Distributed denial of service (DDoS) attacks have been around a long time. Typically, the attacker generates vast numbers of requests to a targeted system using packets from different source addresses.
The target, trying to process and respond to this “internet hug of death,” is overwhelmed and ends up ignoring legitimate requests.
Because packets come from many sources, it’s almost impossible to block only malicious traffic, which looks just like benign traffic. (The recently identified XML vulnerability in WordPress had to do with a type of Denial of Service attack called the “XML Quadratic Blowup Attack.”)
Because of the distributed nature of DDoS attacks, traffic may appear perfectly normal at first.
A Neustar survey of 450 companies on DDoS attack trends found that 60% of respondents reported receiving a DDoS attack in 2013, a sharp increase from 2012. Both massive attacks and small attacks dropped in frequency, but midsize DDoS attacks increased. These attacks are able to overwhelm small and medium sized enterprises (SMEs), which typically have between 1 and 5 Gbps in bandwidth. The US and China are the biggest sources of DDoS traffic, but South Korea has jumped into third place, possibly because of the prevalence of fiber connections to homes there. More attacks are also originating in South America, possibly because of an increase in internet infrastructure on that continent.
Common Types of Attacks
DDoS attacks commonly target credential systems by sending continuous streams of nonsense username and password requests. Each login attempt has to hit the database, and the application doesn’t know these are false requests, so it eventually fails and legitimate users can’t log in.
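The login flood described above, seen from the defender's side, as an added example that is not part of the original article: an admission gate that runs before any credential lookup reaches the database. The class name, the limits and the source labels are assumptions made for this sketch; it shows why a per-source limit alone does not help when the attempts come from many sources, and what a global lookup budget changes.

```python
from collections import defaultdict, deque

class LoginGate:
    """Admission check that runs before a credential lookup touches the database."""

    def __init__(self, per_source_limit, global_limit, window=1.0):
        self.per_source_limit = per_source_limit  # attempts per source per window
        self.global_limit = global_limit          # database lookups per window, all sources
        self.window = window
        self.by_source = defaultdict(deque)       # source -> timestamps of admitted attempts
        self.all_lookups = deque()                # timestamps of all admitted attempts

    def _expire(self, q, now):
        while q and now - q[0] >= self.window:
            q.popleft()

    def admit(self, source, now):
        """Return True if this attempt may proceed to the database."""
        q = self.by_source[source]
        self._expire(q, now)
        self._expire(self.all_lookups, now)
        if len(q) >= self.per_source_limit:
            return False  # a single noisy source
        if len(self.all_lookups) >= self.global_limit:
            return False  # shed load: the database is at its budget
        q.append(now)
        self.all_lookups.append(now)
        return True

def simulate(gate, sources, attempts_per_source, span=1.0):
    """Constructed flood: every source sends a few bogus logins within `span` seconds."""
    total = sources * attempts_per_source
    admitted = 0
    for i in range(total):
        src = f"src-{i % sources}"  # constructed labels, not real addresses
        admitted += gate.admit(src, span * i / total)
    return admitted

def compare():
    """Database lookups reached under each policy for the same constructed flood."""
    # Assumed budgets: 5 attempts/s per source; 100 lookups/s the database can absorb.
    per_source_only = LoginGate(per_source_limit=5, global_limit=10**9)
    with_global = LoginGate(per_source_limit=5, global_limit=100)
    # 200 sources x 5 attempts each: every source stays inside its own limit.
    return simulate(per_source_only, 200, 5), simulate(with_global, 200, 5)
```

The global budget keeps the database alive, but it also turns away legitimate logins while the flood lasts; it bounds the damage rather than separating good traffic from bad.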
Layer 3 and Layer 4 attacks focus on a system’s network and transport layers, overwhelming target servers with malicious traffic until they go offline under the strain. While disruptive during the actual attack, they generally cause no lasting damage once the attack ceases.
Layer 7 DDoS attacks interact with user interfaces, mimicking human behavior. This type of DDoS traffic is very difficult to separate from normal traffic. Because it is a low-bandwidth attack with a high number of concurrent connections, network bandwidth isn’t affected much.
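A detection sketch for the low-bandwidth, high-concurrency pattern just described, added here as an example and not taken from the original article: it profiles each client by peak simultaneous connections and bytes per second per connection, and shows that total throughput stays small while the pattern is present. The record layout, client labels and thresholds are assumptions; the records are constructed.

```python
from collections import defaultdict

def sample_records():
    """Constructed records: (client, open_time_s, close_time_s, bytes_transferred)."""
    records = []
    for i in range(20):  # ordinary visitors: short connections moving real page data
        records.append((f"visitor-{i}", i * 3.0, i * 3.0 + 2.0, 400_000))
    for c in range(3):   # slow clients: many connections held open, each nearly idle
        for k in range(150):
            records.append((f"slow-{c}", k * 0.1, k * 0.1 + 60.0, 2_000))
    return records

def peak_concurrency(intervals):
    """Largest number of simultaneously open connections (sweep over open/close events)."""
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    events.sort()  # at the same instant, a close (-1) sorts before an open (+1)
    peak = cur = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak

def profile_clients(records):
    """Per client: (peak concurrent connections, average bytes/second per connection)."""
    by_client = defaultdict(list)
    for client, start, end, nbytes in records:
        by_client[client].append((start, end, nbytes))
    profile = {}
    for client, conns in by_client.items():
        peak = peak_concurrency([(s, e) for s, e, _ in conns])
        rate = sum(b for _, _, b in conns) / sum(e - s for s, e, _ in conns)
        profile[client] = (peak, rate)
    return profile

def flag_slow_high_concurrency(records, min_peak=50, max_rate=1_000.0):
    """Assumed thresholds: at least 50 open connections, each averaging under 1 kB/s."""
    return sorted(c for c, (peak, rate) in profile_clients(records).items()
                  if peak >= min_peak and rate < max_rate)

def total_mbps(records):
    """Aggregate throughput over the whole capture, in megabits per second."""
    span = max(e for _, _, e, _ in records) - min(s for _, s, _, _ in records)
    return sum(b for *_, b in records) * 8 / span / 1e6
```

On the constructed data the capture averages under 1 Mbps in total, so a bandwidth graph shows nothing unusual, while the per-client profile singles out the three clients holding 150 connections open.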
Why SMEs Are Targeted
DDoS attacks have typically been associated with “hacktivists,” but that’s changing. Today, more attackers are financially motivated, and use DDoS attacks to disguise actions like stealing customer data, financial information, or intellectual property. This may account for the increase in DDoS attacks against SMEs.
Here’s how it might go down: attackers overwhelm an SME’s website, knocking it offline. This causes problems with customer service phone lines too (since many SMEs use VoIP telecommunications). The target organizations are unable to communicate with banks temporarily, giving attackers a chance to target the bank’s corporate customers without being noticed right away.
Sometimes DDoS attacks hide more sinister attacks.
SMEs should continually monitor for unusual network behavior when banking websites go down. Should this happen, they should contact their bank ASAP to ensure no unauthorized transfers happened. Another key to recognizing a financially-motivated DDoS attack is whether someone claims responsibility. Old style “hacktivist” attacks often made their motives clear, but unexplained DDoS incidents are more likely to be cloaking a simultaneous attack on valuable financial or intellectual data.
Some organizations rely on third-party DDoS mitigation providers, which specialize in preventing trending malicious traffic. But not all SMEs can afford this, and those that can’t must take protective measures of their own.
The first step is knowing the size of the organization’s internet connection and ensuring that available throughput actually matches what’s expected. Installing “fatter pipes” can help prevent bandwidth from being overwhelmed. Placing more infrastructure in the cloud can help too, because top cloud providers can dilute the effects of a DDoS attack. They have dispersed data centers that announce customers’ IP addresses, the result being DDoS traffic that’s dispersed across numerous locations, diluting the attack.
Choosing a web host that will attempt to stop attacks before they get to your site is another countermeasure. So is two-factor authentication. One hacking technique starts with tricking an end-user into downloading a keystroke tracker and capturing passwords, but two-factor authentication can protect against this.
DDoS tools are more widely available to attackers than ever, so it’s easier to launch attacks. While large attacks may require use of botnets, smaller attacks can be very damaging without requiring a botnet. Therefore it’s critical that every organization take steps to protect against DDoS attacks and have a response plan ready. A DDoS attack can not only cause a customer-infuriating crash of your system, it can put valuable data in peril as well.
IT asset management is a critical component of your network protection strategy. Samanage offers a true cloud solution to IT asset management and IT service desk management with a unified interface and tools that can help you ensure your IT infrastructure is accounted for at all times and kept safe from outside attacks.
About Kyle Shepard
Kyle is a Senior Manager of the Customer Success team at Samanage. His team provides ongoing support in service management strategy for evolving customer goals. He speaks on webinars and other educational resources in ITSM. He also played college lacrosse.