Late autumn and early winter in the Northern Hemisphere are closely associated with various holiday celebrations and relatively cold weather (with or without snowfall). At the same time, this stretch from roughly late October to early January is usually a hotbed of activity for cyber criminals. Attackers eagerly take advantage of the predictable rush of consumers to online retail sites and gaming networks, as well as the reliance of enterprises on network uptime to have a good holiday quarter.
DDoS during the holidays
One attack type that is particularly common around days like Christmas and Christmas Eve is the distributed denial-of-service attack. DDoS can be understood as the cyber crime equivalent of the frantic rush to claim Black Friday "doorbuster" deals at big box retailers early in the morning on the day after Thanksgiving in the U.S.:
- In the case of doorbusters, a bunch of people head toward a single set of doors simultaneously, slowing entry to a crawl and preventing many would-be shoppers from getting where they need to go in time.
- Similarly, DDoS involves lots of traffic being directed at network infrastructures and/or applications, to such a degree that their capacities are overwhelmed and their services eventually become unreachable.
Like malware and botnets, DDoS attacks have come a long way since their inception. Classic techniques such as DNS reflection have been joined by newer vectors such as amplification attacks that abuse legacy features of the Network Time Protocol; the latter approach really came into its own during the winter of 2013-2014.
"There isn't a surefire formula to stop every DDoS attack," explained a November 2015 Trend Micro document about a DDoS attack against the end-to-end encrypted email service ProtonMail. "Just like any other attack, cybercriminals have varied their attack vectors depending on their motives. Sometimes, a malicious actor can deploy a DDoS attack to create a diversion while going for more valuable data. Any company that has an online presence should be wary of these attacks, especially since being a target also means putting its users at risk."
The types and intensities of these attacks indeed vary widely, but overall the trend has been one of more frequent (if less intense, in terms of peak volume) incidents, especially ones targeted at software and gaming companies. Let's look at these two verticals in more detail.
Why software and gaming companies are so frequently targeted by holiday DDoS
You could say that in late 2015, DDoS reached an all-time high in popularity. According to the "Q3 2015 State of the Internet – Security Report" from Akamai, DDoS attacks increased by 180 percent compared to the same quarter in 2014. However, the duration of the average attack, at nearly 19 hours, was actually down from 22 hours last year, as was peak attack volume.
Between them, the software and gaming industries accounted for more than 75 percent of all the DDoS attacks documented in the Akamai report. Game companies saw their share of the total surge from 35 to 50 percent in just one year.
Both software and online gaming have unique vulnerabilities that DDoS is well-equipped to exploit:
Single points of failure
Many cloud-delivered applications and online games are managed from central platforms, which if taken down would cause most services to go dark for their respective users. In some cases, a DDoS attempt can wreak havoc even if it doesn't succeed in taking the targeted servers completely offline. Just a bit of pressure resulting in slower or more inconsistent performance can ruin the day for a game player, for instance.
Scale and notoriety
On Christmas Day 2014, Sony and Microsoft collectively sold 11 million consoles. In the run-up to Christmas 2013, Amazon was selling 426 items per second. These numbers provide some context for understanding the scope of disruption that DDoS attackers can create by going after something such as the PlayStation Network, Xbox Live or an Internet hosting provider, especially during the winter holidays. A wave of social media notoriety is almost sure to follow, too.
Many routes of attack
Attackers have many DDoS vectors to choose from, from UDP floods to NTP amplification. With gaming in particular, there are also many custom protocols to take advantage of. These protocols are soft spots in cyber security because, unlike HTTP, they are not as well understood in terms of what "good" and "bad" traffic look like, which makes malicious traffic harder to tell apart from legitimate players.
Optimizing defenses for DDoS attacks
Defending against DDoS can feel like a game of Whack-a-Mole, due to the number of possible attack vectors. However, there are plenty of free and paid solutions that can be used together to protect infrastructures and applications from these attacks. For example, Trend Micro threat researcher Ben April outlined how to implement BCP-38 ingress filtering (dropping packets whose source address does not belong to the network they arrive from) by changing the configurations of edge routing devices. Because reflection attacks depend on spoofed source addresses, this approach is particularly helpful against the aforementioned NTP attacks.
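The BCP-38 ingress filtering described here, together with the NTP amplification vector mentioned under the routes of attack, as an added defensive example that is not code from the article or from Trend Micro: a small Python check that drops customer-side packets whose source address falls outside the customer's assigned prefixes, and flags hosts receiving far more UDP/123 reply bytes than they ever requested. The prefixes, addresses and flow records are constructed samples, not real traffic.

```python
import ipaddress
from collections import defaultdict

# Prefixes legitimately assigned to the customer side of one edge interface (constructed values).
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/25")]

# Constructed packet records seen entering the edge router from the customer side.
EDGE_INGRESS = [
    {"src": "203.0.113.10", "dst": "192.0.2.5", "proto": "udp", "sport": 40000, "dport": 123, "bytes": 90},
    {"src": "198.51.100.20", "dst": "192.0.2.9", "proto": "tcp", "sport": 51000, "dport": 443, "bytes": 600},
    # Source address belongs to someone else entirely: a spoofed NTP query aimed at a reflector.
    {"src": "192.0.2.77", "dst": "192.0.2.5", "proto": "udp", "sport": 40000, "dport": 123, "bytes": 234},
    # 198.51.100.200 lies outside the assigned /25, so it is not a valid customer source either.
    {"src": "198.51.100.200", "dst": "192.0.2.5", "proto": "udp", "sport": 40000, "dport": 123, "bytes": 234},
]

def bcp38_permits(src_ip, prefixes=CUSTOMER_PREFIXES):
    """BCP-38 ingress filtering: a packet arriving from the customer side may only carry a
    source address inside that customer's assigned prefixes; anything else is spoofed."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)

def filter_ingress(records, prefixes=CUSTOMER_PREFIXES):
    """Split records into those the edge forwards and those the anti-spoofing filter drops."""
    permitted, dropped = [], []
    for rec in records:
        (permitted if bcp38_permits(rec["src"], prefixes) else dropped).append(rec)
    return permitted, dropped

# Constructed flow summaries from a collector inside the network.
FLOWS = [
    {"src": "203.0.113.10", "dst": "192.0.2.5", "proto": "udp", "sport": 40000, "dport": 123, "bytes": 90},
    {"src": "192.0.2.5", "dst": "203.0.113.10", "proto": "udp", "sport": 123, "dport": 40000, "bytes": 90},
    # Reflectors answering a host that never queried them: the victim of an amplification attack.
    {"src": "192.0.2.5", "dst": "203.0.113.50", "proto": "udp", "sport": 123, "dport": 80, "bytes": 48000},
    {"src": "192.0.2.6", "dst": "203.0.113.50", "proto": "udp", "sport": 123, "dport": 80, "bytes": 51200},
]

def ntp_amplification_victims(flows, ratio=10, min_bytes=10000):
    """Flag destinations receiving far more UDP/123 reply bytes than they sent in queries,
    the pattern of reflected NTP traffic converging on a victim."""
    asked, got = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == 123:
            asked[f["src"]] += f["bytes"]
        elif f["sport"] == 123:
            got[f["dst"]] += f["bytes"]
    return sorted(ip for ip, b in got.items()
                  if b >= min_bytes and b > ratio * max(asked.get(ip, 0), 1))
```

The thresholds are assumptions to tune per network; a legitimate NTP client exchanges roughly equal request and reply bytes, so a large one-sided ratio is what separates reflection from normal time synchronization.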
Beyond that, there are dedicated tools that can be put to work in fending off DDoS. A 2012 white paper from Solutionary provided step-by-step details for minimizing the risk of a devastating DDoS attack, including measures such as information gathering about your infrastructure components and taking a more proactive approach to what limits are placed on network traffic and protocols.
"Limit traffic by implementing access control lists on border routers," stated the white paper authors. "This provides an additional layer of protection to the infrastructure and reduces the traffic handled by firewalls. Limit Internet-facing services and protocols. Ensure all services and protocols exposed to the Internet are absolutely necessary and block all others."
Other techniques recommended in the document included partnering up with a managed services provider, exploring ISP options for DDoS mitigation and drawing up an action plan based upon a thorough enterprise risk assessment. Like many other cyber security issues, DDoS requires a mix of strategic measures and technical solutions in order to be adequately contained.
Even if you are not a software vendor or online gaming provider, DDoS is a risk worth preparing for, especially in light of the growth in incidents documented by Akamai. Find out more about how you can protect yourself by visiting the Trend Micro Deep Security page.