying (and seeing) that resource starvation attacks will become more and more prevalent as attackers realize that they can do the same amount or more damage with less computing resources - and to defend against it, you as a security professional need to think differently.
The reality is that a small, but well-organized, DDoS attack that attacks both encrypted and unencrypted web content can easily exceed 3-4Gbs of sustained DDoS traffic. This volume of traffic will knock most organizations off the air, and even if it is not a volumetric DDoS attack, attacks at the application layer can easily consume back-end resources without starving your network bandwidth.
For reference, the largest DDoS attack ever recorded was 124Gbps against a US government website in July 2009.
An emerging trend for attackers is to attack certain SSL handshake functions creating a resource starvation condition. A server will typically use 15x more computing resources in the SSL negotiation than the attacking system. This in turn provides the attacker with excellent economical advantage with force multiplication.
Furthermore, attackers are using SSL to tunnel HTTP attacks to the
target server, knowing very well that most organizations encrypt
end-to-end, and do not have solutions to inspect SSL encrypted traffic
to effectively defend against the attacks.
Security professionals have
examined the patterns and moved toward terminating SSL at the perimeter
of their data center through a variety of methods to thwart SSL tunnel
Application Delivery Controllers (ADC's) do a wonderful job at offloading SSL from the server, and if appropriately licensed, also offer Web Application Firewalls (WAF) to inspect the traffic for signs of attacks. It's an excellent combination: increased performance and security. The challenge here is that all the attack traffic needs to first get to your data center before these devices can offer the protection you're looking for.
Clean pipes and 'scrubbers'
Generally speaking, clean pipe and scrubbing solutions work by rate limiting traffic based on traffic behavior. Only once a rule has been tripped with the solution can it start to clean/scrub the traffic. The goal of these solutions is to reduce the volume of attack traffic to a level the customers' data center resources can handle. Unless an SSL attack or an application attack tunneled over SSL display some identifiable behavior at the network layer, these solutions tend to be ineffective for a variety of reasons. SSL attacks, when combined with volumetric network and application DDoS attacks, create a perfect storm, challenging current thinking and traditional approaches to defending against DDoS.
Distributed Threats Require Distributed Defense
Sounds great, but what does that really mean? You need to push your security policy and countermeasures beyond the perimeter of your data center and close to the source of the attack. In reality, only a cloud-based Intelligent Application Delivery Platform (ADP) optimized for security can offer this protection. To achieve maximum protection and minimize false positives, your SSL protected content needs to be terminated within the ADP. This is necessary so the ADP is able to operate similarly as an ADC and WAF by offloading the SSL from the origin infrastructure and inspecting the application traffic for signs of attack traffic or violations of policy.
A good ADP will also ensure your traffic is re-encrypted and forwarded back to the origin infrastructure, with unencrypted content only ever residing in protected memory on a secure bastion host. The ADP should become an extension of your federated trust model, allowing you to always maintain control with the ADP provider as simply a custodian of an aspect of your digital realm, and enforcer of your security policy.
Old is new, but there's a twist
The old adages about security still remain as true today as when we first heard them. Threats evolve, your controls need evolve, and your security defense should be layered, so should one security control fail, others 'should' succeed in thwarting attacks.
• Continually evolving threat landscape - cyber advisories are looking for new ways to circumvent existing controls and discover new ways to attack you. SSL and DNS are just two the new trends in the ever evolving game of cat and mouse in the cyber security world. Don't make SSL or even DNS (separate article) be your Achilles heel.
• Your defenses cannot remain static - imagine the castles of old trying to withstand a targeted attack from a laser guided bomb (LGB) deployed from a F-22 Raptor? Could your security defenses withstand the cyber equivalent of a LGB being deployed from a F-22 Raptor, or do they need to evolve to withstand the attacks of today and tomorrow?
• Defense in depth - the concept of a de-perimeterized security architecture isn't new, yet so many security professionals still cling to the idea of fortifying the data center yet struggle to contain the sheer volume and complexity of today's cyber attacks.
Leveraging an ADP allows organizations to effectively extend their security policy out to the edge of the Internet, right next to your users and attackers delivers, allowing them to block the bad, and accelerate the good.
To learn more about Akamai's Kona Security solutions please visit: http://www.akamai.com/html/about/press/releases/2013/press_022513.html and http://www.akamai.com/html/solutions/kona-solutions.html
John Ellis is Akamai's Enterprise Security Director in Asia Pacific and Japan (APJ)