Should Your Organization Be Concerned About DDoS Attacks?
In simple terms, a DDoS attack occurs when a network receives more TCP/IP packets per second than its resources can handle. How many packets per second it takes to create such an attack depends on the bandwidth of the network and the speed of the protection devices, routers and switches outside the network itself. The consequence, though, is always the same - Internet connectivity comes to a complete halt and users can’t do anything on the Internet. It’s analogous to being in a rush hour traffic jam.
Delivering a DDoS is no easy task; it takes a concerted attack from thousands of computers to clog up a network. The attacker needs to have at his disposal a network of workstations (a botnet) that he can command to all start sending traffic to a certain IP.
I saw this about 5 years ago; a company started receiving 15 million DNS queries per second! A DNS query is very small, less than 60 bytes. But when you get 15 million per second, you are getting hit by a very large amount of data. It’s hard for many devices to cope with such traffic, and very few companies have the ability to cope with such use of bandwidth. They didn’t! And even the ISP had difficulty dealing with it.
This type of attack is very targeted and clearly implies the desire to cause a disruption. Given how dependent we all are on the Internet, a DDoS can result in loss of some kind.
A few years ago this had become a means of extortion towards companies that conducted their business on the web. Several articles appeared about online poker companies being targeted; if they paid the ransom they would be left alone; if they didn’t, their website would practically become inoperable for a long time, and that meant heavy revenue losses for such companies.
The only possible mitigation in a situation like this is to be able to reroute your legitimate traffic somewhere else, so that the network receiving the DDoS becomes less relevant to the company’s business.
One way to thwart such a situation is to seek the collaboration of the ISP; depending on the size of the attack, sometimes only the ISP may be able to fend it off by setting up rules and routes to forward that traffic somewhere else.
Scanning and filtering this traffic is not possible, simply because the whole intent of the attack is to overwhelm the devices that are scanning it. So even if every single packet is blocked, the number of packets is such that the device defending the network will not be able to keep up. A defense by scan and drop therefore does not work in this case – it can make things worse.
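The two limits the post names, link bandwidth and the packet rate an inline protection device can inspect, can be put into numbers. The following is an added example, not code from the post: the counter lines, the 1 Gbit/s link, the 1.5M pps device rating and the 38-byte Ethernet framing overhead are all constructed or assumed for illustration.

```python
"""Capacity arithmetic behind a volumetric DDoS (added example).

Models the two limits named in the post: the link's bandwidth and the
packets per second an inline protection device can inspect. All figures
and counter lines below are constructed; the per-frame overhead is an
assumption for Ethernet (preamble, header, FCS, inter-frame gap).
"""

ETHERNET_OVERHEAD_BYTES = 38  # assumed per-frame overhead on the wire


def saturation_pps(link_bps, payload_bytes, overhead=ETHERNET_OVERHEAD_BYTES):
    """Packets of the given payload size per second that fill the link."""
    return int(link_bps / 8 // (payload_bytes + overhead))


def payload_gbps(pps, payload_bytes):
    """Payload bandwidth consumed by a packet rate, in Gbit/s (no framing)."""
    return pps * payload_bytes * 8 / 1e9


def parse_counters(text):
    """Parse constructed 'second packets bytes' counter lines; skip comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sec, pkts, nbytes = line.split()
        rows.append((int(sec), int(pkts), int(nbytes)))
    return rows


def classify(rows, link_bps, device_pps):
    """Label each second: 'link_saturated' when bytes on the wire exceed the
    link; 'device_overloaded' when the link has room but the inspecting device
    sees more packets than it can examine (so even drop-all cannot keep up);
    otherwise 'ok'."""
    labels = {}
    for sec, pkts, nbytes in rows:
        if nbytes * 8 >= link_bps:
            labels[sec] = "link_saturated"
        elif pkts > device_pps:
            labels[sec] = "device_overloaded"
        else:
            labels[sec] = "ok"
    return labels


CONSTRUCTED_COUNTERS = """\
# second  packets   bytes        (constructed, flow-collector style)
1         12000     960000
2         13500     1080000
3         1800000   108000000
4         15000000  900000000
"""

if __name__ == "__main__":
    print(saturation_pps(1_000_000_000, 60))  # 1275510 60-byte queries/s fill 1 Gbit/s
    print(payload_gbps(15_000_000, 60))       # 7.2 Gbit/s for the 15M qps in the post
    print(classify(parse_counters(CONSTRUCTED_COUNTERS), 1_000_000_000, 1_500_000))
```

Second 3 shows the post's point: the link is not full, yet the device is past its inspection rate, so a drop rule on that device changes nothing.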
Service providers that depend on the Internet for their livelihood (and who doesn’t anymore?) should at least keep such possibilities in mind in their risk assessment.
There is no material gain for a hacker to pursue a DDoS. Hackers try to remain anonymous; extortion implies a contact of some kind with the victim. The likelihood of this happening is low because it wastes resources that the hackers can dedicate to direct attacks aimed at stealing information, which have a more immediate ROI – yes, hackers do seem to think in terms of ROI as businesses do.
Nevertheless, someone could have a reason to carry out such an attack; hence the need to assess the risk and be prepared with countermeasures.
Such measures can range from a possible increase in bandwidth to simply absorb the attack; to an agreement with the ISP to forward the traffic somewhere else; to secondary connections to be used during the attack, like a back door to maintain access to the Internet. This should be likened to a disaster situation, and a disaster recovery plan should be considered so that Internet connectivity can be maintained and business conducted even under such conditions.
There are a few important security trends that merit watching next year.
The use of DDoS as a tool of political activity and extortion will loom large again and there is no indication that this is a trend that will diminish. As an example, witness the growth of the “Darkness” botnet which has been specifically hired out as a platform for DDoS attacks. This botnet is taking over from BlackEnergy which was previously the leader in this type of attack. It is pretty cheap with prices of $50 per 24 hours being quoted.
A second security trend, social engineering, is going to continue through increasingly sophisticated phishing emails and better websites. The Apr. 29, 2011 marriage of Prince William will be exploited ruthlessly, and SEO will increasingly be used to ensure infected websites rank high in search results.
And there’s yet another important security trend – financial applications. These will continue to be targeted. Viruses like Zeus and, more critically, URLzone have been used to gain login details for bank accounts. URLzone represents a significant departure: it acts as a ‘man in the middle,’ able to circumvent two-factor authentication (also known as TFA; in brief, the use of two independent mechanisms for authentication, for example requiring a smartcard and a password, a combination less likely to allow abuse than either component) by relaying false information back to users. While only able to target a number of banks at present, it is likely that this Trojan or something similar will be developed to encompass more banks in the coming year.
Any other security trends you think we should mention? Call me at (832) 242-5757 or send an email to email@example.com.