Four strategies for protecting against a new breed of encrypted DDoS attacks

The State of Europe is seen behind fencing near to the European Parliament on March 03, 2020, in Brussels, Belgium. Because of the EU’s GDPR and other such regulations, most organizations now encrypt their traffic. Today’s columnist, Eva Abergel of Radware, offers four strategies for helping organizations mitigate a new breed of encrypted DDoS attacks. (Photo by Leon Neal/Getty Images)

Today’s new breed of encrypted DDoS attacks are huge security threats that are shutting down and damaging some of the largest most powerful companies in the world. From financial services firms and healthcare organizations to transportation companies, energy pipelines, and government agencies – countless organizations continually endure a stream of increasingly sophisticated nonvolumetric DDoS attacks. Whether it’s “low-and-slow,” burst attacks, syn floods, SSL negotiation floods, HTTPS floods, or other attacks from diverse sources, the results can cripple services and damage brands through downtime, latency, and frustration.

Thanks to GDPR and other regulatory frameworks, most organizations encrypt almost all their internet traffic today, which means most of the time users enjoy important levels of security and privacy. Unfortunately, SSL/TPS encryption also sets the stage for a new-breed of encrypted DDoS attacks that make it very difficult to identify and isolate malicious traffic. In fact, more than 50% of application-layer attacks are encrypted, and HTTPS-based attacks are increasing at a rapid 20% annually.

Encrypted cyberattacks are as diverse as they are sophisticated  ̶  and organizations must prepare to adapt. For example, they deplete resources that are devoted to completing the SYN-ACK handshake. Encryption further complicates the challenge by encrypting traffic and forcing SSL handshake resources to be depleted. SSL renegotiation attacks work by initiating a regular SSL handshake and then immediately requesting renegotiation of the encryption key. The tool constantly repeats this renegotiation request until all server resources have been exhausted.

Because they need to decrypt traffic and assess the source, destination servers expend up to 15x more overhead resources than the requesting host, enabling attackers to launch major assaults with only a small amount of traffic – without additional bots or bandwidth. As a result of this amplification effect, even a small attack can create crippling damage. What’s more, since they’re encrypted, multi-vector campaigns often attack web application logic after slipping through DDoS and web application protective measures.

Strategies for protection from encrypted DDoS attacks

So, what can an organization do to minimize its vulnerabilities, maximize its protection, and thwart encrypted DDoS attacks? If the company has access to the certificate, consider these important issues and strategies:

  • Determine where to decrypt the traffic: After gaining access to the certificate, the next consideration relates to network topology and the desired level of security. In some network topologies, it’s ideal to decrypt SSL traffic closer to the servers. In other deployments, it’s often preferable to decrypt the traffic sooner (on the perimeter) and eliminate threats early. When the decryption gets performed closer to the server, security teams are typically reliant on application protection solutions. DDoS attacks are better mitigated earlier in the network.   
  • Determine when to decrypt traffic: Constant decryption of all SSL traffic gives full visibility, but at significant cost. Computation resource usage soars – and so does latency, which means it’s not feasible to decrypt of all sessions. Some organizations prefer a security solution that decrypts only under certain conditions, or decrypts only some sessions (or none at all). Decrypting less of the SSL traffic can offer added security while balancing latency and the user experience.  
  • Determine which part of the session to decrypt: When the team assesses when to decrypt, they might want to select the level of decryption the organization employs. Decrypting only part of the SSL session (rather than the full session) can offer high levels of protection from specific attacks. This lets the team strike a balance between desired security levels and an optimized user experience.  
  • Determine a strategy for content delivery networks: A CDN passes traffic on an organization’s behalf. In this case, it’s only possible to find the real IP address inside the encrypted HTTP headers, so there’s no way of knowing the real client without decrypting all SSL traffic. With CDNs, the security solution must decrypt full SSL sessions, identify the real client in the HTTP header and apply targeted security measures.  

In some organization, there’s no access to the certificate, often because of regulations or privacy restrictions, network and security architectural concerns, or Security-as-a-Service models. If the company doesn’t have access to the SSL certificate or can’t decrypt traffic at the perimeter, try keyless protection as an option. In this manner, the team can detect, characterize, and mitigate HTTPS attacks without requiring any traffic decryption, so there’s much less resource consumption. 

Many products rely on limiting the rate of requests, which results in rejection of legitimate traffic. To minimize latency and disruptions to legitimate user sessions, new solutions can leverage behavioral-based algorithms to detect and mitigate encrypted attacks either without requiring decryption or applying decryption only when under attack. Behavioral-based protection uses machine-learning algorithms to learn the normal behavior of your traffic during peacetime and identify malicious traffic when the company faces an attack, thus limiting false positives and increasing the protection accuracy.

As encrypted DDoS attacks continue to rise, network operators and managers will need a diverse set of tools and strategies to prevent and mitigate these threats — from selective decryption to keyless protection that doesn’t require SSL certificates and keys. These strategies reduce the impact and cost of attacks and minimize the impact on the user experience.

Eva Abergel, security solution lead, Radware