The Rise of the Bots

29 July 2011 11:15 am , Varun Aggarwal

Executing a distributed denial of service (DDoS) attack no longer requires highly skilled hackers. People have started using it as a tool to register protest, attack competitors and gain financially.

On June 28th, MasterCard’s website went offline following a Distributed Denial of Service attack that seemed to be WikiLeaks-inspired. A Twitter user called ibomhacktivist took responsibility for the attack, and linked the action to the WikiLeaks-inspired attack on MasterCard by the Anonymous group last year.

Earlier, in April, the computer network of South Korea’s National Agricultural Cooperative Federation, better known as Nonghyup, was brought down by suspected North Korean hackers through a DDoS attack, leaving the bank’s almost 20 million clients unable to use automated teller machines and online banking services.

Nonghyup later announced that it will spend 510 billion won ($477.2 million) by 2015 to boost network security. The company received 1,385 claims for compensation related to the network disruption.

Then there is the series of DDoS attacks that shook Sony Corporation earlier this year, during which the company’s shares fell by more than $10, a drop of close to 30 percent that can to a large extent be attributed to these attacks.

There is no shortage of examples showing a marked increase in the size and volume of DDoS attacks over the past 12 months, alongside a significant increase in more sophisticated application-layer attacks. According to network security firm Arbor Networks’ 2010 Worldwide Infrastructure Security Report (Volume 6), the largest reported DDoS attack grew 102% over the previous year, with a single attack topping 100 Gbps for the first time in the survey’s history. That is a 1,000 percent increase over the largest DDoS attack reported in the first edition of the survey in 2005.

In a typical DDoS, malicious code infects large numbers of computers, which are then directed to flood the targeted website with traffic. The infected computers act as zombie bots controlled by a command-and-control (C&C) server, which can be located anywhere in the world.

Despite the damage such attacks can wreak on an organisation’s infrastructure, public image and balance sheet, many CISOs do not consider DDoS a major threat. The reason? They feel there is no financial motivation for the attack and that it is extremely complicated to execute, so the probability of occurrence is low. True and false.

First, most DDoS attacks do not have a financial motive, but that does not mean the attackers lack motivation. Second, while it is true that DDoS attacks were complex to execute until fairly recently, with attack toolkits now freely available in the wild they can be launched by someone with very limited knowledge of networking.

Motivation behind the attacks

One thing that is quite evident is that DDoS attacks do not occur without motivation. Unlike viruses and other self-propagating malware, they do not spread indiscriminately; they are always aimed at a specific organisation, government or other entity. A number of primary motives are driving DDoS attacks today, including:

Economic– Threats and extortion. This is common among cash-rich operators such as gambling and illicit content providers, but also extends to financial services, ecommerce and other traditional enterprises. Attackers may keep a website offline and demand payment in exchange for stopping the onslaught.

Ideological– Cyber terrorists and fanatics use DDoS as a means of causing disruption and economic loss. These attacks usually aim at government and military sites, but well-known businesses are targeted too.

Competitive– Attacks by one competitor on another to gain an advantage. This is very common in the online gaming community and in ecommerce.

Social– Attacks as a means of protest. These can target any company over a real or perceived insult to the attacker, or simply as a challenge to be overcome. The Anonymous group has become well known for attacks of this kind against a wide variety of victims across many vertical markets.

Political– Attacks on a country’s government services and key economic services have become more mainstream as a means of gaining political advantage. Examples include the widespread DDoS attacks on Estonia, Georgia and Egypt over the past few years.

“It is dangerous to assume that Indian Organisations are shielded or that no one is interested in knocking off their network. Recent history shows many examples of companies that suffered significant monetary and reputation loss because they did not prepare against DDoS,” opines Samuel Sathyajith, Country Manager - India & SAARC, Arbor Networks.

Attack Toolkits

Over the past two years, the tools available to deliver a DDoS attack have become increasingly easy to obtain and use. A number of very popular tools such as Low Orbit Ion Cannon (LOIC) and High Orbit Ion Cannon (HOIC), with rich user interfaces, make it possible for almost any Internet user to download and run a tool capable of disrupting an Internet operator’s network or service. Botnet operators have also significantly improved their capabilities, making it easier and cheaper for customers to rent their networks to create havoc.
Given that there are over 100 million devices worldwide with high-speed Internet access, this creates a very large community capable of executing DDoS. Reports have shown that many of the participants in the Anonymous group that have wreaked havoc on the Internet over the past year are ordinary people with no particular computer expertise who have nonetheless used the tools very effectively.

Shantanu Ghosh, Vice President, India Product Operations, Symantec explained, “Many kits are considerably robust and include a number of tools with multiple exploits that target a range of applications across various operating systems.”

Symantec has found that the relative simplicity and effectiveness of using attack toolkits has contributed to the upward trends observed in cybercrime and that these kits are being used in a majority of malicious attacks online including DDoS. In fact, some kits also combine modular components and exploits from other packages to create platforms tailored for attacking a wider range of targets.

Toolkit development has advanced to the point that there is even an open-source project, the Hybrid Botnet System. The Hybrid Botnet System is composed of a command-and-control server Web application as well as a bot client. Users can compile the bot script into an executable to be distributed and installed on victim computers. “The kit includes all of the source code necessary to modify, build, and execute the C&C server and bot client. The application included in the kit can create stand-alone executables for multiple operating system platforms,” Ghosh elucidated.
With attack toolkits automatically attempting up to 25 different exploits at a time, it takes only one unpatched vulnerability for your system to be compromised.

Mitigation Strategies

There is a general perception that the firewalls or intrusion prevention systems (IPS) already in place at the network border provide sufficient protection against DDoS attacks. Unfortunately, not only have these devices proven ineffective against DDoS; because they must hold state for every connection they inspect, they can themselves be exhausted by a flood and have thus become part of the DDoS attack surface. In Arbor’s 2010 infrastructure security report, over half of the respondents stated that their firewall and IPS equipment had failed due to DDoS attacks within the preceding 12 months.

DDoS attacks can take many forms, from brute-force traffic floods to highly sophisticated application-layer attacks. Attack vectors also change constantly as attackers develop new methods to evade defences. As a result, it is necessary to employ multiple defensive methods suited to different types of threat. In general, these methods fall into distinct categories:

Anti-spoofing– Verifying that traffic really originates from the host it claims to come from (for example, by requiring the source to complete a handshake) so that forged-source floods can be discarded.

Rate based blocking– Block hosts that generate higher than normal traffic volumes.

TCP manipulation– Detect and block hosts that use TCP in a non-standard way that indicates an attack.

Malformed application traffic– Block traffic that does not conform to the application protocol’s specification.

Application specific rate based blocking– Block hosts that generate higher than normal numbers of application operations (logins, searches, downloads).

Application header manipulation– Block bad traffic that shows specific characteristics in the application header. This includes URL based blocking.

Payload blocking– Block bad traffic that has specific characteristics in the payload.

A layered defense approach is necessary when trying to counteract DDoS attacks because attackers generally have the ability to shift attacks on demand. Relying on a single method for defense may block certain attacks but leave you vulnerable to others.
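As an added, illustrative example (not code from the article or from any vendor named in it), the following Python script applies four of the categories above to web-server access logs: malformed-request blocking, URL based blocking, rate based blocking on raw request volume, and application specific rate based blocking on costly operations. The log format is the Apache/nginx Common Log Format; the thresholds, the list of expensive endpoints, the URL blocklist and the log lines themselves are constructed assumptions, not values from the article.

```python
"""Layered DDoS detection over web-server access logs.

Added example: applies several of the defence categories listed above to
Common Log Format lines. Thresholds, paths and sample traffic are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx Common Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>\d\.\d)$')
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# Tunables (assumed values for this example, not from the article)
WINDOW = 10           # seconds per counting window
RATE_LIMIT = 20       # requests of any kind per source per window
APP_RATE_LIMIT = 5    # expensive operations per source per window
EXPENSIVE_PATHS = ("/search", "/login")        # hypothetical costly endpoints
URL_BLOCKLIST = [re.compile(r"^/cgi-bin/")]    # hypothetical never-served paths


def parse_ts(text):
    """'10/Jul/2011:10:00:00 +0000' -> POSIX seconds."""
    return int(datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z").timestamp())


def classify(lines):
    """Return {source_ip: set(reasons)} for every source that trips a layer."""
    reasons = defaultdict(set)
    total = defaultdict(int)      # (ip, window) -> all requests
    expensive = defaultdict(int)  # (ip, window) -> expensive requests

    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        ip = m.group("ip")
        window = parse_ts(m.group("ts")) // WINDOW

        # Layer: malformed application traffic. Unknown method, or a request
        # line that does not fit "METHOD PATH HTTP/x.y".
        r = REQ_RE.match(m.group("req"))
        if not r or r.group("method") not in KNOWN_METHODS:
            reasons[ip].add("malformed-request")
            continue
        path = r.group("path")

        # Layer: URL based blocking on paths this site never serves.
        if any(p.match(path) for p in URL_BLOCKLIST):
            reasons[ip].add("blocked-url")

        # Layer: rate based blocking on raw request volume.
        total[(ip, window)] += 1
        if total[(ip, window)] > RATE_LIMIT:
            reasons[ip].add("rate-limit")

        # Layer: application specific rate based blocking. A source that makes
        # few requests overall but hammers a costly endpoint is caught here.
        if path.startswith(EXPENSIVE_PATHS):
            expensive[(ip, window)] += 1
            if expensive[(ip, window)] > APP_RATE_LIMIT:
                reasons[ip].add("app-rate-limit")

    return dict(reasons)


def _clf(ip, second, req, status="200"):
    """Build a constructed CLF line at 10:00:<second> UTC on 10 Jul 2011."""
    return f'{ip} - - [10/Jul/2011:10:00:{second:02d} +0000] "{req}" {status} 512'


def sample_log():
    """Constructed traffic: one legitimate browser and three attackers."""
    lines = [_clf("203.0.113.5", s, f"GET /{p} HTTP/1.1")
             for s, p in enumerate(["", "about.html", "search?q=ddos", "img/logo.png"])]
    # Volumetric HTTP flood: 25 identical GETs inside one 10 s window.
    lines += [_clf("198.51.100.7", s // 3, "GET / HTTP/1.1") for s in range(25)]
    # Application-layer attack: only six requests, all to an expensive endpoint.
    lines += [_clf("192.0.2.9", s, "POST /search HTTP/1.1") for s in range(6)]
    # Crude tool: bogus method, then a probe for a path the site never serves.
    lines += [_clf("192.0.2.44", 3, "XYZZY /index.html HTTP/1.1", "400"),
              _clf("192.0.2.44", 4, "GET /cgi-bin/test HTTP/1.1", "404")]
    return lines


if __name__ == "__main__":
    for ip, why in sorted(classify(sample_log()).items()):
        print(ip, sorted(why))
```

Running the script flags the flooding source with rate-limit, the low-volume search attacker with app-rate-limit (a plain volume threshold would never have caught it), and the source sending garbage request lines with both malformed-request and blocked-url; the legitimate browser trips nothing. Each layer contributes a reason rather than a hard block, so the decision to drop a source can weigh several signals, which is the layered approach the paragraph above calls for.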

You also need to implement the following basic measures, which protect your own endpoints from the attack toolkits and bot infections described above:

Keep software up to date:
Administrators should keep corporate images updated with the latest software versions. Many breach investigations show that systems were compromised through older, unpatched versions of software applications. Keeping software up to date reduces the attack surface and limits exposure to malware infection and information leakage. For example, Symantec solutions use standardisation, workflow and automation for inventory, asset and patch management.

Deploy comprehensive end-point security:
A traditional signature-based antivirus product only examines files as they sit on your system, and on its own is insufficient protection in today’s threat landscape. Because the threats in DDoS attack toolkits are polymorphic, a new approach to securing desktops and endpoints is required. Deploy comprehensive end-point security that includes additional layers of protection, uses reputation-based security and is optimised for virtual environments.

Keep your security product subscription current:
A security product is only as good as the security intelligence and content that drives it. This includes virus definitions and IPS signatures, which are typically updated over the network many times a day. Ensure your security product has the latest active protection; any lapse in updates quickly erodes its protective capability. Keeping your subscription active is what lets the product proactively keep malicious code off your systems and protect you from the latest threats.

“Many of the previous steps in protecting systems may seem like common sense, but in our analysis of enterprises and consumers that have been infected or had their security breached, many of these simple steps were not followed,” Ghosh opines. Protection against many of the latest Web-based threats comes down to being proactive: prevention is better than cure, and it is far cheaper for businesses to take a few additional steps to prevent infection than to clean up systems afterwards.

-varun.aggarwal@9dot9.in

 

