TLS Flood Attacks — When Encryption Becomes a Liability

Welcome back! In my previous blog (Keeping Up with TLS Technology Trends: Insights and Analysis), we explored the latest trends in TLS technology and how it's evolving to keep up with changing security threats. Today, we're going to delve deeper into one of those threats — TLS flood attacks. TLS (transport layer security) flood attacks can overwhelm most DDoS protection solutions. So, if you’re using the wrong solution, it means your web applications are at risk! Let’s first take a look at what TLS flood attacks are and how they work. Then, I’ll share practical tips and insights on how you can protect your web applications against this growing threat.

The Hidden Risks of TLS Traffic — What You Need to Know

TLS can provide strong protection against many types of cyberattacks, but they are not immune to DoS (denial of service) attacks. DoS attacks, which are a type of DDoS attack, are encrypted flood attacks designed to overload a web application by sending a high volume of encrypted traffic. This type of attack looks legitimate; most are able to create legit TLS connections, even correctly responding to Layer 4 and Layer 7 challenges that are sent to confirm a user’s identity.

DDoS attacks on websites have been on the rise in recent years, with the trend increasing in the past year. Attackers are launching more frequent and sustained attacks against targeted websites; they may generate CPS (connections-per-second) or RPS (requests-per-second) floods to overwhelm a website and take it offline.

Don’t Let Smaller Sized Attacks Fool You Into Thinking the Threats Are Diminishing

According to Radware’s 2022-2023 Global Threat Analysis Report, the frequency of attacks is increasing while the size of attacks is decreasing. This drop in size sounds good, but it’s not. Attackers are simply using smaller-scale attacks and combining them with other attack vectors to maximize their impact. Don’t be fooled into a false sense of security because the number of DDoS attacks in 2022 only slightly increased. Remember, they exhibit greater strength, frequency and complexity, and encompass a wider range of attack vectors.

The following represents the number of blocked malicious web application transactions in the second half of 2022. That number grew by 201% when compared to the second half of 2021. Note that the number of malicious transactions in the fourth quarter of 2022 was higher than the total number of malicious transactions in all of 2021.

Here are some additional, potential risks that may hide behind decrypted TLS traffic:

• Malware: Hackers may use TLS encryption to hide malware traffic, making it more difficult for security measures to detect and block it.
• Data Theft:  Hackers may use TLS to steal data that is transmitted over the internet. This can include sensitive information, such as login credentials, financial information and personal data.
• Man-in-the-Middle (MitM) attacks: TLS is designed to prevent MitM attacks, but it is not foolproof. If an attacker can intercept the TLS traffic, they may be able to decrypt and read the data, allowing them to steal sensitive information or manipulate communication.

Challenges When Detecting and Mitigating Encrypted Flood Attacks

Detecting and mitigating encrypted flood attacks can be challenging for several reasons. Some of the major challenges are:

1. Difficulty in Identifying Malicious Traffic (false positives/false negatives) As mentioned earlier, TLS encryption can make it difficult to identify and block malicious traffic. Encrypted flood attacks can generate a large number of false positives, which can lead to unnecessary security alerts and impact the performance of security solutions. Detecting these attacks accurately requires advanced threat detection solutions that can distinguish between legitimate traffic and malicious traffic.
2. Resource Consumption
   Decryption traffic requires a significant amount of processing power and memory, including other resources. If a DDoS attack floods a server with decryption traffic, it can quickly overwhelm the server's resources and render it unable to handle legitimate traffic.
3. Traffic Volume
   A DDoS flood attack can generate an enormous amount of traffic, far more than a server can handle. If this traffic is also carrying out decryption operations, it can increase the latency and the load on the server even further, making it more difficult to mitigate the attack.
4. Cost Detecting and mitigating encrypted flood attacks can be expensive, especially in cloud environments where customers pay for processing. Organizations need to invest in advanced security solutions and infrastructure to protect against these attacks, which can be costly.

Prepare Your DDoS Appliance for Encrypted Floods

Today, most of the DDoS solutions in the market require full decryption 24/7/365 to detect and mitigate encrypted flood attacks. This is problematic for two reasons:

• Customers are not willing to share the certificate — or don’t have access to the certificate — so detection and mitigation based on decryption are not feasible.
• Decrypting traffic 24/7/365 to detect attacks is not recommended due to performance impact, latency (user experience), privacy concerns, technical challenges and cost.

Below are several Radware recommendations for how to efficiently secure your environment from encrypted flood attacks:

1. A Zero decryption solution is a behavioral mechanism based on machine learning (ML) that can detect and mitigate encrypted floods without decryption. It is a critical capability, especially for encrypted CPS and RPS floods.
2. A partial decryption solution is designed for optimizing the user experience by minimizing latency. Thanks to this innovative technology, it’s possible to decrypt traffic after the attack is detected and only on suspicious sessions. There isn’t any impact to the legitimate traffic. After detection, the most efficient way to proceed is to decrypt only the “first HTTPS request” and authenticate the source(s). As a last resort, you can only decrypt the suspicious sessions and mitigate the attack with traditional protections.
3. A scalable solution should be used when traffic decryption taxes CPU consumption to the maximum. In this case, it’s important that the solution have TLS accelerator hardware that supports TLS v1.3 to support the CPU by offloading the decryption processing.
4. TLS v1.3 support - if you choose this solution, you already understand the importance of TLS v1.3. Just make sure your environment supports the protocol and can decrypt TLS v1.3 traffic, if necessary.

Remember, You Need a Multi-Layered Defense Strategy

Overall, it's important to have a multi-layered defense strategy in place. This must include using specialized DDoS protections that can detect suspicious patterns with zero decryption, mitigate encrypted flood attacks automatically and keep your websites and applications available to users. A great first step to ensure your organization is prepared for DDoS attacks is by learning about Radware’s DDoS Protection Solutions HERE. For additional information, please reach out to Radware’s cybersecurity professionals. They would love to hear from you.

To learn why Radware was named a leader in DDoS mitigation by SPARK Matrix, you can read the complete analyst report HERE.