Hi, and welcome to our podcast. I'm John Tolbert, director of cybersecurity research here at KuppingerCole. And today I'm joined by George Tarasov, who is product manager at Qrator Labs, headquartered in Prague. And today's topic that we wanted to discuss is how to protect against multi-vector DDoS and bot detection. So welcome, George.
Thank you so much, John. Thanks, everyone. Pleasure to be talking on this podcast today. So, yeah, multi-vector DDoS attacks and everything which comes with them. Probably you're wondering what that even means, and why we're talking about them.
Yeah, I think, you know, we've heard of DDoS for many years, you know, as a step up from the denial of service, or distributed denial of service, meaning many, many different sources can be included to try to bring down network services of the target companies or target organizations. Multi-vector being, you know, the latest iteration of this. So I thought, it would be good to just sort of really define these at the beginning. So a multi-vector attack, you know, uses a combination of different attacks that can be deployed at the same time or maybe in some sort of coordinated sequence. It can use different attack methods and, you know, exploit different kinds of vulnerabilities on different systems. You know, to try to maximize their chances of success. Multi-vector usually starts with some sort of reconnaissance, and then from there, the attacker might use a whole host of different methods, anything from, you know, malware, ransomware, social engineering, compromising machines on the target network, phishing, business email compromise, and then ultimately DDoS attacks. So these combinations can overwhelm the targeted organizations. Well, what would you like to add about that, George?
Well, what I think might shed some light on here is that we've been coming to this concept for quite a long time. So multi-vector DDoS first appeared as the variation to like the old [...] techniques. As some of you might know, some of our listeners might know, the common techniques for denial of service attacks have been roughly the same for about 30 years. Well, as long as the protocols that they are exploiting were developed and standardized, like TCP, TLS, SSL, HTTP of course, this kind of thing. And probably the first real iteration of multi-vector attack suites came with the famed Mirai botnet back in [2016]. This marvelous piece of code was able to launch something in the vicinity of 19 different attack types, and the most beautiful thing about this is that you could draw them in parallel. So combining different methods, if one kind of attack wasn't able to come through, you could always launch a different one to see how the defense tools would react to that. And in many cases they wouldn't. And the attack came through and brought down lots of famous websites. So this is where originally multi-vector attacks came from. And nowadays we have more different methods, more different techniques, new protocols. Everything can be combined into some kind of shrewd combination for DDoS.
Yeah, for sure. And the volumes have gotten so much higher, the amount of malicious traffic that can be delivered, especially when you do multi-vector, just thinking on the DDoS side. I mean, we've seen volumes grow exponentially, it seems, over the last 10, 15 years. What can you say about the volumes of those kinds of attacks and then the frequency with which they happen?
Oh well, with volume it is usually coming towards counting different attack types and their metrics separately. For example, for volume metrics, it is kind of normal nowadays to have terabit-scale attacks, as we call them. So the bandwidth they occupy on the final leg towards the target might be as well in the vicinity of one, two terabits per second. Hundreds of gigabits per second is the average scale for a volumetric attack. It is not something you'll get people scared with now. And with application layer attacks, it mostly boils down to the number of concurrent connections, the number of requests per second, and millions of requests per second is the high watermark now for application layer attacks. Each of these types, growing over the years, is able to knock out a middle-sized company infrastructure and the Internet infrastructure: the load balancers, the application servers, the routers, this kind of equipment. And when you combine this stuff, especially running against a single target, this might grow towards a devastating effect, because several sorts of defense tools usually are available to all those businesses now. The cloud-based services, the on-premise equipment, firewalls, all of them are good at stopping one kind of attack and are worse in mitigating the other ones. So you need to mix it up to knock down your defenses and to let at least some of the garbage traffic get through.
Well, you know, we've also heard for years that things like DDoS-for-hire services are out there, so that, you know, this is a type of attack that doesn't necessarily require a lot of sophistication. There's an infrastructure out there on the dark web that bad actors can use to increase the number of sources from which DDoS attacks originate.
Yeah, the bigger the botnet is, the more effective it is and the safer it is to operate, because security companies will eventually find out the origins of the botnets. They block them, they use honeypots to fish for the real IP addresses of the infected machines, so the infected devices, bringing them to justice eventually. After months and years of usage, the botnets tend to shrink because they're getting discovered, and you need to procure new ones to keep yourself in this cybercriminal business. But in addition to that, it is interesting that not only the common DDoS methods are widely used for multi-vector attacks. The attackers are not only combining the tried-and-true, tested technologies, they're also using some from the other fields, like using the bad bots as we defined them. The automated tools that can be purposed for different tasks but can also be used for large-scale application layer attacks as well. And this is something that we didn't see in the previous years. But this year I think it's a new trend that we are observing and trying to fight against.
You know, we've been hearing about these combinations of attacks for several years now. Sometimes, you know, victims will see DDoS attacks in combination with ransomware attacks. And really, I think it's all about trying to keep the security team off guard, because if your security team's trying to deal with a ransomware attack, then, you know, other things might slip past; you know, it may make it more difficult for them to be able to respond to a DDoS attack or be alerted about every phishing attempt. So it really means focusing on the multi-vector part. I think that this is a strategy that the sophisticated attackers have for trying to ensure that one kind of attack gets through. What would you say are some of the main motivations for doing these kinds of attacks, then?
Well, most of the time multi-vector attacks, as with the rest of denial of service type of things, are used to knock down the key components of the Internet business: websites, DNS servers, culprits, offices, endpoints, mobile API. Well, everything that outside users might use; preventing them from doing that will be a big upset for the victim. So that is the idea, and of course keeping the security team, the monitoring team, the upstream busy with some kind of prevention work while keeping doing the other types of threats is a good strategy to knock someone down. And the same goes with using like the bad bots for the same purpose. You know, we're usually used to seeing them as a constant background noise, like the mains hum from a single pickup on the guitar. It is always present on your website. With the rest of the users there are scraper bots scraping for some things. There are the guys who are trying to collect some public data, some metrics from your website, but suddenly the same toolset might be used to cause a huge influx of requests, bringing down the firewalls, bringing down the application servers. Do you think this is really making an imprint on the modern usage of websites?
Well, you said something really interesting there, too, about APIs. I mean, I think we historically have thought of DDoS attacks as mostly being just against networks, but with everybody exposing everything via API to be able to integrate applications from different providers and whatnot, some of the APIs are out there and probably not as well protected as they should be, because a DDoS attack against APIs is just a different way of bringing down that service.
Yeah, APIs are huge because you have all the mobile applications, the native mobile applications, iOS, Android, using them. You have huge businesses which don't even operate websites; you cannot use them effectively in the browser. Most of the customer base comes from smartphones and tablets. So APIs serving these devices, of course, are the main entry points, and it gives the idea to the attackers on where to hit best. And being an application, you have a variety of methods.
So what kinds of combinations of attacks are your customers seeing these days?
Well, last year it was mainly the combination between Layer 4 and Layer 7 types of attacks with some Layer 5 encryption mixed in. So it's usually a TCP attack like a connection flood or SYN flood combined with application requests down to HTTP, HTTPS; sometimes TLS encryption is added here. The TLS handshake attack is widely used now because it's very cheap to do and takes a great toll on the application server on the victim's side. So combining these two or three main threats together and adding some bad bots doing legit application requests in the mix, this is a real pain to mitigate. The only way you could effectively defend against this kind of attack is having a set of fully automated tools which analyze not only the incoming load for the service, not only the incoming traffic, but also the health, as we call them, the health metrics of the application. How does it feel after the attack? What are the server response times? What is the percentage of server errors? Because if you don't do so, it's like prescribing a medicine to a patient you haven't seen before, and you don't know the diagnosis, the symptoms and so on. It's like blind luck.
Thinking about bots. I mean, we recently published a Leadership Compass on Fraud Reduction Intelligence Platforms, and it had a lot of emphasis on bot detection, bot management there. You make a point that there are good bots, there are bad bots, there are bots that are in between. So, you can't just say as an organization, we don't want to allow any bots in, because some of the work on the web depends on good bots getting their work done. So yeah, can you describe how bad bots actually fit into this then? What is a bad bot, what are some of the kinds of behaviors that you see bad bots doing?
Yeah. You see, this topic is very tied in with the multi-vector idea of attacks, because these guys are also used in these combinations. We have these numbers measured on our customer base: about 60% good users, humans, and the rest bots; good and bad are roughly the same share they are occupying. So good bots are of course the spiders, the search engine crawlers, these good guys who identify themselves, let themselves be recognized to do their job. And the bad bots are the rest of them. These are the automated tools who mimic human behavior, human appearance on the web, like user agents, the types of requests they do with the browser that humans are using, for collecting data, for scraping personal information, for brute-forcing passwords, accounts, these kinds of shady things. Lots of very advanced tools are used for this kind of automation. They are mostly open source and they are being developed very fast, so they evolve quickly, and all kinds of protection for that have to participate in this arms race.
Yeah, yeah, definitely. I mean, again, thinking about some of the recent research on bot detection, bot management, there are a whole lot of different kinds of techniques that can be used to identify, first of all, that something is a bot and then try to discover its intentions. Everything from, you know, something, what you might consider signatures of bot activity, all the way to behavioral biometrics, technologies like that.
Lots of ways to try and look into what is behind the curtain, what is behind the appearance of the Internet user: is it a human, is it a bot, how can we distinguish them from each other? Lots of techniques, mostly involving some invasive techniques, involving searching for the parameters of the environment the user has for their browser, for their operating system, for the device, of course. Comparing all these things with each other and seeing all the traces of tampering when the user has tried to change some of the parameters without letting us know. So it is a cat and mouse game, a quite advanced one compared, for example, to recognizing DDoS patterns, because the mimicking is deeper here and the human likeness of modern advanced bots is huge. Also, the price of running these scraping botnets has decreased, and the number of incidents, again, we have a picture of how many bot attacks we've seen over the last three months. I think it's important here because back in the day we thought of bots as this background noise, and now they're creating huge pain due to sudden bouts of very high-level activity. Lots of requests, millions of requests in a short amount of time. This is very harmful to the targeted servers, acts like a DDoS attack and has the same results.
So what do you see as the future, specifically on these multi-vector DDoS kinds of attacks? What are you forecasting?
Well, my opinion here is that we have several new protocol stacks. The most prominent of them is, of course, QUIC and HTTP/3, based on UDP, which is intended to replace the suites that we are using now and have been using for 30 years already. And of course it brings new challenges, new types of attacks, new mitigation techniques we have to adopt, and for some time all of these, for example, all of these protocol stacks, HTTP/1.1, HTTP/2, HTTP/3, all of them will have to run in parallel in order to facilitate those kinds of users. So the attackers will be able to combine the attack methods for all of these three protocol suites together, run them together, because there is such a thing as fallback: you can switch off the protocol version and have the rest fall back to other types if you are being attacked, as happens with, for example, IPv6 now. But the attackers will have to use all three of them to be effective, to reach the target. So it's a whole new world in front of us. And I'd also like to hear your opinion on that. What comes next for us in this case?
Yeah, I certainly agree. I think the range, you know, and the breadth of the different kinds of attacks will certainly increase. I think it becomes even more imperative for organizations to think very carefully about bot detection, bot management for any and all customer- or web-facing properties. There's really no way around having to, you know, have a good strong network and application layer infrastructure as well as, you know, on the identity management side, too. So being able to use things like behavioral biometrics to figure out what's a bot, what kind of bot it is, what are its intentions. I think, you know, the range of technologies that are needed for detection, prevention and mitigation will continue to expand, just as the different kinds of methods that attackers will use will, unfortunately, continue to be innovated.
Yeah. So the bottom line, I think we agree upon it, is that more data is being used everywhere. More data is needed to find out what the user is good about. More data is needed to run all these algorithms, and of course the attackers are exposed to more vulnerable data they might use for attacks, for cybercrime and so on. So it's a data-driven race and we have to participate in it.
Yeah. Well said. Well, thank you. It's been a great discussion. Very informative.
Thank you so much. Pleasure to me and thanks to all listeners.