Biztech Aug 23, 2012
It is an all-too-common headline: prominent website brought down by attackers. The cause, more often than not, is a Distributed Denial-of-Service (DDoS) attack, a growing threat to business. Businesses need to be aware of it and take proactive steps to avoid becoming the next victim and the next headline.
The Risk Is Real And Increasingly Dangerous
If you think you’re too small, too irrelevant or don’t have enough money to be an interesting victim for an attacker, think again. Any organisation is a possible victim and most of us are vulnerable to a DDoS attack. Whether it’s a Fortune 500 global enterprise, a governmental agency or a small- to mid-sized enterprise (SME) – they are all on the target list of today’s cyber-thugs. Even security-savvy businesses with plenty of financial resources and experts to protect themselves have fallen victim to this threat, including Amazon, Visa, Sony, and lately the websites of Indian government-run communications company Mahanagar Telephone Nigam Limited (MTNL) and the Internet Service Providers Association of India.
Not only have the attacks significantly increased in number, they have also grown in scale, well exceeding traffic volumes of 100 Gbps. One prolonged attack on an ecommerce site in Asia involved a botnet of over a quarter million zombie computers, many reportedly based in China.
DDoS Comes In Assorted Flavours
At the most basic level, a DDoS attack is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DDoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
Typically, this is done through the coordinated efforts of distributed botnets employing up to hundreds of thousands of zombie computers: machines that have previously been infected and are remotely controlled, waiting for their commands. DDoS attacks work either by flooding the target with traffic to overwhelm the server or its network link by brute force, or by exploiting weaknesses in the protocol or application so that a comparatively small amount of traffic crashes or stalls the target server.
Criminals use DDoS because it is cheap, hard to detect and highly effective. It is cheap because it can leverage distributed networks of thousands of zombie computers taken over by worms or other automated means. For instance, the MyDoom worm carried a payload that launched flood attacks from every host it infected. Because these botnets are sold openly on the black market, an attacker might rent a botnet for less than $100 for a flood attack, or contract specific attacks for as little as $5 an hour.
DDoS attacks are hard to detect because they often use ordinary connections and mimic legitimate, authorised traffic. For the same reason they are highly effective: the targeted servers treat the traffic as genuine and spend their resources executing the very requests that ultimately overwhelm them.
Driven By Money Or Ideology
Financially driven DDoS attacks are typically based on either extortion or competition. Extortion schemes often profit by demanding significant ransoms from victim organisations in order to prevent denial of service. For instance, one UK e-gambling site was reportedly brought down by a DDoS attack after refusing ransom demands.
Attacks by unscrupulous business competitors are more prevalent than might be expected. One industry survey found that more than half of all DDoS attacks on U.S. enterprises were driven by competitors seeking an unfair business advantage.
Ideological attacks can be launched by governmental entities or grassroots “hacktivists.” Hacktivists tend to seek publicity by obstructing high-profile organisations or sites symbolising conflicting political views or practices. Perhaps the most notorious example of hacktivism today is the loosely affiliated group Anonymous, which has claimed responsibility (and the publicity) for bringing down the sites of such high-profile organisations as the FBI and the CIA, and has targeted websites in over 25 countries across six continents.
Who Is Next?
Since hacktivist agendas can be volatile and unpredictable, any business might be targeted as a symbol of the latest cause du jour. Sites for high-profile organisations (e.g., Facebook) or events (e.g., the Olympics, Euro Cup or U.S. Elections) are particularly likely targets.
In the case of government-launched cyber-war DDoS attacks, .gov targets are not the only ones vulnerable. Such attacks can also target affiliated vendors who supply key infrastructure, communications or transportation services, or seek to cripple key business or financial transaction servers.
Cloud-based services may also be especially vulnerable to targeted attack. Sites that require large amounts of computation or many transactions per request (e.g., comprehensive search engines or data-mining sites) are already pressed for resources, which makes them preferred targets: a relatively small volume of expensive requests is enough to exhaust them.
What IT Can Do
Clearly IT needs to be vigilant and take preemptive steps against DDoS attacks. Industry analyst firm Gartner states that DDoS mitigation should be “a standard part of business continuity/disaster recovery planning and be included in all Internet service procurements when the business depends on the availability of Internet connectivity.” To do so effectively, a business must be forewarned, prepared and resilient against DDoS attack.
Put simply, IT should know its ISP. IT should collaborate with its service providers on having an effective response plan in place before an attack, including whom to call and what the provider can filter or black-hole upstream. In many instances, the ISP is the first line of defence against DDoS, because a flood that saturates the Internet pipe has to be stopped before it reaches the organisation's own equipment.
IT needs to be forewarned: IT should know its bottlenecks. A well-prepared IT organisation should identify the parts of the network that are most likely to be overwhelmed by a DDoS attack, such as Internet pipe, firewall, intrusion prevention (IPS), load balancer or servers. Further, IT needs to closely monitor these potential points of failure under attack, and evaluate whether to upgrade or optimise their performance and resiliency.
Finally, the IT staff should know its traffic. IT cannot control what it cannot see. Therefore, IT should scan and monitor both inbound and outbound traffic to gain visibility into unusual volumes or patterns that might identify targeted sites or disclose botnets within the network.
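The two "forewarned" steps above, knowing the bottlenecks and knowing the traffic, come down to measuring per-window traffic at the points that can be overwhelmed and flagging what is out of the ordinary in both directions. The following is an added example, not code from the article or from SonicWALL: it parses a constructed firewall-style connection log, flags internal hosts hit by a single very busy source or by an unusually large number of distinct sources (inbound floods), and flags internal hosts that fan out to many external peers in one window (a sign of a bot inside the network). The log format, the `INTERNAL_NETS` ranges, the sample addresses and the thresholds are all assumptions chosen for illustration.

```python
"""Traffic-visibility check for the 'know your traffic' step above.  Added
example, not code from the article or from SonicWALL: the log format,
address ranges, sample traffic and thresholds are all assumptions."""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Assumed: address ranges that count as "inside" the organisation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

# Assumed one-line-per-connection format of a generic firewall connection log.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def build_sample_log():
    """Constructed sample: normal browsing, one flooding source, one
    distributed flood, one normal internal user and one bot-like internal host."""
    lines = []

    def add(sec, src, dst, dport):
        lines.append(f"2012-08-23T10:00:{sec % 60:02d} src={src} dst={dst} dport={dport}")

    for i in range(1, 6):                       # five normal external clients, 3 hits each
        for k in range(3):
            add(i + k, f"203.0.113.{i}", "198.51.100.10", 80)
    for i in range(120):                        # one source hammering the web server
        add(i, "203.0.113.200", "198.51.100.10", 80)
    for i in range(1, 31):                      # 30 sources, 2 hits each, on the API host
        for k in range(2):
            add(i + k, f"192.0.2.{i}", "198.51.100.20", 443)
    for i in range(3):                          # normal internal user, 3 external peers
        add(10 + i, "10.0.0.5", f"192.0.2.{200 + i}", 443)
    for i in range(40):                         # internal host fanning out to 40 peers
        add(i, "10.0.0.23", f"192.0.2.{101 + i}", 6667)
    return lines


def parse_line(line):
    """Parse one log line into a record, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]),
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"])}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def windows(records, seconds):
    """Group records into fixed windows measured from the earliest timestamp."""
    if not records:
        return []
    t0 = min(r["ts"] for r in records)
    buckets = defaultdict(list)
    for r in records:
        buckets[int((r["ts"] - t0).total_seconds()) // seconds].append(r)
    return [buckets[k] for k in sorted(buckets)]


def find_inbound_floods(records, seconds=60, per_source=50, distinct_sources=25):
    """Flag internal hosts hit by one very busy external source (brute-force
    flood) or by an unusually large number of distinct external sources
    (distributed flood) within any window."""
    alerts = set()
    for recs in windows(records, seconds):
        per_pair, srcs_per_dst = defaultdict(int), defaultdict(set)
        for r in recs:
            if is_internal(r["src"]) or not is_internal(r["dst"]):
                continue                        # only external -> internal traffic
            per_pair[(r["src"], r["dst"])] += 1
            srcs_per_dst[r["dst"]].add(r["src"])
        for (src, dst), n in per_pair.items():
            if n >= per_source:
                alerts.add(("single-source", str(dst), str(src), n))
        for dst, srcs in srcs_per_dst.items():
            if len(srcs) >= distinct_sources:
                alerts.add(("distributed", str(dst), len(srcs)))
    return sorted(alerts)


def find_outbound_anomalies(records, seconds=60, distinct_peers=30):
    """Flag internal hosts that contact many distinct external peers in one
    window, a pattern more typical of a bot than of a user's browsing."""
    alerts = set()
    for recs in windows(records, seconds):
        peers = defaultdict(set)
        for r in recs:
            if is_internal(r["src"]) and not is_internal(r["dst"]):
                peers[r["src"]].add(r["dst"])
        for src, dsts in peers.items():
            if len(dsts) >= distinct_peers:
                alerts.add(("outbound-fanout", str(src), len(dsts)))
    return sorted(alerts)


if __name__ == "__main__":
    recs = [r for r in map(parse_line, build_sample_log()) if r]
    for alert in find_inbound_floods(recs) + find_outbound_anomalies(recs):
        print(alert)
```

On the constructed log this reports a single-source flood against 198.51.100.10 (120 connections from 203.0.113.200 in one minute), a distributed flood against 198.51.100.20 (30 distinct sources) and an outbound fan-out from 10.0.0.23 (40 distinct peers), while the five normal clients and the normal internal user stay silent. The thresholds have to be set from a baseline of the organisation's own traffic: a search engine or API host legitimately sees many more distinct sources per minute than a brochure site, which is exactly the "know your traffic" point.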
IT needs to be prepared: The IT organisation should invest in evaluating and implementing appropriate countermeasure products and services. For instance, some next-generation firewalls feature integrated intrusion detection and prevention countermeasures against known DDoS attacks, which can be updated automatically with continuous, up-to-the-moment signatures. Signatures address known attack patterns; a volumetric flood that fills the Internet pipe has already done its damage by the time it reaches the firewall, which is why the ISP's upstream filtering has to be part of the plan.
Going forward, IT leaders should keep apprised of emerging technologies to add to the arsenal, such as IP geolocation, which could help identify suspicious geographic sources of inbound packets. Geolocation is only as good as the source address, so it is most useful for connection-oriented traffic such as HTTP; packets with spoofed source addresses will point at whatever location the attacker chose.
IT needs to be resilient: As described, denial-of-service attacks work by overwhelming a bottleneck. Wherever possible, IT should enhance the network's resiliency with highly redundant, high-performance components, and with policy-based bandwidth management that caps how much of a shared resource any one source or service can consume.
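The simplest form of the policy-based bandwidth management mentioned above is a token bucket per source address: each source earns tokens at a fixed rate up to a burst limit, and a request is served only if a token is available, so a flooding source is throttled while ordinary clients never notice. The following is an added example, not SonicWALL code or code from the article; the rates, burst sizes and the two simulated clients are assumptions. The bucket is deliberately integer-only (milliseconds and thousandths of a token) so the refill arithmetic is exact, and the per-source table is capped so that a flood from many spoofed addresses cannot turn the policer itself into a memory-exhaustion target.

```python
"""Per-source token-bucket policing, a simple form of policy-based bandwidth
management.  Added example, not SonicWALL code; rates, burst sizes and the
simulated traffic are assumptions."""
from collections import OrderedDict


class TokenBucket:
    """Integer token bucket: `rate` tokens per second, `burst` tokens capacity.
    Time is in milliseconds and tokens are kept in thousandths so that the
    refill arithmetic is exact (no floating-point drift)."""

    def __init__(self, rate, burst, now_ms=0):
        self.rate = rate
        self.capacity = burst * 1000
        self.tokens = self.capacity          # start full: a fresh client may burst
        self.last_ms = now_ms

    def allow(self, now_ms, cost=1):
        elapsed = max(0, now_ms - self.last_ms)   # a clock going backwards earns nothing
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens >= cost * 1000:
            self.tokens -= cost * 1000
            return True
        return False


class PerSourcePolicer:
    """One bucket per source address, with an LRU cap on tracked sources so a
    flood from many (possibly spoofed) addresses cannot exhaust memory."""

    def __init__(self, rate, burst, max_sources=10000):
        self.rate, self.burst, self.max_sources = rate, burst, max_sources
        self.buckets = OrderedDict()

    def allow(self, src, now_ms):
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = TokenBucket(self.rate, self.burst, now_ms)
            if len(self.buckets) >= self.max_sources:
                self.buckets.popitem(last=False)   # drop the least recently seen source
        self.buckets[src] = bucket
        self.buckets.move_to_end(src)
        return bucket.allow(now_ms)


def simulate(rate=10, burst=20, seconds=5):
    """Constructed traffic: one source at 100 req/s and one at 2 req/s, both
    policed at `rate` req/s with a burst of `burst`.  Returns
    {source: (accepted, offered)}."""
    policer = PerSourcePolicer(rate, burst)
    offered = []
    for i in range(100 * seconds):
        offered.append((i * 10, "203.0.113.200"))      # flooder: a request every 10 ms
    for i in range(2 * seconds):
        offered.append((i * 500, "203.0.113.7"))       # normal user: every 500 ms
    offered.sort()                                     # replay in time order
    result = {}
    for now_ms, src in offered:
        accepted, count = result.get(src, (0, 0))
        result[src] = (accepted + int(policer.allow(src, now_ms)), count + 1)
    return result


if __name__ == "__main__":
    for src, (accepted, count) in simulate().items():
        print(f"{src}: served {accepted} of {count} requests")
```

With a policy of 10 requests per second and a burst of 20, the flooder gets 69 of its 500 requests served over five seconds (the initial burst plus roughly the steady rate), while the normal user's 10 requests are all served because the two buckets are independent. The LRU cap is a trade-off: an evicted source gets a fresh, full bucket when it returns, so the cap should be sized well above the number of distinct sources seen in normal operation, and a separate aggregate bucket on the link is still needed for the case where the flood comes from more sources than the table can hold.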
If an organisation does business anywhere on the Internet, it is likely not a question of if, but when, it will be targeted by a DDoS attack. Yet there is much IT can do to minimise and deflect the impact. The IT organisation should collaborate closely with company leadership to be forewarned of where its vulnerabilities lie, be prepared with appropriate countermeasures, and be resilient with high-performance, highly redundant network security components.
The author is VP, Asia Pacific, SonicWALL Inc.