Tip of the Week: Understanding Mobile Devices and DDoS

I’ve seen a number of articles this month about how Distributed Denial of Service (DDoS) attacks evolve through the use of mobile devices. I think the articles blur the lines on several issues, so I wanted to clarify each scenario. There are several security issues at play, and it’s important to distinguish the difference between a DDoS attack itself and the tools used to initiate and execute one from a mobile device.

The standard DDoS attack is an attempt to overwhelm the available network connections available in order to prevent legitimate traffic from getting through. This is typically done by coordinating a botnet to initiate a flood of traffic aimed at a specific victim. The challenge that organizations face is how to identify and filter the bad traffic from the good traffic.

In some ways, the mobile element is not particularly unique, because at the end of the day, it’s still traffic that originates from a computer that you do not control. The primary difference is that mobile traffic is not easily blocked by source IP or domain (since it originates from a constantly moving device from a service provider or public WiFi hot spot), so the filtering technology has to be more precise. In any case, whether organizations chooses to use protection technologies upstream (in the cloud or at their ISP) or whether they employ DDoS mitigation technologies in the next-generation security platform, the fundamental issue is not about the mobile device, per se, but rather the technology used to scrub traffic.

The articles bring up a second and far more interesting issue, and that’s related to the mobile applications that perform a DDoS attack. Several of the tools mentioned cross several broad categories, so let’s clarify these issues a bit further.

The tools for opt-in DDoS, such as a client for Low Orbit Ion Cannon (LOIC) for mobile devices, are big challenges. They allow users to participate in a DDoS — it’s essentially a way to opt-in to a botnet. The security issue here is not the DDoS attack itself (unless your company happens to be the intended target), but rather a mobile device policy issue. In other words, these applications can place the device under the control of a third party and make your organization a participant in an attack against another victim.

Botnet participants do not always join willingly. The other way to build a large community of participants is to use malware to turn the victim into a zombie. The malware does not necessarily attempt to steal data or otherwise harm the host, but rather lies in wait until called upon to participate in a DDoS attack.

In all cases, the common denominator for mitigating these issues is to identify devices that have unapproved tools and block their participation in the larger attack. Palo Alto Networks has a unique set of technologies to disrupt the use of unapproved applications, botnets and malware, summarized as follows:

  • You can use GlobalProtect Mobile Security Manager, which we released this month as part of our PAN-OS 6.0 update, to blacklist unapproved hacking tools and opt-in DDoS clients for mobile devices. Assigning policy based on the state of the device, such as the presence of blacklisted apps, places restrictions on what the device can do until the issues have been remediated.
  • Detect botnet acttivity to keep users from participating in a DDoS (whether it’s willingly or unwillingly).  Botnet Report gives the organization a proactive tool to spot users that may have devices that may be taking direction from an outside party.
  • Use network policies for application control to block unwanted applications and intercept their ability to contact command & control servers.
  • Employ threat prevention to stop exploits and mobile malware. Break the malware lifecycle by identifying both known and unknown forms of malware, and  disrupting its ability to communicate.

Hopefully these tips help you get started with a plan for dealing with unwanted applications on mobile devices participating. Breaking complex attacks (including ones that your users willingly participate in) can require a new approach for security, one that is based on blending the protections for controlling applications, traffic and mobile devices. This is why the next-generation security platform and Palo Alto Networks mobile security solutions are ideal for dealing with the applications and threats that you don’t want on your network.

Mobile and End-User Security is a marquee session track at Ignite 2014. Join us in Las Vegas March 31-April 2 and get all your questions answered.