Three common reasons for DDoS attacks
The main goal of a Distributed Denial of Service (DDoS) attack is to flood the target with so much traffic that its servers cannot cope with it. The result is that the target is forced off the Internet. There are several reasons why a DDoS attack might take place, among them:
- Hacktivism and annoyance – The goal here is simply to disrupt the business of the target. Those carrying out the attack may have political or other grievances with the target. For those just looking to cause annoyance, the low cost of renting a botnet makes a DDoS attack fairly cheap to orchestrate.
- Ransom – This is a step beyond the previous type: the target is given an opportunity to pay up or face being forced offline. This approach is not new, but in 2015 we have seen a significant increase in it across the globe, with some companies reportedly paying up.
- Smokescreen – The DDoS attack is used to occupy the IT security team while the hackers look for a way into the company. The same group is not necessarily behind both attacks. Experienced hackers will be monitoring for DDoS attacks and will take advantage of them to gain access to systems. As a result, it is becoming harder to identify who is attacking the network when a DDoS attack is in full force.
Spotting the difference
Drawing on the results of its latest Trends and Analysis report, Corero believes that we are likely to see an increase in the latter group of attacks. What is interesting about this group is not just that those launching the DDoS attack and those attempting to penetrate the network could be separate groups, but that the attacks are deemed sub-saturating.
Sub-saturating means that although a company is under attack, the strength of the attack is insufficient to take the network down. This is important: the attack needs to leave just enough bandwidth for the penetration team to reach the target. To defeat this type of attack it is important that IT security teams can identify when an attack is limited in strength and treat it as if it were a smokescreen. It doesn’t matter if it is a false alarm; better to react than be hacked.
Another indicator of this type of attack highlighted by Corero is that each attack lasts only a short time, but there will be several such attacks over the period. The reason for this is to assess how quickly the IT security team responds. That knowledge gives the penetration team the best opportunity to find a flaw in the security and attack the network.
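The two indicators described above (traffic that rises well above normal but never reaches link capacity, and several short bursts in one period) can be turned into a simple detector. The following is an added example written for this article, not code from Corero or from any product it mentions; the per-minute traffic samples, the baseline, the link capacity and the thresholds are all constructed assumptions. It classifies a series of readings as a classic saturating attack, a set of short sub-saturating bursts that should be treated as a possible smokescreen, or nothing of note.

```python
"""Flag short, repeated, sub-saturating DDoS bursts as a possible smokescreen.

Added example for illustration only (not from the article or Corero). All
names, thresholds and the sample readings below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: one reading per minute of inbound traffic in Mbit/s.
# Assumed baseline is ~100 Mbit/s; assumed link capacity is 1000 Mbit/s.
SAMPLE_MBPS = [
    95, 102, 98, 101, 100, 97,      # minutes 0-5: normal
    480, 520, 500,                  # minutes 6-8: burst 1, well below capacity
    99, 103, 100, 98,               # minutes 9-12: quiet
    510, 495,                       # minutes 13-14: burst 2
    101, 97, 100, 102, 99, 100,     # minutes 15-20: quiet
    530, 505, 515,                  # minutes 21-23: burst 3
    98, 100,                        # minutes 24-25: quiet
]


@dataclass
class Burst:
    start: int    # index of the first elevated sample
    end: int      # index of the last elevated sample (inclusive)
    peak: float   # highest rate observed during the burst

    @property
    def minutes(self) -> int:
        return self.end - self.start + 1


def find_bursts(samples: List[float], baseline: float,
                elevated_factor: float = 3.0) -> List[Burst]:
    """Group consecutive samples above baseline * elevated_factor into bursts."""
    threshold = baseline * elevated_factor
    bursts: List[Burst] = []
    current = None
    for i, rate in enumerate(samples):
        if rate > threshold:
            if current is None:
                current = Burst(start=i, end=i, peak=rate)
            else:
                current.end = i
                current.peak = max(current.peak, rate)
        elif current is not None:
            bursts.append(current)
            current = None
    if current is not None:          # burst still running at end of series
        bursts.append(current)
    return bursts


def classify(samples: List[float], baseline: float, capacity: float,
             max_burst_minutes: int = 5, min_bursts: int = 2) -> Tuple[str, List[Burst]]:
    """Return (verdict, bursts) for a series of traffic readings.

    'saturating'         - at least one burst reached link capacity
    'smokescreen-suspect'- several short bursts that all stayed below capacity
    'sub-saturating'     - elevated traffic, but not the short/repeated pattern
    'none'               - no elevated traffic at all
    """
    bursts = find_bursts(samples, baseline)
    if not bursts:
        return "none", bursts
    if any(b.peak >= capacity for b in bursts):
        return "saturating", bursts
    short = [b for b in bursts if b.minutes <= max_burst_minutes]
    if len(short) >= min_bursts:
        return "smokescreen-suspect", bursts
    return "sub-saturating", bursts


if __name__ == "__main__":
    verdict, bursts = classify(SAMPLE_MBPS, baseline=100, capacity=1000)
    print(f"verdict: {verdict}")
    for b in bursts:
        print(f"  burst minutes {b.start}-{b.end} ({b.minutes} min), peak {b.peak} Mbit/s")
    if verdict == "smokescreen-suspect":
        print("  -> treat as a smokescreen: review authentication, VPN and admin "
              "access logs for the same window, even if it turns out to be a false alarm")
```

On the constructed series the verdict is `smokescreen-suspect` with three bursts of two to three minutes each, none of which approaches the assumed 1000 Mbit/s capacity. In practice the baseline and capacity would come from the organisation's own traffic monitoring, and the alert should be routed to the people who watch intrusion and access logs rather than only to whoever handles bandwidth.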
Dave Larson, COO at Corero Network Security, explains: “The highly sophisticated, adaptive and powerful Dark DDoS attack will grow exponentially next year as criminals build on their previous successes of using DDoS attacks as a distraction technique. The Carphone Warehouse attack in August was interesting because it was one of the first publicly reported cases of ‘Dark DDoS’ in the public domain. This is a new frontier for DDoS attacks and a growing threat for any Internet-connected business that is housing sensitive data, such as credit card details or other personally identifiable information.
“Traditional approaches to DDoS defence simply cannot catch these sophisticated attacks – only by using an always-on, inline DDoS mitigation solution that automatically removes the threat and provides real-time visibility will IT teams be able to harden their security perimeter to deal with this emerging security threat.”
Corero believes Ransom threats will increase
2015 has already seen a rise in ransomware, where data is locked until a ransom is paid. With DDoS, the attackers often don’t even hit their target. Instead they point to other successful disruptions and warn their target that unless it pays up it will be the next to be hit. The size of the ransom will differ, but what doesn’t differ is the use of virtual currencies such as bitcoin that are anonymous and easy for criminals to convert back to hard cash.
To emphasise just how real this threat is, Corero has said: “During October 2015, 10% of Corero’s customer base was faced with extortion attempts, which threatened to take down or to continue an attack on their websites unless a ransom demand was paid.” This means that any company who fails to take this type of attack seriously is putting its entire business at risk.
This raises a serious problem for most corporate boards. If they pay up they could find themselves in trouble with the legal system in those countries where paying a ransom is treated as a crime. Paying could also be seen as weakness by the attackers and expose the business to an increased threat of attack. By not paying up the business could be forced off the Internet, and with companies increasingly reliant on that medium, refusing to pay could have a catastrophic impact on the survival of the business.
According to Larson: “Just one highly publicised participant will further fuel the epidemic by causing these demands to spread like wildfire. By deploying in-line, real-time DDoS mitigation tools, properly prepared organisations can stem this tide by refusing the ransom requests, secure in the knowledge that they are protected and can withstand the storm.”
There may be some who will take Larson’s statement as being little more than a threat-laden sales pitch. Such a view would be seriously misplaced, as Larson goes on to say:
“Lizard Squad is already selling DDoS attacks-as-a-service for as little as $6 a month. To expedite the process, opportunistic cyber criminals may already be developing ransom kits to allow ransom demands to be automated even further. These attack tools know when they’re successful and they react in real-time. This level of automation works faster than humans and requires in-line, always-on, DDoS mitigation tools to provide a robust defence.
“The Internet of Things further exacerbates this problem by providing a proliferation of rarely secured end points which are vulnerable to attack. This provides a growing domain of potential botnets and means that there is no limit to the scale of future attacks.”
Can cloud and ISPs do anything?
The answer is yes. Cloud service providers (CSPs) and ISPs have the skills and ability to mitigate a DDoS attack by using filtering systems that are capable of withstanding attacks in excess of 1 Tb/s. At CeBIT this year, Huawei announced a deal to work with Black Lotus and launch a DDoS mitigation appliance capable of handling over 1.4 Tb/s of DDoS traffic.
Since then, several other security companies have released their own high-performance appliances to help mitigate the impact of DDoS. This doesn’t mean that the battle is won. Far from it. The fact that Lizard Squad are charging as little as $6 per month shows how easy it is to commercialise this type of attack.
Not all attacks can be mitigated by an ISP. Last week Protonmail, a secure-email company based in Switzerland, gave in to a ransom demand and paid 15 bitcoins after suffering a series of DDoS attacks. This didn’t stop the attacks; a bigger attack overwhelmed not just Protonmail but also its ISP. As a result the ISP took the view that it had no option but to remove Protonmail from the net to protect its other customers. This shows that it is not just companies who have a problem but also their ISPs, who have to weigh the service they deliver to all customers, not just one.
It will be interesting to see how many of these providers now add DDoS mitigation to the list of services they provide to customers in 2016. So far few companies publicly offer this type of service, in order to avoid becoming a target for a concerted attack by groups of hackers. However, there is a clear need for it, and where there is a need, there is often money to be made. It would be very surprising if we don’t begin to see DDoS mitigation being offered as a core part of the cloud-based security services that are beginning to emerge.
DDoS attacks are becoming a way of life. Only last week Moonfruit was hit by a DDoS attack, after which the attackers threatened to repeat it if the company did not pay a ransom. Moonfruit decided that rather than risk another serious outage it would take its servers offline. While such an action prevented its customers from accessing data, it did mean that Moonfruit was protecting that data, albeit through drastic steps.
Not everyone will be able, or even willing, to follow the Moonfruit example. That means that companies must be prepared for a DDoS attack and implement their own DDoS mitigation solutions now. That might be on-premises, in the cloud or through their ISP.