Denial-of-service attacks are frequently deployed, yet often organizations fail to prepare themselves against the threat. Ted Kritsonis talks to industry experts about using analytics to prevent and respond to DDoS attacks
Cyberattacks don’t always grab headlines in the mainstream press, but when they do, it is often because a distributed denial-of-service (DDoS) attack has crippled an enterprise or government website, forcing the IT department to scramble to contain the attack and restore service.
The threat is debilitating for a simple reason: a DDoS attack, a DNS flood being one common form, exhausts whatever resource the target depends on, be it bandwidth, connection state or application capacity, using any number of compromised computers, so that legitimate users and customers can no longer get through. Beyond the lost revenue and the reputational damage, the perpetrators do not always share a single motive. It may be financial, it may be a competitor aiming to damage a rival, or it may be a politically motivated act known as ‘hacktivism.’
“Regardless of gains, DDoS attacks are getting cheaper and cheaper to launch. It’s simple to find many free tools online capable of bringing down a small to moderate site, and botnets can be rented for as little as $100 an hour”, says Sean Power, security operations manager at DOSarrest, a firm specializing in preventing and managing these attacks. “Only the really big impressive attacks make the headlines, and some people may think they are immune for this reason, but that is not the case.”
There are countless specific attack vectors, but they usually fall into one of three categories. Volumetric attacks use botnets to saturate the links between the target and the internet. TCP state-exhaustion attacks target stateful infrastructure, such as load balancers, firewalls and the application servers themselves, by filling their connection tables. The third category, application-layer attacks, is arguably the most dangerous and the most common, because such attacks quietly target one function of an application or service and can be launched from as little as one machine at a low traffic rate, which makes them hard to tell apart from legitimate users.
Even when IT specialists put mitigation in place, Power believes attackers respond shrewdly by shifting to other weaknesses. One example is the headless-browser attack, in which infected computers take part in a DDoS attack by running a browser engine in the background, unbeknownst to the user of the infected machine. Because a headless browser is a real browser engine without a visible window, it executes JavaScript, accepts cookies and follows redirects, so it passes the challenge checks that mitigation devices use to separate genuine browsers from scripted floods, and its requests are accepted as legitimate traffic.
The impact can be devastating if not countered promptly and efficiently. At the time of writing, the largest reported DDoS attack was launched in March 2013 against Spamhaus, an international non-profit that battles spam. It used DNS amplification through open resolvers and peaked at 300Gbps, roughly three times the previous largest reported attack, making headlines around the world for its scope.
Attackers also benefit from quieter techniques that lie low and unfold over time. DNS hijacking has been cited as a form of industrial espionage or blackmail: once a company’s DNS server is compromised, its mail-exchange records can be altered to route email through unauthorized mail servers, potentially exposing sensitive internal information and communications.
Rakesh Shah, director of product marketing and strategy at Arbor Networks, has dealt with threats of varying sizes, and has witnessed clients feel the pain of an attack.
“We know of one company that suffered 90 minutes of downtime because they were unprepared when in the heat of an attack scenario”, says Shah. “They couldn’t connect with key people internally or at their cloud mitigation provider, so that 90 minutes of confusion cost the firm over $1 million in revenue and angered their customer base greatly.”
Shah wouldn’t name the affected firm, but did say there were two levels of preparation its IT department should have pursued. The first was deploying a multi-layered DDoS defense that combines on-premises and cloud-based protection. The second, which he feels is often overlooked, is a standard incident response plan in which staff know the processes to follow and the people to call, so that the downtime associated with an attack is kept to a minimum.
Power agrees, suggesting that IT managers must prepare a ‘playbook’ to follow in case a DDoS attack occurs. This blueprint should include a capable DDoS response team that knows what the normal range of legitimate traffic looks like, documents the network’s topology, has robust remote access that keeps working when the main links are saturated, and can execute the plan under pressure.
From an analytical perspective, this also means collecting baseline measurements of normal traffic at the public-facing entry points to the network, so that deviations stand out: for example, graphs and threshold alerts for bits per second and packets per second on the major ingress and egress links.
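The following is an added example, not code from the article or from any of the vendors quoted in it, of the kind of baseline-and-threshold check described above: it learns a per-link mean and standard deviation for bits per second and packets per second from a clean period, raises an alert when a live sample exceeds mean plus a configurable number of standard deviations, and uses the average packet size to suggest whether a volumetric flood or a small-packet, state-exhausting flood is the likelier explanation. The link names, polling interval, counter values and the 128-byte small-packet cutoff are all constructed for the example.

```python
"""Baseline-and-threshold alerting for per-link bps and pps counters.

Added example (not from the article or any vendor product). Input is a list
of (link, timestamp, bits/s, packets/s) samples such as an SNMP or flow
collector would export once per polling interval.
"""
from __future__ import annotations

import statistics
from dataclasses import dataclass
from typing import Iterable

# Assumption for the example: below this average packet size a rate alert is
# treated as a packet-rate flood that stresses connection tables rather than links.
SMALL_PACKET_BYTES = 128


@dataclass(frozen=True)
class Sample:
    link: str    # constructed name, e.g. "edge-1/ingress"
    ts: int      # epoch seconds
    bps: float   # bits per second
    pps: float   # packets per second


@dataclass(frozen=True)
class Threshold:
    mean: float
    stdev: float
    limit: float  # mean + sigmas * stdev


@dataclass(frozen=True)
class Alert:
    link: str
    ts: int
    metric: str            # "bps" or "pps"
    value: float
    limit: float
    avg_packet_bytes: float
    hint: str


def build_baseline(history: Iterable[Sample], sigmas: float = 4.0) -> dict[str, dict[str, Threshold]]:
    """Per-link mean and sample standard deviation of each counter over a clean
    period. Links with fewer than two samples get no baseline (stdev undefined)."""
    by_link: dict[str, list[Sample]] = {}
    for s in history:
        by_link.setdefault(s.link, []).append(s)
    baseline: dict[str, dict[str, Threshold]] = {}
    for link, samples in by_link.items():
        if len(samples) < 2:
            continue
        thresholds = {}
        for metric in ("bps", "pps"):
            values = [getattr(s, metric) for s in samples]
            mean = statistics.fmean(values)
            stdev = statistics.stdev(values)
            thresholds[metric] = Threshold(mean, stdev, mean + sigmas * stdev)
        baseline[link] = thresholds
    return baseline


def avg_packet_bytes(bps: float, pps: float) -> float:
    """Average packet size implied by the two counters; 0 when no packets."""
    return bps / 8.0 / pps if pps > 0 else 0.0


def classify(avg_bytes: float) -> str:
    """Rough triage hint from average packet size (heuristic, not a verdict)."""
    if 0 < avg_bytes < SMALL_PACKET_BYTES:
        return ("small packets: packet-rate flood; check connection/state tables "
                "on firewalls, load balancers and servers")
    return "large packets: volumetric flood; expect link saturation, engage upstream or cloud scrubbing"


def evaluate(samples: Iterable[Sample], baseline: dict[str, dict[str, Threshold]]) -> list[Alert]:
    """One Alert per (sample, metric) whose value exceeds the learned limit."""
    alerts: list[Alert] = []
    for s in samples:
        thresholds = baseline.get(s.link)
        if thresholds is None:
            continue  # no baseline for this link yet; nothing to compare against
        avg = avg_packet_bytes(s.bps, s.pps)
        for metric in ("bps", "pps"):
            value = getattr(s, metric)
            t = thresholds[metric]
            if value > t.limit:
                alerts.append(Alert(s.link, s.ts, metric, value, t.limit, avg, classify(avg)))
    return alerts


# Constructed history: one link, eight clean polling intervals (~400 Mb/s, ~50 kpps).
HISTORY = [
    Sample("edge-1/ingress", 1000 + 60 * i, bps, pps)
    for i, (bps, pps) in enumerate([
        (400e6, 50000), (420e6, 52000), (390e6, 49000), (410e6, 51000),
        (430e6, 53000), (395e6, 49500), (405e6, 50500), (415e6, 51500),
    ])
]

# Constructed live samples: a normal interval, a large-packet flood, then a
# 60-byte-packet flood whose bit rate stays under the limit but whose packet rate does not.
LIVE = [
    Sample("edge-1/ingress", 2000, 425e6, 52500),
    Sample("edge-1/ingress", 2060, 3.2e9, 300000),
    Sample("edge-1/ingress", 2120, 432e6, 900000),
]


def demo() -> list[Alert]:
    return evaluate(LIVE, build_baseline(HISTORY))


if __name__ == "__main__":
    for a in demo():
        print(f"{a.link} t={a.ts} {a.metric}={a.value:.3g} > limit {a.limit:.3g} "
              f"({a.avg_packet_bytes:.0f} B/pkt): {a.hint}")
```

The third live sample is the caveat worth noticing: a SYN-style flood of small packets barely moves the bits-per-second graph, so a team that alerts on bandwidth alone would miss it, which is why both counters are tracked. The reverse caveat also applies: a low-and-slow application-layer attack of the kind described above will not trip either threshold, so these link counters need to be complemented by application-level measurements such as request rates and response times.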
“It bears repeating, but you have to keep your documentation up to date, monitor the DDoS industry for changes and ensure your technology is on top of the latest threats and test both your DDoS defense strategy and your team”, Power advises. “There are companies whose sole expertise is preparing for and defending against sophisticated and large-scale DDoS attacks, and they come in a range of flavors and prices. Make sure you understand your needs and vendors’ service offerings beforehand so that when the need arises, you will have taken that difficult decision-making process out of the equation.”
Traditionally, DDoS attacks have been a looming threat for enterprises and businesses because of extortion and fraud, where attackers demand a ransom or use the attack as cover for fraudulent activity. But DDoS attacks have gained more publicity when used as a political tool, particularly by the hacktivist group Anonymous.
The tactic has also been deployed in geopolitical conflict, as by the Izz ad-Din al-Qassam Cyber Fighters, reportedly based in Iran, who targeted US banks from September 2012 into 2013, and by the Syrian Electronic Army, which has attacked targets as varied as eBay, the Associated Press and the US Marine Corps recruitment page. There is no concrete evidence that either group is state-sponsored, but the implication is clear: no one is immune from an attack, regardless of the motivation behind it.
The trend shows up in Arbor Networks’ ninth annual ‘Worldwide Infrastructure Security Report’, which highlighted “dramatic growth in high-volume DDoS attacks” and found that 71% of data center operators reported a DDoS attack in 2013, compared to 45% the year before. Moreover, 36% of those attacks exceeded the total available bandwidth, almost double the previous year’s figure. Perhaps more damaging still, targets reported a cumulative 35% customer churn rate and 27% revenue loss as consequences of those attacks.
The gloomy statistics carry weight because they come from a mix of 220 service providers and network operators across industries who responded to the survey. Google collaborated with Arbor Networks, using the latter’s ATLAS global threat monitoring system, to build the Digital Attack Map, which reports and visualizes daily attacks and their origins worldwide.
“One of the clear targets that emerged in Europe when reviewing our own data was media and entertainment, specifically news organizations, accounting for 15% of all attacks in North America, and nearly 25% of all attacks in Europe”, notes Martin McKeay, senior security advocate at Akamai. “News organizations aren’t the most heavily secured and protected environments, often lacking in controls that an online merchant or bank might employ, since the cost of downtime for a news organization is much less.”
McKeay adds that the amount of data traveling across Akamai’s networks doubles every 18 months. The spread of broadband and computing power in emerging markets could lead to more intense attacks, although DDoS sizes have yet to grow at the same rate as broadband adoption. Even so, the compromised systems used in attacks are concentrated in the developing world, with China, Indonesia and India at the top of the list. Because attacks routinely cross national borders, legal action offers the target little recourse.
“The lack of laws concerning different forms of computer abuse in many markets make it harder for the target of the attack to defend themselves legally, and make it nearly impossible for law enforcement agencies to follow up and enforce any such laws that do exist”, he says.
This puts more of the onus on organizations to protect themselves with the right plans and tools in place. Shah says knowledge and preparedness vary from industry to industry and then from company to company within an industry. Low-and-slow application-layer attacks can be dealt with on-premises, where a dedicated device can also shield stateful infrastructure like firewalls and IPS from state-exhaustion attacks, while cloud-based protection is necessary against large-volume attacks that would otherwise saturate the links before any on-site device sees the traffic.
Not surprisingly, attackers are adapting their techniques to emerging defensive methods. Although still a recent trend, DDoS malware is beginning to include capabilities for evading purpose-built DDoS defenses, tying up the defender’s resources and opening holes that the attackers can then exploit.
“Some think it won’t happen to them, while others think they are protected if they subscribe to a cloud-based DDoS managed service. An organization is not protected from the full spectrum of DDoS attacks unless they have a multi-layered defense in place”, says Shah.
“The hottest trend in DDoS today is the multi-vector attack, combining flood, application and state exhaustion attacks against infrastructure devices all in a sustained attack that dynamically changes. These attacks are popular because they’re often highly effective and difficult to defend against”, Shah concludes.