Despite precautions, DDoS attacks becoming more dire, damaging

Safeguards should be placed at networks' front gates, but all industries are at risk from persistent hackers

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

When Don­ald Trump called for a ban on Mus­lims enter­ing the Unit­ed States, the combed-over Repub­li­can pres­i­den­tial can­di­date made him­self a ripe tar­get for hack­ers adept at exe­cut­ing dis­trib­uted denial of ser­vice attacks.

Attack­ers claim­ing affil­i­a­tion to the Anony­mous hack­ing col­lec­tive ral­lied vol­un­teers to help tem­porar­i­ly dis­rupt the web­site for Trump Tow­er New York. They orches­trat­ed this via a Twit­ter cam­paign, hash­tagged # OpTrump. Thus Trump joined the grow­ing ranks of vic­tims of DDoS attacks.

DDoS cam­paigns inun­date a tar­get­ed web­site with nui­sance requests, mak­ing the site inac­ces­si­ble to the intend­ed users.

Relat­ed: Lever­ag­ing Twit­ter to dis­rupt websites

The dai­ly rounds of DDoS assaults launched by ide­o­logues and extor­tion­ists con­tin­ue to rise in mag­ni­tude, while suck­ing up vast amounts of the Internet’s band­width. This is con­tin­u­ing even as com­pa­nies and orga­ni­za­tions are spend­ing mil­lions to defend against such attacks.

The lat­est, great­est attacks are unprece­dent­ed in scale and inten­si­ty. In the ear­ly 2000s, a DDoS attack could knock down a com­mer­cial web­site by send­ing nui­sance traf­fic at the rate of 10 giga­bytes per sec­ond. But web­site defens­es have vast­ly improved.

So the attack­ers have inten­si­fied the attacks. Today sophis­ti­cat­ed DDoS cam­paigns tap into com­pro­mised servers and vast net­works of infect­ed PCs, known as bot­nets. This horse­pow­er is used to launch attacks that rou­tine­ly top hun­dreds of giga­bytes per sec­ond, the equiv­a­lent of thou­sands of HD movies down­loaded simultaneously.

Stephen Gates, NSFOCUS IB chief research analyst
Stephen Gates, NSFOCUS IB chief research analyst

These com­put­ers are in a library, school, senior cen­ter or hotel, and even inside cor­po­ra­tions and uni­ver­si­ties,” says Stephen Gates, chief research ana­lyst at cyber­se­cu­ri­ty firm NSFOCUS Inter­na­tion­al Busi­ness. “These sys­tems can be very powerful.”

The rate of DDoS attacks more than doubled—up 148.9 percent—in the fourth quar­ter of 2015 com­pared to the same peri­od a year ago, accord­ing to a study released last month by Aka­mai Tech­nolo­gies. For com­pa­ny deci­sion-mak­ers, DDoS attacks have come to rep­re­sent an expo­sure on par with mal­ware, virus­es and insid­er attacks.

Just ask the BBC, Nis­san, Base­camp, Vimeo,, Type­Pad, Namecheap, Plen­ty of Fish, Ever­note, Feed­ly and Moz—all have had to endure major DDoS attacks.

DDoS attacks ini­tial­ly stemmed large­ly from hack­ers seek­ing brag­ging rights from one-upman­ship. “If a guy wants to become a mem­ber of a hack­er col­lec­tive, they must prove them­selves,” Gates says. “It’s almost like pledg­ing for a fra­ter­ni­ty. And it made news.”

But oth­er sin­is­ter plots soon emerged, with greedy hack­ers turn­ing to extortion.

Extor­tion a favorite ploy

In a blog post, Meet­Up CEO Scott Heifer­man recalled falling vic­tim to a cyber ran­som note in Feb­ru­ary 2014.

A com­peti­tor asked me to per­form a DDoS attack on your web­site. I can stop the attack for $300 USD. Let me know if you are inter­est­ed in my offer,” an email to Heifer­man read.

The anony­mous sender didn’t both­er wait­ing for Heiferman’s reply. Before his IT staffers could respond, his servers were infil­trat­ed and the site went offline for about 24 hours. Two days lat­er, they returned for anoth­er attack.

The extor­tion dol­lar amount sug­gests this to be the work of ama­teurs, but the attack is sophis­ti­cat­ed,” Heifer­man wrote on a com­pa­ny blog. “We believe this low­ball amount is a trick to see if we are the kind of tar­get who would pay. “

Pay-us-and-we-go-away attacks—in which attack­ers sim­ply hope to extract pay­ment with­out launch­ing a large-scale assault—have pro­lif­er­at­ed. As has hack­tivism to express crit­i­cism of politi­cians, media orga­ni­za­tions and gov­ern­ments, says Tim Matthews, vice pres­i­dent of mar­ket­ing at cyber­se­cu­ri­ty firm Imper­va.

Cyber bul­lies sti­fling oth­ers’ speech­es or online dis­cus­sions joined in on the malfea­sance, and busi­ness­es wish­ing to ham­per com­peti­tors also are pay­ing for the ser­vices of DDoS hackers.

Some tar­gets more attractive

Some indus­tries are seem­ing­ly more vul­ner­a­ble to DDoS attacks. With their peers more like­ly to notice, hack­ers tar­get­ed online gam­ing more than oth­er busi­ness­es, the Aka­mai study found. In the fourth quar­ter, 54 per­cent of all attacks were tar­get­ed at online gam­ing oper­a­tions. Soft­ware and tech­nol­o­gy firms were the next on the list, with 23 percent.

Embold­ened by their suc­cess, hack­ers are increas­ing­ly tar­get­ing deep-pock­et finan­cial ser­vices firms, includ­ing banks and bro­ker­ages, Gates says. In Jan­u­ary, HSBC bank was the sub­ject of a high-pro­file attack, when its sites went offline for hours on a Fri­day, a pay­day for many.

Rough­ly 7 per­cent of DDoS attacks in the fourth quar­ter were aimed at finan­cial ser­vices firms, trail­ing only software/tech and gaming.

The truth is that any­one with a pub­lic Web pres­ence, small or large, is a poten­tial tar­get,” Matthews says.

Like the Meet­Up case, DDoS hack­ers often retreat after the ini­tial attack, only to return. Repeat DDoS attacks have become the norm, with an aver­age of 24 attacks per tar­get­ed cus­tomer in the fourth quar­ter, the Aka­mai study says. Three tar­gets were sub­ject to more than 100 attacks each; one cus­tomer suf­fered 188 attacks.

Mali­cious actors aren’t back­ing down. They’re ham­mer­ing away at the same tar­gets over and over again, look­ing for a moment when defens­es may be down,” says Stu­art Schol­ly, Akamai’s senior vice pres­i­dent and gen­er­al man­ag­er of the secu­ri­ty busi­ness unit.

Hack­ers spread their net

Anoth­er trend is hack­ers’ increased use of unse­cured devices that lack fire­wall pro­tec­tion, such as baby mon­i­tors, cam­corders and home secu­ri­ty video, Gates says.

Hack­ers also have grown to rely more on the Net­work Time Pro­to­col (NTP), a sim­ple pub­lic net­work used by com­put­ers world­wide to syn­chro­nize their clock. The NTP is pop­u­lat­ed by many servers with pub­lic IP address­es, and many are exposed to the Inter­net with­out fire­wall pro­tec­tion. Attacks using NTP rose by 57 per­cent year-over-year in the fourth quar­ter, Aka­mai says.

With the ris­ing fre­quen­cy of attacks, the mean attack size also has declined in the past year. The largest attack in the fourth quar­ter flood­ed 309 giga­bits per second.

ThirdCertainty Editor-in-Chief Byron Acohido (left) interviews Dave Martin, NSFOCUS IB director of product marketing, on March 1 during the recent RSA conference in San Francisco.
Third­Cer­tain­ty Edi­tor-in-Chief Byron Aco­hi­do (left) inter­views Dave Mar­tin, NSFOCUS IB direc­tor of prod­uct mar­ket­ing, on March 1 dur­ing the recent RSA con­fer­ence in San Francisco.

But such large-scale episodes have waned in num­ber. Instead, half of all attacks were between 400 mbps and 5 gpbs in size. It’s “a trend that will fur­ther be sta­bi­lized by the growth in num­ber of attacks,” Akamai’s study notes.

The usu­al caveats of cyber vig­i­lance don’t typ­i­cal­ly work for DDoS attacks. There is no bad link or sus­pi­cious email attach­ment to be avoid­ed. No mal­ware is sent by the attacker.

Adding more serv­er capac­i­ty real­ly isn’t the answer either, par­tic­u­lar­ly for small busi­ness­es, as new ways for hack­ers to enlarge their bot­net emerge rapidly.

But busi­ness own­ers con­sid­er­ing anti-DDoS tech­nol­o­gy should con­sid­er plac­ing it at the front gate of their net­work, NSFOCUS Inter­na­tion­al Business’s Gates says.

A hard­ware anti-DDoS prod­uct made by his firm iden­ti­fies traf­fic type and employs behav­ior analy­sis to admit or deny a client into the net­work. For exam­ple, a zom­bie com­put­er might repeat the same action repeat­ed­ly on a web­site by, say, repeat­ed­ly typ­ing “login” on the login prompt instead of using a nor­mal login name. “Attack­ing machine behav­ior is not the same as human behav­ior,” Gates says. His prod­uct “ignores and blocks those bad machines while try­ing to allow all good traffic.”

Depends on how per­sis­tent the attack­er is; they can keep you offline for days at a time,” Gates says. “It can get very expen­sive. Plan ahead and have your defense in place.”

Relat­ed sto­ries about DDoS attacks:
JPMor­gan breach hints at finan­cial sec­tor bombardment
Plot thick­ens: Sony said to retal­i­ate with DDoS counter strikes