Akamai Diversity

Recently by Daniel Shugrue

A WAF for the Other Half


The other half asks "May I please have some more (application security)."

Another lifetime ago, way back in 2014, I wrote that "updating WAF rules is like flossing: everybody knows they should be doing it, but it can be an easy step to forget and difficult to find the time to do." At the time my conclusion was something along the lines of "so if you don't have time to do it, you should pay someone to do it for you." In hindsight that conclusion was flawed for two reasons. First, my analogy at that point got a little bit weird: who in their right mind would let someone else floss their teeth for them? By the same token, what if you don't trust a third party to update your rules for you? Some security professionals, quite rightfully, probably take better care of their apps than they take care of their own teeth, and they are perfectly capable, thank you very much, of taking care of their apps and their WAF rules themselves. Some of the larger eCommerce companies and banks, for instance, have teams of 4, 5 or even 6 full-time employees studying WAF rules, tuning configurations, and generally making sure that the bad guys are kept out while the good guys get through to their websites unmolested. Second, even if you are comfortable with someone else flossing your teeth or updating your rules, what if you can't afford to pay someone else to do it for you?

Community, Convenience, and the Claviger

One of the most common complaints on the Akamai Community comes from people who are browsing the web from IP addresses that Akamai has seen performing malicious activity. Depending on the severity and number of those malicious activities, Akamai assigns the IP address a rating that predicts the likelihood that it will perform a malicious act in the future. These ratings come from our Client Reputation module, which is sold to Akamai Kona Site Defender customers.

(All We Are Saying Is) Give Bots a Chance

Lately, it seems, bots have been taking a beating in the security press. They are blamed for DDoS attacks, for Web attacks, for price scraping, for grey marketeering, and even, according to some, for Ted Cruz's recent win in Iowa. But are ALL bots bad ALL the time? We say NO! Why not? Let me count the ways:

Do the WAF Revolution

Akamai famously lost the first competition it entered, the MIT $50K, before securing funding and becoming a wildly successful start-up and one of the largest IPOs in history. Today Akamai is a $2B public company that prides itself on fighting the odds in order to challenge the status quo and provide business value to customers.

Because Akamai is trusted by thousands of online retailers, in fact by all of the top 20 global eCommerce sites, we see and analyze enormous amounts of attack data during events such as Black Friday. This year we tracked requests coming into dozens of online retailers over 24-hour periods on each of the 5 Fridays leading up to Black Friday. During that period we analyzed 4.2 billion HTTP requests directed at dynamic application pages (not including requests for media files, JavaScript or other static objects). Across those 4.2 billion requests, we saw 574 million WAF rule triggers. We analyzed which rules were triggered more on Black Friday in order to answer a few questions. Our main goal was to figure out: were the bad guys busy trying to wreak havoc, or were they looking for some good "deals" of their own?

Preparing for the Holidays: Security Trends

Last time in our "Preparing for the Holidays" series, we focused on what you should know about mobile trends. And as promised, we're back at it with some more trends you should be aware of. This time, it's all about security. If security hasn't been top of mind in the past, it certainly is (or should be) now, given the number of high-profile breaches we've seen over the past several months. With that said, here's what you need to know:

Akamai Launches New Protection for Shellshock-Bash

Akamai has created custom rules to help protect customers from the Shellshock-Bash vulnerabilities. The official names of these vulnerabilities and the WAF rules to address them are as follows:
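As an added illustration of what a Shellshock WAF rule has to do (this is example code written for this page, not Akamai's rule and not code from the original post): the check below scans request header values and query-string parameters for the Bash function-definition marker that triggers the bug, "() {". The regular expression, the set of headers treated as CGI-exposed, and the sample requests are all assumptions constructed for the example; the input is assumed to be already URL-decoded, as a WAF normalizes it before matching.

```python
import re
from typing import Dict, List, Tuple

# Shellshock fires when an environment variable's value starts with a Bash
# function definition, "() {". Bash matched that prefix exactly, but a WAF
# signature is written loosely so spacing variants such as "(){" are caught
# too (assumption: this is a typical signature, not Akamai's actual rule).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Headers that CGI-style servers copy into the environment as HTTP_USER_AGENT,
# HTTP_COOKIE, HTTP_REFERER, HTTP_HOST: the realistic channels by which an
# attacker-controlled value reaches a vulnerable Bash. (Constructed list.)
CGI_EXPOSED = {"user-agent", "cookie", "referer", "host"}


def find_shellshock(headers: Dict[str, str], query: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (location, value) pairs whose value carries the Shellshock marker.

    `headers` maps header names to values and `query` holds the parsed query
    string. Every value is inspected, not only the CGI-exposed headers, because
    the edge cannot know which request fields the origin copies into a
    subprocess environment; the location string records where the hit was."""
    hits: List[Tuple[str, str]] = []
    for name, value in headers.items():
        if SHELLSHOCK_RE.search(value):
            kind = "cgi-header" if name.lower() in CGI_EXPOSED else "header"
            hits.append((f"{kind}:{name}", value))
    for name, value in query.items():
        if SHELLSHOCK_RE.search(value):
            hits.append((f"query:{name}", value))
    return hits


def waf_decision(headers: Dict[str, str], query: Dict[str, str]) -> str:
    """Deny the request as soon as any Shellshock marker is present."""
    return "deny" if find_shellshock(headers, query) else "allow"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal browser": ({"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/32.0",
                        "Accept": "*/*"}, {"q": "winter boots"}),
    "classic payload": ({"User-Agent": "() { :; }; /bin/bash -c 'cat /etc/passwd'"}, {}),
    "spacing variant": ({"Cookie": "session=abc; x=(){:;}; echo vulnerable"}, {}),
    "custom header": ({"X-Forwarded-For": "() { ignored; }; /usr/bin/id"}, {}),
    "query string": ({}, {"cmd": "() { :;}; ping -c 1 203.0.113.5"}),
    "parentheses only": ({"User-Agent": "curl/7.38.0 (x86_64-pc-linux-gnu) func() ok"}, {}),
}

if __name__ == "__main__":
    for label, (headers, query) in SAMPLES.items():
        print(f"{label:18} -> {waf_decision(headers, query):5} {find_shellshock(headers, query)}")
```

Two practical notes: the loose pattern is deliberately wider than what Bash itself parsed, which is the right trade for a WAF because the sequence almost never appears in legitimate header or parameter values; and matching must run on the decoded request, since an attacker can percent-encode the parentheses and brace in a query string and a rule applied to the raw bytes would miss it.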

Movin' On Up (The OSI Stack)

For months now, those of us working to protect Akamai's customers have been trumpeting the same theme: just as companies, technology and applications are moving "up the stack" to the web layer, attackers have followed. Now, for the first time since the inaugural "State of the Internet Report" was published in Q1 2008, we have solid statistical proof that the threat landscape has changed: as of Q2 2013, Port 80 (WWW [HTTP], 24 percent) and Port 443 (SSL [HTTPS], 17 percent) are the two most targeted ports on the Internet.


Akamai has been delivering and securing Internet traffic for the better part of 15 years. The breadth and scale of the Akamai Intelligent Platform is unmatched by any other content delivery network: Akamai delivers traffic for the Top 30 Media and Entertainment companies, all Top 20 global eCommerce sites, all of the top Internet portals, and 9 of the 10 largest newspapers. At any given time, we see 15-30 percent of the world's web traffic.

This scale and breadth gives us unusual visibility into attack traffic. As we've grown with the Internet, our ability to track attack trends has matured. Today we combine the human intelligence of our CSIRT team with security analytics from our "big security data" team. We have seen this day coming: more and more, attackers are targeting the web layer. We talked about it in our earlier pieces on Account Checkers, and now we are seeing our predictions borne out in the latest State of the Internet report. The attackers are moving up the stack. Their shift to the web layer was inevitable, and so is Akamai's response. Look for more information in the coming days and weeks on how we are improving our Kona Site Defender product with big data that sharpens our security intelligence and informs our Web Application Firewall rules.

Dan Shugrue is a Senior Product Marketing Manager at Akamai 

The Bouncer and the Concierge

Most readers of this blog already know Akamai and our connection to e-Commerce. We've been helping Internet Retailer (IR) 500 companies accelerate traffic for 15 years. Today 96 of the Top 100 retailers (as measured by Internet Retailer) use the Akamai Intelligent Platform to optimize content and deliver traffic.

What many of you may not know is that in addition to delivering performance, Akamai also protects e-tailers from the threat of denial-of-service attacks and data theft. We are able to do this precisely because of the architecture of our platform. We have servers delivering traffic in 1,100 different networks, in more than 650 cities and 74 countries around the world. That is why, after all, we are able to cache, optimize, and deliver Web experiences for our customers. But that is also how we are able to prevent downtime by blocking denial-of-service attacks and prevent data theft by inspecting traffic for SQL injection and cross-site scripting. We are close to end users, and we are also close to attackers. So we block attacks far away from your Web server and away from your data center, at the edge of the Internet.

We like to think of our services as akin to the concept of the "Bouncer and the Concierge." The concierge is the "Perform" part of our offering. The concierge greets people at the door and ensures that real customers get what they need as quickly and painlessly as possible. But the concierge is also skilled in the art of "filtering": the concierge can spot an intruder, keep a certain class of intruders out, and in some cases minimize the damage that an intruder can do to other customers' experience. And the concierge works hand in hand with the bouncer, the "Protect" part of our offering, communicating with him about visitors and potential attacks, and vice versa. The bouncer distinguishes real customers from rabble-rousers and keeps the latter at bay, just as the Akamai platform distinguishes good traffic from malicious traffic and blocks the malicious traffic from ever reaching the Web site.

So what does this mean in practice for existing Akamai "Protect" customers? Akamai customers are protected against, first and foremost, attempts to steal data from Web applications and Web sites. Our Web Application Firewall, after all, is installed in every one of our 140,000 servers around the world, and thus can inspect incoming requests in order to separate legitimate users looking to browse or purchase from illegitimate requests looking to "scrape" information for competitive advantage or steal credit card credentials for later sale on the black market. Akamai customers are also protected against denial-of-service (DoS) attacks. These attacks are perpetrated by attackers motivated by a variety of desires: financial, political, or simply "glory." A denial-of-service attack sends more traffic to a Web site than it can handle in order to make the site unavailable.

You may have heard the recent press reports about high-profile attacks against banks and e-Commerce sites in the past year. Akamai is uniquely positioned to protect against this kind of attack because it is inline (present in all 140,000 servers in the Akamai Intelligent Platform), always on, and has unmatched scale. In fact, one attack against retailers that Akamai defended against, a coordinated campaign designed to harm the US economy as a whole, saw 1-10k spikes in traffic against 5 separate customers. Akamai detected the attack and prevented the sites from crashing. In doing so, Akamai averted $15M in lost revenue for our customers.

That, by the way, is only the loss that would have occurred as a result of direct opportunity cost - downtime.  It does not calculate the loss to brand value or the potential loss due to regulatory fines as a result of data exposure.

So the nature of our Intelligent Platform allows us to protect against both Web site downtime and data theft. The other advantage the platform brings is visibility into trends. Because we see 15% to 30% of the world's Internet traffic, we see attacker trends well before they take hold and are able to mitigate them before they do damage to our customers. One recent example is the "Account Checker" attacks that have been covered previously on this blog and elsewhere.

Please join us on Sept 26th at 11 AM ET for our next "Crush the Rush" holiday readiness webinar to learn more about how to protect your site and holiday season revenue. Mike Smith, director of our CSIRT team, and I will be detailing the types of attack trends that Akamai is seeing, and ways in which other customers have mitigated the latest threats.

How Akamai eDNS Protects Against DNS Attacks

Andy Ellis's recent post "DNS Reflection Defense" describes how DNS works and lists general guidelines for defending against DNS attacks. This post continues the discussion of DNS protection by describing how Akamai's "eDNS" offering protects customers from both volumetric and reflective attacks on DNS infrastructure.

What is a Volumetric Attack?
In a volumetric attack, an attacker uses a botnet to generate a large volume of DNS requests. The attacker's goal is to take down the target web site by taking down its DNS infrastructure. A variant of this attack uses spoofed source IP addresses to defeat IP-address-based access control. Brobot has used such tactics against financial institutions, particularly during Phase II of its attacks.

How Akamai eDNS Defends Against Volumetric Attacks
Akamai eDNS defends against volumetric attacks through excess capacity, rate controls, and a positive security model. Akamai's DNS system is one of the largest in the world, and the normal traffic it serves is less than 1 percent of total capacity. Akamai eDNS also provides rate limiting per IP and per request type: requests from specific IP addresses can be limited to pre-defined thresholds, and rate thresholds can be set lower for commonly abused request types such as ANY and DNSSEC. Finally, in the rare event that the higher rate-limiting thresholds are crossed, eDNS can fall back to a positive security model, in which it prioritizes traffic from a list of fewer than 1 million named, known "good" servers. Those servers cover 95 percent of all known DNS traffic. Because a spoofed source address is, by definition, not on that list, the positive security model effectively mitigates the vector in which the attacker spoofs IP addresses.

What is a Reflection Attack?
In a reflection attack, an attacker sends requests to an open resolver (or any DNS server that will answer) in UDP packets whose source IP is forged to be the IP address of the target. The request is chosen to produce a large response, such as a DNS ANY query or a query for DNSSEC records, so the response delivered to the target can be up to 100x larger than the request the attacker sent; the amplification factor is simply the response size divided by the request size. That multiplication is what makes this particular attack dangerous, as aggregate traffic can reach 200-300 Gbps. The Spamhaus attack is one recent example of a reflection attack.

How Akamai eDNS Defends Against Reflection Attacks
Akamai eDNS defends against reflection attacks in two ways. First, it applies the same specialized rate limiting to ANY and DNSSEC requests that it uses against volumetric attacks, which ensures that eDNS itself cannot be used as a reflector. Second, and just as important, because the customer has outsourced DNS to Akamai, they can reject all incoming traffic to their data center on port 53, since DNS resolution is handled by eDNS. The customer may even choose to have port 53 blocked at the ISP level, ensuring that their connection to the Internet is not saturated by reflected responses.
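As an added worked example covering both the volumetric and the reflection defenses described above (written for this page; it is not Akamai's eDNS code and does not show its real thresholds): a small admission-control filter in front of an authoritative DNS server that applies per-IP and per-type rate limits, caps the amplification-friendly ANY and DNSSEC types much lower so the server cannot serve as a reflector, and falls back to a positive model of known resolvers once global load becomes abnormal. The thresholds, the allowlist, the IP addresses and the replayed query stream are all constructed assumptions; the clock is passed in explicitly so the run is deterministic.

```python
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, Set, Tuple

# Illustrative thresholds chosen for the example (not Akamai's configuration).
WINDOW_SECONDS = 1.0
PER_IP_LIMIT = 120                                    # all query types, per source IP
QTYPE_LIMITS = {"ANY": 2, "DNSKEY": 5, "RRSIG": 5}    # large-answer types favoured by reflectors
DEFAULT_QTYPE_LIMIT = 100
GLOBAL_LIMIT = 500                                    # admitted queries per window before fallback


class EdgeDnsFilter:
    """Admission control in front of an authoritative DNS server.

    Each query is judged from (source IP, query type, timestamp); the caller
    supplies the clock so behaviour is reproducible."""

    def __init__(self, known_resolvers: Set[str]) -> None:
        self.known_resolvers = known_resolvers          # the "positive" list
        self.per_ip: Dict[str, Deque[float]] = defaultdict(deque)
        self.per_ip_qtype: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.admitted: Deque[float] = deque()           # global window of admitted queries
        self.stats: Counter = Counter()

    @staticmethod
    def _recent(window: Deque[float], now: float) -> int:
        """Expire timestamps older than the sliding window; return what is left."""
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()
        return len(window)

    def decide(self, src_ip: str, qtype: str, now: float) -> str:
        # Positive security model: once global load is abnormal, only the
        # allowlisted resolvers are served. A spoofed source is by definition
        # not on the list, which is what defeats a spoofed-IP flood.
        if (self._recent(self.admitted, now) >= GLOBAL_LIMIT
                and src_ip not in self.known_resolvers):
            self.stats["drop_unknown_under_load"] += 1
            return "drop"
        # Per-IP, per-type limit: ANY and DNSSEC types are capped far lower,
        # which also keeps this server from being usable as a reflector.
        limit = QTYPE_LIMITS.get(qtype, DEFAULT_QTYPE_LIMIT)
        if self._recent(self.per_ip_qtype[(src_ip, qtype)], now) >= limit:
            self.stats["drop_qtype_limit"] += 1
            return "drop"
        # Per-IP limit across all query types.
        if self._recent(self.per_ip[src_ip], now) >= PER_IP_LIMIT:
            self.stats["drop_ip_limit"] += 1
            return "drop"
        for window in (self.admitted, self.per_ip[src_ip], self.per_ip_qtype[(src_ip, qtype)]):
            window.append(now)
        self.stats["answered"] += 1
        return "answer"


def simulate() -> Counter:
    """Replay a constructed query stream (not captured traffic) and return the tallies."""
    dns = EdgeDnsFilter(known_resolvers={"203.0.113.10"})
    # Ordinary lookups from a known recursive resolver: all answered.
    for i in range(20):
        dns.decide("203.0.113.10", "A", now=i * 0.001)
    # Spoofed reflection flood: 250 forged sources, 3 ANY queries each. The
    # per-type cap admits two per source until the global window fills; after
    # that every unknown source is dropped outright.
    for i in range(250):
        for _ in range(3):
            dns.decide(f"198.51.100.{i}", "ANY", now=0.1)
    # Under load the known resolver is still served...
    for _ in range(10):
        dns.decide("203.0.113.10", "A", now=0.2)
    # ...while an unknown (possibly legitimate) source is refused until the
    # window clears: this is the cost of the fallback mode.
    dns.decide("192.0.2.50", "A", now=0.3)     # dropped
    dns.decide("192.0.2.50", "A", now=2.0)     # answered
    # One unknown source hitting the per-IP cap with ordinary query types.
    for i in range(150):
        dns.decide("192.0.2.99", "A" if i % 2 == 0 else "AAAA", now=5.0)
    return dns.stats


if __name__ == "__main__":
    for key, value in sorted(simulate().items()):
        print(f"{key:24} {value}")
```

Two design points worth noticing in the run: the rate limits apply to known resolvers as well (a known resolver asking for ANY three times in a second is still cut off at two), and only the overload fallback exempts them; and the unknown source at 192.0.2.50 is refused while the window is full, which is why the allowlist has to cover the bulk of real resolver traffic before this fallback is acceptable. A production implementation would also replace the per-key deques with fixed-size counters, since a spoofed flood would otherwise grow state without bound.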

Many steps can and should be taken to promote internet hygiene and reduce the effectiveness of DNS attacks. Until those steps are taken, customers can rely on Akamai eDNS to protect their infrastructure and ensure their websites are accessible to legitimate users.
