Uri Harel, worldwide services vice president at Imperva Incapsula, recently visited our Redwood Shores office. I had a chance to catch up with him to discuss network security, botnets, DDoS protection and cyberattacks.
Incapsula: Our recently-released Q3 DDoS Threat Landscape report reveals recent attack trends Incapsula has seen, including:
- Mitigation of an average of 129 DDoS attacks every day
- A 100+ Gbps network layer attack being mitigated every other day
What is your take on these trends?
Harel: We definitely see the number and size of DDoS attacks increasing. It used to be a reality for certain industries and businesses to deal with cyberattacks. However, we now see that such assaults are no longer confined just to certain business types. Today it’s not a matter of “if,” but rather “when” any organization will be an attack target.
Incapsula: Can you tell us why there are more attacks and why they’re bigger than ever before?
Harel: Absolutely. A few years ago, only technical gurus were able to launch these kinds of massive attacks. To launch one required significant resources—such as huge botnets, for instance.
Today the ability to launch massive attacks has technically become easier and is now widespread. There are many entities that provide this kind of “service,” if you will. With DDoS technology now being fairly advanced, anyone can launch a big assault from a small network. In other words, the dark side of technology has been productized into illegal services.
Incapsula: Can you help readers understand why some attacks target the application layer versus the network layer?
Harel: The goal is always the same for attackers: to take down a site, so it depends on the perpetrator’s resources and the resultant impact. Layer 7—the application level—attacks require more sophistication as the perpetrators are also after data such as identities and financial information. These take more effort to launch and are customized to the site, making them much more difficult to mitigate.
A layer 3, or network layer, attack is a blind assault that floods a target network, overwhelming it with excessive traffic. They are easier to launch. The attack vectors commonly succeed, regardless of the type of application the attacker wants to shut down.
To explain why application layer attacks are more difficult to mitigate, I often use the analogy of protecting a large store. To do so, first you lock all the doors and windows. This type of physical security represents your traditional firewalls.
However, the front door still needs to be open for business. The challenge is to identify who is a legitimate customer and who is not. You can put a security guard at the door to visually check each customer—this is your web application firewall, or WAF.
Application layer mitigation requires technology at the front door. You can install protection there, but since layer 7 DDoS imitates legitimate traffic, more analytics are required to determine whom to let in and whom to block.
Incapsula: We just released an expanded beta for our protected IP service. Can you tell us about it?
Harel: Sure. We developed IP Protection to secure origin servers from direct-to-IP DDoS attacks. Here we provide customers with a new origin IP address, which is broadcast to users and services. IP Protection works by routing all traffic through the Incapsula network via a GRE tunnel, where it’s scrubbed for network layer 3/4 DDoS traffic.
The new service offers the benefits of BGP-enabled security to customers who don’t own an entire Class C subnet. It protects individual servers and IP addresses.
Incapsula: Who will benefit from IP Protection?
Harel: Since IP Protection covers the entire infrastructure, it’s ideal for protecting all network elements—everything from FTP and email servers to gaming servers and cloud environments. In addition to network layer protection, IP Protection also defends against application layer attacks.
Incapsula: We have a new feature called always-on DDoS protection. What can you tell us about it?
Harel: Traditional layer 3 DDoS protection was an on-demand service. ISPs offer limited or no DDoS mitigation. If a website is a DDoS attack target, ISPs will typically just shut the site down.
Always-on DDoS protection guards against both network and application layer attacks. Layer 3 protection operates like a highly trusted ISP. Even while under a DDoS attack, the service won’t stop.
We also learned that layer 7 protection became more of a necessity because once an attack is underway, in many environments it can take too long to discover and mitigate it. It became clear that organizations need to be protected at all times.
Incapsula: What is the biggest challenge about building a network of such a large scale?
Harel: I would say keeping it up-to-date and up and running at the same time is a balancing act. Today’s security challenges require a constant update of our online arsenal of defense software and threat DB and signatures. Doing so on a daily basis on such a big network represents a challenge, as we must also keep the service stable and maintain our high, committed SLA.
If you have a question for Uri, please leave us a comment or email us. We’d love to hear from you.