The Security Impact of Performance

Thursday, December 22, 2011

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

I keep reading about how Distributed Denial of Service (DDoS) has been in the past, and is being used, to cause all sorts of damage. 

A DDoS is an attack where  hundreds, thousands, or millions of zombie computers/systems are used by someone or some group to send fake traffic to a particular website or place on the Internet. 

The result is something that is analogous to attempting to get to the gate when they call "Business class" and there are 200 economy class people standing shoulder to shoulder waiting for their turn... it's a struggle to get through, if you can make it at all.

The latest one that hit my virtual windshield overnight was the DDoS story from the Russian elections.  In what can only be described as obvious political activism (or hacktivism if you prefer) websites claiming to expose violations in Russia's election system were DDoS'd off the face of the Internet recently. 

This attack is interesting in that it proves that no matter how big the (virtual) pipe you have to your website it's possible to push so much traffic, garbage or real, that the odds of handling it properly and staying available are virtually zero.

While there are threat mitigation techniques, and lots of DDoS Solutions they tend to all be implemented at the carrier level, or very, very expensive...  Some of the more common ways to be Distributed Denial of Service'd into oblivion can actually surprise you...

  • Poor application design - Yes, it's possible to do it to yourself.  Applications that are poorly designed can fail under heavy load (see yesterday's article on OWWWS).  Everything from holding database connections open too long, to allowing an application to take up too much memory, or improperly doing session destruction and garbage collection can cause an application to become magically unavailable even under reasonable load.
  • Poor network design - If you'll be hosting or performing critical transactions on your segment on the Internet or network you need to plan on redundancy, traffic abatement, and other things that can keep your network from being over-run by malicious or garbage traffic.  Even though the technology behind network DDoS mitigation keeps getting better,

There are other ways to "be disappeared" - but in the end I make the same recommendation that I make to people who need their applications to be resilient against security issues - test, test, and re-test using the latest techniques and technologies.

There are some serious security implications to availability, or rather, poor performance.  Let's take a couple of failure modes and quickly analyze their impact:

  • Impact to revenue - As discussed in the previous article, poor performance on an application or a condition where performance grinds to a halt can and will lead to direct loss of revenue for companies and organizations that thrive on Internet traffic.
  • Impact to emergency systems - Imagine a world where all our mobile devices, radios, networks are inter-connected for the express purpose of getting emergency announcements out.  Now imagine that the infrastructure can be surgically DDoS'd to prevent emergency broadcasts from going out, or worse, that system can be abused to become a DDoS itself... no it's not a Bruce Willis movie but it could happen.
  • Loss of life - Yes, a DDoS can lead to loss of life in extreme cases.  A poorly designed network which can be downed (remember SQL Slammer?) by garbage traffic which just happens to be located inside a hospital or other critical care facility can cause loss of life.  Systems such as life support are increasingly become dependent on network (even if a semi-private network) connectivity for central monitoring and decision making ...when those links go down loss of life is not only possible, it's very real.
  • Catastrophic failure - Think of SCADA control systems that need to be inter-connected.  A DDoS on a control point which controls a critical piece of energy or life-sustaining infrastructure like water plants can keep instructions from being executed ... so whether you think of it on a grand scale like a nuclear power plant control system being DDoS'd remotely (which is high impact, low probability as we've read already), or something much smaller like the remote engine kill in your car ... DDoS'ing systems that can cause catastrophic failure has dire consequence.

It's strange, but security keeps creeping into every aspect of a connected society.  It's not just for kids anymore - from political activists, to terrorists, to mischievous kids...

DDoS is being used as a tool that has turned poor performing systems into weapons against their implementers.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
9223
Network->General
Information Security
Denial of Service SCADA Enterprise Security Application Security DDoS Network Security Infrastructure Hacktivist
Post Rating I Like this!
A762974cfbb0a2faea96f364d653cbc6
Michael Menefee Rafal,

We see this in the ICS/SCADA space all of the time: "You cant scan our SCADA systems/PLCs/HMIs, etc, cause they will crash"...

Uh, if you dont build your apps to handle unknowns, you've got yourself an insecure system there....
1324930830
A8b60694b1555d2ba3572a8917dad110
Paul Lopez According to my experience Proxyshield is the best service to prevent DDOS attacks. The cost for this sort of service is quite minimal and it is worth because customer get optimal stage of safety. This method of protection filters out all malicious visitors properly just before it enters in the clients servers. By using this service customer will obtain powerful and reliable security at a fraction of the cost.

Paul Lopez
BODHost.com
1325245515
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.