I spoke with Lori MacVittie of F5 Networks about what they’re seeing in terms of security attacks. The F5 Networks equipment, which I had thought of as load balancers and such, is actually really good at intercepting and reporting on network traffic. For example, if an attacker were manipulating packet headers, the anomalies are easy to find in the BIG-IP, because all the traffic flows through it. There’s also an application security firewall (Application Security Manager) that runs on top of BIG-IP.
One of the things they’re seeing with attacks like Apache Killer and BEAST is that attacks have become application specific: JavaScript, known exploits in web server software. The user goes to the attacked site, downloads malware and spreads it. This is very hard to prevent. The user thinks he’s on a familiar site, but it has been hacked, so the malware gets downloaded and installed.
Users can download a JavaScript DDoS tool without knowing it, or participate in a cross-site scripting attack unwittingly. “The application providers need to do a better job protecting their sites in general,” says Lori. It’s like a public service for application providers to protect their own stack so that end users are protected.
Because we can’t control the endpoint, we need to do a better job of securing the applications and web sites that. Hackers exploit a series of trust relationships this way: mobile devices may go outside the firewall, get infected, and then come back inside the firewall.
In this way, consumers aren’t only at risk, they’re becoming part of the attack. As attackers move up the stack, they will figure out how to involve more users unknowingly. This spreads the threat out in a way that is difficult to address. Now you’ve got a DDoS coming in from all over the world, not from a few dozen servers.
“Everybody is a suspect now. Every connection needs to be examined as an attack of some kind.” The traffic inspection tool becomes much more important at this point. Websites need to protect themselves in order to protect users. When attackers use the protocol itself as part of their strategy, it becomes very difficult to search for and detect anomalies.
Potential solutions include running a web application firewall, conducting regular vulnerability scans, and scanning code before deploying it. Make sure that the web app firewall is configured to inspect both incoming and outgoing traffic, so that anomalies in either direction are caught. Use the security features built into your load balancer, which usually go unused because people think of the devices only as load balancers. Use all the tools at your disposal in a layered approach.
Attacks are now being combined: an attacker could use a DDoS to mask an attack on the application.
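The two observations above, a DDoS that arrives from many sources rather than a few dozen servers, and a flood used as cover for an application-layer attack, can be illustrated with a small log-inspection script. The following is an added example written for this post, not F5 code or anything Lori described; it assumes web-server access logs in Common Log Format, a constructed sample burst (test-net addresses, fabricated timestamps), and a single cross-site-scripting signature standing in for a real WAF rule set. It flags a window as a distributed flood when request volume and distinct-source count are high but no single source dominates (which is exactly the case per-source rate limiting misses), and it reports any requests inside that window that match the application-layer signature.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "method path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Application-layer signatures to look for inside the flood. Only a
# cross-site-scripting marker is shown here; a real WAF carries far more rules.
SUSPICIOUS_PATTERNS = [re.compile(r"<script", re.IGNORECASE)]


def build_sample_log():
    """Constructed sample, not captured traffic: a one-second burst of 60
    requests from 60 distinct sources (RFC 5737 test addresses) with two
    XSS probes from one further address mixed into the noise."""
    ts = "10/Oct/2011:13:55:36 +0000"
    lines = [f'203.0.113.{i + 1} - - [{ts}] "GET / HTTP/1.1" 200 1024'
             for i in range(60)]
    probe = "198.51.100.7"
    lines.append(f'{probe} - - [{ts}] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512')
    lines.append(f'{probe} - - [{ts}] "GET /comment?text=<script>document.cookie</script> HTTP/1.1" 200 512')
    return lines


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(path):
    """Percent-decode the request path before matching, so an encoded probe
    is not hidden from the signature check."""
    decoded = unquote(path)
    return any(p.search(decoded) for p in SUSPICIOUS_PATTERNS)


def assess_window(entries, min_requests=50, min_sources=40, max_share=0.10):
    """Classify one time window of parsed entries.

    A distributed flood has many requests, many distinct sources and no
    dominant source (top source's share of requests <= max_share).
    Requests matching an application-layer signature are listed separately,
    whether or not the window is a flood.
    """
    sources = Counter(e["ip"] for e in entries)
    n = len(entries)
    top_share = max(sources.values()) / n if n else 0.0
    flood = (n >= min_requests and len(sources) >= min_sources
             and top_share <= max_share)
    suspicious = [(e["ip"], e["path"]) for e in entries if is_suspicious(e["path"])]
    return {
        "requests": n,
        "sources": len(sources),
        "top_share": top_share,
        "flood": flood,
        "suspicious": suspicious,
    }


def analyze(lines):
    """Group log lines by their timestamp (one-second windows in CLF) and
    assess each window. Unparseable lines are counted, not silently dropped."""
    windows = defaultdict(list)
    unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        windows[entry["ts"]].append(entry)
    return {
        "windows": {ts: assess_window(es) for ts, es in windows.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = analyze(build_sample_log())
    for ts, w in report["windows"].items():
        kind = "DISTRIBUTED FLOOD" if w["flood"] else "normal"
        print(f"[{ts}] {kind}: {w['requests']} requests from {w['sources']} sources, "
              f"top source share {w['top_share']:.1%}")
        for ip, path in w["suspicious"]:
            print(f"    application-layer signature hit from {ip}: {path}")
```

The thresholds are assumptions for the constructed sample; in practice they are tuned per site from a baseline of normal traffic. The point of the two-part check is that neither half is enough on its own: the flood detector says something is happening but cannot say what, and the signature check would drown in the flood's noise if it were not scoped to the window in which the flood occurs.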