Nikhil Taneja - Vice President & Managing Director - India, SAARC, Middle East & GSI at Radware
https://www.theproche.com/author/nikhil/
Mon, 15 Aug 2022 09:18:42 +0000

Mantra to Choose the Appropriate DDoS Mitigation Strategy – Keep it Simple
https://www.theproche.com/mantra-to-choose-the-appropriate-ddos-mitigation-strategy/
Mon, 21 Sep 2020 08:30:28 +0000

The cyber industry offers a plenitude of DDoS mitigation solutions. Competition may be misleading as providers highlight terms such as mitigation capacity, layered protections or time-to-mitigate.

DDoS Mitigation Strategies in a Nutshell

There are several options from which you can choose a DDoS mitigation strategy.

On Premises DDoS Appliance: A DDoS detection and mitigation device installed in front of the firewall in your data center. It offers immediate mitigation of all types of attacks, including SSL attacks, but offers limited protection against volumetric attacks that saturate your internet pipe.

Always-On Cloud DDoS Protection Service: A cloud service wherein your traffic is constantly routed through the provider’s scrubbing center for attack detection and mitigation.

On-Demand Cloud DDoS Protection Service: A cloud service that kicks in only when you are under attack by diverting your traffic to the provider’s scrubbing center.

Hybrid DDoS Protection Solution: This is the best of both worlds: an on-premises device that integrates with a cloud mitigation service (can be on-demand or always-on cloud service).

How to Choose a DDoS Mitigation Plan?

A few guidelines can simplify your selection process. Ask the following questions:

Can you afford a few minutes of downtime when under DDoS attack?

If the answer is YES, then go for the On-Demand Cloud DDoS Protection Service. This is the lowest cost solution and offers effective mitigation against DDoS attacks. The trade-off is an extended time-to-mitigate of several minutes, which is driven by the need to re-route your traffic to the provider’s scrubbing center.

If the answer is NO, then select the Always-On Cloud DDoS Protection Service. This option provides immediate mitigation (within seconds) of DDoS attacks.

Do you process HTTPS traffic extensively?

If YES, then you need the Hybrid DDoS Protection solution, where the on-premises device mitigates HTTPS attacks and the cloud service mitigates volumetric attacks.

Are you frequently attacked?

If YES, then you need an Always-On Cloud DDoS Protection Service. An On-Demand service may overwhelm your network with extensive diversions of your traffic.

There are several flavors from which to choose when selecting an effective DDoS mitigation strategy. Most enterprises opt for one of the cloud protection flavors (always-on or on-demand). Financial service providers, health care or utilities typically go with hybrid solutions, due to the nature of their business: they require utmost application availability and process SSL traffic extensively.

How Human-like Bots perform Online Fraud
https://www.theproche.com/how-human-like-bots-perform-online-fraud/
Mon, 18 May 2020 09:28:58 +0000

2019 saw login pages as prime targets for fraudsters across different verticals. They are using bad bots to carry out two types of online fraud: (1) account takeover to steal PII and payment card details, and (2) fake account creation to validate stolen payment card details (carding attacks) or cash out stolen cards.

For online businesses and their customers, the growing threat of online fraud is a real concern. With stringent regulations on data and privacy such as GDPR and CCPA, online fraud is not just a business issue, but a legal challenge as well. For many organizations, a data breach means ceasing to exist due to massive fines under new data security regulations.  

The real challenge here is not weak data and payment security adopted by the organization. With every measure online merchants take to tighten security and thwart malicious activities, cyber criminals seem to up their game and outwit them. Online businesses today are faced with a tireless legion of bots that can bypass security defenses to perform fraud.

The bad bots that perform online fraud are highly sophisticated and can mimic human behavior. According to the Big Bad Bot Problem 2020 report, 62.7% of bad bots on the login page can mimic human behavior. That means these bots can take over user accounts or can even create fake accounts to perform carding or cashing out attacks. Similarly, 57.5% of bad bots on the checkout page can simulate human behavior when performing carding attacks.

Behavior of bad bots by generation

Online Fraud Attacks and Symptoms to Identify If You’re Under Attack

Per OWASP, here are the attack symptoms you should watch out for:

Online Fraud During the Coronavirus Pandemic

While the world struggles to find a cure for coronavirus, even healthcare organizations are under cyber-attack. We observed a spike in bot activity against e-commerce, entertainment, and BFSI in March. Cybercriminals are targeting e-commerce and financial services institutions with account takeover attacks during this pandemic.   

Traffic distribution by industry – March 2020

Conclusion

Online businesses need to adopt various measures to avert online fraud. Conventional security measures identify and block bots using thresholds set on traffic from recognized attack sources, for example, known botnet herders’ IPs. Such approaches are ineffective in stopping bots that simulate human behavior and shift through thousands of IPs to commit fraud.

We recommend the following action plan to spot and prevent online fraud:

  • Constantly monitor traffic sources and restrict login attempts per session/user/IP address/device.
  • Develop competencies to detect automated behavioral patterns of users and deploy systems that can detect the intent of automated traffic distributed across multiple sessions and sources.
  • Building an accurate bot detection engine is a tightrope act. If you try to eliminate false negatives, you end up with a few false positives — and vice versa. Lack of historical labeled data is one of the major concerns for an accurate detection system. The best approach for an organization that is trying to build an ML-powered automated bot management solution is to create a closed-loop feedback system that dynamically improves the machine-learning models based on signals collected directly from end-users.
  • Monitor and restrict social media login. Ensure that users have unique passwords and educate users about password re-use to prevent credential stuffing and credential cracking attempts.
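
The first two items of the action plan can be illustrated with a small monitor that keeps a per-IP, per-device and per-user attempt limit and adds one signal that looks across sources. This is an added example, not code from the article or from Radware; the window, the limits, the device fingerprint field and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 300                                      # seconds (assumed)
RATE_LIMITS = {"ip": 5, "device": 5, "user": 5}   # attempts per window (assumed)
MAX_USERS_PER_DEVICE = 3                          # distinct accounts per device (assumed)


class LoginMonitor:
    """Sliding-window attempt counters plus one cross-source signal."""

    def __init__(self):
        self.attempts = defaultdict(deque)        # (kind, value) -> timestamps
        self.device_users = defaultdict(deque)    # device -> (timestamp, user)

    def _rate(self, key, ts):
        q = self.attempts[key]
        q.append(ts)
        while q[0] <= ts - WINDOW:                # drop attempts older than the window
            q.popleft()
        return len(q)

    def observe(self, ts, ip, device, user):
        """Return the reasons (possibly none) to challenge this login attempt."""
        reasons = []
        for kind, value in (("ip", ip), ("device", device), ("user", user)):
            if self._rate((kind, value), ts) > RATE_LIMITS[kind]:
                reasons.append(kind + "-rate")
        # Cross-source signal: one device fingerprint trying many different accounts,
        # regardless of how many IP addresses the attempts arrive from.
        seen = self.device_users[device]
        seen.append((ts, user))
        while seen[0][0] <= ts - WINDOW:
            seen.popleft()
        if len({u for _, u in seen}) > MAX_USERS_PER_DEVICE:
            reasons.append("device-many-users")
        return reasons


def constructed_events():
    """Constructed sample: (timestamp, ip, device fingerprint, username)."""
    # Automated client: a new IP and a new username on every attempt, same device.
    events = [(float(i * 2), f"198.51.100.{i + 1}", "fp-7c1e", f"user{i:02d}")
              for i in range(20)]
    # A person retrying their own password from one address.
    events += [(5.0, "203.0.113.10", "fp-a41b", "alice"),
               (21.0, "203.0.113.10", "fp-a41b", "alice")]
    return sorted(events)


def replay(events):
    monitor = LoginMonitor()
    return [(ev, monitor.observe(*ev)) for ev in events]


if __name__ == "__main__":
    for ev, reasons in replay(constructed_events()):
        print(ev, reasons or "ok")
```

In the constructed events the per-IP limit never fires, because every attempt arrives from a different address; only the device-level counters catch the pattern.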

COVID-19; Global impact on Markets & Digital Experience
https://www.theproche.com/covid-19-global-impact-on-markets-digital-experience/
Wed, 06 May 2020 09:28:30 +0000

The coronavirus outbreak is changing the economy, creating disruption across retail, tourism, airline, transportation and many more industries. The virus is also severely impacting supply chains and manufacturing, as it forces a significant number of companies to throttle down or temporarily shut down assembly lines in the U.S. and Europe, where the most vulnerable companies are those that rely heavily on factories in China for parts and material. Furthermore, the balance between supply and demand is fragile, and when both sides are hit, it can unmask deeper issues.

One example of COVID-19’s impact on the economy is reflected in people’s shifting behaviors; they are avoiding public contact, large events, public transportation, shopping malls, restaurants, flights and more. These self-imposed limitations on outside contact are likewise hitting the workforce; some organizations that never allowed remote work are now implementing it to protect the health of employees and the business itself.

Online living and working creates two major glitches:

  • Huge traffic surges. Organizations are ill prepared to handle these; do they have enough bandwidth, for example, if their online customer base doubles in a matter of months? Are they prepared to capture the opportunity and ensure performance and availability of their online systems/services?
  • It creates opportunity for threat and nation state actors to leverage the increased attack surface and new segments that arise. If people are opting to conduct their lives and business online (versus in person), thereby creating more online accounts, there’s a bigger opportunity for account takeover, credit card fraud, ransomware, denial of inventory, service disruption and more. What’s more, panic and demand for news makes great breeding grounds for malware.

Global Impacts

In the last few weeks, the world has observed an increase in attacks and, moreover, in their sophistication and adaptation to world events.

  • In Japan, threat actors are leveraging coronavirus fears to run malware campaigns for personal gain.
  • In the U.S., a similar malware campaign is on the rise, leveraging the tax season in its prime to infect and steal private information.
  • In Australia, the largest logistics supplier (Toll group) went offline due to ransomware. This resulted in a huge disruption to the general market, as other major businesses couldn’t stock retail stores or deliver to customers. Similarly, the nation’s wool trading system has been breached and taken offline. The entire wool delivery supply chain has been shut down for a few days. How many wool producers were considering the security, availability and integrity of the trade platform as business critical to their operation? Probably not top of mind for most sheep farmers, until now.

Globally, as coronavirus infections increase and spread to more countries, phishing attacks are becoming more pervasive. The most recent example comes from the World Health Organization, a United Nations unit, which warned this week that fraudsters have started to use its name and images as part of phishing attacks and other scams.

Is There Any Good News?

The good news is that inside any disruption are hidden opportunities that the prepared can capture (online businesses with logistics, reviving local producers, etc.). This pandemic has the high likelihood of forcing habit changes on society and a drastic shift in how we operate day-to-day. Some companies will be prepared to capture the opportunities, while some industries will be irrevocably changed.

How can organizations protect their business to better handle the growing threat?

  • Infrastructure protection against disruptive network and application level attacks – To stay protected, organizations need to implement different tools and technologies. For example, DDoS prevention solutions help organizations win the ongoing security battle against availability attacks by detecting and mitigating known and zero-day DoS/DDoS attacks in real time. They can protect against emerging security threats that can go undetected by traditional DDoS mitigation tools, such as SSL-based flood attacks, DNS attacks, attacks on login pages and attacks originating from IoT botnets.
  • Advanced web application attacks – The digital transformation era is mainly around user experience. Thus, applications become more centric and public facing but at the same time, more exposed to attacks. In order to ensure fast, reliable and secure delivery of mission-critical web applications for corporate networks and in the cloud, a comprehensive WAF is needed.
  • Identify legitimate traffic with malicious intent – 26% of the total internet traffic is generated by bad bots. While good bots help accelerate business processes, such as data collection and decision making, bad bots target websites, mobile apps and APIs to steal data and disrupt service. Unfortunately, 79% of organizations cannot distinguish between good and bad bots.
  • Cloud workload protection – Moving workloads to a public cloud means new threats. Putting internal resources in the outside world creates a larger vulnerable attack surface, and external threats that could previously be contained can now strike directly at the heart of an organization’s workloads. In other words, when your inside is out, the outside can get in. Cloud providers are vigilant in how they protect their data center. But responsibility for secure access to applications, services, data repositories and databases falls on the enterprise.
  • Application delivery and performance – As organizations are adopting cloud as an infrastructure for their applications, for both development and production, new challenges arise because their application portfolio gets scattered across multiple environments. The need is for a new breed of application delivery and security for on-premise data centers, private and public clouds, using one centralized service management and control to simplify administration via centralized policies that are propagated to all environments and ensure operational consistency.

Embrace the elastic cloud – Leverage the elasticity of the cloud to flexibly grow business. Those with cloud native applications will be able to scale faster and more effectively.

Are Bots exploiting Coronavirus fears?
https://www.theproche.com/are-bots-exploiting-coronavirus-fears/
Thu, 23 Apr 2020 10:44:11 +0000

Coronavirus is a pandemic that the world has not witnessed in quite some time. International borders are closed. Major sports leagues have suspended their games. Employers have asked their workers to work from home. Normal life has been upended and will remain so for the foreseeable future, as the world struggles to get ahead of the deadly COVID-19 virus.

As the information on the novel virus deluges WhatsApp inboxes and social media feeds, the WHO recently warned of a different type of outbreak in regard to coronavirus: the overabundance of information makes it difficult for people to differentiate between legitimate news and misleading information–which could be disastrous. EU security services have also warned that Russia is aggressively exploiting the coronavirus pandemic to push disinformation and weaken Western society using its bot army.

An Infodemic

Internet traffic processed by bot managers is regularly monitored to track the “infodemic” that the WHO and the EU security services have warned of. Data shows that bots have upped their game. Organizations from social media, e-commerce, and digital publishing industries have witnessed an unexpected surge in bad bot traffic after the rise of the coronavirus pandemic. These bots were involved in executing various insidious activities, including spreading disinformation, spam commenting, etc.

It was also found that 58.1% of bots in February could mimic human behavior. This means they can disguise their identity and can create fake accounts on social media sites to post their masters’ propaganda as a genuine user. With such advanced bots, spreading disinformation becomes easy for countries such as Russia.

Types of bad bots across industries.

Gaining from the pandemic is not limited to Russia and social media. Given the attention that the “coronavirus” keyword is receiving, cybercriminals and scammers are more vigilant than ever to profit. For example, our research shows there has been an exponential rise in automated attacks on e-commerce and media industry as well. Let’s take a detailed look at it.

Coronavirus Related Articles being scraped by Cybercriminals

Malicious actors are always in search of opportunities to scam people. So much so, they won’t let go of any significant event, whether it’s a natural calamity, a pandemic, or a celebration.

Coronavirus is, in this respect, no different than other events. Fear and a continuous need for latest news provide an excellent breeding ground for automated attacks. A lot of phishing campaigns on the internet today are aimed at luring people with the promise of essential or breaking news on COVID-19, enticing them to click on malicious links or open infected attachments.

In the UK alone, coronavirus scams cost victims over £800k (the equivalent of nearly USD 1M) in one month (February 2020).

Research also suggests that cybercriminals are targeting media and digital publishing sites to scrape their unique content, publish scraped content on malware-ridden shady websites, and scam visitors. In February, 27.7% of traffic on media sites came from bad bots involved in automated activity, including scraping.

Traffic Distribution of Media and Digital Publishing Sites

The following case study shows how cybercriminals are exploiting coronavirus fear and using media sites as facilitators to perform phishing attacks. This is a renowned media site that has a dedicated section for coronavirus related news. The figure highlights how bots’ presence gradually increased on the coronavirus section of this website in February and March.

Scraping Attack on the Coronavirus Section of a Renowned Publisher

Bots on this website are attempting scraping. As figure 4 highlights, as soon as an article on coronavirus is published (blue dots), bots try to scrape it (red dots). These bots then post the scraped articles on malware-ridden shady websites owned by their masters to lure visitors for scams.

Scraping attack analysis.

Search for Sanitizers and Face Masks by Bots

Bots’ quest to gain from the coronavirus pandemic doesn’t end with media sites; they are also targeting e-commerce websites. With 31.3% of traffic comprised of bad bots, e-commerce was the second most targeted industry by bad bots in February. The sector witnessed an unexpected surge in bad bot traffic after the rise of the coronavirus pandemic.

Traffic distribution of the e-commerce industry

Let’s take a detailed look at how cybercriminals are targeting e-commerce firms through a real-world case study. We monitored the traffic of a top European e-commerce site that has hand sanitizers and face masks listed on its portal. As coronavirus fear increases, bots ramp up their search for face masks and sanitizers as shown in figures 6 and 7.

Search for hand sanitizers by bad bots.
Search for face masks by bad bots.

These automated attacks could be aimed at performing denial of inventory attacks, hoarding these essential products to sell in black markets, or even scraping product details to list similar products on malware-ridden sites to scam people.

As the coronavirus threat intensifies, bots will drive the infodemic much further, continuing to be an efficient tool for cybercriminals, nation-state actors, and conspiracy theorists alike. The impact of information — true or false — especially in times of fear, uncertainty and confusion is greater. Because communication channels are diverse, authorities have very little control of Bot activity. In the coming months, we expect the use of bots to accelerate due to the COVID-19 pandemic and the US presidential election.

Protect Your VPN by learning from DDoS attack test
https://www.theproche.com/protect-your-vpn-by-learning-from-ddos-attack-test/
Mon, 06 Apr 2020 11:32:48 +0000

In the wake of the COVID-19 pandemic, many IT organizations find themselves scrambling to meet the sudden spike in VPN traffic as most employees are choosing to (or have been mandated to) work from home. Unfortunately, this also presents a golden opportunity for malicious attackers to disrupt their targets by launching various types of attacks on the enterprise VPN infrastructure itself.

Most organizations use old, antiquated remote VPN applications and concentrators which work in a hub-spoke architecture. This is because VPNs were always considered to be a “fill the gap” piece of the IT infrastructure, meant for workers on business travel or for people accessing the company resources off-hours. The traffic expected to come through the VPN was a small percentage of the total IT traffic.

A pharmaceutical industry customer actually prepped for this day. They anticipated a situation wherein most of their workforce would have to work from home and they designed their DDoS defenses around this assumption. Not only that, they hired an external DDoS testing company to run attacks on the VPN infrastructure to measure the resilience of the different components.

Some lessons learnt from the DDoS attack run on their VPN infrastructure:

Lesson #1: It is easy to exhaust resources on VPN concentrators and firewalls, even with a low volume attack.

Even at an attack volume as low as 1 Mbps, a fine-tuned TCP Blend attack–where the attacker sends a small amount of TCP packets with the SYN flag checked, another batch of TCP packets with ACK flag, another set of URG packets, and so on–was able to bring the network firewalls to a state where they could handle no more new connections. Most DDoS defenses do not trigger because the volume thresholds don’t trigger.

To protect against this type of attack, you need to tune your hosts, your firewalls and your DDoS policies. Many network firewalls have a “SYN defender” or “embryonic connection” feature, which can protect against SYN Floods. For the DDoS policy, use features which allow out of state packet detection and prevention.

An on-premise DDoS mitigation appliance will generally allow more options for fine-tuning during an attack than a cloud-based DDoS service, as the policies are completely in the customers’ control and not shared with other customers in the cloud. Finally, if you use rate limiting, it is best to set thresholds that match your expected number of VPN connections; many mitigation devices have default parameters which don’t always work well for VPN applications.
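
Why a volume threshold stays silent while state tracking catches this traffic can be shown with a small inbound filter that combines an embryonic-connection limit with out-of-state packet detection. This is an added example, not code from the article or from any vendor; it sees only client-to-gateway packets, ignores sequence numbers, and the timeout, limits, packet records and addresses are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

EMBRYONIC_TIMEOUT = 5.0      # seconds a half-open entry may live (assumed)
MAX_EMBRYONIC_PER_SRC = 3    # half-open entries allowed per source (assumed)
VOLUME_ALARM_MBPS = 100.0    # volume-based threshold for comparison (assumed)


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    sport: int
    flags: frozenset
    size: int = 60           # bytes on the wire


class InboundStateFilter:
    """Tracks inbound TCP flows; simplified: an ACK on a half-open flow completes it."""

    def __init__(self):
        self.flows = {}      # (src, sport) -> [state, last_seen]

    def embryonic(self, src=None):
        return sum(1 for (s, _), (state, _) in self.flows.items()
                   if state == "EMBRYONIC" and (src is None or s == src))

    def _expire(self, now):
        for key, (state, seen) in list(self.flows.items()):
            if state == "EMBRYONIC" and now - seen > EMBRYONIC_TIMEOUT:
                del self.flows[key]

    def check(self, p):
        self._expire(p.ts)
        key = (p.src, p.sport)
        entry = self.flows.get(key)
        if p.flags == {"SYN"}:
            if entry is None:
                if self.embryonic(p.src) >= MAX_EMBRYONIC_PER_SRC:
                    return "drop:embryonic-limit"
                self.flows[key] = ["EMBRYONIC", p.ts]
            return "pass"                       # new flow or SYN retransmit
        if entry is None:
            return "drop:out-of-state"          # ACK/URG/... with no handshake seen
        if p.flags & {"RST", "FIN"}:
            del self.flows[key]
        elif "ACK" in p.flags:
            self.flows[key] = ["ESTABLISHED", p.ts]
        return "pass"


def constructed_capture():
    """Constructed sample: one real client, then batches of SYN, ACK and URG packets."""
    f = frozenset
    legit = [Pkt(0.0, "203.0.113.5", 40000, f({"SYN"})),
             Pkt(0.1, "203.0.113.5", 40000, f({"ACK"})),
             Pkt(0.2, "203.0.113.5", 40000, f({"PSH", "ACK"}))]
    syn = [Pkt(1.0 + i * 0.01, "192.0.2.10", 1000 + i, f({"SYN"})) for i in range(10)]
    ack = [Pkt(2.0 + i * 0.01, "192.0.2.11", 2000 + i, f({"ACK"})) for i in range(10)]
    urg = [Pkt(3.0 + i * 0.01, "192.0.2.12", 3000 + i, f({"URG"})) for i in range(10)]
    return legit + syn + ack + urg


def analyze(packets, filt=None):
    """Return (verdict counts, observed Mbps, whether the volume alarm would fire)."""
    if filt is None:
        filt = InboundStateFilter()
    verdicts = Counter(filt.check(p) for p in packets)
    span = (max(p.ts for p in packets) - min(p.ts for p in packets)) or 1.0
    mbps = sum(p.size for p in packets) * 8 / span / 1e6
    return verdicts, mbps, mbps >= VOLUME_ALARM_MBPS


if __name__ == "__main__":
    print(analyze(constructed_capture()))
```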

Lesson #2: SSL VPNs are susceptible to SSL floods, just like your web servers.

Two of the DDoS tests were variations of an SSL flood attack. The first attack was a high-volume SSL connection flood. This attack tries to exhaust the server resources using a high volume of SSL handshake requests.

To protect against this attack, stateful devices like firewalls, VPN concentrators and load balancers should be carefully monitored for TCP sessions and states. Also, creating a baseline and setting up alerts against those baselines will help with troubleshooting during an actual attack.

On the firewalls, use features like “concurrent connection limit,” and reduce session timeouts for connections without any data packets. On the DDoS policy, allow a limited number of connections to be established concurrently from a given source IP address. Also, reduce session timeouts to free up the connection tables on the firewall.
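
The effect of those two settings on a connection table can be seen by replaying the same traffic against a default and a tuned configuration. This is an added example, not code from the article or a model of any particular firewall; the table capacity, limits, timeouts and traffic are constructed assumptions.

```python
class SessionTable:
    """Fixed-size connection table with a per-source cap and a short no-data timeout."""

    def __init__(self, capacity, per_src_limit=None,
                 idle_timeout=3600.0, no_data_timeout=None):
        self.capacity = capacity
        self.per_src_limit = per_src_limit
        self.idle_timeout = idle_timeout
        # Sessions that never carried data may be given a much shorter timeout.
        self.no_data_timeout = idle_timeout if no_data_timeout is None else no_data_timeout
        self.sessions = {}                       # (src, sport) -> [last_seen, has_data]

    def _reap(self, now):
        for key, (last, has_data) in list(self.sessions.items()):
            limit = self.idle_timeout if has_data else self.no_data_timeout
            if now - last > limit:
                del self.sessions[key]

    def open(self, now, src, sport):
        """Try to admit a new connection; False means it was refused."""
        self._reap(now)
        if len(self.sessions) >= self.capacity:
            return False                         # table exhausted
        if self.per_src_limit is not None:
            held = sum(1 for s, _ in self.sessions if s == src)
            if held >= self.per_src_limit:
                return False                     # concurrent connection limit hit
        self.sessions[(src, sport)] = [now, False]
        return True

    def data(self, now, src, sport):
        entry = self.sessions.get((src, sport))
        if entry is not None:
            entry[0], entry[1] = now, True


def replay(table):
    """Constructed traffic: 100 handshake-only connections, then 10 real VPN users.

    Returns (peak table occupancy after the flood, real users admitted)."""
    for i in range(100):
        table.open(i * 0.01, f"192.0.2.{i % 5 + 1}", 10000 + i)
    peak = len(table.sessions)
    admitted = 0
    for i in range(10):
        src = f"203.0.113.{i + 1}"
        if table.open(30.0, src, 50000):
            table.data(30.1, src, 50000)
            admitted += 1
    return peak, admitted


def compare():
    default = replay(SessionTable(capacity=50))
    tuned = replay(SessionTable(capacity=50, per_src_limit=4, no_data_timeout=10.0))
    return default, tuned


if __name__ == "__main__":
    print(compare())
```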

Patented defense mechanisms can help with SSL floods – both on-premise and in the cloud. DefenseSSL identifies suspicious traffic using behavioral analysis and then activates the in-the-box SSL module for decryption. Via a set of challenge response mechanisms, applied only to the suspicious traffic, the attack is identified and mitigated. If the client passes all the challenges, subsequent HTTPS requests are allowed to reach the protected server directly, thus creating a new TLS/SSL session between the client and the protected SSL server.

This unique deployment model enables a solution which introduces zero latency in peace time and minimal latency under attack – only on the first HTTPS session per each client. For scenarios where it is not possible to use a certificate for decryption, behavioral SSL protection can be used. This can protect against SSL floods without decrypting the SSL connection.

An SSL/TLS renegotiation attack takes advantage of the processing power needed to negotiate a secure TLS connection on the server side. It sends spurious data to the server or constantly asks to renegotiate the TLS connection, thus exhausting the server’s resources beyond its limits.

To protect against this attack, disable SSL re-negotiation on the server. Weak Cipher Suites should be disabled as well. Another option is to use SSL offloading using high capacity external load balancers to relieve your firewall or VPN concentrator. Radware can protect against this type of attack in both on-premise and cloud-based deployments.

Lesson #3: VPNs are susceptible to UDP floods.

Two of the attack scenarios included UDP floods. One was a randomized UDP flood and the second was an IKE flood. IKE is used for IPSec VPNs for authentication and encryption.

Because the UDP port numbers are randomized, use a behavior-based DDoS defense mechanism.

Lesson #4: Monitoring and alerting are mandatory.

Mitigation of many of the attacks conducted needed real-time visibility and tuning of parameters on the DDoS policy as well as on the network firewalls and VPN concentrators. To tune the thresholds accurately, it is imperative to have a thorough understanding of your normal VPN traffic, both the volume (in Mbps or Gbps) as well as the normal number of connections that are expected. Monitoring connections on different devices can be easier with a SIEM. Also, real-time measures like reducing session timeouts and rate limiting work best if you know the normal baselines.

While the above lessons were from a controlled DDoS test, many of the attack vectors used in the test are like what one can expect from malicious entities. As you scramble to get your VPNs up to the capacity to support the increase in remote workers, please don’t forget to prepare for DDoS protection as well.

Stay safe and healthy – we all need to come out stronger on the other side of the tunnel.

About Radware

Radware (NASDAQ: RDWR), is a global leader of application delivery and application security solutions for virtual, cloud and software-defined data centers. Its award-winning solutions portfolio delivers service level assurance for business-critical applications while maximizing IT efficiency. Radware’s solutions empower more than 10,000 enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity and achieve maximum productivity while keeping costs down. For more information, please visit www.radware.com.

Cloud Migration – Challenges & Ways to Overcome Them
https://www.theproche.com/cloud-migration/
Tue, 18 Feb 2020 16:40:24 +0000

As services and data migrate to the cloud, the world of applications is undergoing a major change. Many factors drive organizations to migrate applications to the cloud, namely lowering IT costs due to economies of scale, scalability due to elastic consumption, an operational instead of a capital expense, and the ability to test and provision a new application quickly and thus achieve a faster time to market.

Most organizations will use multiple cloud providers, some in addition to their private cloud and on-premise deployments. This fluidity creates unique challenges in terms of how to make advanced services simpler to consume and maintain, and to address the need for both quicker and consistent deployment across multiple environments, each of which may have different capabilities, configurations, monitoring, management and administration.

The process of migrating applications to the cloud is not easy. The flexibility and the cost-benefit that drive the shift to the cloud also present many challenges – security, business continuity and application availability, latency reduction, issues with visibility and SLA guarantees, and isolation of resources.

Migrating applications to the cloud(s) presents some interesting challenges that require careful thought:

  • Licensing – May quickly become a planning nightmare for organizations without cost predictability, as scaling an application with a metered model may create cost spikes. Pay as you go models may also promote shadow IT initiatives that impact both security and cost controls.
  • Lock-in with a cloud service provider.
  • Lack of standardization across clouds may require value-added advisory services, such as technical and consulting to deploy.
  • Architecture to address hybrid deployment.
  • Automation – Self-service tools to reduce resource requirements in order to automate and integrate across multiple environments.
  • Visibility – Solutions that span both private and public cloud infrastructure also drive the need for a single pane of glass for management, monitoring and root cause analysis.
  • Security – For organizations, applications in the cloud may not have the same level of physical controls as they have for on-premise deployment in their own data center. In addition, as applications are accessible over the web, the attack surface increases.
  • Other security requirements such as user access, user privacy, and compliance needs.

Moving to the Cloud: The Non-Negotiables

Scalability and Availability: Autoscale capability is important for organizations looking to automate operations, that is, to add and remove services on demand without manual intervention for licensing and to reclaim capacity when it is no longer in use. This directly reduces costs.

Security: As hackers probe network and application vulnerabilities to gain access to sensitive data, the prevention of unauthorized access needs to be multi-pronged:

  • Routinely applying security patches
  • Preventing denial of service attacks
  • Preventing rogue application ports/applications from running in the enterprise or on their hosted container applications in the cloud
  • Routine vulnerability assessment scans on container applications
  • Preventing bots from targeting applications and systems while being able to differentiate between good bots and bad bots
  • Scanning application source code for vulnerabilities and fixing them or using a preventive measure such as deploying application firewalls
  • Encrypting the data at rest and in motion; and
  • Preventing malicious access by validating users before they can access an application

Analytics and visibility: When deploying microservices that may affect many applications, proactive monitoring, analytics, and troubleshooting are critical for catching problems before they become business disruptions. Monitoring may include information about a microservice such as latency, security issues, service uptime, and problems of access.

Not only are proactive monitoring and troubleshooting through actionable insights helpful in configuring the appropriate technical capability to address the issue at hand, but this visibility into application performance is also important for cost savings (for example, to de-provision unused resources when not needed or to mitigate an attack in progress).

Automation: Although there are many benefits to a container-based application, it is a challenge to quickly roll out, troubleshoot, and manage these microservices. Manually allocating resources for applications and reconfiguring the load balancer to incorporate newly instantiated services is inefficient and error-prone. It becomes problematic at scale, especially for services that have short lifetimes.

In addition, cross-domain services that span networking, application and security require collaboration across teams, often creating conflicts and delays in testing and provisioning. Even more difficult is the learning curve across these different domains. Rolling out new services that are secure and high-performance requires deep IT expertise and familiarity with the quirks of various systems.

Automating the deployment of services quickly becomes a necessity. Automation tools transform the traditional manual approach into simpler automated scripts and tasks that do not require deep familiarity or expertise.

Cost Predictability: Flexible licensing is one of the critical non-negotiable elements to consider. As you move application delivery services and instances to the cloud when needed, you should be able to reuse existing licenses across a hybrid deployment. Many customers initially deploy on public cloud, but cost unpredictability becomes an issue once the services scale with usage.

Any journey from a physical data center to the cloud requires careful thought, education and investment in new capabilities to enable migration to the new environment. As applications change in how they are designed, built, deployed and consumed, application delivery infrastructures have evolved to address the non-negotiables for applications in continuous delivery/integration, hybrid and multi-cloud deployments.

About Radware

Radware (NASDAQ: RDWR) is a global leader of application delivery and application security solutions for virtual, cloud and software defined data centers. Its award-winning solutions portfolio delivers service level assurance for business-critical applications, while maximizing IT efficiency. Radware’s solutions empower more than 10,000 enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity and achieve maximum productivity while keeping costs down. For more information, please visit www.radware.com.

The post Cloud Migration – Challenges & Ways to Overcome Them appeared first on Proche.
