Re-thinking DDoS defences for encryption technology TLS1.3

Mar 7th, 2019

The arrival of TLS1.3, the latest advance in encryption technology, is going to require a re-think of certain mechanisms for detecting and mitigating some forms of distributed denial of service (DDoS) attacks. This is according to Darren Anstee, Chief Technology Officer, NETSCOUT Arbor, who says that certain advances in encryption technology, including the latest version of the Transport Layer Security (TLS1.3), can make identifying and blocking some threats more difficult[1].

He clarifies that while encryption is an extremely valuable tool in any security arsenal – enabling users to ensure privacy when online or making mobile calls, and facilitating the secure storage and exchange of data, including personal information – it is not a solution to every security problem, and the same technology can be turned to ill effect, as in ransomware.

Anstee says, “Many network-based threat and fraud detection solutions have historically relied upon transparent, passive decryption of encrypted sessions via access to the server private key(s). With the introduction of TLS 1.3 this is not as simple.”

Bryan Hamman, territory manager for sub-Saharan Africa at NETSCOUT Arbor, explains, “One of the key aims of encryption is to prevent so-called ‘Man In The Middle’ (MITM) attacks, ensuring that an intermediate device that attempts to decrypt the flow cannot intercept data between the client and server. TLS is the encryption mechanism used within enterprise networks and over the public internet, and is a critical internet security protocol. TLS is used to secure data as it is transmitted between web browsers and servers. IP-based protocols like HTTPS, SMTP, POP3 and FTP all support TLS for encryption.

“TLS 1.2 became the web’s standard in 2008. Since then, hackers have discovered several vulnerabilities that have resulted in some high-profile cyberattacks over the last few years. TLS1.3 should assist in this regard – it replaces TLS1.2, and became an official standard in August 2013.”

Describing it as “a major revision designed for the modern Internet,” the Internet Engineering Task Force (IETF) noted that the TLS1.3 update contains “major improvements in the areas of security, performance, and privacy” and will make it harder for eavesdroppers to decrypt intercepted traffic. One of the major drivers in the design of the new protocol was the mass surveillance of internet communications by the US National Security Agency (NSA), as revealed in 2013 by Edward Snowden[2].

Work on TLS1.3 began in April 2014 and was on its 28th draft before it was finally approved in March 2018. Since then, up until 10 August 2018, engineers have been checking it to make sure that nothing in TLS1.3 will cause any major problems. They are now confident that there are no security holes in the algorithms used in TLS1.3, while the same cannot be said for 1.2[3].

“TLS 1.3 dictates that Perfect Forward Secrecy (PFS) must be used – enhancing the confidentiality of our communications – but it makes us re-think our mechanisms for dealing with another set of problems, including mechanisms for detecting and mitigating some forms of DDoS attack,” continues Anstee.
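The point Anstee makes in the two quotes above (passive decryption with the server's private key works for an RSA key exchange but not once ephemeral key exchange is mandatory) can be shown with a toy model. This is an added illustration, not code from the article or from NETSCOUT; the RSA and Diffie-Hellman parameters are constructed toy values, far too small to be secure, and the TLS key schedule is replaced by a single hash.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example only; NOT secure sizes.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753       # server's long-term RSA key (p=61, q=53)
DH_P, DH_G = 2**127 - 1, 3                 # toy Diffie-Hellman group


def session_key(secret: int) -> bytes:
    # Stand-in for the TLS key schedule: both ends derive the traffic key from the secret.
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def handshake_rsa_kex():
    """TLS 1.2-style RSA key exchange: the client encrypts a premaster secret to the
    server's long-term public key. Returns what a passive tap sees and the session key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    wire_premaster = pow(premaster, RSA_E, RSA_N)        # ClientKeyExchange on the wire
    server_secret = pow(wire_premaster, RSA_D, RSA_N)    # server recovers it with d
    assert server_secret == premaster
    return {"kind": "rsa", "wire": wire_premaster}, session_key(premaster)


def handshake_dhe():
    """TLS 1.3-style (EC)DHE: fresh ephemeral shares for every session; the server's
    long-term key only signs its share (the signature itself is omitted here)."""
    a = secrets.randbelow(DH_P - 2) + 1                  # client's ephemeral exponent
    b = secrets.randbelow(DH_P - 2) + 1                  # server's ephemeral exponent
    share_c, share_s = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)   # the only values on the wire
    shared = pow(share_s, a, DH_P)
    assert shared == pow(share_c, b, DH_P)
    return {"kind": "dhe", "wire": (share_c, share_s)}, session_key(shared)


def passive_decrypt(capture, rsa_private_d=RSA_D):
    """A passive monitor holding the server's private key, as in the out-of-band
    decryption the article describes. Returns the session key it can reconstruct,
    or None when the key material never crossed the wire."""
    if capture["kind"] == "rsa":
        return session_key(pow(capture["wire"], rsa_private_d, RSA_N))
    # With DHE the private key only signs; recovering the shared secret from the two
    # public shares is the discrete-logarithm problem, so the monitor has nothing to use.
    return None
```

The same limitation already applied to TLS 1.2 sessions negotiated with DHE/ECDHE cipher suites; TLS 1.3 removes the RSA key exchange entirely, so there is no longer a configuration in which the monitor's first branch applies.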

“The latest NETSCOUT Arbor Worldwide Infrastructure Security Report (WISR) confirms attacks targeting encrypted web services have become increasingly common in recent years. Specifically, in 2017, 53 percent of enterprise, government and education (EGE) organisations detected attacks on encrypted services at the application layer. Application layer attacks use traffic that is very difficult to distinguish from genuine user traffic, often requiring analysis of the actual application layer transaction to identify the patterns of activity involved in an attack. Our approach to this process must change as TLS 1.3 is adopted[4].”

“The prevalence of application layer DDoS attacks showcases the need for appropriate solutions being in place. The arrival of TLS1.3 has been welcomed around the digital world, but this DDoS example reminds us that progress in one area often has a knock-on effect in others. TLS1.3 is going to bring welcome change to IT security professionals, and with it the consequent need for organisations to have all of their IT, networks and security professionals working together. Different solutions exist to tackle the intricacies of TLS1.3, and will need to be implemented according to an organisation’s needs, its customers’ needs and the local regulatory requirements. NETSCOUT Arbor is well-equipped to implement the most appropriate solution for any business as this exciting new phase of internet security unfolds,” concludes Hamman.

For more information about NETSCOUT Arbor in Africa, please contact Bryan Hamman at [email protected].