With DDoS attacks reportedly increasing in size and complexity in 2014, Phil Muncaster canvasses the industry on where the problems lie and how we can respond
The distributed denial of service (DDoS) attack has been on the CISO’s radar for years now. But 2014 saw a huge surge in attack size and volume, causing misery for organizations across the globe. In the third quarter of the year alone, DDoS prevention firm Akamai said it dealt with 17 attacks greater than 100Gb/s, with the biggest standing at a whopping 321Gb/s. With cyber-criminals constantly adapting new techniques to improve their effectiveness, what can organizations do in response? And what does 2015 hold in store?
What’s a DDoS?
At its most basic, a DDoS is an attempt by an attacker to overwhelm a targeted computer resource with a flood of traffic from multiple compromised computer systems – usually members of a botnet. The distributed nature of the attack makes it difficult to filter the botnet machines without also blocking legitimate traffic, so the victim and its customers suffer a service outage, albeit usually a temporary one.
There are numerous different types of DDoS, but two of the most common are application layer attacks and infrastructure (or network) layer attacks. The former exhausts server resources with a high rate of seemingly valid requests (HTTP GET or POST floods, for example), while the latter saturates the target’s bandwidth or connection state with raw packet volume (SYN floods, UDP floods and reflection traffic). Akamai’s stats reveal that the total number of attacks increased 22% from Q3 2013 to Q3 2014, with a 389% increase in attack bandwidth. However, while infrastructure layer attacks jumped by 43% over the period, application layer attacks decreased 44%.
Hitting Firms Where it Hurts
Before working out what level of response is needed, organizations need to understand why they’ve become a target, according to Quocirca director and analyst Bob Tarzey. “Launching a DDoS will not in itself make you any money as a cyber-criminal. There’s not an obvious way to monetize these attacks, apart from extortion,” he tells Infosecurity, adding that this is a relatively unfavored option compared to other illicit money-making schemes, given the time, effort and cost involved for cyber-criminals.
Arbor Networks’ Worldwide Infrastructure Security Report, released in 2014, has some interesting insights. It reveals that instead of criminal extortion (15%), DDoS attacks are most likely to be motivated by political or ideological disputes (40%). The rise of Anonymous has certainly had a major part to play here, and 2014 once again saw the online collective cause its fair share of outages – most notably in the #OpWorldCup blitz against FIFA World Cup sponsors.
It also emerged recently that potentially state-sponsored actors have been DDoS-ing pro-democracy Hong Kong sites such as that of the anti-Beijing paper Apple Daily.
Hong Kong saw a 111% rise in attacks from September to October 2014 as a result, according to Arbor Networks. Returning to Arbor’s survey, 26% of attacks spotted were put down to criminals simply demonstrating their DDoS capabilities to potential customers. A further 18% were due to competitive rivalry between organizations, while 16% were launched merely as a diversion to cover a more serious data exfiltration attack.
The impact on organizations, of course, depends upon a variety of factors. A fleeting attack from Anonymous is not likely to have the same impact as a major, well-resourced campaign from a state-sponsored entity, for example.
However, for those organizations which make their livelihood from the internet – including online gaming, e-commerce sites, or even cloud service providers – it could lead to a worrying drop in earnings, negative publicity, and loss of customers to rival firms.
More Sophisticated?
Just as with the rest of the ever-evolving threat landscape, DDoS attackers are constantly changing their modus operandi to circumvent existing mitigation systems. The first big shift of 2014 was an explosion in NTP amplification attacks, signalled by a US-CERT warning in January that attackers were abusing the monlist monitoring command in older ntpd versions: a small query spoofed to come from the victim elicits a much larger reply, letting attackers overwhelm victim systems with UDP traffic they never requested.
Incapsula research in March claimed to reveal a major shift towards this strategy, with attacks as big as 180Gb/s spotted. However, thanks to a concerted effort by organizations to patch and update their NTP servers, the attack methodology began to lose favor. In fact, NTP attacks dropped from 14% of all DDoS in Q1 to just 5% in Q3, according to Arbor Networks.
Yet as this strategy began to wane, so the cat-and-mouse game evolved again and so-called SSDP reflection attacks grew, from just three known events in the whole of Q2 to a substantial 29,506 the following quarter. The reflected traffic arrives at the victim from UDP source port 1900, the SSDP port used by UPnP, and these attacks are harder to stop with patching because the reflectors are home CPE devices (routers and similar kit) that expose UPnP to the internet and answer a small spoofed M-SEARCH query with a far larger reply; users typically never get around to upgrading such devices with newer firmware. Some 42% of all attacks greater than 10Gb/s used SSDP reflection during Q3 2014, according to Arbor.
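Both of the reflection vectors described above share one signature at the victim: replies from a UDP service (source port 123 for NTP, 1900 for SSDP) arriving from many hosts the victim never queried, with payloads far larger than a genuine reply. The following script, an added example rather than anything from the article or the vendors it cites, runs that check over flow records. The record format, the thresholds and the sample flows are all assumptions constructed for the example; the flows are not captured traffic.

```python
"""Flag UDP reflection/amplification traffic in flow records (added example)."""
from collections import defaultdict

# UDP services commonly abused as reflectors. At the victim the reflected
# replies carry the service port as their *source* port.
REFLECTOR_PORTS = {123: "NTP (monlist)", 1900: "SSDP", 53: "DNS", 19: "chargen"}
MIN_DISTINCT_REFLECTORS = 3      # assumed threshold: replies from many hosts
MIN_AVG_BYTES_PER_PACKET = 200   # assumed threshold: genuine NTP/DNS replies are small

VICTIM_IP = "203.0.113.10"  # assumed victim address (documentation range)

# Constructed flow records: a reduced NetFlow/IPFIX-style view of traffic.
SAMPLE_FLOWS = [
    # Legitimate NTP sync: we queried, one small reply came back.
    {"proto": "udp", "src_ip": VICTIM_IP, "src_port": 41000,
     "dst_ip": "198.51.100.1", "dst_port": 123, "packets": 1, "bytes": 76},
    {"proto": "udp", "src_ip": "198.51.100.1", "src_port": 123,
     "dst_ip": VICTIM_IP, "dst_port": 41000, "packets": 1, "bytes": 76},
    # Legitimate DNS answer from our own resolver.
    {"proto": "udp", "src_ip": VICTIM_IP, "src_port": 50001,
     "dst_ip": "198.51.100.53", "dst_port": 53, "packets": 1, "bytes": 60},
    {"proto": "udp", "src_ip": "198.51.100.53", "src_port": 53,
     "dst_ip": VICTIM_IP, "dst_port": 50001, "packets": 1, "bytes": 120},
]
# SSDP reflection: five unqueried home devices replying from port 1900.
for i in range(1, 6):
    SAMPLE_FLOWS.append({"proto": "udp", "src_ip": f"192.0.2.{i}", "src_port": 1900,
                         "dst_ip": VICTIM_IP, "dst_port": 80, "packets": 40, "bytes": 12800})
# NTP monlist reflection: three unqueried servers sending 482-byte replies.
for i in range(1, 4):
    SAMPLE_FLOWS.append({"proto": "udp", "src_ip": f"192.0.2.{100 + i}", "src_port": 123,
                         "dst_ip": VICTIM_IP, "dst_port": 80, "packets": 100, "bytes": 48200})


def flag_reflection(flows, victim_ip):
    """Return {src_port: summary} for inbound UDP traffic that looks reflected.

    A flow is suspicious when it comes from a known reflector service port,
    the victim never sent a query to that host:port, and the replies are both
    numerous in origin and large on average.
    """
    # Hosts and service ports the victim actually queried (outbound UDP flows).
    queried = {(f["dst_ip"], f["dst_port"]) for f in flows
               if f["proto"] == "udp" and f["src_ip"] == victim_ip}

    by_port = defaultdict(lambda: {"srcs": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] != "udp" or f["dst_ip"] != victim_ip:
            continue
        if f["src_port"] not in REFLECTOR_PORTS:
            continue
        if (f["src_ip"], f["src_port"]) in queried:
            continue  # a reply we asked for, not reflection
        bucket = by_port[f["src_port"]]
        bucket["srcs"].add(f["src_ip"])
        bucket["bytes"] += f["bytes"]
        bucket["packets"] += f["packets"]

    findings = {}
    for port, bucket in by_port.items():
        avg = bucket["bytes"] / bucket["packets"]
        if len(bucket["srcs"]) >= MIN_DISTINCT_REFLECTORS and avg >= MIN_AVG_BYTES_PER_PACKET:
            findings[port] = {"service": REFLECTOR_PORTS[port],
                              "reflectors": len(bucket["srcs"]),
                              "avg_bytes_per_packet": avg,
                              "total_bytes": bucket["bytes"]}
    return findings


if __name__ == "__main__":
    for port, info in sorted(flag_reflection(SAMPLE_FLOWS, VICTIM_IP).items()):
        print(f"port {port} ({info['service']}): {info['reflectors']} reflectors, "
              f"{info['avg_bytes_per_packet']:.0f} B/pkt, {info['total_bytes']} B")
```

The "did we query this host" check is what separates reflection from ordinary NTP or DNS traffic; packet size alone would also flag a large legitimate DNS answer. In production the same logic runs over exported flows from the border router, and the per-port totals feed the rate at which an upstream provider or scrubbing service needs to drop source port 123 and 1900 traffic.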
Attackers have now also begun to use public cloud infrastructure to launch DDoS campaigns. In July, researchers revealed that hackers were exploiting a vulnerability (CVE-2014-3120) in open source search engine Elasticsearch to break into Amazon EC2 virtual machines and launch their attacks using a new variant of the Linux DDoS trojan Mayday. In fact, new DDoS malware is a constant thorn in the side of those tasked with mitigating these attacks, especially as easy-to-use toolkits are becoming increasingly widely available.
Discovered in September, the Spike toolkit is the latest of these and is said to be able to build even bigger DDoS botnets by targeting a wider range of internet-enabled kit, such as routers and internet of things (IoT) devices.
Response Strategies
So how do we respond to the growth in DDoS attacks? Two main strategies are open to organizations, according to Bloor senior analyst Fran Howarth.
“One of the easiest ways to try to prevent a DDoS attack is to overprovision your infrastructure, especially those parts that are internet-facing. Organizations should also look to ensure that infrastructure is geographically widespread and that anycast, a technique that allows multiple servers to share the same IP address, is deployed,” she explains. “This, however, can be an expensive option and is not for everyone. An alternative is to subscribe to cloud-based services that will handle the traffic overload in the cloud before it even reaches your network.”
However, while there are certainly firms out there that can help, the industry as a whole has been slow to address the threat. “I still believe there is a long way to go,” argues Howarth. “There are many vendors and service providers with their own offerings, but I see little evidence of any co-ordinated, concerted effort to develop and standardize. We are, though, starting to see a greater emphasis placed on regulation.”
KPMG cyber security director, Jim Fox, believes all industry stakeholders can do their bit: “More can be done by sharing information in near real time on the nature of the attacks and a more co-ordinated response between target firms, internet service providers, security vendors and government,” he tells Infosecurity. “Ultimately, governments need to work to disrupt the organized crime groups undertaking those attacks, and that will require difficult and painstaking international action.”
What Lies in Store
So what of the future? More regulation is likely, according to Howarth. She says that under amendments to FFIEC rules, US financial institutions must now have DDoS mitigation technologies in place, although no individual tech was specified.
“With DDoS attacks on the rise, and increasing in complexity, size and sophistication, more organizations will be hit and more regulation is likely,” she says. “We are also seeing more co-ordinated attacks against specific industries, which is likely to continue.”
DDoS attackers will continue to evolve their methods to outwit the security vendors into 2015 and beyond, keeping long-established vectors such as SYN floods and application layer attacks in play alongside the newer reflection techniques. A report by DDoS mitigation firm Black Lotus also recently claimed that more countries, such as Vietnam, India and Indonesia, would emerge as major sources of attack traffic thanks to their sheer number of infected endpoints, especially mobile phones.
According to KPMG’s Fox, cyber-criminals will “continue to find more and more obscure protocols and vulnerabilities to amplify the effect of their attacks. We may also see more aggressive or disruptive attacks which aim to take down target systems by directly exploiting security vulnerabilities – or target the routing infrastructure of the internet itself.”
It’s not all doom and gloom, though. For Quocirca’s Tarzey, there could come a time when all but the most sophisticated DDoS efforts can be dealt with by the majority of organizations: “I’d argue that anyone with a good spam filter never really sees any spam, but ten years ago it was a real problem. They’re still sending the spam out but we’ve got the problem under control. [In time] we’ll have the network locked down well enough to defend against the obvious DDoS attacks.”
Tarzey adds that, “There’s more at stake from being online today. It’s the reason why the industry is more focused on the issue. This is a good thing because it means the industry is responding. So watch this space.”
This feature was originally published in the Q1 2015 issue of Infosecurity – available free in print and digital formats to registered users