Thursday, August 18, 2011

[Juniper] Anomaly Detection and DPI Defend Against Application-Layer DDoS

Raju Manthena, from Juniper's Security Services and Research team published a new article to Juniper's "Networking & Security Now" blog about "Application-layer Denial of Service" (here).

"Sony PlayStation Network experienced Distributed Denial of Service (DDoS) attacks that compromised millions of user accounts and resulted in 3 weeks of outage [see "PlayStation Network Outage the Worst Service Outage Ever?" - here - and chart below] ... Application-layer DoS exploits vulnerabilities in application software such as buffer overflows or null pointer dereferences in database or web server software. These attacks can appear to be legitimate application-layer traffic and are not easily detectable. Although a single or slow application request rate may trigger DoS, DDoS involves engaging large botnets (with millions of nodes) to send minimal per-client traffic that is large enough to overwhelm and exhaust application resources".

According to Arbor Networks' "Network Infrastructure Security Report" (here, registration required) - "Application-Layer DDoS Attacks Are Increasing in Sophistication and Operational Impact ... IDC and mobile/fixed wireless operators in particular are reporting significant outages, increased OPEX, customer churn and revenue loss due to application-layer DDoS attacks. These attacks are targeting both their customers and their own ancillary supporting services, such as DNS, Web portals, etc" (see chart).

Back to Juniper's article - "The ability to defend against application-layer DoS attacks and implementing an optimal mitigation solution relies on understanding the nature of the attack and the objectives of the attacker. Using information collected by Network/Application Anomaly Detection, Deep Packet Inspection (DPI/IPS), and Network Access Control systems, it may be possible to identify attack traffic. Depending on the nature of attack, several mitigation strategies need to be considered".
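The two points the quoted text makes, that a distributed attack keeps per-client traffic minimal while the aggregate exhausts the application, and that a single slow request pattern can do the same, are what a simple application-layer anomaly detector has to separate. The following is an added example, not code from Juniper's article or from this blog: it runs a windowed baseline comparison over a constructed web-server access log. The log format, the field names, and every threshold (baseline requests per second, per-client limit, slow-request cutoff) are assumptions chosen for the example, not values from the page or from any Juniper product.

```python
"""Added example: windowed anomaly detection over constructed access-log lines.

Three conditions are distinguished per time window:
  * a normal window (aggregate rate near baseline),
  * a single-source flood (one client above the per-client limit),
  * a distributed low-rate flood (aggregate far above baseline while every
    client stays under the per-client limit), which a per-client rate limit
    alone would never catch,
plus a slow-request anomaly (few requests, but each holds the server for a
long time).  Format and thresholds are assumptions for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse the constructed format:
    '<client_ip> <ISO-8601 timestamp> <method> <path> <status> <duration_ms>'."""
    ip, ts, method, path, status, dur = line.split()
    return {"ip": ip, "ts": datetime.fromisoformat(ts), "method": method,
            "path": path, "status": int(status), "duration_ms": int(dur)}


def analyze(entries, window_s=10, baseline_rps=2.0, burst_factor=3.0,
            per_client_rps_limit=5.0, slow_ms=5000, slow_min=3):
    """Group entries into fixed windows and classify each window.

    baseline_rps is assumed to come from an earlier learning period; here it
    is simply a constructed constant.  Returns one report dict per window.
    """
    if not entries:
        return []
    t0 = min(e["ts"] for e in entries)
    windows = defaultdict(list)
    for e in entries:
        key = int((e["ts"] - t0).total_seconds() // window_s)
        windows[key].append(e)

    reports = []
    for key in sorted(windows):
        batch = windows[key]
        per_client = Counter(e["ip"] for e in batch)
        aggregate_rps = len(batch) / window_s
        max_client_rps = max(per_client.values()) / window_s
        slow = sum(1 for e in batch if e["duration_ms"] >= slow_ms)

        if slow >= slow_min:
            verdict = "slow-request anomaly"
        elif aggregate_rps > baseline_rps * burst_factor:
            if max_client_rps > per_client_rps_limit:
                verdict = "single-source flood"
            else:
                # Many clients, each well under any sane per-client limit:
                # only the aggregate-vs-baseline comparison reveals it.
                verdict = "distributed low-rate flood"
        else:
            verdict = "normal"

        reports.append({"window": key, "requests": len(batch),
                        "aggregate_rps": aggregate_rps,
                        "distinct_clients": len(per_client),
                        "max_client_rps": max_client_rps,
                        "slow_requests": slow, "verdict": verdict})
    return reports


def build_sample_log():
    """Constructed sample log (not real traffic): 10 s of normal browsing,
    then 10 s in which 200 distinct addresses send one request each, then
    5 s of a single client holding requests open for 30 s apiece."""
    base = datetime(2011, 8, 18, 12, 0, 0)
    lines = []
    for i in range(10):  # normal: ~1 request/s from three clients
        ts = base + timedelta(seconds=i)
        lines.append(f"10.0.0.{i % 3 + 1} {ts.isoformat()} GET /index.html 200 40")
    for i in range(200):  # distributed: 0.1 req/s per client, 20 req/s total
        ts = base + timedelta(seconds=10 + i * 0.05)
        lines.append(f"192.0.2.{i + 1} {ts.isoformat()} GET /search 200 40")
    for i in range(5):  # slow: one client, each request held for 30 s
        ts = base + timedelta(seconds=20 + i)
        lines.append(f"203.0.113.7 {ts.isoformat()} POST /upload 200 30000")
    return lines


if __name__ == "__main__":
    for r in analyze([parse_line(l) for l in build_sample_log()]):
        print(r)
```

Running the block prints one report per 10-second window: the first window is "normal", the second is flagged as a "distributed low-rate flood" even though no client exceeds 0.1 requests per second, and the third is a "slow-request anomaly" despite an aggregate rate of only 0.5 requests per second. In practice the baseline would be learned per endpoint and time of day rather than fixed, and the windows would be aligned to the traffic the DPI or anomaly-detection system is actually fed.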

1 comment:

  1. Sorry, but this is not correct. PSN network was brought offline while the vulnerability was fixed internally; this outage is not due to DDoS but rather a suspension of service during security review (albeit an emergency review, however Juniper and Arbor had little or nothing to do with the eventual solution to the actual attack which compromised the user accounts).

    Whilst I agree that DDoS attacks are increasingly becoming focussed at the application layer, most attacks which I have seen recently (particularly those associated with Anonymous) have been very much mixed in nature - some traffic is traditional DDoS (SYN flood etc), but the greatest threat is due to application attacks such as SQL injection, brute force password guessing, and the emerging range of L7 HTTP DoS tools - Slowloris, SlowPOST, KillApache, Keep-Dead, and others. These attacks are simple to modify such that signatures don't work; and in fact can be conducted over SSL with a minimum of bandwidth consumption which hides them from most mitigation technologies.

    Be very careful when accepting a network security vendor's claims relating to application security.