Why Would they DoS Us?

Written by

As various pundits have reeled off their security advice for 2014, many have listed the growing threat of denial-of-service (DoS) attacks as something to look out for. They are probably right to do so; two recent publications, the Arbor Worldwide Infrastructure Security Report (WISR) and the Prolexic Global DDoS Attack Report, both show that the number, size, sophistication and impact of DoS attacks continue to increase. Another December 2013 Ponemon Institute report suggests that distributed denial-of-service (DDoS) attacks are now the third most common cause of data center outage after power failure and human error, causing 18% of all outages; three years ago it was just 2%.

There are a number of different ways of denying service. The various methods of attack are well documented elsewhere; the Wikipedia entry Denial-of-service attack is a good start. However, it is worth pointing out that while most will be familiar with the idea of volumetric DDoS attacks (the flooding of network, server and/or application resources) there are other types of attack that are more insidious. These include state exhaustion of load balancers and firewalls (blocking all possible connections to a given resource), attacks on domain name server (DNS) infrastructure and low rate/slow attacks that will not be detected by looking out for high volumes of traffic and/or resource requests.

To decide how seriously to take the threat and what level of investment should be made in the necessary countermeasures, those responsible for IT security should first consider why their organization may be a target for such an attack? ‘Why would they DoS us?’ After all, launching any sort of DoS takes some effort and it needs to be targeted.  Furthermore, it is not immediately obvious how DoS attacks can be monetized. Indeed, for cybercriminals it is a relatively risky way to make money, principally by extortion; ‘we are going to render your service ineffective until you pay a ransom’. Obvious candidate targets are those businesses that rely heavily on their e-services, such as online casinos and retailers. Off web to them means no money coming in.

Data in Arbor’s WISR report sheds some light on the actual motives reported by victims of attacks. Criminal extortion comes near the bottom of the list (16%). The most common motive (40%) is down to political and/or ideological disputes, so not cybercrime at all but hacktivism. Many may say, well that is alright then, they would take no interest our dull everyday business; that is until you realize you are a supplier to someone that is of interest and an easier attack target due to your complacency.

Other interesting motives are criminals demoing of their DoS capability to prospects (26%), pre-sales activity if you like – who cares what the target is, as long as it can be shown to be rendered non-functional! Competitive rivalry (18%), that is organizations with similar interests attacking each other, mainly seen in emerging markets (imagine the scandal a major EU-based brand was exposed to for behaving in this way!) Flash crowds (19%), for example a rush to watch a video or secure coupons, not a DDoS attack per se, but an unexpected legitimate rush on resources. Diversionary attacks (16%), this is where DDoS in particular is used to send an IT department in to array while a more targeted attack is launched elsewhere on its infrastructure.

One area not listed by Arbor is collateral damage. This is where your organization is not the target, but you share resources with an organization that is. This is increasingly likely to be the case as the use of cloud-based services continues to increase. As with all DoS, this danger can be mitigated against.

It should be pointed out that cloud-based services are also part of the solution to DoS. First, if you are hit by volume due to a flash crowd, a cloud service provider should be able to add additional resource for as long as it is needed. Second, DoS defense is increasingly offered as an on-demand data-scrubbing service from vendors such as Akamai (via its Prolexic acquisition), Neustar, Black Lotus and DOSarrest. They will divert infected traffic streams to their servers and clean them up once an attack is detected.

However, this is often after the event. Many organizations detect their resources from DoS attacks using on-premise protection from vendors such as Arbor with its Prevail APS product aimed at enterprises or Peak Flow SP aimed at service providers, many of whom tote their own DoS mitigation services, and Corero with its DDoS Defence System. Corero is now going after the SP market too with a new offering called the Smart Wall Threat Defence System, the premise being that cloud service providers should offer to protect their customers, for a premium, and mitigate both direct attacks and collateral damage; its message is ‘always on’ protection, rather than just during an emergency. Arbor also offers cloud based protection with it Arbor Cloud, which supplements on-premise protection. Radware is another vendor with such hybrid capability.

So, the DoS threat is real. Your organization does not need to be an obvious target to be a victim; it may be seen as the easy target to disrupt a better protected partner or customer, impacted by collateral damage in the cloud, the hapless target of a pre-sales demo or even the beneficiary of unexpected popularity. Whatever the cause, all organizations need the ability to see attacks coming and respond accordingly. The cost of putting in place some level of protection will likely be a lot less than the cost incurred during an all-out attack.

What’s hot on Infosecurity Magazine?