Encryption is one of the most basic necessities in the security arsenal. It’s what makes it possible for banks to offer online banking and funds transfers, or for consumers to make purchases online using their credit or debit cards. It’s what protects the public’s online interaction with government agencies or health care providers. It should surprise no one, however, that encrypted services are prime targets of DDoS attacks. Such services enable access to a wealth of personal, confidential, and financial data. Identity thieves and cyber criminals can have a field day if they succeed in breaking web service encryption.
According to NETSCOUT Arbor’s 13th Annual Worldwide Infrastructure Security Report (WISR), attacks targeting encrypted web services have become increasingly common in recent years. Among enterprise, government, and education (EGE) respondents, 53% of detected attacks targeted encrypted services at the application layer. And 42% of respondents experienced attacks targeting the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocol governing client-server authentication and secure communications. Among service providers, the percentage seeing attacks targeting secure web services (HTTPS) rose significantly over the previous year, from 52% to 61%.
The Four Key Encryption Attack Types
DDoS attacks targeting encrypted services tend to fall into four categories:
- Attacks that target the SSL/TLS negotiation, commonly known as the “handshake,” which determines how two parties to an internet connection will encrypt their communications.
- Protocol or connection attacks against SSL service ports, which seek to exploit SSL vulnerabilities.
- Volumetric attacks targeting SSL/TLS service ports, which overwhelm port capacity with high volume traffic floods.
- Application-layer attacks against the underlying service running over SSL/TLS.
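As an added illustration from the defender's side (not code from the report or from NETSCOUT's products), the following Python triage maps constructed per-source TLS telemetry for a one-minute window onto the four categories above. The telemetry fields and the thresholds are assumptions; a real deployment would derive them from its own baseline.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed per-source counters for connections to TCP/443 over one window.
# Field names are hypothetical, not a real product's log format.
@dataclass
class SourceStats:
    src: str
    hellos: int       # TLS ClientHello messages seen from this source
    completed: int    # handshakes that reached Finished
    bytes_in: int     # bytes received on port 443
    requests: int     # HTTP requests issued inside completed sessions
    malformed: int    # TLS records the server rejected as malformed

# Illustrative thresholds (assumed), tuned per deployment in practice.
HELLO_FLOOD_MIN = 200            # handshake category: many hellos ...
HANDSHAKE_COMPLETION_MAX = 0.2   # ... that rarely complete
MALFORMED_MIN = 50               # protocol category: malformed records
BYTES_FLOOD_MIN = 50_000_000     # volumetric category: raw byte volume
REQUESTS_PER_SESSION_MAX = 500   # application category: requests/session

def classify(s: SourceStats) -> List[str]:
    """Return the attack categories a source's window matches (may be empty)."""
    findings = []
    # Check hellos first so the completion ratio is never computed on zero.
    if s.hellos >= HELLO_FLOOD_MIN and s.completed / s.hellos <= HANDSHAKE_COMPLETION_MAX:
        findings.append("handshake")
    if s.malformed >= MALFORMED_MIN:
        findings.append("protocol")
    if s.bytes_in >= BYTES_FLOOD_MIN:
        findings.append("volumetric")
    if s.completed and s.requests / s.completed >= REQUESTS_PER_SESSION_MAX:
        findings.append("application")
    return findings

def triage(window: List[SourceStats]) -> Dict[str, List[str]]:
    """Map each flagged source to its categories; clean sources are omitted."""
    result = {}
    for s in window:
        found = classify(s)
        if found:
            result[s.src] = found
    return result

# Constructed sample window: one source per category plus one legitimate client.
SAMPLE_WINDOW = [
    SourceStats("198.51.100.7", hellos=5000, completed=12, bytes_in=3_000_000, requests=10, malformed=0),
    SourceStats("198.51.100.44", hellos=120, completed=0, bytes_in=500_000, requests=0, malformed=110),
    SourceStats("192.0.2.66", hellos=3, completed=0, bytes_in=80_000_000, requests=0, malformed=0),
    SourceStats("203.0.113.9", hellos=40, completed=40, bytes_in=1_000_000, requests=45_000, malformed=0),
    SourceStats("192.0.2.200", hellos=300, completed=250, bytes_in=2_000_000, requests=900, malformed=0),
]
```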
Attackers are unrelenting in their assaults on high-value encrypted targets. Given the critical nature of most encrypted applications and services, a single successful attack can have devastating consequences. The breadth, variety, and escalation of attacks on secure web services heighten the need for a multi-layered defensive posture, with capabilities to detect and mitigate the full range of today’s attack types.
Fighting Fire with Fire: Foiling Encrypted Attacks
To make matters even more challenging for security teams, attackers often use SSL/TLS encryption themselves to hide their nefarious activity. A high volume of internet traffic moves among networks without being detected or inspected, making it easy for malicious actors to hide amid legitimate traffic, preparing to unleash attacks on secure HTTPS services. A key component of the security arsenal, therefore, is the ability to inspect encrypted traffic securely and attest to its authenticity without slowing, disrupting or compromising legitimate traffic. While decryption is not always necessary for successful mitigation, there is clearly a growing need for scalable solutions for decrypting packets.
One positive conclusion coming out of the 13th WISR is that both service providers and enterprises are recognizing that traditional firewalls and intrusion prevention systems are insufficient in confronting sophisticated DDoS attacks – particularly encrypted attacks targeting encrypted services. Encryption is essential, but cannot be relied upon on its own to thwart determined and sophisticated attackers. Operators and hosts of secure web services increasingly recognize the need for purpose-built Intelligent DDoS Mitigation Systems (IDMS) as the only effective option for mitigating DDoS attacks. Best practices call for a layered approach combining always-on, on-premises defenses with cloud-based mitigation capabilities that activate automatically based on the size and nature of the threat.
Reputational and brand damage are frequently cited as the worst consequences of a DDoS attack. Nothing could be more damaging to an organization’s reputation than to compromise the secure services that consumers have come to trust and rely upon every day with hardly a second thought. Institutions need to take measures that go beyond encryption to ensure the integrity and availability of their most critical services.