Ajay Kumar, CISM, CCSK, ISO 27001 LA
Distributed denial of service (DDoS) is one of the most widespread types of cyberattack and a serious concern for governments and institutions today. These attacks are an insidious foe for online service providers, whose businesses depend on the availability of their web sites for critical business functions and productivity. This article focuses on the types of DDoS attacks, their trend and changing frequency, their business impact, the countermeasures organizations can take to prevent successful DDoS attacks, and how to build a strategic approach to defend against this growing cyberthreat.
Cyberattacks on banks worldwide reflect a frightening new era in cyberwarfare. For example, since September 2012, US banks have been battling, with mixed success, DDoS attacks from a self-proclaimed hacktivist group called Izz ad-Din al-Qassam Cyber Fighters.1 Because of a shortage of experts skilled in building effective defenses, many corporations are not prepared to battle such attacks.
The growing concern over HTTPS-based attacks adds a new dimension to the security landscape. Though HTTPS is conventionally associated with security on the web, attackers have learned to use the encryption layer as cover, launching application-level and SSL attacks inside encrypted sessions; a perimeter device that does not terminate TLS cannot inspect those requests, so the attack escapes detection and remains hidden until it is too late. This is especially troubling for financial services and e-commerce web sites that rely heavily on HTTPS.2
Denial of service (DoS) is a form of cybercrime in which attackers overload computing or network resources with so much traffic that legitimate users are prevented from accessing them. An attack is called “distributed” when the attack traffic originates from many hosts at once.
Historically, DDoS attacks have originated from Internet-connected PCs compromised by malware. These PCs are called “bots” and are typically under the control of a command-and-control (C&C) server operated by the attacker, or “botmaster” (see figure 1).
The word “bot”3 (from robot) refers to automated software programs that perform specific tasks on a network of computers with some degree of autonomy. A “botnet” is a set of such computers controlled by a C&C computer to execute commands as directed. Typically, a computer becomes a bot when an attacker illicitly installs malware that secretly connects it to a botnet; the attacker then uses it for tasks such as sending spam, hosting or distributing malware, or attacking other computers. The C&C computer can issue commands directly, often over Internet Relay Chat (IRC), or through a decentralized mechanism such as peer-to-peer (P2P) networking. Computers in a botnet are often called nodes or zombies.
DDoS attacks work in phases. In the first phase, the attacker compromises weakly protected machines around the world. In the second phase, attack tools (malware) installed on the compromised systems are directed from the C&C server to attack the victim.
While there are hundreds of types, DDoS attacks can be broadly classified into the following three major categories:
The volume, duration and frequency of the DDoS attacks used to flood web sites and other systems with junk traffic have increased significantly over the years. According to a report released by a DDoS mitigation provider, the total number of DDoS attacks in the third quarter of 2012 was 88 percent higher than in the same period of 2011, and the packet-per-second (pps) rate of attacks increased alongside their bandwidth.4 A high-profile attack against the anti-spam organization Spamhaus was reported to have peaked at more than 300 Gbps, making it the largest on record at the time.5
DDoS attacks are evolving in the following ways:
The first step in defending against today’s complex DDoS threat is to understand the threat landscape. Recent attack data show DDoS being used in combination with other forms of cybercrime to facilitate information theft: the attacker degrades perimeter defenses with a DDoS attack and then gains access to resources inside the network.6 Sony estimated that US $170 million in losses were enabled by DDoS attacks.
In September 2012, the US Federal Bureau of Investigation (FBI) warned financial institutions that some DDoS attacks are being used as a distraction.7 These attacks are launched before or after cybercriminals carry out an unauthorized transaction, to avoid discovery of the fraud and to hinder attempts to stop it. In these scenarios, attackers target a company’s web site with a DDoS attack. They may or may not bring the web site down, but that is not the main objective; the real goal is to divert the attention of the company’s IT staff toward the DDoS attack while the attackers break into the company’s network by other methods that go unnoticed as the flood continues in the background. The practical consequence for defenders is procedural: a DDoS incident should raise, not lower, the scrutiny applied to fraud monitoring and privileged activity for its duration.
In addition, the availability of DDoS tool kits has turned DDoS attacks into a commodity readily available to anyone. It is safe to assume that these tool kits will continue to evolve and offer new capabilities, forcing defending organizations to adjust their strategies. Cloud computing, one of the most transformative changes in IT, has likewise been applied successfully by cybercriminals to DDoS attacks.
The number one motivation behind DDoS attacks is believed to be ideological hacktivism,8 followed by other motivational factors such as financial fraud, extortion and competitive rivalry.
Hacktivists often use DDoS attacks to advance political and social objectives, disabling the legitimate use of web sites and targeting IT resources to express dislike or disapproval. Hacktivism is not a new concept, but recent advances in malicious software have made point-and-click attack tools available to anyone wanting to join a hacktivist cause. These tools include the Low Orbit Ion Cannon (LOIC) and the slightly newer High Orbit Ion Cannon (HOIC), which can target up to 256 web addresses simultaneously.
The impact of a DDoS incident can be devastating to an organization from both a financial and a brand perspective. A network outage of a few hours can cost millions of dollars and anger thousands of customers who rely on online services. Direct revenue losses can be high for organizations that depend heavily on public-facing services. DDoS attacks are even more damaging when they are used in conjunction with other types of offenses.
The consequences of a DDoS-related attack can include:
In 2012, a large telecommunications organization experienced a DDoS attack that flooded its DNS servers, lasted about eight hours and took down its business web site. The intermittent disruptions affected Internet services for its business customers due to DNS outages resulting from the DDoS attack.9
Virtually any resource that is connected to the Internet is vulnerable to DDoS attacks, and contrary to popular belief, many existing controls do not protect against these attacks. Typically DDoS attacks attempt to bring down the critical services by targeting the organization’s web servers, application servers, routers or firewalls. In most enterprises and government organizations today, these resources either perform or provide access to business functions that are essential to the enterprise’s operations, services delivery, productivity, revenue generation and other core activities.
Today, most enterprises rely on traditional perimeter security tools, such as firewalls, secure web gateways and Internet service provider (ISP) devices, to protect their networks. Although these essential devices serve as a first layer of defense and should remain part of a layered security defense, they are not designed to preserve network availability or to protect against advanced threats, and they can fail to protect against sophisticated attacks. A stateful firewall in particular keeps a connection table that an attacker can fill, so under a large flood it can become the bottleneck rather than the defense.
Given the extraordinary and rapid changes in DDoS attack techniques, traditional DDoS mitigation solutions (e.g., bandwidth provisioning, firewall, intrusion prevention systems) are no longer sufficient to detect and protect an organization’s network or applications from sophisticated DDoS attacks.
External Solutions
The most cost-effective approach to mitigating DDoS attacks is to pay the ISP to detect and mitigate attacks before they reach the organization’s Internet-facing resources (e.g., web servers, email servers). The key here is the ISP’s maturity in service offerings that address most forms of DDoS attacks.
In addition, many organizations provide DDoS mitigation services in a middleman role. Their offerings range from DNS redirection to Border Gateway Protocol (BGP) route changes, in which inbound Internet traffic is diverted through the provider’s scrubbing centers, where attack traffic is detected and filtered before clean traffic is forwarded to the customer. One caveat a practitioner should weigh when choosing between the two: DNS redirection protects only traffic that reaches the site by name, so the origin server’s real address must not be discoverable or directly reachable, whereas a BGP diversion protects the whole announced prefix.
Internal Solutions
Various security vendors provide appliance-based solutions to defend against DDoS attacks. They detect and provide protection from a broad array of DDoS attacks. Many vendors offer several appliance models, with throughput ranging from 12 Mbps to enterprise-class capacity. Further, these appliances integrate with a central management suite, giving users a single point of control and a full view of security events. As DDoS threats evolve every day, these specialized vendors are likely to respond faster with innovative solutions than vendors that offer basic DDoS protection embedded in firewall and ISP offerings.
Successful DDoS attack mitigation requires 24/7 monitoring capability and the capacity to identify and detect attacks while allowing legitimate traffic to reach its destination. Furthermore, to address issues appropriately in real time, a solid and tested incident response plan and procedures must be in place. Key technologies, best practices and processes include:
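Two of the capabilities discussed above, detecting a flood while leaving legitimate clients untouched and treating the flood as possible cover for fraud (the FBI distraction scenario described earlier), can be illustrated in code. The following is an added example written for this page, not code from the original article or from any vendor product. It assumes Common Log Format web access logs in timestamp order, a 10-second sliding window with per-source and site-wide request limits chosen for the constructed data (real thresholds must be tuned to the site’s normal traffic profile), and a list of sensitive application events in a simple dictionary form; all addresses, log lines and events are constructed.

```python
"""Added example: sliding-window flood detection over web access logs, then
correlation of sensitive application events that fall inside (or just
around) the attack window. All sample data below is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

WINDOW = timedelta(seconds=10)   # sliding window length (assumed value)
PER_SOURCE_LIMIT = 50            # requests per window from one source (assumed)
AGGREGATE_LIMIT = 300            # requests per window across all sources (assumed)


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def detect_flood(lines, window=WINDOW, per_source_limit=PER_SOURCE_LIMIT,
                 aggregate_limit=AGGREGATE_LIMIT):
    """Walk log lines in timestamp order, keeping one sliding window per source
    and one for the whole site. A source is flagged the first time it exceeds
    per_source_limit; the attack window runs from the first to the last moment
    the site-wide count exceeds aggregate_limit. Sources that stay under the
    limit are never flagged, so legitimate clients keep flowing."""
    per_ip = defaultdict(deque)
    site = deque()
    flagged = {}                 # ip -> time it was first flagged
    start = end = None
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        ts = rec["ts"]
        q = per_ip[rec["ip"]]
        q.append(ts)
        while ts - q[0] > window:      # drop requests older than the window
            q.popleft()
        site.append(ts)
        while ts - site[0] > window:
            site.popleft()
        if len(q) > per_source_limit and rec["ip"] not in flagged:
            flagged[rec["ip"]] = ts
        if len(site) > aggregate_limit:
            start = start or ts
            end = ts
    return {"flagged_sources": flagged, "attack_window": (start, end)}


def events_during_attack(events, attack_window, margin=timedelta(minutes=2)):
    """Return sensitive events (logins, transfers, configuration changes) that
    happened shortly before, during or shortly after the flood, for priority
    review: the fraud the flood is covering may sit on either side of it."""
    start, end = attack_window
    if start is None:
        return []
    return [e for e in events if start - margin <= e["ts"] <= end + margin]


# ---- constructed sample data (documentation address ranges, not real traffic)
BASE = datetime(2012, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
LEGIT = ["198.51.100.7", "198.51.100.8", "198.51.100.9"]
BOTS = [f"203.0.113.{n}" for n in range(10, 15)]


def log_line(ip, ts, req="GET /index.html HTTP/1.1", status=200, size=512):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} {size}'


def build_sample_log():
    """60 s of traffic: each legitimate client requests roughly every 3 s;
    five bots each send 10 requests/s from t=30 s through t=49 s."""
    lines = []
    for sec in range(60):
        ts = BASE + timedelta(seconds=sec)
        for i, ip in enumerate(LEGIT):
            if (sec + i) % 3 == 0:
                lines.append(log_line(ip, ts))
        if 30 <= sec < 50:
            for ip in BOTS:
                lines.extend(log_line(ip, ts, "GET /search?q=x HTTP/1.1") for _ in range(10))
    return lines


SENSITIVE_EVENTS = [  # constructed application events
    {"ts": BASE + timedelta(seconds=5), "user": "alice", "action": "login"},
    {"ts": BASE + timedelta(seconds=40), "user": "svc-wire", "action": "transfer_approved"},
    {"ts": BASE + timedelta(minutes=20), "user": "bob", "action": "login"},
]


if __name__ == "__main__":
    result = detect_flood(build_sample_log())
    print("flagged sources:", sorted(result["flagged_sources"]))
    print("attack window:", result["attack_window"])
    for e in events_during_attack(SENSITIVE_EVENTS, result["attack_window"]):
        print("review:", e)
```

Run stand-alone, the script flags the five bot addresses a few seconds into the flood, reports an attack window covering it, and lists the two constructed events that fall within two minutes of that window while leaving the later login alone. The per-source limit is what protects legitimate users: only sources that individually exceed it are candidates for blocking, and the site-wide counter is used to decide when the incident procedure (and the fraud-review margin) applies, not whom to block.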
DDoS attacks have left their mark. As time goes by, attacks of this kind against private organizations and governments, including those used as a distraction, are expected to continue with even more complexity and sophistication. DDoS attacks are also widely adopted in cyberwarfare to hit a country’s critical infrastructure. Enterprises must pay attention to this threat and properly assess their environment and monitoring capability to protect and defend against these aggressive attacks. As DDoS attacks continue to evolve, it is critical not to underestimate the threat.
1 Gonsalves, Antone; “U.S. Bank Cyberattacks Reflect ‘Frightening’ New Era,” CSO, 10 January 2013, www.csoonline.com/article/726131/u.s.-bank-cyberattacks-reflect-frightening-new-era
2 Radware, “Server-based Botnets and HTTPS Layer Attacks Among the Tactics Leveraged by Hackers in Some of 2012’s Most Notorious Attacks,” 22 January 2013, www.radware.com/newsevents/pressrelease.aspx?id=1630879
3 Microsoft, “What is a Botnet?” www.microsoft.com/security/sir/story/default.aspx#!botnetsection
4 Prolexic Report, “Increasing Size of Individual DDoS Attacks Define Third Quarter,” 16 October 2012, www.prolexic.com/news-events-pr-increasing-size-of-individual-ddos-attacks-20-gbps-is-the-new-norm-2012-q3.html
5 Vijayan, Jaikumar; “Spamhaus Hit by Biggest-ever DDoS Attacks,” CIO, 27 March 2013, www.cio.com/article/730849/Spamhaus_Hit_by_Biggest_ever_DDoS_Attacks?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+cio%2Ffeed%2Fdrilldowntopic%2F3089+%28CIO.com+-+Security%2
6 Arbor Networks, “A Focus on Distributed Denial of Service,” p. 3
7 Symantec, “Internet Security Threat Report 2013: Volume 18,” April 2013, www.symantec.com/security_response/publications/threatreport.jsp
8 Arbor Special Report, Worldwide Infrastructure Security Report 2012 Volume VIII, “Motivation, Scale, Targeting and Frequency of DDoS Attacks,” p. 18
9 Ragan, Steve; “DDoS Attack Caused AT&T DNS Outage on Wednesday,” Security Week, 17 August 2012, www.securityweek.com/ddos-attack-caused-att-dns-outage-wednesday
Ajay Kumar, CISM, CCSK, ISO 27001 LA, is an information security manager who has been working for a decade in the information security and risk management domain and has expertise in infrastructure security, identity and access management, data protection and privacy, cloud security, and cybersecurity.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.