• United States



Akamai researchers on BroBot DDoS and adversarial resilience

Apr 22, 20134 mins
Application SecurityCloud SecurityCybercrime

Two of the more interesting talks I attended during SOURCE Boston 2013 were from Akamai.

I wrote quite a bit about SOURCE Boston 2013 last week. As always, the event was full of top-notch content. This last post on SOURCE is about two of the more interesting talks I attended, both from researchers at Akamai.

I chose these presentations because I’m always fascinated by the data Akamai has access to. At last check, the company was handling tens of billions of daily Web interactions for 90 of the top 100 online U.S. retailers, 29 of the top 30 global media and entertainment companies, nine of the top 10 world banks, and all branches of the U.S. military.

The first talk, by Akamai Senior Security Architect Eric Kobrin, was an analysis of the BroBot DDoS attacks that have targeted the banking sector. The attacks are something we’ve reported on extensively at CSO, and much of what he said was no surprise.

[Recent bank attack stories: Banks can only hope for the best with DDoS attacks | Wells Fargo recovers after site outage | Theories mount on bank attacks, but experts stress defense | Arab hackers attack Western websites over film | Best defense against cyberattacks is good offense, says former DHS official]

We knew, for example, that:

–The amount of bandwidth flooding websites was substantial. Akamai CSO Andy Ellis recently wrote that BroBot botnets are routinely tossing around 30 Gbps attacks, with peaks upwards of 80 Gbps.

–The DDoS attacks are crude, exploiting large networks of compromised machines to overwhelm a website with requests. 

–The battle often comes down to the amount of bandwidth a banking site has and whether it is large enough to withstand traffic from the botnet and customers. “If the attacker can find a way to exhaust the resources of any business critical component of the system, they win,” Jeremiah Grossman, chief technology officer for Whitehat Security, recently told writer Antone Gonsalves.

But Kobrin offered some fresh color to the picture.

For example, he noted, the compromised machines often get that way because attackers were able to own them through security holes in the online content management systems (CMS) content publishers take for granted. The WordPress interface you use to blog? It could have been used to make your computer part of the botnet, and it’s something you would not notice. That vanity email domain you opened for yourself? That’s an easy target, too.

One of the problems is that the hosted service providers build sites to be as accessible as possible and to make them easy for Google to index. As you’ve heard by now, accessibility and security are often at odds.

“There is no single cause,” Kobrin said. “A half a dozen failures have to happen along the way.” One such failure is a lack of routine patching. Another failure is that admin access is often easy to get.

What to do about all this? Kobrin offered this advice:

–Banks can build a more defensible online infrastructure, get a better handle on all the apps in its system and build closer relationships with its hosting providers, since attacks usually come from trouble on the provider’s side of the court.

–CMS users can be more diligent in adding patches as they’re released, and remove unused plug-ins. The more customized your site is, the more plug-ins you probably have sitting there. Users can also add IDS and turn off unused sites.

–Hosting providers can set up safer defaults, offer automatic updates and offer a fully managed CMS.

The other talk, by security researcher Christian Ternus, was about Akamai’s Adversarial Resilience program. The goal: better protect Akamai’s customers by thinking like those who those who attack them.

“At Akamai the attack surface is huge,” Ternus said. “As the bad guys attack our customers, we are constantly being tested to see if our systems are good enough. What’s needed then is resilience — the ability to adapt. Our job is to think and act like the adversary to make Akamai safer.”