Distributed denial-of-service attacks have long been used to disrupt Internet properties for financial, political or reputational motives. Beginning in the 1990s, DDoS was initially an innovative way to knock participants out of chat rooms and otherwise exacerbate issues with slow Internet service.
Since that time, DDoS has become professionalized and much broader in scope. Perpetrators now have access to more affordable and powerful network resources, and they have used them to conduct cyberattacks even against major targets such as the South Korean government and banks in the U.S.
Accordingly, stakeholders can no longer discount the risk that DDoS poses to their infrastructures. A 2014 BT survey of 640 IT decision makers in 11 countries found that more than 40 percent of their organizations had been hit by a DDoS attack in the past year. Not only are attackers casting an increasingly wide net, but they are also reshaping their tactics, going after obscure protocols to thwart cybersecurity.
Why has DDoS suddenly become so widespread?
The DDoS name, while elaborate, simply refers to using a large number of compromised PCs and/or Web servers that act in concert to send tons of meaningless traffic in the direction of the target. In many instances, the victimized infrastructure buckles under the increased load and is unable to process legitimate requests, rendering it unresponsive to end users.
There has always been strong incentive to carry out DDoS, since a successful attempt can embarrass the target or serve as a distraction during a concurrent data breach. Now, using cutting-edge methodologies and on-demand resources, cybercriminals have remade DDoS into a top threat category, encompassing everything from low-budget but effective attacks to sophisticated, multi-pronged campaigns:
- The BT study discovered that 59 percent of respondents felt DDoS was becoming better at subverting network security measures. This concern may be related to an uptick in hybrid DDoS, which goes after multiple attack surfaces simultaneously to confuse and frustrate security teams. BT noted a 41 percent year-over-year increase in this type of DDoS.
- Firms such as Gwapo have made it almost trivial for cybercriminals and amateurs to get what they need to orchestrate DDoS. These outfits may charge a few dollars an hour to take down small sites and slightly more for bigger ones. On top of that, they may take payment in Bitcoin to anonymize their transactions.
- Similarly, there are many freely available DDoS tools, including the popular Low Orbit Ion Cannon app, that have intuitive graphical user interfaces and as such are usable even by novices. After an IP address or URL is entered, LOIC or one of its many imitators does the rest, spamming the designated site with TCP, HTTP and/or UDP requests.
- Moreover, cybercriminals are moving beyond use of self-supplied PCs and machines that were compromised by malware. Instead, they’re turning to Web servers, which typically can send 100 times as much data per second as a PC.
- Sometimes, even a single server is enough. CloudFlare CEO Matthew Prince lamented that a record-breaking attack on his company was “too easy” since it had been conducted using minimal resources devoted to exploiting the obscure legacy Network Time Protocol.
Despite the rising sophistication and feasibility of DDoS, many enterprises are unprepared. Less than half of BT’s respondents in the U.K. reported having a response plan in place. The consequences of being unprepared are clear, with the average organization requiring 12 hours to recover from a significant DDoS attack and 58 percent of U.K. firms admitting at least 6 hours of related system downtime.
“DDoS attacks have evolved significantly in the last few years and are now a legitimate business concern,” stated BT Security president Mark Hughes. “They can have a damaging effect on revenues and send an organization into full crisis mode. Reputations, revenue and customer confidence are on the line following a DDoS attack, not to mention the upfront time and cost that it takes an organization to recover following an attack.”
What can enterprises do as DDoS escalates in scale and sophistication?
Back in 2011, following attacks on MasterCard and PayPal attributed to the Anonymous hacktivist collective, Trend Micro’s Rik Ferguson predicted DDoS escalation due to the widespread availability of tools like LOIC. He also noted the asymmetrical relationship between attackers and their targets, in which the latter have only finite resources to fend off the widely distributed and on-demand capabilities of the former group.
For that reason, Ferguson argued that DDoS was especially difficult to mitigate. Attacks are easy to stage, plus it’s possible that some users may eventually become active, rather than passive, participants by agreeing to lend their PCs to the pool of DDoS resources as part of an online protest. In addition to MasterCard and PayPal, many prominent public and private sector entities have been targeted by advanced DDoS:
- This June, Hong Kong suffrage movement Occupy Central was hit by a DDoS wave exceeding 300 Gbps, making it one of the largest DDoS incidents in history.
- Popular notes service Evernote was unavailable for a short time this year following a DDoS attack. Its 100 million users were unable to log in during the outage.
- Code Spaces went out of business after DDoS perpetrators gained access to the company’s cloud instances and deleted much of its data.
To avoid similar fates, businesses have many options, including seeking the expertise of a cybersecurity firm before, during and after a DDoS attack. On a technical level, they could also follow the lead of gambling and gaming sites by becoming their own ISPs, although this approach - like most changes to network infrastructure made to blunt DDoS - is expensive. Security appliances that monitor network activity can be both economical and helpful in thwarting DDoS, but over the long term stakeholders must work together to address the growing DDoS issue.
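As a concrete illustration of the kind of monitoring such appliances perform, the following is an added example written for this article, not code from BT, CloudFlare or any vendor named above. It assumes NetFlow-style records (source, destination, protocol, ports, packet and byte counts, timestamp) and applies two defender-side heuristics over constructed sample data: a volumetric check that flags a destination contacted by an unusually large number of distinct sources inside one time window, and a reflection check that flags a host receiving oversized UDP responses from many servers' NTP port (a plain NTP reply is a single 48-byte packet, so hundreds of bytes per packet from dozens of different servers toward one host is the amplification signature the Prince quote alludes to). The thresholds are illustrative assumptions; a real deployment would baseline them per network.

```python
"""Rate-based DDoS indicators over constructed flow records (example code, not the
article's or any vendor's). Record shape and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds (constructed timestamps)
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int
    pkts: int
    octets: int


def find_flooded_targets(flows, window=10, min_sources=40):
    """Return {(dst, window_start): distinct_source_count} for every destination
    contacted by at least min_sources distinct sources within one window.
    A sudden jump in distinct sources per window is the classic volumetric signal."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.dst, f.ts - f.ts % window)].add(f.src)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_sources}


def find_udp_reflection(flows, service_port=123, min_bytes_per_pkt=200, min_reflectors=20):
    """Return {dst: reflector_count} for hosts receiving large UDP responses from
    many distinct servers' service port. Legitimate NTP replies are 48 bytes, so
    responses averaging hundreds of bytes per packet from many servers toward one
    host indicate that host is the victim of a reflection/amplification attack."""
    reflectors = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.sport == service_port and f.pkts > 0 \
                and f.octets / f.pkts >= min_bytes_per_pkt:
            reflectors[f.dst].add(f.src)
    return {dst: len(s) for dst, s in reflectors.items() if len(s) >= min_reflectors}


def sample_flows():
    """Constructed records: normal web and NTP traffic, a TCP flood, an NTP reflection wave."""
    flows = []
    # Background: five clients fetching pages over two windows (should not alert).
    for t in range(0, 20, 4):
        for i in range(5):
            flows.append(Flow(t, f"198.51.100.{i}", "203.0.113.10", "tcp", 40000 + i, 80, 12, 9000))
    # Flood: sixty distinct sources hitting the web server inside the window starting at t=30.
    for i in range(60):
        flows.append(Flow(30 + i % 10, f"192.0.2.{i}", "203.0.113.10", "tcp", 1024 + i, 80, 200, 8000))
    # Reflection: twenty-five NTP servers sending 440-byte/packet responses to one victim.
    for i in range(25):
        flows.append(Flow(45, f"10.0.{i}.1", "203.0.113.20", "udp", 123, 50000 + i, 100, 44000))
    # A single legitimate 48-byte NTP reply (should not alert).
    flows.append(Flow(46, "10.9.9.9", "203.0.113.30", "udp", 123, 52000, 1, 48))
    return flows


def summarize(flows):
    """Run both detectors and return their findings for reporting."""
    return {"flooded": find_flooded_targets(flows), "reflected": find_udp_reflection(flows)}


if __name__ == "__main__":
    for kind, hits in summarize(sample_flows()).items():
        for key, count in hits.items():
            print(f"{kind}: {key} -> {count}")
```

Both checks are stateless per window, so they can be run over a rolling export from a router or flow collector; the distinct-source count matters more than raw packet volume because a legitimate traffic spike usually comes from a stable set of clients, whereas a botnet or reflector pool shows up as many new sources at once.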
“The responsibility for preventing these types of attacks, and stopping them at source relies on greater future collaboration of law enforcement, technology companies and individuals to take down the networks of computers, known as ‘botnets’ that are used to launch these DDoS attacks,” stated Adrian Davis of (ISC)2, according to Forbes.
In the second half of this series, we’ll look at some of the specific DDoS techniques, such as NTP exploitation, that must be addressed going forward.
Read Part 2: DDoS Attacks Affecting Enterprises