June 12, 2014

The Never-Ending Cup of Cyber Security

Another four years has passed and the world’s biggest football tournament has come again–on schedule and spectated around the globe. Fans cheer while their teams gather in Brazil to compete with one another, but even top teams like Argentina and Brazil are kept on their toes and need to bring their best performance to fend off challenging underdogs, because all teams are playing by the same fair, transparent rules.


In the cyber security world, however, attacks can come at anytime and from anywhere. They often go unnoticed, and the playing ground is anything but fair. Online businesses owners must pay even more attention to the performance of their security teams than they do to that of their favorite football team, because when their security team loses a match, their businesses are put at risk.


A typical football game can last for 90 minutes, or 120 minutes when there is 30 minutes overtime. DDoS attacks, however, can drag on for as long as a week–the attacker does not stop until he or she achieves his or her goal of taking down the target website or realizes that it is not possible. Thus, preparation for DDoS attacks is based on neither the shortest attack or most typical attack, but based on handling worst case security scenarios and enhancing the weakest link in the team.


Nonetheless, there are many common characteristics between football games and DDoS attacks, in both team structure and defense strategies.


Team roles and responsibilities

The roles in football are quite clear, but the borders can be blurred at times. For example, a player primarily playing a forward role can also act as defense, or even a goalkeeper in extreme cases. In security operations, there is a certain segregation of duties, but the entire team is generally classified by layers or tiers, just as there are forward, midfielder, defender and goalkeeper roles in football.


Security teams play largely on the defense side. The centerback in a security team is someone called the security architect, who decides which defense strategies to use and which defenders (security measures) to place in the corresponding wings.


In DDoS mitigation, there is the front-end operator (Security Operation Centre, SOC) that acts as the team’s frontier for tackling attacks. Infrastructure engineers then ensure attacks cannot easily penetrate the company’s security or cause collateral damages to other customers. The R&D team stays in the back to analyze and respond to the latest security threats—such as 0-day attacks—and performs the internal audits that review each operation log and incident to ensure necessary controls are put in place and that the SLA is met when handling each case of DDoS mitigation.


Identifying the enemy

“So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose; if you know neither yourself nor your enemy, you will always endanger yourself.” — Sun Tzu, “The Art of War”.


In football, no single strategy can win every matches–the winning team needs more formations than just 4-3-3. The same goes with security strategies: attackers are constantly upgrading their infrastructure and attack vectors, so security teams need to study recent attacks and new technologies to maintain effective defense strategies. If the security team fails to keep up, or if it does not even sense the need to constantly analyze the opposing side, then defenses will become increasingly ineffective and provide a false sense of security.


Security threats are dynamic, changing according to time or event, just like members in a security team: I’m currently in a supporting role, doing security research in the back, but 4 years ago, I was in the security defense frontline. DDoS attacks have evolved quite a bit during this time, and I’d like to share some of my thoughts and advice here:


1. The same trick will be used again, and again, if it’s proven to be effective.
Some football teams are very strong in free kick, while some are strong in speedy counter attacks. As long as the attack methods are effective against their opponents, they can–and will–use it again and again as the killer trick.


The most common DDoS attack types we observed 4 years ago was TCP SYN flood. Today, four years later, they are still common; I believe they will still be alive and kicking in 2018. Why? Because most internet services are running on TCP, which was designed purely for reliable transit rather than security. A TCP SYN flood is proven very easy to generate and requires mainly outgoing bandwidth from attacking machines, which are easily provided by botnets.


tcp-synflood-ddos-worldcup.jpgSource: Jun 2014, Nexusguard.

2. The winner goes to the team that is more stable and makes fewer mistakes.


The average of total goals made during these football tournaments is declining each year, lowering from 4 to 2.5. What does this mean? A team that makes two mistakes can possibly hand the game over to its opponents, who could win the game by 2:0.


Peak bandwidth for DDoS attacks has increased by more than 10 times compared to four years ago. Analysis of some of the samples we obtained shows how malicious bot clients are being enhanced support larger botnets while making them much more stable and, of course, much much more manageable by attackers.


The results tell a clear story: four years ago, attack bandwidth would fluctuate 3 Gbps and 6 Gbps, showing a clear jitter for every few minutes; today’s attacks can maintain a stable network traffic of 30 Gbps for as long as a week.


In 2010, a typical attack peaks at 7Gbps was fluctuating between 3Gbps to 7Gbps.
Source: Jun 2014, Nexusguard




In 2014, recent typical attack size surges to 50Gbps, but quite stable and steady.
Source : Jun 2014, Nexusguard

3. Surprise attacks–the play keeps changing.
Attack and defense in DDoS attacks are as interactive and dynamic as they are in football games. The attack side will always want their attack plans to be unpredictable by the defense side. You know, to score.


Demands and responsibilities placed on security operators have certainly increased since the last Cup! Attackers are becoming more sophisticated and unpredictable; attack signature changes are much more frequent than four years ago. Today’s attackers simply assume that there are security countermeasures in place, and they continuously change attack signatures to penetrate or bypass those defense lines and reach their goal–the server. The days are gone when static filters that perform common “best-practice” filtering can keep the sharks away. The unpredictable attacks plans of modern hardcore attackers can only be defended against by closer monitoring and faster reaction.


Friendly matches– anytime, anywhere

The world-class performance of top football teams in each 90-minutes game is backed by preparation and training that exceed 100 times that duration. Bad news for security teams: their games are not scheduled at all. Research, analysis, practice–the knockout stages simply never ends.


Putting together a world-class all-star security team is not easy, and it’s even more difficult getting them to work in a single team pursuing a common goal, which is why we try to make sure all our newcomers have sufficient training and resources to one day serve on the all-star security teams at Nexusguard. While there is always uncertainty and concerns when inexperienced operators turn on mitigation countermeasures for their first time, we eliminate this embarrassing situation through extensive training and rehearsal, simulating DDoS attacks in the lab and letting them practice and fine-tune their skills rather than simply studying from textbooks. Furthermore, all frontline operators that are associated with our uptime SLA must be certified by passing our actual hands-on test.


Unlike in a football game, where the team on defense can use techniques like “offside traps” to slow down attacks, the DDoS mitigation world does not have such techniques. There are no “tricks” like offside traps and no referees to declare an attack was invalid–all we have are cold, hard numbers. We also consume caffeine instead of electrolytes. Attacks can hit anytime, anywhere; security teams need to be trained to cover all kind of attacks because giving up is never an option, and hoping attackers won’t exploit vulnerabilities is never going to work.



Business Continuity Plan (BCP)

Including the 11 football players on the field, each team is also required to have backup players such as a mandatory backup goalkeeper, in case of player injuries and game strategy diversification.


Compared to other technical knowledges like routing and switching, or firewalls, DDoS mitigation is relatively young in the IT industry. Talent and experience is not as widely available, which is why our approach is to train our own dream team, like a U17 (under 17) football team that fosters the next generation of security experts.


And the last bit, enjoy the game and play safely!

Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.