The War on Encryption

By Jason Hilling, Regional Director, South Asia, NETSCOUT Arbor

Encryption has been around for a very long time and was used extensively in both world wars to transmit secret messages. The decoding by British Naval intelligence of the encrypted Zimmermann telegram in 1917 helped bring the United States into the war. The technology industry argues that encryption is essential to secure personal information and communications. But government and law enforcement officials say that encryption hurts their ability to investigate criminal and terrorist activity, many of whom use services like WhatsApp, Signal and Telegram to communicate in secret.

Despite the ongoing disagreements, we need encryption so that our banks can safely offer online banking and funds transfers and so we can do online shopping securely using a credit card. It’s what protects the public’s online interactions with government agencies or healthcare providers. It should surprise no one then, that encrypted services are now prime targets for DDoS attacks. Such services enable access to a wealth of personal, confidential and financial information. Identity thieves and cyber -criminals can and do have a field day if they succeed in breaking web service encryption.

According to NETSCOUT Arbor’s 13th Annual Worldwide Infrastructure Security Report (WISR), attacks targeting encrypted web services have become increasingly common in recent years. Among enterprise, government and education (EGE) respondents, 53% of detected attacks targeted encrypted services at the application layer. And 42% of respondents experienced attacks targeting the TLS/SSL (Transport Layer Security/Secure Socket Layer) protocol governing client-server authentication and secure communications. Among service providers, the percentage seeing attacks targeting secure web services (HTTPS) rose significantly over the previous year, from 52% to 61%.

The Four Key Encryption Attack Types

DDoS attacks targeting encrypted services tend to fall into four categories:

 Attacks that target the SSL/TLS negotiation, commonly known as the “handshake,” which determines how two parties to an internet connection will encrypt their communications.

  • Protocol or connection attacks against SSL service ports, which seek to exploit SSL vulnerabilities.
  • Volumetric attacks targeting SSL/TLS service ports, which overwhelm port capacity with high volume traffic floods.
  • Application-layer attacks against underlying service running over SSL/TLS.

Attackers are unrelenting in their assaults on high-value encrypted targets. Given the critical nature of most encrypted applications and services, a single successful attack can have devastating consequences. The breadth, variety and escalation of attacks on secure web services heightens the need for a multi-layered defensive approach to DDoS security, with capabilities to detect and mitigate the full range of today’s attack types.

Fighting Fire with Fire: Foiling Encrypted Attacks

To make matters even more challenging for security teams, attackers often use SSL/TLS encryption themselves to hide their nefarious activity. A high volume of internet traffic moves among networks without being detected or inspected, making it easy for malicious actors to hide amid legitimate traffic, preparing to unleash attacks on secure HTTPS services. A key component of the security arsenal, therefore, is the ability to inspect encrypted traffic securely and attest to its authenticity without slowing, disrupting or compromising legitimate traffic. While decryption is not always necessary for successful mitigation, there is clearly a growing need for scalable solutions for decrypting packets.

Both service providers and enterprises are recognising that traditional firewalls and intrusion prevention systems are insufficient in confronting sophisticated DDoS attacks – particularly encrypted attacks targeting encrypted services. Encryption is essential but cannot be relied upon on its own to thwart determined and sophisticated attackers. Operators and hosts of secure web services increasingly recognise the need for purpose-built Intelligent DDoS Mitigation Systems (IDMS) as the only effective option for mitigating DDoS attacks. Best practices call for a layered approach combining always-on, on-premise defences with cloud-based mitigation capabilities that activate automatically based on the size and nature of the threat.

Reputational and brand damage are frequently cited as the worst consequences of a DDoS attack. Nothing could be more damaging to an organisation’s reputation than to compromise the secure services that consumers have come to trust and rely upon every day with hardly a second thought. Institutions need to take measures that go beyond encryption to ensure the integrity and availability of their most critical services.


Tags DDoS attack

Show Comments