Security Experts:

Radware Warns Attackers Will Use More DDoS Attack Tools And Techniques

DDoS Attacks Getting More Complex

Distributed-denial of service (DDoS) attacks are becoming increasingly sophisticated and severe as perpetrators adopt new techniques, Radware said in its year-end report.

Server-based botnets, encrypted layer attacks, attack tool kits, and attacker-for-hire services are some of the new methods being used in DDoS attacks, Radware researchers said in the 2012 Global Application and Network Security Report released Jan. 22. The in-depth report also included the results of the Radware Security Survey.

Attackers are launching attacks that last days or weeks, and security teams don't always have the resources to mitigate attacks over a prolonged period, according to Radware's Emergency Response Team (ERT). Security professionals invest in security before the attack starts and conduct excellent forensics after the attack ends, Radware's ERT said. However, there is one "vulnerable blind-spot" because they don't have the capabilities to sustain defense efforts against complicated campaigns while they are in progress, Radware said.

"In today‘s security environment, most organizations are bringing a knife to a gunfight," Radware said.

This was a concern, since Radware found that attacks are not just lasting longer, but are much more complex. To illustrate the increasing sophistication of these attacks, the company unveiled the Advanced Persistent Threat score, a 10-point scale which quantifies and qualifies the force, sophistication, and persistence of the attack. Radware found that 58 percent of attacks in 2012 scored a 7 or higher in complexity on the APT scale, compared to a mere 23 percent of attacks in 2011. From only 30 percent of attacks scoring higher than 3 in terms of severity in 2011, Radware found over 70 percent of attack in 2012 had APT scores of 3 or higher.

“The Radware ERT sees hundreds of DoS/DDoS attacks each year, and we’ve found attacks lasting more than one week have doubled in frequency during 2012,” Avi Chesla, chief technology officer at Radware, said in a statement.

Radware ERT outlined some of the new attack methods used in 2012, including the shift towards DDoS botnets made up of multiple Web servers in different geographic locations. Since servers generally have a larger bandwidth pipe and better processors, attackers can launch more powerful DDoS attacks by commandeering a handful of these systems, rather than trying to harvest hundreds and thousands of client computers. Small server-based botnets produce the same attack traffic as a large client-based botnet, and are more reliable as the servers are on 24/7.

The waves of attacks against U.S. financial institutions appear to be coming from a server-based botnet. Radware predicts these types of botnets will gain in popularity in 2013. Organizations need to ensure their defenses are going to be able to withstand these scaled up attacks.

Even though 70 percent of companies who use Content Delivery Networks believe CDNs can be used to defend against DDoS attacks, the story appears to be not as simple. In recent attacks, the CDN was easily bypassed by changing the page request in every Web transaction, Radware said.

Attackers also increasingly attacked the application and encryption layers in 2012, Radware said. Attacks launched Secure Socket Layer (SSL) attacks that can escape detection and remain hidden until it is already too late.

Attackers have managed to "weaponize the encryption layer," Radware said.

The number of sites devoted to helping attackers "do it yourself," with new tool kits and online tutorials, have reached "commodity market proportions," Radware said. The tool kits and attacker-for-hire services are available to just about anyone, regardless of technical expertise, for as little as $10. "This has significantly reduced the barrier of entry for individuals or organizations to launch an attack," Radware said.

Today's attacks are carefully planned, last days or weeks, and switch between multiple attack vectors, Radware said. In contrast, organizations are focusing on defenses that absorb as much of the attack traffic during the "first strike," and even for the "second strike," but then fall after a period of time. The server under attack, the firewall, and the Internet pipe are the bottlenecks in DDoS attacks, Radware found.

Of the organizations ERT analyzed for the report, over half felt their organization was likely to be attacked, very likely to be attacked, or possible to be attacked, by cyber-warfare. Despite the time and effort spent to prepare beforehand, a little less than 20 percent felt they were well-protected or would be able to successful fend off the attacks. Half of the organizations felt there would be some impact, Radware said.

Placed alongside the latest survey from Corero Network Security of 650 IT and security professionals at 351 banks, Radware's numbers looks even more serious. According to Corero's survey, 48 percent of the respondents said their banks had suffered multiple DDoS attacks in the past 12 months. Nearly half said they had insufficient personnel, expertise, and security technology in order to deal with these attacks.

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.