Denial of service is on the rise. What can you do to respond?
Business in the West runs on the Internet, a fact your reporter is acutely aware of as he writes offline, the office having been plunged into the 1950s for reasons best known to the IT department.
That in mind, it is no surprise that web disruption has acquired a status formerly reserved for mass traffic jams or tree-wrenching storms, a fact illustrated by the speculation that followed Facebook going offline for a mere sixty minutes in January.
Though the social network eventually claimed the shutdown was planned maintenance, many took seriously the claim that Lizard Squad, a group of hackers known for shutting down video game networks, had brought one of Silicon Valley’s giants to a halt through a distributed-denial-of-service (DDoS) attack.
Whilst Lizard Squad’s prowess likely does not extend to such feats, the idea that a business could be paralysed by DDoS attacks is not so strange. The attack method, which involves flooding servers with traffic, is one of the easiest hacks to pull off – so much so that some purists do not even consider it to qualify as hacking.
Launching such an attack can be as simple as downloading a tool for your computer that effectively automates a page refresh on a website at high speed. More advanced versions require roping in other machines to create botnets (robot networks), with such services also available to rent for as little as a few pounds. So what can be done about them?
"The primary purpose of a denial-of-service attack is to interfere with an organisation’s Internet activity," says Chris Richter, SVP of managed security services at Level 3, a telecoms firm. "We see a lot of that happening with companies dependent on high speed transactions such as gaming or finance."
According to Richter, as much as three-quarters of these attacks fall into the realm of "hacktivism", a form of political protest in which hackers disrupt a company's or government's operations to register their opposition to a given policy or practice – a common tactic among groups such as Anonymous.
More problematic are the "mixed" or "blended" attacks, which use DDoS as a distraction. Mike Langley, EMEA VP of Palo Alto Networks, a security vendor, says a DDoS attack can be just the start of a broader assault, one that may leave firms open to devastating damage.
"DDoS attacks are how you cripple a company, then you utilise malware to break the perimeter and get where you want to go," he says. "We’re certainly defending against DDoS attacks, but the reality of all these threats is it’s sophisticated malware and that’s getting past people’s perimeters."
Blocking the threat
Langley adds that the CISOs he talks to tend not to worry so much about hacktivism, but rather about how they can beat the cybercriminals before they have a chance to steal data or intellectual property.
It is in this vein that Richter's company, Level 3, runs a "scrubbing" service, so called because it washes traffic clean before the bad stuff has a chance to disrupt a website. It works by redirecting inbound traffic away from the website for inspection, forwarding only the legitimate visitors on to the main site.
"We decided to build a DDoS mitigation service because we scan so much of the world's traffic," he says. "We see about 70% of the world's IP headers flowing across our routers. That gives us the ability to detect all of the malicious activity, including DDoS attacks."
By analysing NetFlow records, the per-flow summaries that routers export about the traffic they forward, Level 3 is able to tell good traffic from bad based on its origin, destination, volume and protocol. It has even built an analytics program that can be taught what to look for.
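To make the flow-based approach concrete, here is an added example (not Level 3's code; the record layout, the thresholds, the helper names and the sample flows are all constructed assumptions) that classifies NetFlow-style records by origin, destination, volume and protocol. It flags two patterns: a volumetric flood, where many sources push a high packet rate at one destination, and the "low and slow" pattern of many long-lived connections trickling a few bytes each to a web server.

```python
"""Flow-based DDoS triage over NetFlow-style records.

Added illustrative example, not Level 3's scrubbing logic. The record
format (src dst proto dport packets bytes duration_s), the thresholds and
the sample data are constructed assumptions for demonstration only.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "TCP", "UDP", "ICMP"
    dport: int
    packets: int
    bytes: int
    duration_s: float


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated records; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts, nbytes, dur = line.split()
        flows.append(Flow(src, dst, proto.upper(), int(dport),
                          int(pkts), int(nbytes), float(dur)))
    return flows


def volumetric_targets(flows, min_sources=50, min_pps=1000, window_s=60.0):
    """Destinations hit from many sources at a high aggregate packet rate.

    Returns {dst: {"sources": n, "pps": rate, "proto": dominant protocol}}.
    window_s is the assumed export window the records cover.
    """
    pkts = defaultdict(int)
    srcs = defaultdict(set)
    protos = defaultdict(lambda: defaultdict(int))
    for f in flows:
        pkts[f.dst] += f.packets
        srcs[f.dst].add(f.src)
        protos[f.dst][f.proto] += f.packets
    hits = {}
    for dst, total in pkts.items():
        pps = total / window_s
        if len(srcs[dst]) >= min_sources and pps >= min_pps:
            dominant = max(protos[dst], key=protos[dst].get)
            hits[dst] = {"sources": len(srcs[dst]), "pps": pps, "proto": dominant}
    return hits


def low_and_slow_targets(flows, min_flows=20, max_bps=200.0, min_duration_s=30.0):
    """Destinations with many long-lived TCP flows carrying almost no data.

    Returns {dst: number of such flows}. Connection-holding attacks look
    like this in flow data even though each flow alone is unremarkable.
    """
    slow = defaultdict(int)
    for f in flows:
        if f.proto != "TCP" or f.duration_s < min_duration_s:
            continue
        if f.bytes / f.duration_s <= max_bps:
            slow[f.dst] += 1
    return {dst: n for dst, n in slow.items() if n >= min_flows}


def constructed_sample() -> str:
    """Constructed sample export (RFC 5737 documentation addresses)."""
    lines = ["# src dst proto dport packets bytes duration_s"]
    # Background: five ordinary HTTPS visitors to the web server.
    for i in range(5):
        lines.append(f"198.51.100.{i + 1} 203.0.113.20 TCP 443 40 52000 8.0")
    # Volumetric UDP flood: 60 bot sources at the DNS server, 2000 packets each.
    for i in range(60):
        lines.append(f"192.0.2.{i + 1} 203.0.113.10 UDP 53 2000 2400000 60.0")
    # Low and slow: 25 connections to the web server held open for two
    # minutes, each sending a handful of packets and a few hundred bytes.
    for i in range(25):
        lines.append(f"198.51.100.{100 + i} 203.0.113.20 TCP 80 6 480 120.0")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(constructed_sample())
    print("volumetric:", volumetric_targets(flows))
    print("low and slow:", low_and_slow_targets(flows))
```

On the constructed sample the flood shows up as 60 sources sending 2,000 packets per second of UDP at the DNS server, while the web server trips only the low-and-slow rule: its 30 sources are well below the volumetric threshold, which is exactly why application-layer attacks need a different signal (here, bytes per second over flow duration) rather than raw volume.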
This approach differs from Palo Alto's, which relies on the staple defences most companies would be considering as part of a broader security programme. These include segmenting data, deploying systems that stop exploits of unpatched "zero day" flaws, blocking traffic to the command and control (C&C) servers that send instructions to malware, and limiting user privileges across a system.
"The nature of any malware is that it's going to do something that's not acceptable use," Langley explains. Both firms' plans are part of a broader push to detect anomalous behaviour, an increasing focus among security vendors.
Denial of future
Yet even as the defenders become smarter, the hackers are expanding their efforts to carry out DDoS attacks. Richter reports that his company has seen a rise in volumetric attacks, which use thousands of bots to saturate a target's bandwidth, and also in strikes aimed at web applications themselves rather than at the sites that host them.
"These [application attacks] are low and slow," he says, adding that they involve crafted packets that target specific vulnerabilities and are primed to go off at a specific time. Such strikes will be harder for his firm to detect than the current batch, but no less damaging. Troubling times await.