Waiting for DDoS


In football, many offensive plays are designed to trick the defense into thinking something else is about to unfold. In the world of cybersecurity, DoS (Denial of Service) or DDoS (Distributed Denial of Service) attacks often serve as a similar smokescreen or decoy to a far more sinister plot with the ulterior motive to mount a computer network breach that results in the loss of data or intellectual property.

It was a DDoS attack that woke up Sony Pictures in Nov. 2014 (watch the video emailed to Sony employees on the morning of the attack), even though attackers had infiltrated the company's networks months before undetected, and eventually obliterated its computer systems. According to Fortune, half of Sony's global network was wiped out, erasing everything stored on 3,262 of the company's 6,797 personal computers and 837 of its 1,555 servers.

Hackers calling themselves “#GOP” (Guardians of Peace) threatened to release publicly Sony Pictures' internal data if their demands, including “monetary compensation,” were not met. They weren't bluffing.

Sobering DDoS Statistics

Recent studies show DDoS attacks growing exponentially in recent years, launched through rentable, relatively inexpensive, anonymous botnets that cost as little as $1,000 and can render an e-commerce website completely inoperable.

  • The average denial of service (DoS) attack costs the victim $1.5 million, according to a separate Ponemon Institute survey sponsored by Akamai and published in March 2015. The 682 responding companies reported four attacks a year.
  • AT&T also reported companies across its network were hit with four times a year with DDoS attacks and 62 percent growth in DDoS attacks over the past two years.
  • Once an organization receives a DDoS attack, the chances of being the object of a data breach are better than 70 percent, reported Neustar Inc., a Sterling, Va.-based provider of cloud-based information services, including conducting research on cloud metrics and managing various top-level internet domains.
  • The second quarter of 2015 set a record for the number of DDoS attacks recorded on Akamai's Prolexic Routed network – more than double what was reported in 2014's second quarter.
  • Corero Networks, a Hudson, Mass.-based security services provider, reported that its clients were getting DDoS attacks an average of three times a day, and in the second quarter of 2015 daily attack volume reached an average of 4.5 attacks, a 32 percent increase from the previous quarter.
  • More than 95 percent of the attacks combated by Corero last 30 minutes or less, and the vast majority of the attacks were less than 1 Gbps.
  • Only 43 percent rate their organizations as highly effective in quickly containing DoS attacks, and only 14 percent claimed to have had the ability to prevent such attacks, according to the Ponemon report. 
  • The worst DDoS attack on the Akamai network peaked at 214 million packets per second (Mpps), a volume capable of taking out tier 1 routers, such as those used by internet service providers (ISPs).

Our Experts:

JJ Cummings, Managing Principal of Security Incident Response Team, Cisco
Ondrej Krehel, Digital Forensics Lead & CEO, LIFARS
Larry Ponemon, Chairman & Founder, Ponemon Institute
Charles Renert, VP of Cybersecurity, ViaSat
Mark Tonnesen, CIO and CSO, Neustar
Mike Weber, VP of Labs, Coalfire

“It's pretty hard to stay one step ahead of these guys,” admits Mark Tonnesen, chief information officer (CIO) and chief security officer (CSO) of Neustar. In a recent survey of 760 security professionals commissioned by Neustar and conducted by Simply Direct of Sudbury, Mass., for the U.S. market and Harris Interactive of London for the Europe, Middle East and Africa (EMEA) markets,  DDoS attacks increased in 2015 six-fold when compared to the previous year.

“Every day there's an announcement of some [DDoS attack] going on with a company caught unprepared, trying to ramp up with people and technology,” Tonnesen says. “Companies are looking for any way they can grab an edge any way in identification, detection and reaction time to eliminate the attack.”

Interruption vs. Outage

Those behind DDoS attacks may have ulterior motives to capture real value from the attack, such as financial gain, brand carnage, or intellectual property resold on the underground market. Any of those scenarios happen nine out of every 10 DDoS attacks, according to Neustar data. The impact on a company's customers and the firm's bottom line “negatively impacts everybody's financials,” Tonnsesen points out.

DDoS attacks, which can take the form of an interruption or the more serious outage, almost always serves as a smokescreen avoiding attention to an outright sinister data breach. Meanwhile, the IT staff is trying to figure out why the website isn't working properly. “Unbeknownst to you, [the malware is] already in your network,” he explains.

A DDoS outage is a complete slaughter of messaging to a network, such as an e-commerce platform. Effectively, the network appears to shut down completely due to the bandwidth overload, making it nearly impossible to get traffic through to the website. In contrast, a DDoS interruption involves attacks targeted such as to a customer service organization or intellectual property or customer records and identity.

“[An interruption] certainly has a major impact, but it wouldn't be an outage,” explains Tonnesen. “It's more of a disruption, not a flat-out attack. The attackers are much more intelligent and organized; they know what they're certainly looking for, such as affecting your brand and or having a financial impact. There's an element of showcasing their capability, and the lack thereof of the company that was attacked.” As a result, IT security and network teams must be vigilant and always be on high alert.

The Hybrid Solution

Some CISOs are moving to a “hybrid” approach to combating a DDoS attack of the of the Open System Interconnection (OSI) Model Application Layer 7 variety. The approach uses an on-ground client security product that links with a cloud-based mitigation tool. One argument for this approach is that attack victims can react more quickly to a specific attack on a business area, such as engineering or customer support, if they have the benefit of cloud-based updates rather than waiting for a network-based device to be updated.

"Based on the customers I talk to, hybrid approaches are becoming mainstream,” says Tonnesen.

Best Practices of a Telecom/Defense Contractor

ViaSat is a Carlsbad, Calif.-based global broadband services and technology company, whose internet services are used by consumers throughout the world.
Click here to read the complete story.

Client and cloud security products work together with one or the other configured as a rules-based defense working on certain types of data attacks that affect key assets and applications.  Typically, underlying attacks involve a DNA-like sequence that lives in a lower level of an organization's technology stack, such as malware sitting on a server some place, and begin to take over key assets. “That's where a DDoS mitigation service can really help a weakness or attack sector,” Tonnesen says. “One approach really isn't good enough anymore.”

Mike Weber, vice president of labs of Coalfire, a cyber risk management and compliance company based in Louisville, Colo., says that “being able to diagnose a denial of service attack does take some time. Generally understanding if it's a problem internally, such as an application malfunction, system problem or faulty hardware, those kinds of diagnostics take a while.”

When Weber was fending off DDoS attacks at a former employer, a web hosting company, he received an insider's view of old-fashioned corporate espionage. The client hosting company had known adversaries but could never pin the frequent attacks on a single entity. “They had a good idea who was behind the attacks,” he remembers. “A lot of times, it was their competition. It was used as a revenge tactic – sometimes it was intended to impact that company from a business perspective for whatever reason. Maybe it's a page rank or advertising issue.”

Attackers leverage those kinds of attacks to consume personnel/intellectual capital being used for diagnosis. While the victim attempts to identify the strategy attempting to thwart it typically sends companies under attack into a state of chaos.

An attack against a website can be set to look like a denial of service interspersed with an attack that achieved the end goal of flooding log servers. Typically the obvious attack needs to be stopped before one can diagnose the other less obvious attack. “Think of that as DNS (Domain Name System) amplification – a DDoS attack where the attacker basically exploits vulnerabilities in the DNS servers to be able to turn small inquiries into large payloads, which are directed back to the victim's server,” Weber says. “Those are a different protocol than those other attacks that are attacking different parts of the infrastructure whether they're operating systems or applications. So typically they would be targeted towards two different parts of the client environment.”

Malicious Traffic

A typical approach to prevent DDoS from inflicting damage is to re-route non-malicious traffic to a cloud-based or third-party provider whose sole purpose is to mitigate denial of service-type attacks at what's known as a “scrubbing” center.

Inside DDoS Forensics

Volumetric Attacks, such as the aforementioned DNS or NTP reflections or UDP (User Datagram Protocol) or SYN/ACK (Synchronize/Acknowledge) floods, consume all available bandwidth targeting the largest Internet carriers.
Click here to read the complete story.

“Only clean traffic gets through,” says J.J. Cummings, managing principal of Cisco's security incident response team.

DDoS traffic then purposely gets diverted to the external provider, which takes the “brunt” of the attack and “roots out all that's evil and bad.” Denial of service attacks are extremely challenging and can be expensive from a mitigation perspective, in terms of pipe size and technology, he admits.

“At the end of the day it comes down to how critical these business applications are,” Cummings says. “How much do you want to spend to withstand an attack and an attack of what size?”

The first questions that need to be addressed before, during or following a DDoS, says Cummings, “are how big is your Internet pipe and how much bandwidth has been thrown at you historically?” The answers determine a network's required level of operational capability as well as what the needs at a bare minimum to resume the business.

Security products are available from multiple vendors to help harden a company's public-facing systems so they're less susceptible to targeted types of attacks. “Those technologies presume you have enough of an Internet pipe to withstand that amount of bandwidth,” says Cummings. Otherwise, it's a moot point.

Detection analytics is another important tool to put DDoS mitigation measures in place. “You don't all the sudden get a terabyte of traffic hitting. It kind of spools up, as that botnet starts to distribute the attack commands,” he adds. ISPs can know in advance to block certain IP addresses or certain traffic streams upstream.

More sophisticated attacks often are focused on a profit motive and target companies with a lot of money or a gambling site that is taking bets on a major sporting event. In online video gaming or gambling, some players go to the extremes of disrupting the network where the opposition is hosted by firing off a DDoS attack. 

Retribution is another scenario with DDoS attacks. A former employee or student gets mad and rents a botnet to conduct the attack.

A significant consequence to a denial of service attack is damage to the victim organization's reputation, in addition to a potential dollar loss for every minute that the network is offline.

Nearly two-thirds (64 percent) of respondents in the Ponemon Institute's denial of service study say reputation damage is the main consequence of a DoS attack, with 35 percent for diminished IT staff productivity and 33 percent for revenue losses.

“We try to come up with metrics on how to measure reputation loss, which is pretty significant,” says Larry Ponemon, chairman of the Ponemon Institute, the cybersecurity think tank based in Traverse City, Mich. “When people hear the bad news, what do they do? The churn can be significant from a revenue point of view. People leave, they find alternatives.”

Citing research from the institute's recent Cost of Data Breach study, Ponemon says the most expensive attack type on a unit cost per attack is DDoS, when compared to other security incidents such as phishing, because it takes a lot of effort to stop it. Meanwhile, he adds, “there's an extraction of data while people are worrying about the website being down.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.