DDoS: Defense or Devastation

Your money or your data. Cybercriminals are forcing some companies to make the choice: Either send money or risk a distributed denial of service (DDoS) attack, which can take down company IT systems, disrupting infrastructure or services and resulting in significant losses across the organization. Corero research has shown that DDoS attacks increased by 35 percent in 2017 from the previous year and are becoming more sophisticated, with tools and techniques evolving alongside the explosion of vulnerable internet of things (IoT) devices hitting the market.

DDoS-for-Hire services are a significant factor in the increase in attack activity. For the right price, anyone can make a payment and name a target and a crippling attack is launched. It has become that easy. While DDoS attacks can be attributed to someone wanting to send a big message or with an ideologic view, organized crime has now discovered its uses and the profitability that comes with it. The big shift has been toward financially motivated attacks, with significant increases in extortion and ransom threats.

The Art of the DDoS

Greater awareness of this evolving plague started with the Mirai code, which was used to search and identify IoT devices that could be recruited into a giant botnet used to launch huge DDoS attacks. Just over a year ago, the market was forced to acknowledge this threat vector, when domain name service (DNS) provider DYN was attacked by a complex DDoS attack that impacted dozens of internet platforms and services such as Twitter, Spotify, Reddit, Netflix and others.

Once Mirai’s author made the code public, the DDoS landscape was changed forever. Mirai has spawned myriad variants including Okiru, Satori and now Masuta. This new dawn of opportunities for the cybercriminal community demonstrates how hackers typically start with the path of least resistance and, when that becomes blocked, look for the next easiest path. Early reports of the new botnet variant named “Masuta” show how the original Mirai simple password brute-force methods, which are still employed, are now being supplemented with more sophisticated vulnerability exploits. Satori targeted Huawei routers, and now the Okiru code has opened up a whole new group of devices which can be recruited into botnets—from cars to phones to TV cameras and more—by targeting ARC processors, which are embedded in more than a billion products per year. This progression is enabling a broader range of devices, from a wider range of well-known vendors, to be recruited into botnets, ready to be exploited for various nefarious purposes, including DDoS attacks.

Transforming the Attacks

Once a botnet has been herded, cybercriminals select from the myriad delivery mechanisms available, such as pulse waves, floods, reflection, amplification or any of the many other DDoS attack vectors. Pulse-wave attacks are gaining favor, as they enable perpetrators to attack multiple targets, one after another, with short high-volume bursts in a rapidly repeating cycle. They can ramp the attack traffic faster and increase the chances of evading legacy protection on a network. Short-duration attacks are often combined with more calculated, sub-saturating traffic volumes, rather than massive brute-force floods. These short-duration, surgical attacks are often crafted specifically to fly under the radar of conventional DDoS protection, as they can blend in with regular traffic volumes.
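To show why the short, sub-saturating bursts described above slip past a legacy average-rate threshold while a short-window detector flags them, here is an added example (not Corero code or anything from the original post). The traffic series, the 1 Gbps link capacity, the thresholds and the pulse cadence are all constructed for illustration.

```python
"""Legacy long-window averaging vs. a short-window burst detector on a
constructed pulse-wave traffic series (added example, not from the article)."""
from statistics import median

LINK_MBPS = 1000        # assumed link capacity; pulses stay well below it
PULSE_PERIOD_S = 30     # constructed cadence: one burst every 30 seconds
PULSE_LEN_S = 5         # each burst lasts 5 seconds


def constructed_traffic(seconds=120, baseline=200, pulse=800):
    """Per-second throughput in Mbps: flat baseline plus short periodic bursts.
    Bursts sit at the end of each 30-second period (t = 25..29, 55..59, ...)."""
    return [pulse if t % PULSE_PERIOD_S >= PULSE_PERIOD_S - PULSE_LEN_S
            else baseline for t in range(seconds)]


def legacy_alarms(series, window=60, threshold=0.6 * LINK_MBPS):
    """Legacy-style check: alarm when the rolling average over `window` seconds
    exceeds a fixed fraction of link capacity. Five-second pulses are averaged
    away, so a 300 Mbps mean never crosses a 600 Mbps line."""
    alarms = []
    for t in range(window - 1, len(series)):
        avg = sum(series[t - window + 1:t + 1]) / window
        if avg > threshold:
            alarms.append(t)
    return alarms


def pulse_wave_alarms(series, history=30, factor=3.0, min_pulses=3):
    """Short-window check: a second whose rate is `factor` times the median of
    the previous `history` seconds starts a burst. Returns the burst onset
    times and whether they recur on a regular cadence (a pulse-wave pattern)."""
    onsets, in_burst = [], False
    for t in range(history, len(series)):
        baseline = median(series[t - history:t])
        burst = series[t] > factor * baseline
        if burst and not in_burst:
            onsets.append(t)
        in_burst = burst
    intervals = [b - a for a, b in zip(onsets, onsets[1:])]
    periodic = (len(onsets) >= max(min_pulses, 2)
                and max(intervals) - min(intervals) <= 2)
    return onsets, periodic


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("legacy alarms:", legacy_alarms(traffic))          # []
    print("pulse-wave:", pulse_wave_alarms(traffic))         # ([55, 85, 115], True)
```

The legacy detector sees a mean of roughly 300 Mbps and stays silent, while the short-window detector reports three evenly spaced onsets and flags the cadence.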

DDoS attacks are being used for a variety of purposes, but now, more than ever, they are leveraged in conjunction with other attacks. Like a sleight of hand, while the target organization focuses on the ramifications of the DDoS attack, other attacks are launched to infiltrate the network and carry out activities such as exfiltrating valuable data.

Next Generation Internet Gateways

The increase in DDoS attacks, combined with their potentially devastating impact, has driven many companies to redefine and standardize the way they manage their connections to the internet. These so-called next-generation internet gateways include next-generation firewalls and the latest always-on DDoS mitigation, together with corporate policies that ensure internet access is designed, managed and monitored in a repeatable manner.

So many organizations now rely on their internet presence to do business that the only safe approach to ensuring continuous online availability is to include real-time, automatic DDoS protection as part of a next-generation defense.

Sean Newman


Sean Newman is Director of Product Management for Corero Network Security. Sean has worked in the security and networking industry for over twenty years, with previous roles including global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.
