App firewalls silver bullets to DDoS attack?

With cyber attacks getting more sophisticated, enterprises that rely on web applications should look to application firewalls for better protection, particularly against distributed denial-of-service (DDoS) attacks, urged a security expert.

With cyber attacks getting more sophisticated, enterprises that rely on web applications should look to application firewalls for better protection, particularly against distributed denial-of-service (DDoS) attacks, urged a security expert.

Vladimir Yordanov, director of technology at F5 Networks, explained that with 80 per cent of attacks hitting web apps these days, traditional protection such as the conventional perimeter system firewall offers very little protection. Such systems are the reason why DDoS-type attacks are successfully executed to compromise websites and payment systems, he added.

"Traditional systems, such as intrusion prevention or intrusion detection systems, cannot block effective requests as these are not easily detected. The attacks targeting coding or browser flaws are usually let through, and it is the application firewall's job to weed out bad traffic," Yordanov noted during a one-on-one interview with ZDNet Australia's sister site ZDNet Asia on Monday.

Typically, the application firewall responds by sending a cookie or response to ensure the user is real and sending a valid request, before allowing access into its system, the security expert pointed out. In many instances of DDoS attacks used recently against PayPal, MasterCard and Visa, requests are sent out by botnets, or zombie machines, and these computers are not able to respond to requests, he added.

According to earlier reports, this series of attacks — code-named "Operation Payback" — were initiated by supporters of jailed Wikileaks founder Julian Assange, whose website has been shut down by internet service providers (ISPs), web hosting companies and payment providers across the US and Europe.

As a form of protest to the treatment of Wikileaks and Assange, supporters made use of 3000 voluntary computers and up to 30,000 hacked machines to shut down the websites of PayPal, MasterCard and Visa, which had earlier deemed Wikileaks to be a criminal organisation and denied it their services.

No foolproof solution

Besides creating app firewalls, other forms of protection that enterprises could look at include "clean pipes" from ISPs that filter out bad traffic and putting in place a high level network security, Yordanov pointed out. Also, enterprises can sanitise their protocols, ensure that all information needed to establish the connection is present before allowing access, he added.

However, as security technology is constantly evolving, hackers and cyber criminals have managed to find ways to compromise systems, and this is made worse by the increasing access of networks from mobile devices. Yordanov let on that the more dispersed a workforce is, the greater risk of an attack, which is currently a situation that criminals are exploiting.

Conceding that no solution is 100 per cent foolproof, the executive said the best way for a system to be kept safe from attacks is to have the system shut down.

"Rather than having the website be compromised, it's better to have it shut down completely," Yordanov said. "If the engineers are able to trace the IP addresses of where the requests are sent, they can also eliminate the sources by blocking the addresses, but only if they are static. But increasingly, these requests change frequently, so it is not that useful."

The F5 director noted that while shutting down the system is helpful, the option is suited only for enterprises with enough manpower to constantly monitor web traffic.

Cloudy security prospects

When quizzed on the level of security for cloud computing, the IT expert expressed pessimism at the current situation, but said things will improve given time.

He revealed that he had personally gone through SLAs (service level agreements) offered by six cloud providers, but none made commitments to protect customers' data.

"One even asked for all of your data, but there is no procedure that tells you how to get it back, and how they actually protect the data," Yordanov noted. "[Protection agreements] are all worded loosely now."

He went on to say that the industry is still at an early stage, rather like e-commerce when it first started. The executive expects to see a similar "revolution" within cloud computing to spur adoption, though.

In the meantime, many large enterprises are eyeing the private, rather than public, cloud, he said. That is because cloud providers are not sure if they can fully guarantee the safety of their clients' data, so private cloud deployments are a way of shielding themselves from potential legal action, Yodanov added.

Via ZDNet Asia


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All