It is an all-too-common headline: Prominent website brought down by attackers. The backstory to this growing threat to business is a distributed denial-of-service (DDoS). It is important that businesses are aware and take proactive steps to prevent becoming the next victim and headline of a DDoS attack.
This article explains DDoS attacks and offers steps to minimise their impact or ideally completely prevent them from happening to you.
The risk is real and increasingly dangerous
If you think you’re too small, too irrelevant or don’t have enough money to be an interesting victim for an attacker, think again. Any organisation is a possible victim and most of us are vulnerable to a DDoS attack. Whether you’re a Fortune 500 global enterprise, a governmental agency or a small- to mid-sized businesses (SMB) – we’re all on the target list of today’s cyber-thugs. Even security-savvy businesses with plenty of financial resources and experts to protect themselves have fallen victim to this threat, including Amazon, Visa, Sony, Monsanto, PostFinance, PayPal and Bank of America.
Recently, the number of DDoS incidents has increased significantly. Attacks have also grown in scale, well exceeding traffic volumes of 100 Gbps. One prolonged attack on an ecommerce site in Asia involved a botnet of over a quarter million zombie computers, many reportedly based in China.
DDoS comes in assorted flavors
At the most basic level, a DDoS attack is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DDoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
Typically, this is done through the coordinated efforts of distributed botnets, employing up to hundreds of thousands of zombie computers, machines which have been previously infected and are remotely controlled, just awaiting their commands. DDoS attacks work either by initiating floods of traffic to overwhelm server resources by brute force, or by exploiting inherent vulnerabilities to crash the target server.
Flood attacks include ICMP floods (e.g., smurf and Ping flood attacks), SYN floods (using bogus TCP/SYN packets), and other application-level floods. Flood DDoS attacks often leverage the asymmetric power of large distributed botnets. These can create multiple threads to send overwhelming amounts of requests to disable web servers.
Crash attacks often send malformed packets that take advantage of operating system bugs. Application-level DDoS attacks attempt to crash systems by leveraging exploits on server applications (e.g., buffer overflows or fork bombs). Malware-borne DDoS attacks can compromise potential botnet systems with a Trojan, which in turn triggers the download of a zombie agent.
Moreover, attacks have become more sophisticated. For example, botnets might not only flood broadcasted packets at a targeted server, but also intrusively establish connections with servers to initiate overwhelming volumes of bogus application transactions from within.
Criminals use DDoS because it is cheap, hard to detect, and highly effective. DDoS attacks are cheap because they can leverage distributed networks of thousands of zombie computers taken over by worms or other automated methods. For instance, the DDoS attack MyDoom used a worm to distribute the launching of flood attacks. Because these botnets are globally sold and available on the black market, an attacker might buy the use of a botnet for less than $100 for a flood attack, or contract specific attacks for as little as $5 an hour.
DDoS is hard to detect because they often use normal connections and mimic normal authorised traffic. As a result, it is also highly effective because, typically, the targeted servers mistakenly trust the traffic, and so facilitate the attacks by executing the requests that ultimately overwhelm them. For example, in HTTP-GET flood attacks (e.g., MyDoom), the requests are sent over normal TCP connections and are recognised by the web server as legitimate content.
Driven by money or ideology
Financially driven DDoS attacks are typically based on either extortion or competition. Extortion schemes often profit by demanding significant ransoms from victim organisations in order to prevent denial of service. For instance, one UK e-gambling site was reportedly brought down by a DDoS attack after refusing ransom demands.
Attacks by unscrupulous business competitors are more prevalent than might be expected. One industry survey found that more than half of all DDoS attacks on U.S. enterprises were driven by competitors seeking an unfair business advantage.
Ideological attacks can be launched by governmental entities or grassroots “hacktivists.” Hacktivists tend to seek publicity by obstructing high-profile organisations or sites symbolising conflicting political views or practices. Perhaps one of today’s most notorious examples for hacktivists is the loosely affiliated group Anonymous, who have claimed the responsibility (and publicity) for bringing down sites of such high-profile organisations as the FBI and the CIA, and have targeted websites in over 25 countries across 6 continents.
Who is next?
Since hacktivist agendas can be volatile and unpredictable, any business might be targeted as a symbol of the latest cause du jour. Sites for high-profile organisations (e.g., Facebook) or events (e.g., the Olympics, Euro Cup or U.S. Elections) are particularly likely targets.
In the case of government-launched cyber-war DDoS attacks, not only .gov targets are vulnerable. Such attacks can also target affiliated vendors who supply key infrastructure, communications or transportation services, or seek to cripple key business or financial transaction servers.
Cloud-based services may now also be especially vulnerable to targeted attack. Because sites that require excessive amounts of computations or transactions (e.g., comprehensive search engines or data mining sites) are already pressed for resources, they are also preferred targets for DDoS attacks.
What IT can do
Clearly IT needs be vigilant and take preemptive steps against DDoS attacks. Industry analyst firm Gartner states that DDoS mitigation should be “a standard part of business continuity/disaster recovery planning and be included in all Internet service procurements when the business depends on the availability of Internet connectivity.”
To do so effectively, a business must be forewarned, prepared and resilient against DDoS attack.
IT needs to be forewarned
Simply speaking, IT should know its ISP. IT should collaborate on having an effective response plan in place with its service providers. In many instances, the ISP can be the first line of defense for DDoS.
IT should know its bottlenecks. A well-prepared IT organisation should identify the parts of the network that are most likely to be overwhelmed by a DDoS attack, such as Internet pipe, firewall, intrusion prevention (IPS), load balancer or servers. Further, IT needs to closely monitor these potential points of failure under attack, and evaluate whether to upgrade or optimise their performance and resiliency.
Finally, the IT staff should know its traffic. IT cannot control what it cannot see. Therefore, IT should scan and monitor both inbound and outbound traffic to gain visibility into unusual volumes or patterns that might identify targeted sites or disclose botnets within the network. For full preparedness, IT also needs visibility into Layer 7 traffic in order to identify and control blended and application-layer DDoS attacks.
IT needs to be prepared
The IT organisation should invest in evaluating and implementing appropriate countermeasure products and services. For instance, some next-generation firewalls feature integrated intrusion detection and prevention countermeasures against known DDoS attacks, which can be updated automatically with continuous up-to-the-moment signatures.
Ideally, IT will want a firewall to deeply scan both inbound and outbound traffic—including visibility into applications—and monitor and alert management on suspect patterns. IT should make sure that the firewall solution enables remediation of DDoS attacks by blocking, filtering or redirecting traffic based upon identified patterns, volumes or characteristics.
For comprehensive traffic intelligence, IT may also consider implementing traffic flow analytics software that can examine usage data by application or user, look at data over different time periods and correlate traffic data from multiple sources, such as NetFlow and IPFIX.
Going forward, IT leaders should keep appraised of emerging technologies to add to the arsenal, such as IP geolocation, which could help identify suspicious geographic sources of inbound packets.
IT needs to be resilient
As described, denial of service attacks are built upon overwhelming and bottlenecking systems. Wherever possible, IT should enhance the network’s resiliency with highly redundant, high-performance components, and policy-based bandwidth management.
For example, certain next-generation firewalls can combine massively scalable multi-core design with near-wire-speed deep-packet scanning technology to enable simultaneous, multi-threat and application scanning and analysis of unlimited files sizes and connections at multi-gigabit speeds. Such firewalls can be configured for optimal performance and flexibility under attack, with active/active high availability (HA) failover, application intelligence and control, and bandwidth prioritisation.
If an organisation does business anywhere on the Internet, it is likely not a question of if, but when it will be targeted by a DDoS attack. Yet there is much IT can do to minimise and deflect the impact. The IT organisation should closely collaborate with company leadership to be forewarned of where their vulnerabilities lie, be prepared with appropriate countermeasures, and be resilient with high performance, high redundancy network security components.
This story was contributed by Florian Malecki, senior product marketing manager at Dell SonicWALL EMEA.