Despite precautions, DDoS attacks becoming more dire, damaging
Safeguards should be placed at networks' front gates, but all industries are at risk from persistent hackers
By Byron Acohido and Roger Yu, ThirdCertainty
When Donald Trump called for a ban on Muslims entering the United States, the combed-over Republican presidential candidate made himself a ripe target for hackers adept at executing distributed denial of service attacks.
Attackers claiming affiliation to the Anonymous hacking collective rallied volunteers to help temporarily disrupt the website for Trump Tower New York. They orchestrated this via a Twitter campaign, hashtagged #OpTrump. Thus Trump joined the growing ranks of victims of DDoS attacks.
DDoS campaigns inundate a targeted website with nuisance requests, making the site inaccessible to the intended users.
The daily rounds of DDoS assaults launched by ideologues and extortionists continue to rise in magnitude, while sucking up vast amounts of the Internet’s bandwidth. This is continuing even as companies and organizations are spending millions to defend against such attacks.
The latest, greatest attacks are unprecedented in scale and intensity. In the early 2000s, a DDoS attack could knock down a commercial website by sending nuisance traffic at the rate of 10 gigabytes per second. But website defenses have vastly improved.
So the attackers have intensified the attacks. Today sophisticated DDoS campaigns tap into compromised servers and vast networks of infected PCs, known as botnets. This horsepower is used to launch attacks that routinely top hundreds of gigabytes per second, the equivalent of thousands of HD movies downloaded simultaneously.
“These computers are in a library, school, senior center or hotel, and even inside corporations and universities,” says Stephen Gates, chief research analyst at cybersecurity firm NSFOCUS International Business. “These systems can be very powerful.”
The rate of DDoS attacks more than doubled—up 148.9 percent—in the fourth quarter of 2015 compared to the same period a year ago, according to a study released last month by Akamai Technologies. For company decision-makers, DDoS attacks have come to represent an exposure on par with malware, viruses and insider attacks.
Just ask the BBC, Nissan, Basecamp, Vimeo, Bit.ly, TypePad, Namecheap, Plenty of Fish, Evernote, Feedly and Moz—all have had to endure major DDoS attacks.
DDoS attacks initially stemmed largely from hackers seeking bragging rights from one-upmanship. “If a guy wants to become a member of a hacker collective, they must prove themselves,” Gates says. “It’s almost like pledging for a fraternity. And it made news.”
But other sinister plots soon emerged, with greedy hackers turning to extortion.
Extortion a favorite ploy
In a blog post, MeetUp CEO Scott Heiferman recalled falling victim to a cyber ransom note in February 2014.
“A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer,” an email to Heiferman read.
The anonymous sender didn’t bother waiting for Heiferman’s reply. Before his IT staffers could respond, his servers were infiltrated and the site went offline for about 24 hours. Two days later, they returned for another attack.
“The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated,” Heiferman wrote on a company blog. “We believe this lowball amount is a trick to see if we are the kind of target who would pay.”
Pay-us-and-we-go-away attacks—in which attackers simply hope to extract payment without launching a large-scale assault—have proliferated. As has hacktivism to express criticism of politicians, media organizations and governments, says Tim Matthews, vice president of marketing at cybersecurity firm Imperva.
Cyber bullies stifling others’ speeches or online discussions joined in on the malfeasance, and businesses wishing to hamper competitors also are paying for the services of DDoS hackers.
Some targets more attractive
Some industries are seemingly more vulnerable to DDoS attacks. Because an outage is more likely to be noticed by their peers, hackers targeted online gaming more than other businesses, the Akamai study found. In the fourth quarter, 54 percent of all attacks were targeted at online gaming operations. Software and technology firms were next on the list, with 23 percent.
Emboldened by their success, hackers are increasingly targeting deep-pocket financial services firms, including banks and brokerages, Gates says. In January, HSBC bank was the subject of a high-profile attack, when its sites went offline for hours on a Friday, a payday for many.
Roughly 7 percent of DDoS attacks in the fourth quarter were aimed at financial services firms, trailing only software/tech and gaming.
“The truth is that anyone with a public Web presence, small or large, is a potential target,” Matthews says.
Like the MeetUp case, DDoS hackers often retreat after the initial attack, only to return. Repeat DDoS attacks have become the norm, with an average of 24 attacks per targeted customer in the fourth quarter, the Akamai study says. Three targets were subject to more than 100 attacks each; one customer suffered 188 attacks.
“Malicious actors aren’t backing down. They’re hammering away at the same targets over and over again, looking for a moment when defenses may be down,” says Stuart Scholly, Akamai’s senior vice president and general manager of the security business unit.
Hackers spread their net
Another trend is hackers’ increased use of unsecured devices that lack firewall protection, such as baby monitors, camcorders and home security video, Gates says.
Hackers also have grown to rely more on the Network Time Protocol (NTP), a simple public network used by computers worldwide to synchronize their clocks. NTP is served by many hosts with public IP addresses, and many are exposed to the Internet without firewall protection. Attacks using NTP rose by 57 percent year-over-year in the fourth quarter, Akamai says.
With the rising frequency of attacks, the mean attack size has declined in the past year. The largest attack in the fourth quarter flooded 309 gigabits per second.
But such large-scale episodes have waned in number. Instead, half of all attacks were between 400 Mbps and 5 Gbps in size. It’s “a trend that will further be stabilized by the growth in number of attacks,” Akamai’s study notes.
The usual caveats of cyber vigilance don’t typically work for DDoS attacks. There is no bad link or suspicious email attachment to be avoided. No malware is sent by the attacker.
Adding more server capacity really isn’t the answer either, particularly for small businesses, as new ways for hackers to enlarge their botnet emerge rapidly.
But business owners weighing anti-DDoS technology should place it at the front gate of their network, NSFOCUS International Business’s Gates says.
A hardware anti-DDoS product made by his firm identifies traffic type and employs behavior analysis to admit or deny a client into the network. For example, a zombie computer might repeat the same action over and over on a website by, say, repeatedly typing “login” at the login prompt instead of using a normal login name. “Attacking machine behavior is not the same as human behavior,” Gates says. His product “ignores and blocks those bad machines while trying to allow all good traffic.”
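As an added illustration of the behavior analysis described above (example code written for this article, not NSFOCUS’s product or any code from the original piece), the toy classifier below scores each client by how uniformly it repeats the same request and how fast it fires; the log lines, IP addresses and thresholds are all constructed assumptions.

```python
# Added example: a toy behaviour-based admission check. A client that
# repeats an identical request (here the literal word "login" typed into
# the login prompt) at machine speed is denied; a client whose requests
# vary and arrive at human pace is admitted. All names/values are assumed.
from collections import Counter, defaultdict

# Constructed sample log: (seconds, client_ip, method, path, username_field)
SAMPLE_LOG = [
    (0.0, "203.0.113.7", "POST", "/login", "login"),   # zombie: same action, 5 req/s
    (0.2, "203.0.113.7", "POST", "/login", "login"),
    (0.4, "203.0.113.7", "POST", "/login", "login"),
    (0.6, "203.0.113.7", "POST", "/login", "login"),
    (0.8, "203.0.113.7", "POST", "/login", "login"),
    (1.0, "203.0.113.7", "POST", "/login", "login"),
    (0.0, "198.51.100.20", "GET", "/", ""),           # human: varied, slow
    (4.5, "198.51.100.20", "GET", "/login", ""),
    (12.0, "198.51.100.20", "POST", "/login", "alice"),
    (13.1, "198.51.100.20", "GET", "/dashboard", ""),
    (20.0, "198.51.100.20", "GET", "/profile", ""),
    (2.0, "192.0.2.9", "POST", "/login", "login"),     # one stray hit: not enough evidence
]

def client_profile(log):
    """Group requests per client and compute request rate and repetitiveness."""
    per_ip = defaultdict(list)
    for ts, ip, method, path, user in log:
        per_ip[ip].append((ts, (method, path, user)))
    profiles = {}
    for ip, reqs in per_ip.items():
        times = sorted(t for t, _ in reqs)
        span = max(times[-1] - times[0], 0.5)  # floor avoids divide-by-zero on a single hit
        top = Counter(r for _, r in reqs).most_common(1)[0][1]
        profiles[ip] = {
            "count": len(reqs),
            "rate": len(reqs) / span,           # requests per second
            "repeat_ratio": top / len(reqs),    # share of requests that are identical
        }
    return profiles

def decide(profile, min_count=5, max_rate=2.0, max_repeat=0.9):
    """Deny only with enough evidence of BOTH machine-like repetition and speed."""
    if profile["count"] < min_count:
        return "admit"  # too few requests to judge; err on the side of good traffic
    if profile["repeat_ratio"] >= max_repeat and profile["rate"] > max_rate:
        return "deny"
    return "admit"

def classify(log=SAMPLE_LOG):
    """Return an admit/deny verdict per client IP."""
    return {ip: decide(p) for ip, p in client_profile(log).items()}
```

Requiring both signals, plus a minimum request count, is what keeps a single mistyped login or a fast but varied human session from being blocked.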
“Depends on how persistent the attacker is; they can keep you offline for days at a time,” Gates says. “It can get very expensive. Plan ahead and have your defense in place.”