What Is a DDoS Attack and Why Worry?
Distributed Denial-of-Service (DDoS) attacks overwhelm a target with activity so that websites can’t be accessed by legitimate traffic. In other words, your bank, entertainment company, newspaper, e-commerce portal—even your Internet connection where you’re killing it on Xbox Live—slows to a crawl or crashes.
DDoS attacks have been widely reported since 2000, and increase year-over-year in size, number, and intensity. They are time-tested, nearly impossible to prevent, very cheap to rent, and can have devastating, lasting consequences.
In Wrist Grabs and DDoS Attacks, Gino Grieco gives this description:
“Modern DDoS attacks generate such huge amounts of network traffic by utilizing something called a botnet…a network of computers that have been infected with malicious software that allows a hacker to hijack them remotely. These infected computers behave completely normally most of the time, except when they are given the command to spam a target. Once a command is received, each computer in the botnet starts sending out a specified type of Internet traffic at a specified target. After a hacker group builds a botnet, DDoSing services becomes much easier and defending against it becomes nearly impossible.”
While there’s no way to prevent attacks completely, strategic planning will mitigate the impact. It’s essential to have an action plan in place and to prepare for the inevitable.
If you think that DDoS is irrelevant to your company, or you’re in the middle of a DDoS attack and overwhelmed, or you want to make the best-informed choices to enact a DDoS game plan, this article is for you.
Who Is at Risk of a DDoS Attack?
Governments, organizations, and even individuals are targeted with the intention of disrupting business as usual. Motives include hacktivism (political protest), blackmail, harassment, attention seeking/bragging rights, and competitive advantage (especially in online gaming).
According to the Neustar 2015 DDoS Attacks and Protection Report, the respondents reported:
- 40% – DDoS attacks are a growing threat to their organization
- 32% – Would lose over $100K of revenue per hour
- 33% – Customer Support was the #1 area affected by DDoS attacks
- 85% – Attacked multiple times, with 30% attacked over ten times annually
- 26% – Suffered loss of customer trust and brand damage
Different Kinds of DDoS
Top 5 DDoS attack traffic seen by Symantec’s Global Intelligence Network
The majority of DDoS attacks are ICMP flood attacks, where a large volume of ICMP packets (typically ‘ping’ echo requests) from many sources hits one target at the same time until it overloads and can no longer handle legitimate traffic. These attacks are often conducted through botnets.
2015 attacks by type (source: 2016 Internet Security Threat Report):
- 85.7% – Generic ICMP Flood Attack
- 6.4% – Generic TCP SYN Flood Denial of Service Attack
- 2.1% – Generic Ping Broadcast (Smurf) Denial of Service Attack
- 2.0% – (attack type not captured in the source)
- 0.6% – (attack type not captured in the source)
Common DDoS attacks
The most common DDoS attacks fall under three categories:
- Volume-based attacks - A variety of methods are used to saturate bandwidth so that traffic slows to a standstill, which can eventually crash servers. ICMP floods dominated in 2015. Other types include UDP and other spoofed-packet floods.
- Protocol attacks - Protocol attacks exhaust server or intermediary state rather than raw bandwidth, and can overload firewalls and load balancers. Tools of the trade are SYN floods, Ping of Death, Smurf DDoS, and fragmented packet attacks. Protocol attacks accounted for roughly 8.5 percent of attacks in 2015.
- Application layer attacks - Application layer attacks send seemingly ‘legitimate’ requests that tie up the application until the server crashes or stops responding. They require far fewer attacker resources than the other categories. Common types include Slowloris and attacks targeting known vulnerabilities in Apache, OpenBSD, and Windows.
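Each category above leaves a different signal on the wire, which is why a defender watches more than one metric. The following Python sketch is an added example, not code from the original article: it buckets constructed packet summaries per second and flags a volumetric ICMP flood, a protocol-level SYN flood, and a Slowloris-style application attack. Field names and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Detection thresholds (assumed illustrative values; tune against your own baseline).
ICMP_PPS = 1000        # ICMP packets/second before we call it a volumetric flood
SYN_PPS = 500          # bare SYNs/second before we call it a protocol (SYN) flood
SLOW_PER_SRC = 100     # incomplete HTTP requests from one source before a Slowloris alert

# Constructed sample records: (second, src_ip, proto, tcp_flags, http_complete).
# http_complete is None for non-HTTP traffic, False when the request headers were
# never terminated (the Slowloris pattern), and True for a normally completed request.
SAMPLE = (
    [(0, "10.0.%d.%d" % (i % 50, i % 200), "ICMP", "", None) for i in range(3000)]
    + [(1, "192.0.2.%d" % (i % 250), "TCP", "S", None) for i in range(800)]
    + [(2, "198.51.100.7", "TCP", "PA", False) for _ in range(150)]
    + [(2, "203.0.113.9", "TCP", "PA", True) for _ in range(40)]
)


def classify(records):
    """Bucket records per second and return (category, detail) findings."""
    icmp = Counter()                # second -> ICMP packet count (volume signal)
    syn = Counter()                 # second -> bare-SYN count (protocol/state signal)
    slow = defaultdict(Counter)     # second -> src -> incomplete HTTP requests (app signal)
    for sec, src, proto, flags, complete in records:
        if proto == "ICMP":
            icmp[sec] += 1
        elif proto == "TCP" and flags == "S":
            syn[sec] += 1
        elif proto == "TCP" and complete is False:
            slow[sec][src] += 1
    findings = []
    for sec, n in sorted(icmp.items()):
        if n > ICMP_PPS:
            findings.append(("volume", "t=%d ICMP flood: %d pkt/s" % (sec, n)))
    for sec, n in sorted(syn.items()):
        if n > SYN_PPS:
            findings.append(("protocol", "t=%d SYN flood: %d SYN/s" % (sec, n)))
    for sec in sorted(slow):
        for src, n in slow[sec].items():
            if n > SLOW_PER_SRC:
                findings.append(("application",
                                 "t=%d Slowloris-style: %s holds %d incomplete requests" % (sec, src, n)))
    return findings


if __name__ == "__main__":
    for category, detail in classify(SAMPLE):
        print(category, detail)
```

Note that the well-behaved client 203.0.113.9 produces no finding even though it shares the second with the Slowloris source, because the application signal is per-source and counts only unterminated requests.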
Botnets-for-hire
Botnets-for-hire were used in roughly 40 percent of all DDoS network layer attacks in the second quarter of 2015, according to Incapsula, a Symantec partner. While criminals can go to the effort of infecting multiple vulnerable devices and creating their own botnet to carry out DDoS attacks, it’s often much easier to hire pre-made botnets for a set amount of time.
Simple, but effective
According to the ISTR 21 Report, DDoS attacks are, “simple to set up, difficult to stop, and very effective.” DDoS attacks often cause collateral damage to companies close to the real target. Once the bandwidth fills up, any site hosted by the same provider may not be accessible through the Internet. As a result, these sites might face downtime even if they were not targeted directly.
What Are Some of the High-Profile Recent DDoS Targets?
- Sony PlayStation has been targeted so often that Shuhei Yoshida, President of Worldwide Studios, said: “Actually, an attack happens every day. Literally every day. Some days are bigger and some days smaller. Some days they devise new means, new ways—it's like cat and mouse.”
- Microsoft Xbox has been taken down many times since Christmas, 2014. A small band of hackers calling themselves Lizard Squad took responsibility for the 2014 DDoS attack, which affected up to 160 million Xbox and PSN users. Another group, New World Hacking, took responsibility for a February 2016 attack, stating: “We attacked Xbox as once again a test of our power. We plan on taking down a few major ISIS channels next month. And it just seemed like the perfect time to test.”
- BBC: On New Year’s Eve, 2015, a hacktivist group took down all digital services at bbc.co.uk, including the news website, apps, and live streaming. New World Hacking claimed responsibility for what was then the biggest DDoS attack yet. They are an anti-ISIS group and launched the attack to test their capabilities, without any particular malice toward the BBC. The DDoS reportedly reached a peak of 602 Gbps and ‘unintentionally’ lasted nearly four hours.
- Staminus, a leading DDoS mitigation provider, was itself taken down in a particularly malicious attack. Not only was the mitigator knocked offline, but it also suffered a prodigious data breach. During the outage, information appearing to be Staminus’ customer credentials, support tickets, credit card numbers, and other sensitive data was posted online. A group claimed to have seized control over most or all of Staminus’s Internet routers and reset the devices to their factory settings.
- HSBC suffered a huge DDoS attack on January 29, 2016. "Source explains there's been a wave of DDoS attacks on HSBC & other UK banks this week using 'crude but disruptive' tools bought on dark web,” BBC Technology Correspondent Rory Cellan-Jones tweeted. HSBC Turkey had already been hit with a DDoS attack in November 2015.
What Are the Motivations Behind DDoS Attacks?
Hacktivism
Anonymous is perhaps the most sophisticated—and most publicized—hacktivist group. They even petitioned the White House: “Make, Distributed Denial-Of-Service (DDoS), a Legal Form of Protesting," characterizing DDoS as, “the equivalent of repeatedly hitting the refresh button on a webpage…Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time.”
Anonymous wages many high-profile attacks, with Donald Trump as their most recent target. In his article, “The Anonymous Hack of Donald Trump,” Adam G. Klein says: “Most hacktivist ‘operations’ are backed by a clear mission statement…Their tactics reflect this drive for social change. Journalist Andres Jauregui likened one Anonymous method, DDoS, to a civil disobedience strategy employed by student activists in the 1960s: ‘Clog the hallway of a government office with enough people, and it effectively ceases to function; direct enough traffic to a website, and the same thing happens.’”
Anonymous has launched crippling DDoS attacks against governments, groups, enterprises, and organizations, including:
- Turkey in December 2015 for supporting ISIS
- Saudi Arabia since 2013 in #OpSaudi
- ISIS in November 2015: “Expect massive cyber attacks. War is declared.”
- PayPal in 2010, supporting Julian Assange (WikiLeaks)
- KKK in 2015: Operation KKK exposed the identities of 1,000 members
Extortion
DDoS attacks and holding a site hostage are big money makers. With the ability to rent a booter or stresser for mere dollars a day, enterprising criminals run highly-profitable attacks with threats of repeated shutdowns.
Considering that Joseph Bonavolonta, of the FBI’s Cyber and Counterintelligence Program, has encouraged victims of cyber attacks to pay up, bad actors are emboldened, and some even cite his advice in their ransom demand emails.
Diversion
According to Gary Sockrider, Principal Security Technologist at Arbor Networks, “Historically, ‘ideological hacktivism’ has commonly been the top motivation (of DDoS attacks), only displaced last year by ‘nihilism/vandalism’. This year, however, things have changed. A growing number of respondents are seeing DDoS attacks being used as a distraction for either malware infiltration or data exfiltration.”
In Sony’s infamous data breach, DDoS attacks were used up to three years in advance of the actual exfiltration to gain intelligence into the network, while diverting resources away from detecting and stopping the infiltration.
Competitive advantage/bragging rights
DDoS attacks are prominent in online gaming. According to Symantec’s Candid Wueest, a DDoS attack rented for just a few minutes can create an insurmountable advantage during an online gaming contest.
Igal Zeifman of Incapsula highlights both bragging rights and ROI as strong motivators: “Take Lizard Squad’s attack this past Christmas on the PlayStation and Xbox networks: In that 24-hour period, the group was mentioned more than 100,000 times on Twitter alone. As viral impact goes, these attacks reach the level of ‘Gangnam Style’ notoriety—the best return on investment any attention-seeking perpetrator can hope for with a single DDoS burst.”
How Expensive Is a DDoS Attack?
DDoS attacks are very cheap to mount but very costly to endure.
According to the Incapsula Survey: What DDoS Attacks Really Cost Businesses, the estimated cost is $40,000 per hour.
Many companies also experience non-financial, intangible costs, such as:
- Loss of customer trust
- Loss of intellectual property
- Virus/malware infection
- Hardware replacement
- Data breaches and theft of customer information that occur under the cover of a DDoS attack
How Cheap Is a DDoS Attack to Mount?
Very cheap—in the range of $10 to $1,000 a day. Pricing is based on duration and sometimes bandwidth. You can shop online bazaars and buy seemingly legal ‘stressers,’ which are nominally intended to test your own website’s tolerance.
A Russian crime group called Forceful rents their DDoS services for:
- Daily – $60
- Weekly – $400
- 10% discount on orders of $500
- 15% discount on orders of $1000
Considering the amount of damage that can be caused for next to nothing, there is no barrier to entry for attackers and the ROI is huge. According to Arbor Networks’ Worldwide Infrastructure Security Report (WISR), the average cost to the victim is around $500 per minute, but the mean cost to the attacker is only $66 per attack.
How Do You Plan for a DDoS Attack?
Symantec researcher, Candid Wueest, contends that companies—and people—think that DDoS attacks are for somebody else: “Sony, Xbox, BBC News, Donald Trump—those attacks that grab headlines make sense, but it’s not going to happen to my company.”
But the truth is, if you have a public-facing company of any size, or you're an online game enthusiast, or even if you anger the wrong person, or you espouse an idea that’s controversial to somebody anywhere in the world, you’re a natural target.
Be Prepared: It Might Happen to You
1. Don’t expect it’s not going to happen to you. There's an excellent chance that it will.
2. Prepare a thorough game plan in anticipation of DDoS attacks.
- Consider your infrastructure, assess your vulnerabilities, and plan accordingly. For instance, if you have ISP-hosted servers, you’ll probably endure a shorter attack than if you maintain your own servers.
- Having an agreement in place with a mitigation service is ideal. If not, you should at least do your legwork in advance and know whom you’ll turn to in case of attack.
- Ensure your website security software offers DDoS mitigation. Symantec Complete Website Security, for example, has added Imperva Incapsula service, which offers enterprise-grade web application security, DDoS mitigation, performance optimization, and load balancing.
3. Create a DDoS Playbook, which should include:
- Contact names and numbers for your ISP and mitigation service.
- The questions to ask your ISP, and the protocols they have in place for DDoS attacks.
- Communication strategy on how to inform your customers, as attacks can last from several hours to a few days. Good communication can lessen the tarnish on your reputation.
4. Cover yourself with Cyber Insurance.
- Make sure your coverage mitigates and transfers the risk of exposure from cyber events.
- Ensure your coverage complements the efforts of your information security protections.
What’s on the Horizon for DDoS?
Candid Wueest’s white paper, “The Continued Rise of DDoS Attacks," offers a comprehensive view of the landscape and what can be done to shield yourself from DDoS attacks. When asked what we should anticipate in the future, he cites:
- The Internet of Things (IoT) will be the next growth area in exploits, as there will be an estimated 20 billion connected devices by 2020.
- CCTV surveillance cameras running embedded Linux with BusyBox were hijacked and turned into a botnet used in a global DDoS—which is a new trend. Many of these devices use default passwords and are fully exposed to the Internet.
- Routers are routinely hijacked and zombified. Your Linux-based home router is a target for a new worm called KTN-Remastered, which infects embedded systems by taking advantage of weak Telnet passwords.
Bottom line, cybercrime is the new normal. The sheer magnitude of reported attacks, vulnerabilities and costs in dollars, exposure, and harm done is overwhelming. It is a near certainty that you’ll be breached. Being prepared for the inevitable and mitigating the impact of a DDoS attack is the best strategy.
Candid Wueest sums it up like this: “You’re not adding speed to your arsenal if you’re not prepared.”