Posts tagged ‘WAF’

Analysis of Black Friday Data Reveals Shift in Attack Vectors

December 8, 2014 12:08 am


Akamai can see and analyze enormous amounts of attack data during events such as Black Friday. This year they tracked requests coming into dozens of online retailers over 24 hour...


Shellshock Update

October 1, 2014 1:59 pm

The Shellshock vulnerability, originally announced as one critical issue in bash that allowed an adversary to execute arbitrary code, has grown from one vulnerability to six in the last week. For background on Shellshock, we’ve collected an overview and list of the vulnerabilities; for some history on Akamai’s initial responses, read our original blog post.
Shellshock raised a lot of questions among our customers, peers, auditors, and prospects. This post addresses some of the most frequently asked questions, and provides an update on how Akamai is handling its operations during this industry-wide event.
Are Akamai production servers vulnerable? What is the status of Akamai mitigation?
Akamai’s HTTP and HTTPS edge servers never exposed any vulnerability to any of the six currently available CVEs, including the original ShellShock vulnerability. Our SSH services (including NetStorage) were vulnerable post-authentication, but we quickly converted those to use alternate shells. Akamai did not use bash in processing end-user requests on almost any service. We did use bash in other applications that support our operations and customers, such as our report generation tools. We switched shells immediately on all applications that had operated via bash and are deploying a new version of bash that disables function exporting.
Akamai’s Director of Adversarial Resilience, Eric Kobrin, released a patch for bash that disables the Shellshock-vulnerable export_function field. His code has aggregated additional upstream patches as available, meaning that if you enable function import using his code, the same behaviors and protections available from the HEAD of the bash git tree are also available. His patch is available for public review, use, and critique.
We do not believe at this time that there is any customer or end user exposure on Akamai systems as a result of Shellshock.
What about Akamai’s internal and non-production systems?
Akamai has a prioritized list of critical systems, integrated across production, testing, staging, and enterprise environments. Every identified critical system has had one or more of the following steps applied:
  • Verify that the system/application is not using bash (if it is, we disabled the vulnerable feature in bash or switched shells);
  • Test that the disabled feature/new shell operates seamlessly with the application (if not, we repeated with alternate shells);
  • Accept upstream patches for all software/applications where available (this is an ongoing process, as vendors provide updates to their patches); and
  • Review/Audit system/application performance to update non-administrative access and disable non-critical functions.
Can we detect if someone has attempted to exploit ShellShock? Has Akamai been attacked?
Because the ShellShock vulnerability is a remote code execution vulnerability at the command shell, there are many possible exploits available using it. Customers behind our Web Application Firewall (WAF) can enable our new custom rules to prevent exploits using legacy CGI systems and other application-level exploits. These WAF rules protect against exploits of four of the six current vulnerabilities, which are all that apply to our customers’ layer seven applications.
However, because ShellShock was likely present for decades in bash, we do not expect to be able to find definitive evidence — or lack thereof — of exploits.
There have been news reports indicating that Akamai was a target of a recent ShellShock-related botnet attack. (See information about WopBot.) Akamai did observe DDoS commands being sent to an IRC-controlled botnet to attack us, although the scale of the attack was insufficient to trigger an incident or a need for remediation. Akamai was not compromised, nor were its customers inconvenienced. We receive numerous attacks on a daily basis with little or no impact to our customers or the services we provide.
Akamai’s Cloud Security Research team has published an analysis of some attack traffic that Akamai has seen across its customers for Shellshock. As the authors note in that article, the kinds of payloads being delivered using the ShellShock vulnerability have been incredibly creative, with Akamai’s researchers seeing more than 20,000 unique payloads. This creativity, coupled with the ease of the ShellShock vulnerability, is one of the many reasons that Akamai is keeping a close eye on all of the associated CVEs, continuing to update its systems, and developing better protections for its customers, including custom WAF rules.
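The following is an added example, not Akamai’s WAF rule or code, showing the shape of the detection a WAF applies to Shellshock probes. Under CGI the web server copies request headers into environment variables (HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE and so on), and a vulnerable bash imported any variable whose value began with "() {" as a function and then ran whatever followed the body. So the check below inspects every header and the percent-decoded request target for that prefix, matching loosely so that variants with a body other than ":" are caught too. The sample requests are constructed, not captured traffic, and the host name is made up.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# A vulnerable bash imported a function from any environment variable whose
# value started with "() {". Whitespace between the tokens is optional, so
# match loosely rather than on the exact "() { :;};" string early probes used.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample requests (not captured traffic). Host name is fictional.
SAMPLE_REQUESTS: Dict[str, str] = {
    "benign": (
        "GET /cgi-bin/status?id=42 HTTP/1.1\r\n"
        "Host: shop.example\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101\r\n"
        "\r\n"
    ),
    "ua_probe": (
        "GET /cgi-bin/status HTTP/1.1\r\n"
        "Host: shop.example\r\n"
        "User-Agent: () { :;}; /bin/bash -c 'echo probe'\r\n"
        "\r\n"
    ),
    "referer_variant": (
        "GET /cgi-bin/status HTTP/1.1\r\n"
        "Host: shop.example\r\n"
        "Referer: () { _;}; /usr/bin/id\r\n"
        "\r\n"
    ),
    "encoded_query": (
        "GET /cgi-bin/status?q=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1\r\n"
        "Host: shop.example\r\n"
        "\r\n"
    ),
}


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (request-target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    target = request_line[1] if len(request_line) > 1 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return target, headers


def inspect_request(raw: str) -> List[Tuple[str, str]]:
    """Return (location, offending value) pairs; empty list for a clean request.

    Every header is checked because CGI exposes each one to bash, not only
    User-Agent. The request target is percent-decoded first (conservative:
    PATH_INFO is decoded by the server, QUERY_STRING is not) so an encoded
    "() {" in the URL is not missed.
    """
    target, headers = parse_request(raw)
    findings: List[Tuple[str, str]] = []
    if SHELLSHOCK_RE.search(unquote(target)):
        findings.append(("request-target", target))
    for name, value in headers.items():
        if SHELLSHOCK_RE.search(value):
            findings.append((name, value))
    return findings


def classify_all(requests: Dict[str, str]) -> Dict[str, bool]:
    """Map each labelled request to True if it would be blocked."""
    return {label: bool(inspect_request(raw)) for label, raw in requests.items()}


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        hits = inspect_request(raw)
        print(f"{label:16s} {'BLOCK' if hits else 'allow':5s} {hits}")
```

The benign request passes because its User-Agent has parentheses but no "() {" sequence; the other three are blocked, including the one whose payload only appears after URL decoding. This is a signature check, so it catches probes that use the function-import syntax and nothing else; it says nothing about whether the bash behind the CGI script is actually patched, which is what ultimately has to be fixed.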
Where can I find updates on Akamai’s WAF rules?
Information about our WAF rules can be found on our security site.
How will Akamai communicate updates?
We will maintain this blog with interesting news from Akamai.
As the list of CVEs and implications of ShellShock expand, we do our best to only deliver verified information, sacrificing frequency of updates for accuracy.
Akamai is maintaining additional materials for the public on its security site, including a running tally of the bash-related vulnerabilities.
If you have questions that aren’t addressed by one of these vehicles, please feel free to contact your account team.
How bfw Advertising Protects Its Web Apps

September 8, 2014 12:00 pm


By Cliff Turner, Sales Engineer, Alert Logic

bfw Advertising is a full service advertising agency with expertise in building websites. However, bfw Advertising does not have expertise in cloud or Web Application Firewall (WAF) technologies. In order to focus on its business, bfw Advertising turned to Rackspace Managed Cloud and Alert Logic.

The south Florida-based agency boasts a strong client list that spans industries from aerospace to healthcare to travel and more. It also has a strong interactive department that offers website design and development; and in-house Microsoft certified web developers to build websites, intranets, extranets, applications and more for multiple clients.

A Rackspace customer for years, bfw Advertising recently moved its infrastructure to the Rackspace Managed Cloud, to take advantage of new functionality and to reduce costs, while also remaining in a fully managed environment. Moving to the managed cloud gave bfw Advertising an opportunity to take a fresh look at security technology that could further protect its customers’ websites and applications.

Web Application Firewall (WAF) Basics

Since bfw Advertising hosts many of the websites and web applications it develops for clients, one of the first technologies that Rackspace suggested bfw Advertising evaluate to protect its clients was a Web Application Firewall (WAF). A WAF inspects HTTP traffic, looking for suspicious requests and filtering out bad traffic. It does so based on rules set by the operator (or shipped with the WAF as signatures for known attack patterns), or on a profile of normal website behavior that the WAF learns over time, blocking requests that depart from it.

WAF Example – SQL Injection

To better understand how a WAF works, let’s look at a quick example. While there are countless ways to try to breach websites, the Open Web Application Security Project (OWASP) ranks injection, with SQL injection the most common form, at the top of its list of web application risks. In a SQL injection attack, malicious SQL is inserted into an entry field so that the application’s own query does something the developer never intended: dump the database contents if the attacker is after the data, or erase it if the attacker is simply out to cause trouble.

Here’s an example where someone is using a shopping cart application to buy a new winter coat. In the entry boxes, the buyer selects their category and item and the web application would translate their selections into SQL code and make a database request.

The SQL code would go to the database looking something like this:

In a SQL injection, an attacker adds some malicious SQL code to the URL in hopes of finding a vulnerability that enables them to do some damage, like the example here of dropping a table from the database which would remove some information.

A WAF would stop that from happening by examining the URL request and, if it contains anything that matches its attack signatures (like the example above), simply not passing the request on to the website. Keep in mind that this is a compensating control: the WAF pattern-matches requests, and attackers work at evading those patterns, so the application itself should still use parameterized queries so that user input is never parsed as SQL.
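As an added example (not code from the case study or from Alert Logic), here is the shopping-cart scenario above carried through against a small SQLite database: the category the buyer selected is pasted into the query text, which lets a crafted value either return the whole table or pull rows out of an unrelated customers table, next to the parameterized form that treats the same value as plain data. A narrow WAF-style signature check is included to show what a rule engine matches on. The catalogue, the customer rows and the function names are all constructed for the illustration.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed catalogue for the shopping-cart scenario (not real data).
SCHEMA = """
CREATE TABLE items (id INTEGER PRIMARY KEY, category TEXT, name TEXT, price REAL);
INSERT INTO items VALUES (1, 'coats', 'Winter parka', 189.0),
                         (2, 'coats', 'Rain shell', 99.0),
                         (3, 'hats',  'Wool beanie', 25.0);
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
INSERT INTO customers VALUES (1, 'alice@example.test', '4242'),
                             (2, 'bob@example.test',   '1881');
"""

# Two attacker-supplied "category" values. The first makes the WHERE clause
# always true; the second appends a UNION that reads a different table and
# comments out the quote the application adds after the value.
TAUTOLOGY = "coats' OR '1'='1"
UNION_DUMP = "coats' UNION SELECT email, card_last4 FROM customers --"


def open_catalog() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn: sqlite3.Connection, category: str) -> List[Tuple]:
    """The page's scenario: the selection is spliced into the SQL text."""
    sql = f"SELECT name, price FROM items WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, category: str) -> List[Tuple]:
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute(
        "SELECT name, price FROM items WHERE category = ?", (category,)
    ).fetchall()


# WAF-style signature: a quote closing the literal followed by a boolean
# operator or UNION, or a SQL comment marker. Deliberately narrow, and
# bypassable; it illustrates the mechanism, not a production rule set.
SQLI_RE = re.compile(r"'\s*(or|and|union)\b|--|/\*", re.IGNORECASE)


def waf_blocks(value: str) -> bool:
    """True if the request value matches the signature and would be dropped."""
    return SQLI_RE.search(value) is not None


def demo() -> dict:
    """Run each input through both query styles and the signature check."""
    conn = open_catalog()
    results = {}
    for label, value in (("honest", "coats"),
                         ("tautology", TAUTOLOGY),
                         ("union_dump", UNION_DUMP)):
        results[label] = {
            "vulnerable_rows": search_vulnerable(conn, value),
            "parameterized_rows": search_parameterized(conn, value),
            "waf_blocks": waf_blocks(value),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label)
        for key, val in outcome.items():
            print(f"  {key}: {val}")
```

With the honest value both queries return the two coats. With the tautology the vulnerable query returns every item in the table; with the UNION payload it returns the coats plus the customers' e-mail addresses and card digits, which is the "dump the database" case from the text. The parameterized query returns nothing for either payload because no category is literally named that. The signature check stops both payloads here, but the parameterized query is what makes the outcome safe regardless of whether the WAF recognizes the next variant.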

Alert Logic Web Security Manager at bfw Advertising

A well-documented challenge with WAFs is tuning them. WAFs require expert tuning and management to be effective; otherwise, they either impact site availability by blocking legitimate traffic or are tuned down to a level where they no longer block anything of value. And to be a WAF tuning expert, you typically have to be an expert in web applications, security, and WAFs. So, to protect their clients’ web applications, bfw Advertising chose to work with Alert Logic Web Security Manager. Web Security Manager offered the WAF capabilities they needed, but even more important to bfw Advertising is that the Alert Logic WAF comes fully managed, so it could get the benefits of a WAF without having to become WAF experts itself.

If you want to read more about bfw Advertising, you can read the case study on the Alert Logic website. To learn more about Alert Logic Web Security Manager, visit the Rackspace Marketplace.

Your network is under attack. What are your mitigation options?

September 2, 2014 8:00 am


Let’s make one thing absolutely clear at the outset: the time to think about the best options for cyber-threat mitigation is NOT when your network is being attacked. In the best-case scenario you will already have a mitigation strategy in place for defending against both network-layer and application-layer attacks. The most important thing to know when you are building a multi-layered approach to securing web applications is that security solutions aren’t one-size-fits-all. You have several options to mix and match. Akamai’s free eBook, “Threats and Mitigations: A Guide to Multi-Layered Web Security”, gives you options for making the choices that best fit both your business and IT infrastructure requirements.
These days it’s not enough to have an on-premises web application firewall (WAF). The key to using hardware devices in a mitigation strategy is understanding what they can and cannot do. Inspecting today’s increasingly sophisticated application-layer attacks is resource-intensive: a WAF needs substantial compute to parse and evaluate every request, and under attack load that can degrade performance. An inline appliance is also a single point of failure. Moreover, on-premises hardware can, by its position, act on an attack only after the traffic has already crossed the data center’s upstream links, so a volumetric attack that saturates those links is not something it can stop.

Enter the new era of cloud-based mitigation services that reside outside of your data center and stop malicious traffic before it reaches your company’s infrastructure. You have choices to make here, too. You can go with always-on mitigation, which acts like a shock absorber that protects your network by taking the first big hit of a cyber-attack. Or you can choose an on-demand service that you engage once an attack is suspected: your incoming traffic is redirected through the provider’s scrubbing capacity, where malicious traffic is dropped and legitimate traffic is forwarded on to you.

Yet another option is Website Protection Service providers who utilize CDNs to provide network- and application-layer security for Web sites and applications. As a cloud-based proxy, these networks sit in front of your IT infrastructure and deliver traffic from your end users to your Web sites and applications. The cloud platform examines network traffic for known threats and passes only legitimate traffic to the Web application. Chapter 3 in “Threats and Mitigations: A Guide to Multi-Layered Web Security” discusses the advantages and caveats of using each of these solutions, or blending them in a multi-layer mitigation strategy.

Don’t wait until your business is targeted by a cyber-attack. Download our free eBook, “Threats and Mitigations: A Guide to Multi-Layered Web Security,” which covers everything you need to know about the types of cyber threats, how to secure websites, how to protect applications against data theft, how to choose a web security solution, and how to make your network less vulnerable to attack.

Is Your Web Security in the Dark Ages?

August 25, 2014 8:29 am


The data center perimeter is dead – web assets cannot be protected by a fortress wall – but a historical view of web protection lives on in the way many IT departments continue to defend their infrastructures. Websites and web applications increasingly live outside the data center. Cloud-based applications and websites are at constant risk from web threats that are becoming more damaging and sophisticated by the day.
Akamai advises organizations to avoid becoming the next cyber-attack victim in the headlines by making a critical evaluation of cybersecurity practices – and then take steps to extend multi-layered security controls to the cloud. Of course, before you can even start to build a multi-layered web defense, you must understand your enemy and its weapons.

Generally, attacks fall into two categories: denial of service (DoS), most often in its distributed form (DDoS), where many sources flood the target at once; and attacks against web applications that steal data, such as SQL injection and other command injection attacks.

Akamai predicts that by 2020, the average distributed denial of service (DDoS) attack will generate 1.5 Tbps of network traffic, but even today’s large and sophisticated denial of service attacks can easily overwhelm available IT resources. The more you understand the nuances of different types of DDoS attacks and web threats, the better you can determine how they will affect your network.

A mind-boggling array of DoS and DDoS attacks occur at the network layer. These can be grouped into two broad categories: simple flooding and amplification attacks. Several readily available tools are available to attackers to automate the process of creating both types of attacks, allowing malicious actors with no technical background to quickly and easily threaten their choice of website.

Attacks at the application layer are also common and often very sophisticated. They consist of high bandwidth attacks and low-bandwidth denial of service attacks, Domain Name System (DNS) attacks, and attacks that steal data. Attempts to steal data are most likely to take the form of command injection attacks where a hacker injects commands into a vulnerable application. The attacker can then execute these commands to view data, wipe out data, or take over the machine.

Akamai advises practicing good web-application hygiene by using a secure software development lifecycle that includes secure configuration, updates, patches, and input validation. In addition, a web application firewall (WAF) with anti-DoS capabilities provides a strong line of defense against application-layer attacks such as the SQL injection commonly used to carry out data theft. The eBook goes into greater detail on how to ensure good web-application hygiene and what to look for in a WAF.

With knowledge you can identify and close network vulnerabilities before your company is harmed. And the reality is that it is when, not if, your network will be threatened by cyber-attackers.

To that end, Akamai has released a free eBook, Threats and Mitigations: A Guide to Multi-Layered Web Security that covers important information that you need to know about the types of cyber threats, how to secure your sites, how to protect web applications from data theft, the different types of cybersecurity solutions, and how to make your network less vulnerable to attack.

There is no one solution to cybersecurity. Before you sign on the dotted line, know the key differences between on-premise hardware and cloud-based services; learn about the strengths of Security Operations Centers (SOCs) and Content Delivery Networks (CDNs) and of always-on services versus on-demand services. The eBook includes a guide to asking the right questions when seeking a web security services provider.

The fortress can no longer be defended by traditional methods, but it can be defended. The cyber battlefield keeps changing with powerful attacks that can down the websites and web applications of global brands, but you don’t have to become a victim. Learn how to defend your web and cloud resources – and win. The free Akamai eBook “Threats and Mitigations: A Guide to Multi-Layered Web Security” explains how. Download it today and learn how to build the strongest defense to protect all of your network assets and web applications.