Distributed denial-of-service (DDoS) attacks have been weapons of choice for hacktivists for over a decade, with the first well-known tools to orchestrate these threats being developed in the 1990s.
A denial-of-service attack is any attempt to interrupt or inflict downtime upon IT systems, but a basic DoS threat is smaller in scale than its DDoS counterpart. With the former, the influx of traffic may come from a single source, while in a DDoS attack, traffic comes from numerous sources – making it more difficult to deal with.
The first widely publicized attack targeted the University of Minnesota, using a botnet that consisted of thousands of compromised machines.
The sophistication and risk posed by DDoS attacks have evolved considerably from the strategy’s humble beginnings. For one thing, more people and businesses are now connected to the Internet, giving attackers a larger pool of resources to draw from. In addition, the malware black market has made it easy for non-technical attackers to start their own malicious campaigns or simply rent botnets rather than go through the trouble of creating their own.
But how prevalent is the risk? Can it be stopped? And should you go through the effort?
DDoS & Hacktivists: From Grassroots to Greedy Crooks
Awareness surrounding DDoS attacks has been heightened over the past several months, with the financial services sector being hit particularly hard in the second half of 2012.
As Gartner analyst Avivah Litan noted, this campaign was notable for both the motivations behind it and the amount of traffic generated. Whereas traditional DDoS mitigation software is designed for traffic volumes less than 60 or 70 gigabytes per second, the banks and financial services organizations were hit by attacks that exceeded 100 Gbps.
A hacktivist group known as the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for the campaign, suggesting that the threats were orchestrated in response to a perceived wrong on the part of the financial industry.
However, experts also speculated that the attacks may have been a distraction. While IT teams were busy getting their systems running smoothly again, the cybercriminals may have tried to steal sensitive data for profit.
The campaign against the financial services industry was notable, but even more recent history shows that the trend of bigger, scarier DDoS attacks is likely to continue. Earlier this year, cybercriminals targeted security vendor Spamhaus with the largest attack in history. The most recent incident, achieving peak traffic of 300 Gbps, was able to put the 2012 incidents to shame.
Traditionally, DDoS attacks served as an annoyance and were designed to cause service disruptions. Downtime can be costly to a business on its own, but cybercriminals have expanded their use of DDoS to include financial gain. While it is true that banks and other organizations storing highly valuable data are common targets, every sector is potentially at risk due to the expanding threat landscape.
Should You Be Worried?
As an example of the expanding cybercriminal target profile, online video game publisher, SG Interactive, experienced a series of DDoS attacks that flooded its systems with traffic on a daily basis throughout much of May.
While smaller in scale than the campaigns against Spamhaus and the finance industry, this demonstrates a need for greater awareness and the value in taking proactive measures against DDoS attacks in every industry.
Fortunately, there are a few readily available tools that can help detect and reduce the impact of these attacks. However, implementing them effectively requires IT teams to be proactive and regularly evaluate their configurations. For example, InformationWeek highlighted several strategies for mitigating the DDoS threat, including:
- Implementing network monitoring tools
- Adding scalability to handle traffic spikes
- Adopting DDoS mitigation software
While these solutions are beneficial when implemented properly, it still takes a little human insight to ensure that some malicious traffic does not slip through the cracks.
As a result, IT should have a comprehensive understanding of what constitutes normal network activity, which can be done by drawing on historical data from traditional networking monitoring solutions.
This will lead to better-informed choices about how to respond to a DDoS attack if one is detected. For example, a common strategy is to place temporary limits on router traffic in the event of an attack to prevent downtime. While this may hinder performance to some degree, it is better than a complete outage.
A closer look at the source of the traffic itself may also help to reduce the threat. Network administrators should identify obvious attack sources and add router filters that block packets from those them.
A comprehensive strategy should include provisions for proactive measures, as well as reactive ones to reduce the overall impact of any attack.
DDoS Detection and Prevention Tools
It is true that attackers have more sophisticated tools powering their activities, but organizations also benefit from an increase in technological sophistication.
From software that sends the administrator an alert when it detects abnormal traffic to tools that automatically throttle traffic in the event of a large-scale attack, companies are not coming to the battle empty-handed.
By supplementing IT solutions with proper planning, clear policies, and a little awareness, business leaders can build a reliable defense against even the next generation of DDoS campaigns.
These next-gen attacks suggest that DDoS may be an attempt to disguise ulterior motives. IT professionals need to ensure that traditional intrusion detection systems are properly configured and that technology employees have the tools they need to monitor and record access to fully investigate the scale of the threat after an incident occurs.
Organizations that want instant event notification can use Interact, a powerful and efficient real-time agent. NIDS and HIDS events are converted into an industry-standard syslog format before being escalated to any external Security Information Event Management (SIEM) solution or message manager.