We all know the story – a distributed denial-of-service (DDoS) attack occurs every two minutes, costs up to $27 million a day in losses, and anyone can order a DDoS attack online for a couple hundred dollars a month. In 2014, this will continue to be the norm. Corporations need to brace themselves to effectively identify and mitigate the risk of DDoS attacks so that the organization's overall mission is sustained. As we approach the new year, preparing for the following techniques, tools, and tactics is critical:
Covert reconnaissance
Attackers learn and adapt on the fly, much more dynamically than those playing defense - they are not always going to use volumetric attacks. Covert reconnaissance is often utilized prior to an attack to gather as much information about the target as possible. Attackers will be especially interested in discovering existing DDoS defenses that are in play so they can subvert them when the real payload is delivered.
Hybrid attacks
More sophisticated application layer/network layer hybrid attacks will be executed and high-level targets, like top-level domains, will be targeted in 2014. Attackers will increasingly learn to bypass simple DDoS defenses, like browser fingerprinting techniques, that typically attempt to differentiate between requests from legitimate users versus attackers. The hackers will initiate more "multi-prong" attacks, and the defenses need to improve to keep up.
Adaptive attacks
If history is any indication, attackers will continue to innovate and capitalize on the weaknesses of historical DDoS defense techniques, such as rerouting attack traffic to scrubbing centers that lead to delays in mitigation – while routing and domain name changes propagate. Adaptive attacks are perfect for this scenario because by the time the defense comes into play, attackers will have moved on to a different kind of attack. Additionally, DDoS attacks have been utilized as a smokescreen for attempts using other attack vectors, such as a data breach.
Increased efficiency
Attackers are always interested in getting the job done as efficiently and effectively as possible. Even short DDoS attacks can be very damaging. Reflection brings efficiency via amplification attacks (and of course IP spoofing). Hence we will expect to see more of those attacks as well.
No industry is safe from attacks
Attackers will continue to target the usual industries – financial services, utility providers, energy, online gaming and gambling, healthcare, etc. However, they will also take aim at new targets like the mining industry.
Proliferation of booters and tools
There is likely to be more proliferation of booter websites – essentially DDoS as a service. These "test your own website" - type pages will allow anyone to launch an attack at a relatively affordable price. However, these aren't expected be very sophisticated attacks, just yet. Additionally, inexpensive do-it-yourself kits that make it easier for anyone to create a relatively sophisticated army of bots to DDoS a target may become more readily available. Of course, more standalone DDoS testing tools will be released in 2014 as well.
While hackers will continue to find creative ways to infiltrate their victims' networks, the security industry is also innovating to provide new defense techniques. Actively mitigating the DDoS attacks turns the tables and potentially exposes the attacker's covert mission, which could cause them to give up if they are repeatably unsuccessful.
In 2014 organizations must take notice of these threats, and understand the repercussions. It is not a matter of if you will come under attack; it's more a matter of when. Protection must begin before the attack has been successful; waiting until an attack has occurred to implement security measures defeats the purpose. Without always-on protection against these evolving cyber threats, companies are a sitting duck for denial-of-service attacks and potentially subsequent data breaches.
