DDoS Attacks Affect More Than Intended Target
Distributed denial of service (DDoS) attacks are increasing in both number and size, and most companies are vulnerable to attack. However, unlike other cyber attacks, DDoS attacks can cause significant collateral damage to companies that were not an intended target. We spoke to RANE Expert Andrew Shoemaker of DDoS preparedness solution company NimbusDDOS about how companies can be affected and what they can do to protect themselves.
The growth of the Internet has caused DDoS attacks to increase in size and frequency for the last 20 years. Companies have begun to put DDoS mitigation measures in place to protect against the most common types of attacks, but many are lagging behind and some attackers have adapted to mitigation measures by shifting to more sophisticated attacks.
- One report notes that the frequency of DDoS attacks over 100 Gbps increased 967 percent in Q1 2019 compared to Q1 2018.
- The proliferation of insecure Internet of Things devices has given DDoS attackers more devices to hijack. In 2016, hackers used a network of 1.5 million hijacked webcams to take down the website of cybersecurity journalist Brian Krebs. A webcam-based attack that occurred a few weeks later took down Twitter, Spotify, Amazon, Reddit, Yelp, Netflix, and The New York Times.
- Attackers have also begun renting or hijacking cloud computing servers to magnify their attacks.
- Typical DDoS attacks target the infrastructure layer of a network, overwhelming it with traffic from a network of hijacked devices; such attacks are comparatively easy to mitigate with countermeasures that filter out high-volume traffic. Attacks targeting specific parts of an application are becoming more popular because they mimic normal user behavior and are not easily identified or blocked.
- Shoemaker believes that private sector cybersecurity efforts have not matched the proliferation of DDoS attacks. He attributes this shortcoming to the fact that cybersecurity efforts tend to address attacks that make the headlines, but the news has not focused on DDoS attacks recently.
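The contrast between the two attack classes described above can be seen in detection logic. The following is an added example, not code from the article or from NimbusDDOS: a per-source rate threshold over a constructed web access log catches a single flooding source, but a distributed application-layer flood in which each source makes only two requests to an expensive endpoint passes that filter untouched, and is only visible when requests are aggregated per endpoint and compared with a baseline. The log lines, the 10-second window, the threshold of 50 requests per source, the per-endpoint baseline and the surge factor are all assumptions constructed for this illustration.

```python
"""Layered DDoS detection over a constructed access log (added example,
not from the original article). Illustrates why per-source rate limiting
misses distributed application-layer floods and what an endpoint-level
aggregate check adds."""
from collections import Counter, defaultdict

# Constructed sample log: (timestamp_seconds, source_ip, path).
# The whole sample represents one 10-second window, so all counts below
# are per-window counts. Three traffic classes are mixed in:
#   - legitimate browsing: 5 IPs, 4 page loads and 1 search each
#   - volumetric flood: one IP (203.0.113.7) sending 300 requests
#   - application-layer flood: 200 distinct IPs, 2 requests each, all
#     aimed at the comparatively expensive /search endpoint
def build_sample_log():
    log = []
    for i in range(5):                              # legitimate users
        ip = f"198.51.100.{i + 1}"
        for t in range(0, 10, 3):
            log.append((t, ip, "/index.html"))
        log.append((5, ip, "/search?q=shoes"))
    for t in range(300):                            # single-source flood
        log.append((t % 10, "203.0.113.7", "/index.html"))
    for i in range(200):                            # distributed low-rate flood
        ip = f"192.0.2.{i + 1}"
        log.append((i % 10, ip, f"/search?q={i}"))
        log.append(((i + 5) % 10, ip, f"/search?q={i + 1000}"))
    return log

PER_SOURCE_THRESHOLD = 50                 # requests per window from one IP (assumed policy)
ENDPOINT_BASELINE = {"/index.html": 40,   # constructed normal per-window volume
                     "/search": 10}
SURGE_FACTOR = 5                          # flag an endpoint above 5x its baseline (assumed)

def flag_by_source_rate(log, threshold=PER_SOURCE_THRESHOLD):
    """Classic volumetric check: sources exceeding the per-window threshold."""
    counts = Counter(ip for _, ip, _ in log)
    return sorted(ip for ip, n in counts.items() if n > threshold)

def endpoint(path):
    """Strip the query string so requests to one handler are counted together."""
    return path.split("?", 1)[0]

def flag_by_endpoint_surge(log, baseline=ENDPOINT_BASELINE, factor=SURGE_FACTOR):
    """Application-layer check: endpoints whose aggregate request count far
    exceeds baseline, reported with how many distinct sources produced it."""
    counts = Counter(endpoint(p) for _, _, p in log)
    sources = defaultdict(set)
    for _, ip, p in log:
        sources[endpoint(p)].add(ip)
    flagged = {}
    for ep, n in counts.items():
        if n > factor * baseline.get(ep, 1):
            flagged[ep] = {"requests": n, "distinct_sources": len(sources[ep])}
    return flagged

def layered_detection(log):
    """Apply the per-source filter first, then look at what it left behind."""
    noisy = set(flag_by_source_rate(log))
    remaining = [rec for rec in log if rec[1] not in noisy]
    return {"blocked_sources": sorted(noisy),
            "endpoint_surges_after_source_filter": flag_by_endpoint_surge(remaining)}

if __name__ == "__main__":
    result = layered_detection(build_sample_log())
    print("sources blocked by rate threshold:", result["blocked_sources"])
    print("endpoint surges still present:", result["endpoint_surges_after_source_filter"])
```

Running the script shows the point of the paragraph: the rate filter blocks only 203.0.113.7, after which /index.html traffic returns to normal, while /search still carries 405 requests from 205 distinct sources, none of which individually looked abnormal. The high distinct-source count is the signal that distinguishes a distributed application-layer flood from a single popular page, and it is the kind of aggregate a per-IP filter never computes.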
A DDoS attack is typically carried out either for a personal reason or with the intent to extort the target. Financial services and online gaming are the top targets for extortion and personal vendettas, respectively.
- Botnet operators rent out their networks, meaning that a potential attacker with a motive does not need to have sophisticated capabilities. An FBI crackdown at the end of 2018 led to a decrease in such services, but one report found that interested parties could still hire DDoS networks for US$10 per hour.
- Companies should be aware that botnet operators have access to the data on devices that they have hijacked, but typically do not target that data for theft because they hijack devices automatically and would have to manually check thousands or hundreds of thousands of devices to determine if any valuable data is available.
Companies should be aware that businesses that might not be typical targets of DDoS attacks are nevertheless vulnerable to collateral damage from them. The possibility that a major attack against one company takes down the local internet service provider (ISP) is a low-probability but high-impact risk. A more significant risk is that an attack could disable critical services like banking and online payment systems.
- In 2016, what became known as the Mirai attack occurred when three college students orchestrated a DDoS attack to gain a competitive advantage in an online computer game and brought down a major portion of the internet in doing so.
- An attack against a company could overwhelm the network that it uses and disable nearby companies that share the same ISP network, but ISPs tend to be resilient to DDoS attacks because of how much bandwidth they have available.
- Companies that outsource portions of their business to software-as-a-service vendors risk being taken down along with those vendors if the vendor is targeted. For example, a successful attack against an online bill pay system will disable all of the local banks across the country that depend on that system to function, which will in turn affect the businesses that rely on those banks.
Companies should implement cybersecurity solutions to proactively protect themselves from the most common DDoS attacks, but be aware that more sophisticated attacks require more sophisticated mitigation. Untested solutions frequently fail, giving companies a false sense of security. Shoemaker also recommends that companies perform due diligence on vendors in order to protect themselves from collateral damage from a DDoS attack.
- According to Shoemaker, 85 percent of companies’ DDoS mitigation systems fail the first test attack. Many companies mistakenly believe that a traditional or next-gen firewall will also protect them against DDoS attacks, when in fact such a firewall is often the device that is most heavily impacted by an attack. Even when companies adopt the appropriate specialized hardware and services, they are often configured incorrectly or lack correct incident response procedures. Proactive testing can identify these problems.
- When performing diligence on vendors, companies should ask questions about how those vendors are protecting their customers’ data, how they plan to make sure that data is accessible in the event of an attack, and what they do to ensure their services are always online.
- Companies can consider using redundant providers for network connectivity and other critical always-online services, though this option is more expensive and often unworkable for smaller businesses.
Andrew Shoemaker recommends that companies ask the following questions of their vendors to ensure that they have a plan in place to protect customers’ data and keep their services online in the event of a DDoS attack.
- Have you experienced a DDoS attack in the last year? How many attacks? What was the customer impact?
- What defenses do you have in place to protect the services that you offer?
- Have your DDoS defenses been tested by a third party? Please provide the report of the most recent test.
- Have your DDoS defenses achieved any level of third-party certification?
- Do you perform red-team exercises to test incident response procedures for DDoS attacks? How frequently?