Better bandwidth, bigger DDoS application level risk
Until recently, distributed denial of services (DDoS) attacks were complex to launch and appeared to target mainly high profile organisations and websites. But this has all changed. Now everyone is at risk.
A DDoS attack, in which services of a host connected to the internet are suspended, can be generally classified into two categories: Volumetric attacks: Flood attacks saturate network bandwidth and infrastructure (e.g.: UDP, TCP SYN, ICMP) and Application-layer attacks: These attacks are designed to target specific services and exhaust their resources (HTTP, DNS). Because they use less bandwidth, they are harder to detect. The ideal situation for application-layer DDoS attacks is where all other services remain intact but the webserver itself is completely inaccessible.
According to Stratecast, DDoS attacks are increasing in number by 20% – 45% annually, with application-based DDoS attacks increasing in triple digits levels. DDoS attacks have evolved – along with the proliferation of botnets − into one of the biggest threats on the security landscape. Traditionally, the challenge in SA has been the fact that with limited bandwidth capabilities it is far easier for DDoS attackers to disable infrastructure rather than services. However, with the increase in bandwidth availability as well as services providers’ improved capability to protect against volumetric DDoS attacks, we can now see an increase in DDoS attacks targeting individuals companies’ servers and services at an application level.
Now, anyone connected to the Internet is a possible target. Recent highly visible attacks included many politically-motivated attacks, state-sponsored cyber warfare, social activism and organised cyber crime, often driven by the easy availability of DDoS tools and botnets for hire.
People often assume only ISPs and webservers can be targets, but targets also include other services, such as mail servers, firewalls, VoIP gateways and file-sharing. Victims may include financial institutions, e-tailers, gaming sites, SaaS, government, critical infrastructure, cloud providers and popular sites. For example, Independent Newspapers’ subsidiary IOL recently fell victim to a DDoS attack, for which a group calling itself ‘Anonymous Africa’ claimed responsibility. The group tweeted it had taken the site down over IOL’s alleged support of Robert Mugabe.
The cost of DDoS
The biggest risk to an organisation from DDoS attacks is the potential loss of data and the negative impact from downtime. When online retailers go offline, they lose revenue; when trading systems are attacked and cannot trade, they lose revenue. Companies and organisations that have their websites defaced or taken down can suffer substantial damage to their brand and image.
In addition to lost revenue due to downtime, there are also costs related to IT analysis and recovery, loss of worker output, and possibly also financial penalties from broken service level agreements.
It used to be quite an undertaking to launch a DDoS attack, requiring sophisticated tools and many collaborators. Now, however, with the prevalence on the Internet of ready-mades DDoS tools and botnets-for-hire, effectively executing a DDoS attack is very easy and possible at low cost. Hence we expect to see sharp increase in DDoS attacks coming from many various sources.
Setting up a defence
In this changing environment, it is essential that organisations put the right multi-layer defences and DNS server protection in place, as well as drafting a response plan, to guard against DDoS attacks and their impact on the business and its reputation.
A multi-layer strategy is crucial in DDoS protection. This includes dedicated on-premise solutions to defend and mitigate threats from all angles of the network. These tools should provide anti-spoofing, host authentication techniques, packet level and application-specific thresholds, state and protocol verification, baseline enforcement, idle discovery, blacklists/whitelists and geolocation-based access control lists. Solutions should not only detect application-layer DDoS attacks and efficiently block common, generic or custom DDoS attack techniques and patterns, but should also have the ability to “learn” to recognise both acceptable and anomalous traffic behaviour patterns based on traffic flow.
As part of an overall defensive strategy, organisations must protect their critical assets and infrastructure. Many firms maintain their own DNS servers for Web availability, which are often the first systems to be targeted during a DDoS attack. Once DNS servers are hit, attackers can easily take down an organisation’s Web operations, creating a denial of service situation. DNS protection solutions available on the market today can protect against transaction ID, UDP source port and case randomisation mechanism intrusions.
Organisations also need a way to maintain vigilance and monitor their systems before, during and after an attack. The best defenses will incorporate continuous and automated monitoring, with alert systems that sound alarm bells and trigger the response plan should DDoS traffic be detected.
It’s important to have granular visibility and control across the network. This visibility helps administrators get to the root of the attack’s cause and block flood traffic while allowing legitimate traffic to pass freely. It also hands administrators the ability to conduct real-time and historic attack analysis for in-depth forensics. In addition, advanced source tracking features can help defensive efforts by pinpointing the address of a non-spoofed attack, and can even contact the offender’s domain administrator.
By Perry Hutton, Regional Director – Africa, Fortinet