Bangkok--23 Aug--Sir (Thailand)
By Eryin Halmen
The cat-and-mouse game between IT administrators, criminals and hacktivists has intensified in 2012 as the number of application-layer Distributed Denial of Service (DDoS) attacks has exploded. Coupled with an increase in political and ideological hacktivism, companies have to be extremely diligent in identifying and combating attempts to disable their websites, steal proprietary information and deface their web applications. Organized crime is now enlisting the aid and incorporating the techniques of hackers for criminal intent such as identity theft, online fraud and extortion. One such attack that is raising alarm bells as the emerging threat to the bastion of network security is none other than DDoS.
A DDoS attack occurs when overwhelming floods of Internet traffic coming from numerous sources are aimed at a website with the intention of consuming the site's available resources, such as bandwidth, CPU or even disk space. DDoS attacks pose many risks to companies, and can result in a significant loss of time, customers and money, as well as compliance violations. Security experts report it takes as little as six seconds for a launched attack to find and infiltrate an unsuspecting system. The level of skill needed to launch attacks is also decreasing with sophisticated automated software.
To make matters worse, DDoS attacks are now being used as a diversion or smoke screen to cover other cyber attacks, such as data theft. DDoS is now an on-demand criminal commodity that does not require any special expertise on the part of the attacker. Any malcontent, hacktivist or competitor can rent a botnet or hire a DDoS "hit team" for a few dollars.
The motivations for today’s DDoS attacks fall into three broad categories:
Competitive Advantage
Unfair competitive practices are a form of cyber crime, as companies in a particular enterprise market engage in online sabotage to gain an unfair competitive advantage. These unscrupulous competitors use DDoS against other online businesses to discourage the victim company’s customers and drive business to their own sites.
Ideological or Political
Ideologically and/or politically based DDoS attacks are also increasing. So-called hacktivists strike at enterprises, industry and government groups over policies and business practices. Foremost among current hacktivists is a group called Anonymous, a loose confederation of staunch opponents of legislation, such as the SOPA (Stop Online Piracy Act), aimed at blocking pirated content on the Internet. Hacktivists also attack prominent commercial entities and government agencies in support of national and international conflict.
Financial Gain
DDoS for profit usually comes in the form of extortion against victim enterprises. Typically, online companies will receive an email or call threatening a crippling DDoS attack unless a sum of money is transferred to an account designated by the attackers before their deadline. Often, the criminals will launch a limited DDoS attack to prove they mean business. This scenario is a cyber variation on the protection racket, in which thugs demand payment from merchants in exchange for not harming them or vandalizing their business. Online gaming sites, as well as online retailers and other commercial sites are popular targets.
For all the pain and suffering DDoS attacks have caused, there are a number of best practices that companies can implement to reduce their risk. The most effective defense against DDoS attacks requires expert preparation of defensive resources, ongoing vigilance and a rapid, organized response.
Here are the top five recommendations for mitigating the effects of DDoS attacks:
1. Create a DDoS Response Plan
As with all incident response plans, advance preparation is key to rapid and effective action, avoiding an "all-hands-on-deck" scramble in the face of a DDoS attack. A DDoS response plan lists and describes the steps an organization should take if its IT infrastructure is subjected to a DDoS attack. Increasingly, Corero is seeing that DDoS attacks against high-profile targets are intelligent, determined and persistent. This new breed of highly capable attackers will switch to different attack sources and alternative attack methods as each new attempt is countered or fails. It is therefore essential that the DDoS response plan define when and how additional mitigation resources are engaged and surveillance tightened.
2. On-Premises DDoS Defenses Are Imperative
Clean-pipe Internet connections provided by ISPs offer a false sense of security. On-premises DDoS defense solutions installed immediately in front of application and database servers are required to provide a granular response to flooding-type attacks, as well as to detect and deflect the increasingly frequent application-layer DDoS attacks. For optimal defense, on-premises DDoS protection solutions should be deployed in concert with automated monitoring services to rapidly identify and react to evasive, sustained attacks.
3. Protect Your DNS Servers
The Internet Domain Name System (DNS) is a distributed naming system that enables us to access the Internet by using recognizable and easy-to-remember names such as www.google.com rather than the numeric IP addresses (e.g. 192.168.0.1) on which network infrastructure relies to route messages from one computer to another. Since DNS is distributed, many organizations use and maintain their own DNS servers to make their systems visible on the Internet. These servers are often targeted by DDoS attacks; if the attacker can disrupt DNS operations, all of the victim's services may disappear from the Internet, causing the desired denial-of-service effect.
4. Know Your Real Customers
A brute-force or flooding type of DDoS attack is relatively easy to identify, though it requires high-performance, sophisticated real-time analysis to recognize and block attack traffic while simultaneously allowing legitimate traffic to pass. Detection of the more insidious application-layer attacks requires a thorough understanding of the typical behaviors and actions of bona fide customers or employees accessing the applications being protected. In much the same way that credit card fraud detection may be automated, on-premises DDoS defense systems establish legitimate usage profiles in order to identify suspicious traffic and respond accordingly.
5. Maintain Continuous Vigilance
DDoS attacks are becoming increasingly smart and stealthy in their methods. Waiting for an application to become unresponsive before taking action is already too late.
For optimal defense, a DDoS early warning system should be part of a company's solution. Continuous and automated monitoring is required in order to recognize an attack, sound the alarm and initiate the response plan.
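Recommendations 4 and 5 describe the same mechanism from two angles: learn what legitimate clients look like, then watch live traffic continuously and raise an alarm before the application falls over. The script below is an added illustration of that idea and is not code from the article or from Corero. It learns a per-client profile (requests per minute and path diversity) from a constructed known-good Common Log Format sample, then runs a sliding window over a second constructed sample and flags two patterns: a client whose request rate exceeds the learned baseline (a flood) and a client that stays under the rate threshold but hammers a single endpoint with far less path variety than any real visitor showed (the quieter application-layer case). All IP addresses, paths and timestamps are made up; the thresholds (three standard deviations above the mean rate, and the lowest diversity seen during training) are assumptions chosen for the example, not a vendor's tuning.

```python
"""Baseline-and-alert detector for application-layer DDoS, illustrative only.

Learns a legitimate usage profile from a known-good access log, then monitors
live log lines with a per-client sliding window and raises alerts.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Common Log Format, e.g. 10.0.0.1 - - [23/Aug/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, TS_FMT),
            "method": method, "path": path, "status": int(status)}


def build_profile(lines, window=timedelta(seconds=60)):
    """Learn what normal per-client behaviour looks like from a known-good log.

    Rate threshold = mean + 3 sigma of requests per window across clients.
    Diversity floor = lowest (distinct paths / requests) any real client showed.
    Both are assumed thresholds for this example, not a product's settings.
    """
    per_client = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_client[rec["ip"]].append(rec)
    rates, diversities = [], []
    for recs in per_client.values():
        recs.sort(key=lambda r: r["ts"])
        span = recs[-1]["ts"] - recs[0]["ts"]
        windows = max(span / window, 1.0)          # at least one full window
        rates.append(len(recs) / windows)
        diversities.append(len({r["path"] for r in recs}) / len(recs))
    sigma = pstdev(rates) if len(rates) > 1 else 0.0
    return {"window": window, "typical_rate": mean(rates),
            "max_rate": mean(rates) + 3 * sigma, "min_diversity": min(diversities)}


def detect(lines, profile):
    """Sliding-window monitor. Returns {ip: sorted alert kinds} for clients that
    (a) exceed the learned rate, or (b) reach a typical request count while
    showing less path diversity than any legitimate client did.
    Lines are assumed to arrive in chronological order per client."""
    windows, alerts = defaultdict(deque), defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        q = windows[rec["ip"]]
        q.append(rec)
        while rec["ts"] - q[0]["ts"] > profile["window"]:   # drop stale requests
            q.popleft()
        count = len(q)
        diversity = len({r["path"] for r in q}) / count
        if count > profile["max_rate"]:
            alerts[rec["ip"]].add("rate")
        if count >= profile["typical_rate"] and diversity < profile["min_diversity"]:
            alerts[rec["ip"]].add("low_diversity")
    return {ip: sorted(kinds) for ip, kinds in alerts.items()}


# ---- constructed sample data (not real traffic) ------------------------------
BASE = datetime(2012, 8, 23, 10, 0, 0, tzinfo=timezone.utc)


def clf(ip, offset_s, path, status=200):
    """Build a CLF line at BASE + offset_s seconds (sample-data helper)."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'


# Known-good traffic: three ordinary visitors browsing a shop.
TRAINING_LOG = (
    [clf("10.0.0.1", 10 * i, p) for i, p in enumerate(["/", "/products", "/products", "/cart", "/checkout"])]
    + [clf("10.0.0.2", 15 * i, p) for i, p in enumerate(["/", "/products/2", "/products/2", "/about"])]
    + [clf("10.0.0.3", 9 * i, p) for i, p in enumerate(["/", "/login", "/account", "/products", "/products/3", "/logout"])]
)

# Monitored traffic: two ordinary visitors, one flooder, one low-and-slow client.
MONITORED_LOG = (
    [clf("10.0.0.9", 12 * i, p) for i, p in enumerate(["/", "/products", "/products/7", "/cart"])]
    + [clf("10.0.0.10", 8 * i, p) for i, p in enumerate(["/", "/", "/products", "/cart", "/checkout"])]
    + [clf("203.0.113.7", 2 * i, "/search?q=x") for i in range(12)]    # 12 hits in 22 s
    + [clf("198.51.100.5", 10 * i, "/checkout") for i in range(6)]      # 6 hits in 50 s, one path
)

if __name__ == "__main__":
    profile = build_profile(TRAINING_LOG)
    print("learned profile:", profile)
    for ip, kinds in detect(MONITORED_LOG, profile).items():
        print(f"ALERT {ip}: {', '.join(kinds)}")
```

The flooder trips both rules, the low-and-slow client never exceeds the rate threshold and is caught only by the diversity rule, and the visitor who refreshes the home page twice stays clear because a single repeat does not drop below the diversity any real visitor showed. In practice the profile would be rebuilt regularly from traffic already judged clean, and the alert would feed the response plan from recommendation 1 rather than simply print.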
DDoS attacks are a significant threat that every organization doing business on the Internet needs to take seriously. In today’s struggling economy, the financial stability and public trust and confidence of each company are imperative. Therefore, it is crucial that an organization’s systems and operations are resilient and the effects from unexpected disruptions are minimal.
Eryin Halmen is Regional Manager for Corero Network Security South East Asia. Corero Network Security's mission is to be a leading network security systems company delivering solutions to address the challenges organizations face in protecting their IT systems, networks and online assets from the threats of cyber crime.