DDoS: Deceptive Denial Attacks

Distributed Denial of Service (DDoS) attacks are often quite unsophisticated, brute force attempts to disable a website or network by barraging it with traffic, but the damage they can do to victims can be considerable.

When it comes to DDoS attacks, it’s easy to get distracted by the record-breaking size of the latest attacks.  Like a strength tester fairground game, we are all mesmerised by the gigantic numbers involved as new DDoS attacks break previous records, such as the huge 470GBps attack on a Chinese gambling site earlier this year, or the reported 602GBps attack against the BBC last year.

But what do these numbers really mean? In truth, the increasingly sophisticated techniques that bad actors deploy are making the reported sizes of attacks increasingly redundant.

For example, amplification techniques can intensify the size of attacks and simultaneously mask the source of attack traffic. This means that a 100GBps attack with a small upscale of 10x could actually harness the same power as a terabit-sized attack, while a sub-saturating 2GBps attack which might not even be detected by your DDoS mitigation system could knock all your firewalls offline.

The vast majority of these attacks are less than five minutes in duration and under 1GBps in size. So why do they pose such a threat?

The truth is that hackers are using these small attacks to experiment with new techniques without being spotted by security teams. This is due to the fact that the majority of legacy DDoS mitigation tools can only be deployed out-of-band and are therefore limited to only inspecting events that cross certain bandwidth thresholds.

Additionally, since they rely on coarse sampling followed by traffic redirection, which takes time, these DDoS scrubbing solutions are only capable of investigating events of more than five minutes in duration, meaning that hackers can use short-lived and low-bandwidth attacks to trial the success of new techniques under the radar.

Once attackers have perfected their new methods in private, they can then wield enormous power by deploying these tactics at wide range. When executed, these strategies catch organisations on the back foot, because the techniques haven’t been seen before, security teams have not set up any firewall or DDoS protection rules to defend against them, and they are therefore left scrambling around trying to find a solution when an attack is already in place.

This is particularly concerning in light of the increased use of amplification techniques, which allow bad actors to intensify the size of their attacks, and to simultaneously mask the source of attack traffic.  Using this method, attackers typically spoof look-up requests to domain name system (DNS) servers to hide the source of an attack, and re-direct the response to their target.

By relaying the original request through a botnet, and utilising a high percentage of large packet fragments, an attacker can amplify the size of their attack to up to 100 times larger than its original size.

So how can organisations protect themselves?  

The first step to greater security is to familiarise yourself with the trends in the DDoS landscape and to start looking more closely at lower level activity within your environment.

Small-scale, sub-saturating DDoS attacks are truly the calm before the storm, and observing them in real-time is the best way to prepare your organisation from the plethora of new techniques that attackers are experimenting with.

Second, the most effective way to protect your organisation’s entire security infrastructure in the event of an attack is to have DDoS protection installed in-line, at the Internet edge.

This eliminates the need to manually analyze events and re-route traffic for cleaning, and ensures that the time from detection to mitigation of an attack shrinks to almost nothing. This type of protection can usually be purchased as-a-service through your Internet Service Provider, which allows customers to take advantage of the increased visibility of their entire network infrastructure.

Because it is always on, this type of automatic attack mitigation provides continuous visibility and forensics, and means that there is no need to resign ourselves to the ever-changing threat of DDoS attacks.

Information Age

 

« Internet of Insecure Things
Work Traveling - You’re a Prime Hacker Target »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Tiro Security

Tiro Security

Tiro Security is a boutique company specializing in information security and IT audit recruitment and solutions.

NetMotion Software

NetMotion Software

NetMotion Software specializes in mobile performance management solutions to manage, secure and support the mobile enterprise.

X-act Forensics

X-act Forensics

X-act forensics are computer forensic experts with experience in cases of computer fraud, intellectual property theft, and social networking cases.

Protection Group International (PGI)

Protection Group International (PGI)

PGI helps organisations and governments to manage digital risk. From cyber security services to business intelligence, we help reduce the risks to your finances, reputation, assets and people.

Cyber Security Raad (CSR) - Netherlands

Cyber Security Raad (CSR) - Netherlands

The Cyber Security Council (CSR) is a national, independent advisory body of the Dutch government undertaking efforts at strategic level to bolster cyber security in the Netherlands.

Information and Communication Technology Authority (ICT Authority) - Kenya

Information and Communication Technology Authority (ICT Authority) - Kenya

The ICT Authority is responsible for enforcing ICT standards in Government and ensuring information security.

Celerium

Celerium

Celerium transforms cyber defense for both companies and industry sectors by leveraging cyber threat intelligence to defend against cyber threats and attacks.

Enterprise Ethereum Alliance (EEA)

Enterprise Ethereum Alliance (EEA)

EEA is a member-led industry organization whose objective is to drive the use of Ethereum blockchain technology as an open-standard to empower ALL enterprises.

CounterFind

CounterFind

CounterFind is turnkey technology that allows brands to find and remove counterfeit and infringing merchandise from online marketplaces and social media sites.

Resilience Cyber Insurance Solutions

Resilience Cyber Insurance Solutions

Resilience Cyber Insurance combines insurance expertise with cybersecurity and data talent to deliver clear, effective solutions to protect you for the cyberrisks of today—and tomorrow.

Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC)

Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC)

MTS-ISAC promotes and facilitates maritime cybersecurity information sharing, awareness, training, and collaboration efforts between private and public sector stakeholders.

SOC Prime

SOC Prime

SOC Prime is the only Threat Detection Marketplace where researchers monetize their content to help security teams defend against attacks easier, faster and more efficiently than ever.

ArmorCode

ArmorCode

ArmorCode's intelligent application security platform gives us unified visibility into AppSec postures and automates complex DevSecOps workflows.

Execweb

Execweb

Execweb are a cybersecurity executive network, comprised of 400+ security practitioners who work at Fortune 500 and SME companies.

Alpha Echo

Alpha Echo

Specialising in security advice and enterprise-wide Cyberworthiness, Alpha Echo helps Australia deliver on cyber outcomes at a military grade level.

RapidFort

RapidFort

RapidFort’s Software Attack Surface Optimization Platform remediates 95% of software vulnerabilities in minutes without code changes.