Securing against escalating cyber threats: Q&A with Omer Yoachimik of Cloudflare

In an era marked by exponential technological advancement, the security of digital assets has become a paramount concern. The landscape of cybersecurity is evolving rapidly, with threat actors leveraging innovative tactics to exploit vulnerabilities. Cryptocurrency companies, in particular, have recently witnessed a staggering 600% surge in targeted attacks. To delve into the intricacies of these challenges and shed light on Cloudflare's approach to safeguarding businesses and organisations, we sat down with Omer Yoachimik, Senior Product Manager at Cloudflare. In this insightful interview with Adgully, Omer discusses the driving forces behind the escalation in attack sophistication, the specific vulnerabilities Cloudflare has addressed, the role of DNS-based attacks, and the company's proactive initiatives, including Project Galileo.

Yoachimik also delves into Cloudflare's automated defense systems and their role in mitigating prolonged attacks, offering a glimpse into the future of cybersecurity in an ever-evolving threat landscape. He discusses these aspects against the backdrop of Cloudflare's second DDoS threat report of 2023, which covers DDoS attacks, or distributed denial-of-service attacks: a type of cyber attack that aims to disrupt websites (and other types of Internet properties) and make them unavailable to legitimate users by overwhelming them with more traffic than they can handle — similar to a driver stuck in a traffic jam on the way to the grocery store.

The report highlights a significant increase in attacks targeting cryptocurrency companies, with a 600% surge. What do you think is driving this alarming escalation in attack sophistication, and what measures has Cloudflare taken to protect cryptocurrency businesses from such attacks?

There could be a number of factors driving the increase and not necessarily one specific reason. Our automated DDoS protection systems have been detecting and mitigating these attacks autonomously. We constantly build and deploy new approaches and mitigation techniques to keep our customers safe. This includes solutions such as statistical analysis of traffic patterns, traffic profiling, and ML-based classification engines.

Cloudflare noticed a 532% surge in DDoS attacks exploiting the Mitel vulnerability (CVE-2022-26143). Could you provide more insights into this specific vulnerability and how Cloudflare contributed to disclosing it last year?

Yes, we have written about this previously and you can find more insights into this through the following blog posts:

https://blog.cloudflare.com/cve-2022-26143/

https://blog.cloudflare.com/cve-2022-26143-amplification-attack/

DNS-based DDoS attacks seem to be a prevalent attack vector, accounting for 32% of all DDoS attacks. Can you explain the implications of DNS Laundering attacks, and how Cloudflare's technology addresses these challenges for organizations operating their own authoritative DNS servers?

The implications are very straightforward — an unprotected DNS server will crash and result in a denial of service event.

Cloudflare offers a suite of solutions to help protect against these threats:

DNS Firewall: a virtual DNS service that works as a reverse proxy. It includes caching, DNS-specific configuration options and additional protection functionality against DNS attacks.

Primary or secondary DNS services: Practically, organizations can outsource their DNS to Cloudflare to benefit from Cloudflare’s global scale, global coverage and protection.

Using an L3 solution such as Magic Transit. This service protects entire IP networks and also offers protection against DNS attacks. It also includes an advanced firewall which can be used to tighten security even further.

The report mentions Cloudflare's involvement in protecting non-profit organizations as part of Project Galileo. With an average of 67.7 million cyber attacks targeting non-profits daily, what unique security considerations and strategies are implemented by Cloudflare to safeguard these organizations?

Through Project Galileo, a Cloudflare Impact program, we provide free security services to vulnerable organizations supporting the arts, human rights, journalism, and democracy that are often the targets of DDoS and other cyber attacks. We guide and help organizations to implement best practices to reduce the risk of attacks. Cloudflare services bundle together a wide suite of capabilities, including DDoS mitigation, DNS, Web Application Firewall, and caching, which can all work in tandem to help fend off attacks.

Could you elaborate on the characteristics and impact of the ACK flood DDoS attack, which peaked at 1.4 terabit per second (Tbps) and targeted an American Internet Service Provider? How did Cloudflare's systems automatically detect and mitigate this massive attack?

This attack was detected and mitigated by Cloudflare’s autonomous DDoS protection systems as a Mirai-generated attack. Our systems analyze traffic samples out of path, which allows us to asynchronously detect DDoS attacks without causing latency or impacting performance.

The systems analyze IP packet fields such as the source IP, source port, destination IP, destination port, protocol, TCP flags, sequence number, options, and packet rate. They also analyze HTTP and DNS traffic, but it is less relevant in the context of this attack.

Once an attack is detected, our systems will track that traffic and generate a real-time signature to surgically match against the attack pattern and mitigate the attack without impacting legitimate traffic. The rules are able to generate different signatures based on various properties of the attacks and the signal strength of each attribute.

For example, if the attack is distributed — that is, originating from many source IPs — then the source IP field will not serve as a strong indicator, and the rule will not choose the source IP field as part of the attack signature. Once generated, the fingerprint is propagated as a mitigation rule to the most optimal location on the Cloudflare global network for cost-efficient mitigation. These mitigation rules are ephemeral and will expire shortly after the attack has ended, which happens when no additional traffic has been matched to the rule.
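As an added illustration of the signature logic described in this answer (example code written for this page, not Cloudflare's own system), the following Python scores each packet field by how concentrated its values are in a constructed attack sample, builds a signature only from strongly concentrated fields, and expires the rule once traffic stops matching. The field names, sample values and the 0.9 threshold are assumptions.

```python
from collections import Counter

# Packet metadata fields considered for a signature (assumed subset of those named above).
FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "proto", "tcp_flags", "ttl")

def make_packet(src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, ttl):
    return dict(zip(FIELDS, (src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, ttl)))

# Constructed attack sample (not a real capture): 20 plain ACKs from 20 different
# sources to one destination, with two TTL values mixed in.
ATTACK_SAMPLE = [
    make_packet(f"198.51.100.{i}", 40000 + i, "203.0.113.10", 443, "TCP", "ACK",
                64 if i < 15 else 128)
    for i in range(20)
]

def field_signal(packets, field):
    """Return (dominant value, fraction of packets carrying it) for one field.
    Near 1.0 means a strong indicator; near 1/N means the field is useless
    (e.g. source IP in a distributed attack)."""
    counts = Counter(p[field] for p in packets)
    value, count = counts.most_common(1)[0]
    return value, count / len(packets)

def build_signature(packets, min_signal=0.9):
    """Keep only fields whose dominant value covers at least min_signal of the sample."""
    signature = {}
    for field in FIELDS:
        value, strength = field_signal(packets, field)
        if strength >= min_signal:
            signature[field] = value
    return signature

def matches(signature, packet):
    """A packet matches only if every field in the signature agrees."""
    return all(packet.get(f) == v for f, v in signature.items())

def apply_rule(signature, stream, idle_limit=3):
    """Ephemeral rule: drop matching packets; expire once idle_limit consecutive
    packets fail to match (the attack has ended). Returns (dropped, expired)."""
    dropped = idle = 0
    for pkt in stream:
        if matches(signature, pkt):
            dropped, idle = dropped + 1, 0
        else:
            idle += 1
            if idle >= idle_limit:
                return dropped, True
    return dropped, False
```

A legitimate ACK to the same destination and port would still match this signature, which is why a production system also weighs fields such as packet rate and sequence numbers before settling on a rule.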

Attacks exceeding 3 hours have increased by 103% QoQ. What challenges does Cloudflare face in dealing with prolonged attacks, and how do you ensure effective mitigation while minimizing disruption to legitimate traffic?

The potential challenge in prolonged attacks is an increased CPU utilization in our servers. Mitigating attacks can be computationally expensive. To overcome this challenge and enable our systems to automatically mitigate attacks without impacting performance, we’ve implemented intelligence to mitigate the attack in the “cheapest” method possible.

We built this capability years ago and have recently made significant improvements to make it even smarter. In short, the higher you go in the OSI model, the more expensive it is to mitigate attacks. So our systems automatically decide whether they need to move mitigation to a lower layer.

For example, mitigating an HTTP attack at L7 requires the servers to process all of the relevant IP packets, reassemble them, establish the TCP/SSL handshakes and form the HTTP request — and then do the reverse to serve a block response. This is very “expensive” with large attacks, and so our systems will instead mitigate at L5/6 or L3/4 based on what makes the most sense during the attack.

This capability is fully automated and autonomous, and does not require human intervention.

On top of this capability, we also have L4 inter and intra data center load balancers to ensure that traffic is spread correctly — complementing the use of global Anycast.

The gaming and gambling industry was the most targeted in Asia for the past two quarters but has dropped to second place, with cryptocurrency becoming the most attacked industry. What are the factors contributing to this shift in attack focus, and what steps is Cloudflare taking to stay ahead of emerging threats targeting cryptocurrency companies?

It’s hard to pinpoint the exact reason for the increase. It could be competitors attacking one another or a disgruntled customer.

We’re constantly on the lookout for new emerging threats and have multiple systems we leverage to identify and mitigate new threats. Please see the response to Q1.

With attack traffic originating substantially from Asia (30%) and North America (30%), how does Cloudflare's global network and presence in these regions contribute to effectively handling and mitigating cyber attacks?

We leverage Anycast wherever possible. This helps us ingest the attack traffic closest to the source. Every server in every one of our data centers can detect and mitigate attacks autonomously — making our network smarter and more resilient.

There are also automated traffic engineering methods that kick in when required to keep our services performant.

In places where Anycast is not available or is limited due to local regulations, we’ve implemented specialized solutions to counter those challenges.

In the context of the increase in HTTP DDoS attacks by 15% QoQ and the decrease in network-layer DDoS attacks by approximately 14%, what trends and patterns do you observe in the evolving landscape of DDoS attacks?

With the introduction of new technologies such as Generative AI and existing technologies such as HTTP/2 and cloud computing infrastructure, it has never been so easy to launch volumetric and sophisticated attacks.

How do you envision the future of cybersecurity and the role that Cloudflare will play in securing the Internet and digital assets against an ever-evolving threat landscape?

No one has a crystal ball into what the future of cybersecurity will look like. All we know is that the world we live in is increasingly relying on the internet to underpin our economies, maintain business continuity across industries, and connect our communities among many other critical functions. With Cloudflare’s founding mission to help build a better Internet, we will play a crucial role in securing digital assets as the threat landscape continues to expand and evolve.
