Home / Resources / ISACA Journal / Past Issues / 2013 / DDoS Attacks A Cyberthreat and Possible Solutions

Please enjoy reading this archived article; it may not include all images.

DDoS Attacks—A Cyberthreat and Possible Solutions

Author: Ajay Kumar, CISM, CCSK, ISO 27001 LA
Date Published: 1 July 2013

Distributed denial of service (DDoS) is one of the most diffused types of cyberattacks that represent a great concern for governments and institutions today. These attacks are an insidious foe to online service providers as their businesses depend on the availability of their web sites for critical business functions and productivity. This article is focused on the types of DDoS attacks, the trend and changing frequency, the business impact and countermeasures that organizations can take to prevent successful DDoS attacks, and building a strategic approach to defend from this growing cyberthreat.

Cyberattacks on various banks worldwide reflect a frightening new era in cyberwarfare. For example, since September 2012, US banks have been battling, with mixed success, DDoS attacks from a self-proclaimed hacktivist group called lzz ad-Din al-Qassam Cyberfighters.1 Due to a shortage of experts skilled in building effective defenses, many corporations are not prepared to battle such attacks.

The growing concern of HTTPS-based attacks adds a new dimension to the security landscape. Though conventionally associated with security on the web, hackers have managed to weaponize the encryption layer, using it to launch application-level and SSL attacks that can escape detection and remain hidden until it is too late. This has become an especially troubling phenomenon for financial services and e-commerce web sites that rely heavily on HTTPS.2

DDoS and How it Works

Denial of service is a form of cybercrime in which attackers overload computing or network resources with so much traffic that legitimate users are prevented access to network resources. Attacks are called “distributed” when the attack traffic originates from multiple hosts.

Historically, DDoS attacks originate from Internet-connected PCs that are compromised by malware. These PCs are called “bots” and are typically under the control of a command-and-control (C&C) server operated by the attacker or “botmaster” (see figure 1).

Botnets

The word “bot”3 (from robot) refers to automated software programs that perform specific tasks on a network of computers with some degree of autonomy. “Botnets” are a set of computers controlled by a C&C computer to execute commands as directed. Typically, computers become bots when attackers illicitly install malware that secretly connects the computer to a botnet; attackers then perform tasks such as sending spam, hosting or distributing malware, or attacking other computers. The C&C computer can issue commands directly, often through Internet Relay Chat (IRC) or by using a decentralized mechanism, such as peer-to-peer (P2P) networking. Computers in a botnet are often called nodes or zombies.

The DDoS attacks work in phases. In the first phase, the attacker compromises the weak machines in the network from around the world. In the second phase, a set of tools (also called malware) is installed on the compromised systems to attack the victims by controlling them from a C&C server.

Types of DDoS Attacks

While there are hundreds of types, DDoS attacks can be broadly classified into the following three major categories:

  • Flood or volumetric attacks—This type of attack seeks to consume all the available bandwidth of or to a data center or a network, such as User Datagram Protocol (UDP) floods, Internet Control Message Protocol (ICMP) floods and Domain Name System (DNS) reflection. As a result, the legitimate user is no longer able to connect or access the desired servers or applications.
  • Connection state attacks—All network devices or systems (such as firewalls, webservers and application servers) have internal tables with some limited resource/capacity that are used to track the active connections or disconnected connections. With this type of attack, the table is filled with many connections, so the new user cannot make a connection. Sometimes these attacks cause device failures that result in all active users losing connection.
  • Application-layer attacks—In these types of attacks, application servers are overloaded with so many requests for resources that all available resources are consumed. Examples of these types of attacks include memory, processors, malformed HTTP, HTTP get/post floods and DNS cache poisoning.

The Trends in DDoS Attacks

The volume, duration and frequency of DDoS attacks used to flood web sites and other systems with junk traffic have significantly increased over the years. According to a report released by a DDoS mitigation service provider security firm, an 88 percent increase in the total number of DDoS attacks was seen in the third quarter of 2012 compared to the same period in 2011. The packet-per-second (pps) rate in attacks has also increased apart from the increase in the bandwidth.4 The size of a high-profile attack against a spam-fighting organization called Spamhaus was reported to have peaked at more than 300 Gbps, making it the largest in history.5

DDoS attacks are evolving in the following ways:

  • The attack paradigm is rapidly shifting from the realm of network security into the application layer.
  • Consumerization of IT is broadening the DDoS attack platform.
  • DDoS attacks are increasing in frequency and impact.
  • Inherent limitations in today’s infrastructure make DDoS a very realizable risk.
  • Complex and advanced DDoS attacks can be difficult to mitigate.

The DDoS Threat Landscape

The first step in defending against today’s complex DDoS threat is to understand the threat landscape. According to recent attack data, DDoS attacks are being used in combination with other forms of cybercrime to facilitate information theft by degrading perimeter defenses with DDoS attackers and then gaining access to resources inside the network.6 Sony estimated that US $170 million in losses were enabled by DDoS attacks.

In September 2012, the US Federal Bureau of Investigation issued a warning to financial institutions that some DDoS attacks are actually being used as a distraction.7 These attacks are launched before or after cybercriminals engage in an unauthorized transaction and are an attempt to avoid discovery of the fraud and prevent attempts to stop it. In these scenarios, attackers target a company’s web site with a DDoS attack. They may or may not bring the web site down, but that is not the main focus of the attack; the real goal is to divert the attention of the company’s IT staff toward the DDoS attack. Meanwhile, the hackers attempt to break into the company’s network using any number of other methods that may go unnoticed as the DDoS attack continues in the background.

Furthermore, the availability of DDoS tool kits has turned DDoS attacks into a commodity that is readily available to anyone. It is safe to assume that DDoS tool kits will continue to evolve and offer new capabilities—forcing the defending or victim organizations to adjust their defense strategies. Furthermore, cloud computing, which has proven to be one of the most transformative changes in IT, has also been successfully applied by the cybercriminal in DDoS attacks.

Motivation Behind DDoS Attacks

The number one motivation behind DDoS attacks is believed to be ideological hacktivism,8 followed by other motivational factors such as financial fraud, extortion and competitive rivalry.

Hacktivists often utilize DDoS attacks to advance political and social objectives, disabling the legitimate usage of web sites and targeting IT resources to express a message of dislike or disapproval. Hacktivism is not a new concept, but recent advances in malicious software have made point-and-click malware tools available to anyone wanting to join a hacktivist’s cause. These tools include the Low Orbit Ion Cannon (LOIC) or the slightly newer High Orbit Ion Cannon (HOIC), which can target up to 256 web address simultaneously.

Business Impact of DDoS Threats

The impact of a DDoS incident can be devastating to the organization from a financial and brand perspective. A few-hour network outage can cost millions of dollars and anger thousands of customers who rely on online services. Direct revenue losses can be high for organizations that rely heavily on public-facing services. DDoS attacks are even more impactful when they are used in conjunction with other types of offenses.

The consequences of a DDoS-related attack can include:

  • Brand and reputation damage
  • Breach of contract and violations of service level agreements
  • Loss of shareholder confidence
  • Service interruption leading to, for example, issuance of customer credits, nonrenewal of business and lost sales
  • Marketing and advertising costs associated with damage control

In 2012, a large telecommunications organization experienced a DDoS attack that flooded its DNS servers, lasted about eight hours and took down its business web site. The intermittent disruptions affected Internet services for its business customers due to DNS outages resulting from the DDoS attack.9

The Challenges

Virtually any resource that is connected to the Internet is vulnerable to DDoS attacks, and contrary to popular belief, many existing controls do not protect against these attacks. Typically DDoS attacks attempt to bring down the critical services by targeting the organization’s web servers, application servers, routers or firewalls. In most enterprises and government organizations today, these resources either perform or provide access to business functions that are essential to the enterprise’s operations, services delivery, productivity, revenue generation and other core activities.

Today, most enterprises rely on traditional perimeter security tools, such as firewalls, secure web gateway and Internet service providers (ISP) devices, to protect the networks. Although these essential devices serve as a first layer of defense and should remain part of a layered security defense, they are not designed to handle network availability or protection from advanced threats and can fail to actually protect from sophisticated attacks.

Possible Solutions to DDoS Attacks

Given the extraordinary and rapid changes in DDoS attack techniques, traditional DDoS mitigation solutions (e.g., bandwidth provisioning, firewall, intrusion prevention systems) are no longer sufficient to detect and protect an organization’s network or applications from sophisticated DDoS attacks.

External Solutions
The most cost-effective approach to mitigate DDoS attacks is to pay the ISP to detect and mitigate attacks before they reach the organization’s Internet-facing resources (e.g., web servers, email servers). The key here lies with the ISP, in terms of its maturity of service offerings that address most forms of DDoS attacks.

In addition, there are many organizations that provide services for DDoS mitigation and play a middleman role. Their offerings include such things as DNS redirection to Border Gateway Protocol (BGP) route changes in which inbound Internet traffic flows through them and they detect the attacks and perform scrubbing/filtering in their Internet data centers. As a result, their customers get filtered and clean Internet traffic.

Internal Solutions
Various security vendors provide appliance-based solutions to defend against DDoS attacks. They detect and provide protection from a broad array of DDoS attacks. Many vendors claim solutions with different appliance models and offer throughput ranging from 12 Mbps to enterprise-class solutions. Further, these appliances are integrated with the central management suite, giving users a single point of control and a full view of security events. As DDoS threats evolve every day, these specialized vendors are likely to respond faster with innovative solutions than vendors that offer basic DDoS protection embedded in the firewall and ISP offerings.

DDoS Attack Mitigation Guidelines and Best Practices

Successful DDoS attack mitigation involves having 24/7 continuous monitoring technology capabilities and capacity to identify and detect attacks while allowing legitimate traffic to reach its destination. Furthermore, to address issues appropriately in real time, a solid and tested incident response plan and procedures need to be in place. Key technologies, best practices and processes include:

  • Centralized data gathering and analysis—Organizations need to build centralized monitoring dashboards that allow them to see the entire network, systems and traffic patterns in one place and have a team of experts keeping watch consistently and continually over them.
  • Layered defense approach—The goal should be to allow only legitimate traffic to the network and exclude all unwanted traffic.
  • Scalable and flexible infrastructure—To make sure systems function properly even under attack, organizations must have a highly scalable and flexible infrastructure in place with on-demand capacity.
  • Regularly addressing application and configuration issues—DDoS attacks have evolved to be more sophisticated and difficult to detect at the application layer. One needs to know and understand what each application does, its uses and usage pattern, what a normal application request looks like, and the normal transaction level for each application component.

Conclusion

DDoS attacks have left their mark. As time goes by, these types of attacks against private organizations and governments for the purpose of distraction are expected to continue to unfold with even more complexity and sophistication. DDoS attacks are also largely adopted in cyberwarfare to hit a country’s critical infrastructures. Enterprises must pay attention to this threat and properly assess their environment and monitoring capability to protect and defend against these aggressive attacks. As DDoS attacks continue to evolve, it is critical not to underestimate the threat.

Endnotes

1 Gonsalves, Antone; “U.S. Bank Cyberattacks Reflect ‘Frightening’ New Era,” CSO, 10 January 2013, www.csoonline.com/article/726131/u.s.-bank-cyberattacks-reflect-frightening-new-era
2 Radware, “Server-based Botnets and HTTPS Layer Attacks Among the Tactics Leveraged by Hackers in Some of 2012’s Most Notorious Attacks,” 22 January 2013, www.radware.com/newsevents/pressrelease.aspx?id=1630879
3 Microsoft, “What is a Botnet?”
4 Prolexic Report, “Increasing Size of Individual DDoS Attacks Define Third Quarter,” 16 October 2012
5 Vijayan, Jaikumar; “Spamhaus Hit by Biggest-ever DDoS Attacks,” CIO, 27 March 2013, www.cio.com/article/730849/Spamhaus_Hit_by_Biggest_ever_DDoS_Attacks?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+cio%2Ffeed%2Fdrilldowntopic%2F3089+%28CIO.com+-+Security%2
6 Arbor Networks, “A Focus on Distributed Denial of Service,” p. 3
7 Symantec, “Internet Security Threat Report 2013: Volume 18,” April 2013, www.symantec.com/security_response/publications/threatreport.jsp
8 Arbor Special Report, Worldwide Infrastructure Security Report 2012 Volume VIII, “Motivation, Scale, Targeting and Frequency of DDoS Attacks,” p. 18
9 Ragan, Steve; “DDoS Attack Caused AT&T DNS Outage on Wednesday,” Security Week, 17 August 2012, www.securityweek.com/ddos-attack-caused-att-dns-outage-wednesday

Ajay Kumar, CISM, CCSK, ISO 27001 LA, is an information security manager who has been working for a decade in the information security and risk management domain and has expertise in infrastructure security, identity and access management, data protection and privacy, cloud security, and cybersecurity.