Akamai Diversity

Recently by Daniel Shugrue

The DDoS Paradox

According to the Department of Homeland Security, almost 50 US Financial Institutions have suffered more than 200 Distributed Denial of Service attacks since September 2012. Because we protect the majority of the world's biggest banks, asset management firms, and online brokers, Akamai is in the unique position of having witnessed and actively defended against many of these attacks, and can describe the evolution of attack targets as well as attack techniques.
Over the past few months, we've seen attackers migrate towards two broad techniques:

  1. Request large objects (PDFs, image files, etc.)
  2. Attack non-cacheable pages (login pages, pages served by adwords, etc.)
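
Both patterns leave a trace in access logs. The sketch below is an added example, not Akamai's code or part of the original post: it profiles each client's share of large-object and non-cacheable requests and the bytes it pulled past the cache. The log layout, the `UNCACHEABLE` cache label and all thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

LARGE_OBJECT_BYTES = 1_000_000  # assumed cut-off for a "large object"
MIN_REQUESTS = 5                # too few requests to judge a client
RATIO = 0.8                     # assumed share of requests that triggers a flag

# Constructed sample, not real traffic. Fields: ip method path status bytes cache
SAMPLE_LOG = "\n".join(
    ["198.51.100.7 GET /docs/annual-report.pdf 200 8400000 MISS"] * 6
    + ["203.0.113.9 POST /login 200 2100 UNCACHEABLE"] * 7
    + ["192.0.2.44 GET /index.html 200 15000 HIT",
       "192.0.2.44 GET /img/logo.png 200 42000 HIT",
       "192.0.2.44 POST /login 302 0 UNCACHEABLE",
       "192.0.2.44 GET /account 200 9000 UNCACHEABLE",
       "192.0.2.44 GET /docs/annual-report.pdf 200 8400000 HIT",
       "192.0.2.44 GET /css/site.css 200 7000 HIT",
       "malformed line"]
)

def profile_clients(log_text):
    """Aggregate per-client counters; malformed lines are skipped."""
    stats = defaultdict(lambda: {"requests": 0, "large": 0,
                                 "uncacheable": 0, "origin_bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue
        ip, _method, _path, _status, size, cache = parts
        size = int(size)
        s = stats[ip]
        s["requests"] += 1
        s["large"] += size >= LARGE_OBJECT_BYTES
        s["uncacheable"] += cache == "UNCACHEABLE"
        if cache != "HIT":  # MISS and UNCACHEABLE both cost the origin
            s["origin_bytes"] += size
    return dict(stats)

def flag_clients(stats):
    """Return {ip: [reasons]} for clients dominated by either pattern."""
    flagged = {}
    for ip, s in stats.items():
        if s["requests"] < MIN_REQUESTS:
            continue
        reasons = []
        if s["large"] / s["requests"] >= RATIO:
            reasons.append("large-object")
        if s["uncacheable"] / s["requests"] >= RATIO:
            reasons.append("non-cacheable")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Per-client ratios only catch concentrated sources; the same counters summed per path or per time window show whether many low-volume clients are converging on one large object or one login page.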

Security professionals will be neither surprised nor impressed by these findings. Nor will they question that unprotected sites typically suffer increased response times or downtime when they fall victim to these attacks. What might surprise them, however, is how the common responses to these threats are leading, in some cases, to increased latency in sites even when they are not under attack, and in some cases are leaving sites more likely to crash or suffer data exfiltration than they were before "preparedness steps" were taken.

The DDoS Paradox
The tendency to tighten rules and broaden inspections to the point of decreasing performance is what we have come to describe as the "DDoS Paradox". The logical thinking that leads to the paradox is as follows:

  1. CSO at Company ABC reads about attacks.
  2. CSO tightens and broadens rules on Web Application Firewall in order to better prepare for attacks.
  3. Tightened and broadened rules lead to increased inspection of incoming requests which slows down legitimate traffic and makes it easier for malicious traffic to flood and knock down the WAF.

The first outcome (slowing down legitimate traffic) is clearly bad for Company ABC, and good for the threat actors who are looking to cause widespread interruptions to economic activity. The second outcome (knocking down the WAF) is unfortunately good for threat actors who are trying to steal data. If they've launched an application layer DDoS attack that knocks down a firewall, they can then move in with a relatively simple SQLi or XSS attack in order to steal data or install malware on site visitors' PCs.  

For companies trying to protect their web assets, the DDoS Paradox presents a lose/lose situation. Fortunately, there are ways around the paradox. Interestingly, these options involve tightening and broadening WAF rules outside of the data center. In other words, tightening and broadening rules at the edge of the Internet is the best way to ensure that your tighter security measures do not inadvertently lead to degradation in performance and/or an increased susceptibility to data theft.


Akamai's Kona Security Solutions do just that: they provide inline, always-on, and highly scalable DDoS and application layer defense at the edge of the Internet, giving CSOs the ability to respond to attacks without suffering trade-offs.

 

Dan Shugrue is a senior product marketing manager at Akamai.

Why Do Media Companies Need Web Security?

Media companies, of course, have long enjoyed the video streaming and web performance benefits that Akamai provides. In fact, we'll be showing some of our latest content preparation, delivery and measurement solutions at the 2013 NAB Show in Las Vegas. But that's not all.

Many of our media customers also trust us to help them solve their security needs. Why? Media companies need to protect their Websites from DDoS attacks and enforce Web application security. It sometimes surprises me, however, that some organizations outside of the financial services industry don't take Web security needs as a given, and have not already taken measures to protect themselves and their brand. But then, three years ago many people outside of the CIA didn't think they would ever be the victims of email hacking.

I remember sometime around the summer of 2010 finding myself at a neighborhood BBQ having burgers and beer. As I balanced my paper plate in the same hand that held my beer, I managed to shake hands with a neighbor. Out of sheer politeness, he asked what I did for a living. I told him I worked for a computer security company and expected my answer to have the usual effect: glazed eyeballs, maybe a glance around the room, and a quick, "anybody need another?" after which the victim of my hopeless attempt to engage in conversation would slink away, never to be seen or heard from again. Instead, my answer actually seemed to irritate my neighbor (let's call him Jim). Jim: "Oh, so you are one of those guys who makes me change my password, like, every three months?" My answer, "Not really," was ignored as he called his buddy, Kyle, over to the conversation. "Kyle, how often do you change your password?" 

Kyle dutifully replied, "Every three months, but only because the IT guys make me."  

Jim, angry now: "Yeah, so what's the deal. Do you really think someone is going to break into my correspondence with my wife over who is going to pick up milk on the way home?"

Kyle: "Yeah, I really don't think anyone is interested in my Gmail account."

Me: "Well, you never know, I mean..."

Kyle: "And even if I do change my password, how are the odds any different that they'll guess the new password versus the old one?"

Jim: "Right. Ha ha ha. Only thing that guarantees is that I'll forget my new password sooner and have to call the IT guys." Turning to me: "Well, I guess you just guaranteed yourself a job, ha ha ha. You have to answer the phone at the help desk when I call because you forgot your password."

Are you a Liar or Outlier, or Both?

Akamai is pleased to host Bruce Schneier at the Akamai booth at RSA® Conference in San Francisco the week of Feb 25th. We will be giving away free copies of Bruce's newest book, Liars and Outliers, and Bruce will be available for signings. Bruce is both an innovative thinker and a thought leader in the field of security.
 
Liars and Outliers is an enormously candid book, especially coming from someone who makes his living in the security industry. In the book, Bruce makes a case for what many within the security industry consider dirty secrets:
 
  1. Security systems are inherently, and will always be, flawed
  2. As technology advances, the ability of threat actors to outpace security innovation will expand
  3. More security is not always beneficial
  4. In order to function effectively, society needs the following pressures, in equal measure, to work in conjunction with security:
     a. Moral
     b. Reputational
     c. Institutional

In the end, threat actors will always exist, and in many ways are necessary for the survival of society, much in the way that hawks are a necessary part of the food chain. This is not to say that Liars and Outliers is fatalistic, or even pessimistic. It is simply a well-researched, well-written, and entertaining book that comes to the conclusion that the evolution of security, moral, reputational and institutional pressures is a process, not a product, and that "There is no 'getting it right' - this process never ends." We couldn't agree more, and are happy to host Bruce Schneier throughout the week at our booth, #1630.

For a complete book signing schedule, visit www.akamai.com/RSAC2013. Please stop by to meet Bruce and get a free signed copy of his book.