Distributed Denial of Service (DDoS) attacks are getting bigger, faster and more sophisticated. Capable of overthrowing traditional security and reactive defenses, DDoS is a destructive force to be reckoned with. How do you mitigate these attacks and stop your organization from being overwhelmed without warning?
DDoS attacks, once the flamethrowers of amateur hackers, have grown in such scale and sophistication that they are bringing down the infrastructure of governments and global organizations. In DDoS strikes, cybercriminals deluge their targets with fictitious data, flooding websites, bringing down networks and making websites unavailable to legitimate traffic.
The motivations behind DDoS attacks are varied. They can be ethical, political or a form of industrial espionage. But often it is a simple case of cybercriminals trying to extort money out of undefended businesses. In addition, DDoS attacks are used as smokescreens to keep IT defenders busy while attackers leverage other attack vectors to breach enterprise defenses.
DDoS attacks are getting bigger and bolder
DDoS attacks are widespread and high profile. A recent attack on domain name system (DNS) host Dyn rendered numerous household-name websites unavailable, including Amazon, Twitter and PayPal. African nation Liberia suffered continued DDoS attacks over seven days, bringing its entire internet infrastructure to a halt, while the government of Luxembourg recently saw its key websites crash in a 24-hour attack.
Hosting provider OVH is still the victim of the largest DDoS attack to date, launched by the Mirai malware. Two simultaneous DDoS attacks peaked at nearly 1 Tbps over a week. Cybercriminals compromised 152,000 IoT devices, including CCTV cameras and video recorders, to mount the attack. To put this in perspective, a 1 Gbps DDoS attack is enough to knock out most of an organization’s networks.
“The damage from a 1 Tbps attack could be huge,” explains Sébastien Roncin, Security product manager at Orange Business Services. “It could remove operators and countries from the internet map.”
Mirai works by turning IoT devices into a remote-controlled army of malicious bots. The program finds its prey by continually scanning the internet for IoT devices that still use factory-default usernames and passwords, which their owners never change, and takes them over.
Analyst firm Forrester believes we will see IoT compromises escalate still further in 2017. It predicts that 500,000 IoT devices will be compromised for attacks, dwarfing the Heartbleed bug of 2014. Attacks are also getting bigger. A recent Akamai report found there was a 140 per cent increase in attacks greater than 100Gbps between the final quarter 2015 and 2016. Of the recent 100Gbps attacks, the majority were down to the Mirai malware.
The plague of DDoS attacks
DDoS attacks are also using multiple attack tactics requiring different mitigation strategies. A staggering 45 per cent of enterprises report they are experiencing more than 10 attacks per month. This is a 38 per cent year-on-year increase, according to figures from Arbor Networks, and 43 per cent of these attacks used multiple attack vectors.
“Multi-vector attacks show a high level of sophistication from hackers and they are capable of causing serious damage,” explains Massimiliano Brugnoli, business development, cybersecurity, at Orange Business Services. “Multi-vector attacks quickly transition from one form of DDoS attack to another and are designed to confuse organizations working to defend one corner, and finding they are being attacked on another.”
The upsurge in DDoS attacks is down to three key factors. Firstly, cheap DDoS-for-hire and off-the-shelf DDoS-as-a-Service tools are now available on the dark web (listen to the recent dark web webinar to find out more). Second, we’ve seen the emergence of malware like Mirai and malicious bots that can send fake traffic faster thanks to increasing data speeds. Finally, a wave of common public internet services lend themselves to amplification and reflection attacks, such as Network Time Protocol (NTP) servers and Domain Name System (DNS) servers. The latter technique uses publicly accessible open DNS servers to overwhelm targets with DNS response traffic and crash networks.
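The reflection pattern described above has a recognisable signature from the victim's side: large UDP replies from services such as DNS and NTP, arriving from many different servers, in answer to queries the victim never sent. The following added example (not code from the article or from Orange Business Services) shows how a defender might flag that pattern in flow records. The flow tuples, IP addresses and thresholds are all constructed for illustration; a real deployment would read exported NetFlow/IPFIX records and tune the thresholds to its own baseline.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the source port of the reply.
REFLECTION_PORTS = {53: "DNS", 123: "NTP"}

# Constructed sample flow records (not real telemetry), one per line:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    # Legitimate lookup: host queries its resolver and gets a small reply back.
    ("203.0.113.10", 40001, "198.51.100.53", 53, "udp", 1, 70),
    ("198.51.100.53", 53, "203.0.113.10", 40001, "udp", 1, 140),
    # Reflection: open resolvers answering queries 203.0.113.10 never sent,
    # with large responses converging on one victim port.
    ("192.0.2.11", 53, "203.0.113.10", 443, "udp", 500, 1_500_000),
    ("192.0.2.12", 53, "203.0.113.10", 443, "udp", 480, 1_440_000),
    ("192.0.2.13", 53, "203.0.113.10", 443, "udp", 520, 1_560_000),
    ("192.0.2.14", 53, "203.0.113.10", 443, "udp", 510, 1_530_000),
    # A single unsolicited NTP reply of ordinary size to another host:
    # one reflector, small packets, so it stays below the reporting threshold.
    ("192.0.2.50", 123, "203.0.113.20", 51234, "udp", 10, 900),
]


def find_reflection_victims(flows, min_reflectors=3, min_avg_bytes=1000):
    """Return {(victim_ip, service): summary} for hosts that receive unsolicited,
    large UDP replies from at least `min_reflectors` distinct servers."""
    # Record every outbound request to a reflector-capable service, so that
    # a reply which matches one of them is treated as solicited.
    solicited = set()
    for src, sport, dst, dport, proto, _pk, _by in flows:
        if proto == "udp" and dport in REFLECTION_PORTS:
            solicited.add((dst, dport, src, sport))

    # Aggregate unsolicited replies per (victim, service).
    agg = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, dport, proto, pk, by in flows:
        if proto != "udp" or sport not in REFLECTION_PORTS:
            continue
        if (src, sport, dst, dport) in solicited:
            continue  # matches a request the host really sent
        entry = agg[(dst, REFLECTION_PORTS[sport])]
        entry["reflectors"].add(src)
        entry["packets"] += pk
        entry["bytes"] += by

    # Report only where many reflectors and large replies coincide, which is
    # what distinguishes an amplification flood from a stray late answer.
    victims = {}
    for key, e in agg.items():
        avg = e["bytes"] / e["packets"] if e["packets"] else 0
        if len(e["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            victims[key] = {
                "reflectors": len(e["reflectors"]),
                "packets": e["packets"],
                "bytes": e["bytes"],
                "avg_reply_bytes": round(avg),
            }
    return victims


if __name__ == "__main__":
    for (ip, svc), s in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{ip}: unsolicited {svc} replies from {s['reflectors']} reflectors, "
              f"{s['bytes'] / 1e6:.1f} MB, avg {s['avg_reply_bytes']} B/pkt")
```

Running the script against the constructed flows reports 203.0.113.10 as the target of unsolicited DNS replies from four reflectors averaging 3000 bytes per packet, while the legitimate resolver reply and the lone NTP response are left alone. The check on distinct reflectors matters: one server replying late is noise, dozens replying at once to a port that never asked is the reflection signature.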
Hackers are openly advertising their skills, sometimes claiming to be legitimately stress-testing websites. Individuals with DDoS expertise, botnets and access to high-bandwidth servers have set up web-based applications, dubbed ‘booters’, which can be hired to trigger DDoS attacks. ‘Booters’ are popular with DDoS hackers because they make tracking difficult and protect their anonymity.
What DDoS attacks really cost business
DDoS attacks are making a serious dent in the bottom line of organizations that have fallen victim. As well as financial loss, many organizations suffer a downturn in customer trust and reputation, which for online retailers can damage sales. It doesn’t stop there. There is also a new trend for cybercriminals to use DDoS attacks to throw organizations off guard whilst they build back doors into networks to steal IP and critical data later.
“DDoS strikes are having a serious impact on organizations in downtime and lost business,” explains Brugnoli. “They cost businesses over $100,000 in 25% of cases according to a survey of enterprises who have been hit.” Research group the Ponemon Institute has put the figure as high as $22,000 a minute. While average DDoS attacks last less than 24 hours, there is no predictable pattern and sometimes cybercriminals pursue an onslaught of attacks for days.
Defeating DDoS attacks
DDoS attacks can wreak havoc on your business very quickly, without warning. To defend yourself you need to understand the types of DDoS attacks cybercriminals are using and put together an action plan protecting the availability of your digital services.
New techniques used by cybercriminals mean that traditional security tools such as firewalls can’t shield you from DDoS attacks, because they aren’t designed to do so. Firewalls and intrusion prevention systems (IPS) can themselves fall victim to resource exhaustion attacks.
Your organization needs to be proactive – incorporating technologies, intelligence gathering and human analysis focused on safeguarding key assets that are critical to your business, and you need an incident response process that can go into action immediately.
“If an attack is detected you do not want to be running around for authorization to turn on a scrubbing center to cleanse traffic, as every minute wasted costs money,” explains Brugnoli. When under attack, traffic needs to be redirected to a scrubbing center, where DDoS traffic is removed and clean traffic is sent back to the network to be delivered.
“Don’t underestimate the impact DDoS can have on your network,” says Brugnoli. “DDoS attacks are quick, unpredictable and sometimes intermittent. Today it is not a question of if a company will be hit, but when.”
DDoS attacks are escalating. Is your organization next in line? Find out about the three-pronged solution offering Orange Business Services has to make it harder for cybercriminals to close down your infrastructure. Listen to the recording of our webinar now.
Jan has been writing about technology for over 22 years for magazines and web sites, including ComputerActive, IQ magazine and Signum. She has been a business correspondent on ComputerWorld in Sydney and covered the channel for Ziff-Davis in New York.