Our other trends are here:
On December 14th, Imperva's CTO Amichai Shulman will be hosting a webinar, talking you through the ADC's predictions. To register, click here.
Trend #7: DDoS Moves Up the Stack
Distributed Denial of Service (DDoS) attacks are gaining popularity and were part of high profile hacking campaigns in 2011, such as the Anonymous attacks. We predict that in 2012 attackers will increase the sophistication and effectiveness of DDoS attacks by shifting from network level attacks to application level attacks, and even business logic level attacks.
A Denial of Service (DoS) is a relatively old attack aimed at data availability by exhausting the server's computing and network resources. Consequently, legitimate users are denied service. A Distributed Denial of Service (DDoS) is an amplified variation of the DoS attack, where the attacker initiates the assault from multiple machines to mount a more powerful and coordinated attack.
Today, DoS attacks require the attacker to invest in a massively distributed network which can create enough traffic to eventually overwhelm the victim’s resources. At the other end of the DoS spectrum, there's the SQL shutdown command. An attacker exploiting an application vulnerability can use this particular command to shut down the service using just a single request, initiated from a single source, which, from the attacker’s perspective, proves cheaper and is just as effective. Historically, we have seen DoS attacks gradually climb up the protocol stack. From the most basic Network layer (layer 3) attacks, such as the UDP Flood, through the Transport layer (layer 4) with SYN flood attacks. In the last years, we also saw the HTTP layer (layer 7) being targeted with such attacks as the Slowloris in 2009and RUDY attack in 2010.
We predict that in 2012 we will see hackers advance one more rung. This means creating DDoS attacks by exploiting web application vulnerabilities, or even through web application business logic attacks (Such an attack can be performed by profiling the victim web application for resource consuming operations, such as searching a large database, and then constantly applying that operation to deplete the victim server resources). Indications for this trend are already emerging. For example, the #RefRef tool, introduced in September 2011, exploits SQL injection vulnerabilities used to perform DoS attacks.
There are several reasons attackers are moving up the stack:
- Decreasing costs. In the past, attackers have taken the "brawn over brains" attitude. This meant that they simply inundated the application with garbage-like requests. However, these type of attacks require a large investment on the attacker’s side, which include distributing the attack between multiples sources. In time, hackers have discovered that they can add "brains" to their attack techniques, significantly lowering the heavy costs associated with the "brawn" requirements.
- The DoS security gap. Traditionally, the defense against (D)DoS was based on dedicated devices operating at lower layers (TCP/IP). These devices are incapable of detecting higher layers attacks due to their inherent shortcomings: they don't decrypt SSL, they do not understand the HTTP protocol, and generally are not aware of the web application. Consequently, the attacker can evade detection in these devices by moving up the protocol stack.
The good news is that enterprises can prepare themselves against these application-targeted DoS attacks. How? By adding application-aware security devices, such as Web Application Firewalls (WAFs). These devices can decrypt SSL, understand HTTP and also understand the application business logic. They can then analyze the traffic and sift out the DoS traffic so that eventually, the business receives – and serves- only legitimate traffic.