We explain why and how you should guard against distributed-denial-of-service incidents.
The distributed-denial-of-service (DDoS) attack landscape is constantly evolving, and is now routinely populated by hacktivists, trolls, extortioners and even used as a distraction from data exfiltration elsewhere on your network.
According to A10 Networks’ DDoS: A Clear and Present Danger report, the average organisation suffers more than 250 hours of DDoS business disruption each year.
Rather than asking if you can afford the cost of dedicated DDoS mitigation, maybe you should be asking if you can afford not to.
And while DDoS attacks still mainly target large or high-profile organisations, small businesses are increasingly being affected. An Akamai study reported a 180% annual increase in the number of DDoS attacks against small organisations.
We explain how to protect against a DDoS attack on the next page, but first, let’s take a look at why you should.
What is a DDoS?
According to the Oxford Dictionary, a Distributed Denial of Service (DDoS) attack is the “intentional paralysing of a computer network by flooding it with data sent simultaneously from many individual computers”.
While technically true, it is a very basic description of a tactic that has evolved to become one of the most complex and efficient threats facing a digital economy. To understand how far it has come, you need to first look back at the roots of DDoS attacks.
A very brief history of DDoS
The methodology we know today as DDoS is widely considered to have first emerged in 1995 during the Net Strike attacks against sites owned by the French government. Attacks had become somewhat automated by 1997, primarily due to the FloodNet tool created by the Electronic Disturbance Theater group.
Following an attack by Anonymous in 2010, the DDoS tactic would be firmly planted on the threat map. Using a tool dubbed the ‘Low Orbit Ion Cannon’, the group was able to successfully flood targeted servers with TCP or UDP packets, facilitated through a point-and-click interface.
DDoS has since evolved further, with two recent attacks demonstrating the ease at which criminals are able to take down targeted servers.
In October 2016, an 18-year-old allegedly configured his Twitter account and website to contain a redirect link that when clicked would automatically make a 911 call. Emergency services in the towns of Surprise and Peoria, Arizona, as well as the Maricopa County Sheriff’s Office were inundated with fake calls as a result.
Surprise received over 100 calls in the space of a few minutes, while Peoria PD received a “large volume of these repeated 911 hang up calls”, which, given enough data traffic, could have knocked the 911 service offline for the whole of Maricopa County.
More details of how the attack was actually carried out can be found here.
The second notable incident is the DDoS attack on DNS provider Dyn, which took place at about the same time as the Surprise 911 overload. It's thought that the attack was powered by Mirai, a piece of malware that recruits IoT devices into a botnet.
Dyn said it had observed that tens of millions of discrete IP addresses associated with Mirai were part of the attack, with an army of 150,000 internet-connected CCTV cameras thought to have been a core part of the botnet.
Who's doing it and what do they use?
Don't think that DDoS is a legitimate form of political protest. Impairing the operation of any computer is a crime.
It is also used as a smokescreen for other criminal activity, as when TalkTalk had data on four million customers exfiltrated while it was dealing with one.
DDoS is now almost exclusively the territory of botnets-for-hire, no longer populated just by compromised PCs and laptops: the Mirai botnet last year connected together hundreds of thousands of IoT devices to power a DDoS attack. Devices such as routers and even CCTV cameras have default credentials that often don't get changed by owners, leaving hackers an easy route to infection and control.
A botnet comprising close to 150,000 digital CCTV cameras was thought to be used in the DDoS attack against DNS provider Dyn, an attack that took a swathe of well-known internet services offline.
How do they work again?
DDoS attacks come in many technical guises, and some are more common than others. Nearly all, however, involve flooding to some degree or other. Be it a User Datagram Protocol (UDP), Transmission Control Protocol (TCP) Synchronize (SYN), GET/POST or Ping of Death flood, they all involve sending lots of something that eats up server resources as it tries to answer each request or check its authenticity.
The more that are sent, the less resource the server has to respond until eventually it collapses under the strain.
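As an added illustration (not from the original article), the following Python sketches how a defender can spot the floods just described in connection records: a per-source threshold catches a single noisy client, while an aggregate per-destination threshold is needed for the distributed case in which each bot sends only a little. The record format, thresholds and traffic are all constructed for this example.

```python
from collections import defaultdict

def make_sample_records():
    """Constructed sample traffic (not from the article): (ts, src, dst, kind)."""
    recs = []
    # Distributed SYN flood: 300 distinct sources, one SYN each, inside one second.
    for i in range(300):
        recs.append((0.003 * i, f"10.{i // 256}.{i % 256}.7", "203.0.113.5", "TCP/SYN"))
    # Single-source UDP flood: 80 datagrams from one host in the next second.
    for i in range(80):
        recs.append((1.0 + 0.01 * i, "198.51.100.9", "203.0.113.5", "UDP"))
    # Ordinary background traffic that must not trigger an alert.
    for i in range(10):
        recs.append((2.0 + 0.1 * i, f"192.0.2.{i}", "203.0.113.5", "TCP/SYN"))
    return recs

def detect_floods(records, window=1.0, per_src_threshold=50, aggregate_threshold=200):
    """Bucket records per (time window, destination, packet kind) and raise alerts.

    A single source above per_src_threshold is a classic one-origin flood; a window
    whose total exceeds aggregate_threshold with no dominant source is distributed.
    Thresholds are hypothetical and would be tuned to the real traffic baseline.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, kind in records:
        counts[(int(ts // window), dst, kind)][src] += 1
    alerts = []
    for (w, dst, kind), by_src in sorted(counts.items()):
        total = sum(by_src.values())
        top_src, top_n = max(by_src.items(), key=lambda kv: kv[1])
        if top_n >= per_src_threshold:
            alerts.append({"window": w, "dst": dst, "kind": kind,
                           "type": "single-source", "src": top_src, "count": top_n})
        elif total >= aggregate_threshold:
            alerts.append({"window": w, "dst": dst, "kind": kind,
                           "type": "distributed", "sources": len(by_src), "count": total})
    return alerts

if __name__ == "__main__":
    for alert in detect_floods(make_sample_records()):
        print(alert)
```

A per-source rule alone would miss the first window entirely, which is exactly why distributed floods are harder to filter than a single attacker.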
What about cost?
That depends on whether you mean the cost to the organisation that has fallen victim to a DDoS attack, or the cost to the perpetrators. Kaspersky Labs reckons the average cost to an organisation is US$106,000 if you take everything from detection through to mitigation and customer churn into account. For small businesses, that figure is still a significant US$52,000.
For the attacker it's less expensive, with DDoS-for-hire services ranging from US$5 for a few minutes to US$500 for a working day.
The bottom line is if you can't afford your network, website or other digital channels to go down for any significant period of time, you need to prepare for a DDoS attack.
Next: How to protect against a DDoS attack