By Eliot Beer
Denial of service attacks are on the rise, and Middle Eastern organisations are as much at risk as any others. But network managers are fighting back using new security techniques and a growing awareness of how the attackers operate.
One of the truisms about the Middle East IT sector is that it remains around five years behind Europe and the US, in terms of technological trends. But when it comes to the internet and its many and varied security threats, the region is as vulnerable as anywhere else in the world – more so if organisations here are not up-to-date with patches and definitions for network devices.
And for organisations which do some or all of their business online, one of the most potentially devastating threats comes in the form of a denial of service (DoS) attack. Around the world organisations have been faced with anonymous, virtually untraceable attackers trying to shut down or otherwise compromise their systems, or even extort money.
The basic principle behind DoS attacks has not changed since the early days of the commercial internet – the main difference is the scale of the attack now. “Two years ago the attacks we were seeing were consumption-type attacks, and they were at a much lower level,” says Keith Laslop, president of Prolexic Technologies. “When I started in this sector in 2004, the largest attacks we saw were SYN floods, and the largest sizes we saw were in the 800Mbit to 1Gbit range. Now we see the same type of attack, but in the 8-10Gbit range.
“Given that people the world over are moving much more to broadband, and the attackers are getting much more clever – instead of straight PCs, we’ve seen webservers used for attacks, which while they’re easier to shut down, they potentially have a 100Mbit feed directly into the internet, in both directions. It doesn’t take many webservers to launch a 10Gbit attack,” adds Laslop.
Prolexic, a US-based company, offers a ‘traffic cleansing’ service to organisations suffering from DoS attacks. It operates three data centres around the world, and is planning on opening two more in the near future, with a third to follow after that. Laslop claims the company offers a superior service to locally-based hardware solutions, because Prolexic can absorb much more extensive attacks – into the tens of gigabits – than is possible for a local system. The company also sells itself on the specialist staff it has available to monitor attacks constantly, and adapt systems to combat them.
This approach solves one of the key issues with current DoS attacks, especially the increasingly-problematic distributed denial of service (DDoS) variant, where an attacker uses a botnet of hundreds, or sometimes thousands of machines hijacked through the use of malicious worms. DDoS attacks are simply designed to overwhelm an organisation’s bandwidth, so however effective a company’s internal DoS defences are, the attack has done its job by simply making it to the corporate network.
“Bandwidth attacks are more problematic, particularly in this region because of the lower bandwidth levels on offer here, compared to other areas of the world; if an organisation is targeted on its bandwidth, it would be fairly easy to overwhelm it,” says Bjorn Kalle, systems engineer at security vendor Fortinet.
He suggests an alternative DoS mitigation method to complete outsourcing: “One option that a lot of organisations are using is to have specific internet links for different services; you might have multiple links going into the organisation’s security device – one of these is for email, it does nothing other than email – another link is for browsing. So even if someone makes an attack against the email line, browsing is unaffected, and you can even bring in another backup line which could be activated.”
Kalle acknowledges that often the damage is already done, though, and the best way in an ideal world to mitigate a DDoS attack is to liaise with the bandwidth provider – usually a telecoms company in the Middle East – to get them to divert or ignore the offending traffic. But telcos around the world are often reluctant to offer this type of service, due to the high demands it can place on their systems, and the issue of providing SLAs for the attack prevention – a provider could end up liable for damages if it misses an attack on one of its customers.
Here in the region, while telcos do not commonly offer DoS prevention services, they do work with target organisations to attempt to prosecute the attackers. Mindscape, the IT division of Mashreqbank, regularly liaises with Etisalat to gather information about attacks, and pass them on to the relevant authorities – generally DoS attacks will not originate from the same country as the target, and the attacking ‘zombie’ hosts will almost certainly be scattered around the world.
Vincent Fernandes, a manager at the information security section of Mindscape, says there is not much that can be done for shorter attacks, beyond reporting the activity afterwards: “If a DoS is happening for a shorter duration – say 15 or 20 minutes – there is nothing much a solution can do at the moment. It can reduce the TCP window sizing, but actually it cannot take much action, unless the attack is of a longer duration.”
Fernandes says one of the most effective tools Mindscape has against DoS attacks, especially ones targeted at specific software vulnerabilities or exploits, is a robust policy structure for hosting services and applications.
“A key part of our DoS prevention strategy is to have effective policies in place,” he says. “For example, whenever we host anything online it has to go through a security assessment process where the information security team will assess the whole application or service, and identify all the weak points – based on their report, management will make a decision on whether or not to host the service. There are similar policies for the email system as well.”
One of the main changes which has occurred with DoS attacks over the past two years is the increase in highly-targeted attacks against specific organisations. This follows the same trend which has seen far fewer virus, trojan and worm variants which are aimed at mass destruction, while specific, more tailored attacks have proliferated.
“There are three reasons why an organisation might be attacked,” says Patrick Hayati, regional director of McAfee Middle East. “The first is for financial gain – it could be for blackmail, it could be a competitor trying to disable a service, it could be a disgruntled employee. The second attack is random – someone created a worm, and it just so happened that the worm attacked that organisation. The third is obviously a more targeted attack – someone decides to target bank A, or organisation B, for whatever reason, malice or financial.
“It used to be the second type of attack we saw most commonly, but now the third type – very focused attacks – are becoming the norm. This is not a case of an attacker saying ‘we are targeting banks’, but saying ‘we are targeting that specific bank’ – an organisation targeted by name, specifically. There are technologies out there which can determine organisations which are more susceptible to attacks, and it is these organisations that get targeted.”
One of the problems with DoS attacks is the lack of hard statistics to say which companies have been targeted, and how – very few organisations are willing to go into details of security issues – but as yet the Middle East has not seen any of the high-profile blackmail cases against major online businesses, as has happened in Europe and the US. Just because the publicity around attacks is lower here, though, doesn’t mean organisations should think they are safe.
“Any organisation connected to the internet is subject to attack – it would be a surprise if an organisation wasn’t attacked. It’s a matter of when, not if,” says Anwer Kotob, senior systems engineering manager at Cisco Systems. “Luckily there haven’t been any major DoS attacks in the region, at least nothing that was successful. There have been attacks which were painful for the organisations concerned, and which caused them to revisit their IT security infrastructures, but didn’t cause them any
He gives the example of one – unnamed – organisation in the Middle East which suffered a DoS attack: “An organisation’s email service started to suffer – people weren’t able to connect to their email, and the problem started to spread. On closer checking, it was obvious they were being subjected to a DoS attack; in this case it was a distributed denial of service (DDoS) attack, which makes it even more difficult to recover from.
“It took a good couple of days for the organisation to recover fully from the attack, and its users could feel the impact; luckily their whole system did not go down, so it was not obvious to the general public that there had been an attack. For the operations team, it meant close to 48 hours’ non-stop dealing with the attack. Since then the company has brought in more elaborate protection schemes that are a lot more suitable for dealing with DoS attacks.”
One area which has evolved is the ability to at least detect attacks in progress. Indeed, McAfee’s Hayati believes this is one of the key reasons behind the dramatic increases in reported attacks, with previously-unidentified incidents now identified for what they are, rather than simply a ‘slow’ day for email or web browsing, for example.
For attacks other than DDoS, network-based appliances are much more effective, but it is still a major challenge to stay on top of the wide range of vulnerabilities, exploits, malware and other potential security holes.
“We never used to see any targeted attacks at all; it’s really in the last year and a half that we’ve seen targeted attacks using HTTP GET or some of the more innovative DNS attacks,” says Prolexic’s Laslop. “I think it will continue to go back and forth between bandwidth and exploit attacks, in terms of the attackers’ choice.”
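The two attack shapes the article names, SYN floods and HTTP GET floods, leave different traces in traffic, and the detection capability Hayati describes comes down to counting those traces per time window. The following is an added example, not code from the article or from any vendor quoted in it: it runs two simple window-based detectors over constructed packet summaries (the record layout, thresholds and addresses are assumptions for illustration).

```python
"""Toy detectors for a SYN flood (many half-open handshakes) and an HTTP GET
flood (request rate far above baseline), run over constructed packet summaries."""
from collections import Counter, defaultdict

# Record layout (assumed): (seconds, src_ip, flags, http_path)
#   flags: "S" = SYN, "A" = ACK; http_path is None for packets carrying no request.


def build_sample():
    """Constructed sample: 20 s of benign traffic, then a SYN burst, then a GET burst."""
    pkts = []
    for t in range(0, 20, 4):  # five clients, each completing a handshake and one fetch
        ip = f"203.0.113.{t + 1}"
        pkts += [(t, ip, "S", None), (t, ip, "A", None), (t, ip, "A", "/index.html")]
    for i in range(300):  # 300 SYNs in one second, no ACKs ever follow
        pkts.append((25, f"198.51.100.{i % 250}", "S", None))
    for i in range(200):  # one path requested 200 times in 5 s from 40 hosts
        pkts.append((30 + i % 5, f"192.0.2.{i % 40}", "A", "/login"))
    return pkts


def syn_flood_windows(pkts, window=10, min_syn=50, max_completion=0.2):
    """Window starts where SYNs are numerous and few are followed by an ACK."""
    syn, ack = Counter(), Counter()
    for t, _, flags, _ in pkts:
        w = t // window * window
        if flags == "S":
            syn[w] += 1
        elif flags == "A":
            ack[w] += 1
    return sorted(w for w in syn if syn[w] >= min_syn and ack[w] / syn[w] < max_completion)


def get_flood_windows(pkts, window=5, max_per_sec=10):
    """(window_start, path, distinct_sources) where one path's request rate is excessive."""
    counts, sources = Counter(), defaultdict(set)
    for t, ip, _, path in pkts:
        if path is None:
            continue
        key = (t // window * window, path)
        counts[key] += 1
        sources[key].add(ip)
    return sorted((w, p, len(sources[(w, p)]))
                  for (w, p), n in counts.items() if n / window > max_per_sec)


if __name__ == "__main__":
    sample = build_sample()
    print("SYN flood windows:", syn_flood_windows(sample))      # [20]
    print("GET flood windows:", get_flood_windows(sample))      # [(30, '/login', 40)]
```

The distinct-source count in the GET result is what separates a distributed flood from a single misbehaving client, which matters when deciding whether rate-limiting one address will help.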
And as for the future of DoS attacks, Laslop looks to voice: “Voice over IP is in the same state of security as web traffic was eight years ago – there’s going to be a huge potential to attack VoIP, and then IP TV will become a big target as well.”