A Thief’s Perspective #5: Network and Resource Abuse Methods

Understanding the attack methods and techniques of bad guys provides valuable insights that can help you refine your security posture. This five-part series looks at attacks from a thief’s perspective and shows you how the latest security technologies can block them.

Cyber-criminals are the Hyenas of the Digital Ecosystem (my sincerest apologies to hyenas).

Cyber-criminals are perpetual scoundrels and opportunists who seek out easy prey and only attack when they find weak defenses. Increasingly, they go for the kill using Distributed Denial of Services (DDoS) attacks. Using this attack method, a thief with only a small collection of PC clients can bring down most websites by overwhelming server resources with excessive or malicious connection requests. These attacks are often associated with politically motivated hackers or brazen extortionists who demand ransoms to call off attacks and restore a company’s Internet presence.

Unfortunately, DDoS attacks are on the rise. Close to 109 Million DDoS attacks were detected in 2014, which represents 50 percent year-over-year growth. This astounding growth shouldn’t be too surprising considering the variety of DDoS toolkits available today—some of which are available for as little as $50. In fact, for $6 in Bitcoin, a thief can rent time on a DDoS tool and bring down most websites.

By understanding how these digital hyenas stage attacks you can strengthen your security posture and keep them from laughing at your expense.

Keep a Watchful Eye on Infrastructure and Application Performance

In DDoS attacks there’s nothing abnormal about the traffic itself, as thieves use standard traffic in malicious ways. To effectively mitigate DDoS attacks, scanning engines must inspect the application layer as well as scan and analyze traditional infrastructure traffic. Both of these protections must also work in concert with global threat intelligence feeds to isolate origination sites known for malicious activity.

  • Infrastructure Protection requires three core capabilities. Traffic Behavior Learning must understand normal network traffic and identify unusual changes in traffic patterns. Volumetric Analysis must track and recognize malicious changes in traffic volumes and limit the amount allowed through to the web server. Network Traffic Limiting capabilities are required for administrators to compensate for DDoS traffic patterns.
  • Application Protection requires several IPS capabilities to protect against layer-seven attacks. Web Server Protection must provide both signature scanning and advanced heuristics traffic analysis of incoming SSL traffic. HTTP Application Protection is required to safeguard point HTTP. In addition, Challenge and Response capabilities allow the security solution to send a challenge packet back to a connection host. Since the packet’s required response can only be generated by a browser, this technique effectively identifies whether a person or a bot is attempting to connect, allowing only valid traffic to reach the web server.

Learn more about how bad guys wage DDoS attacks—including what you can do about it. Check out the new Intel Security Tech Brief: A Thief’s Perspective on Network Abuse Attack Methods.

Leave a Comment

20 + 3 =