Enterprises and governments connected to the Internet today must treat distributed denial-of-service (DDoS) attacks as an everyday occurrence. DDoS technology is not new, but unlike the "low and slow" attacks of earlier years, the toolsets now widely available allow even inexperienced attackers to execute sophisticated attacks with ease.
As attack tools become easier to obtain on an active underground market, the number of smash-and-grab attacks will likely increase. Enterprises must do more to protect themselves, and be alert to DDoS attacks coupled with other denial-of-service (DoS) attacks.
Attackers use DDoS as a smoke screen. The flood ties up available resources, personnel, equipment, or bandwidth, while the attacker perpetrates a greater crime against the organization. These events cost organizations large sums of money in the form of service level agreement penalties, service interruptions, and credit protection for clients affected by the attack.
The Internet loses massive amounts of bandwidth to these events daily. The financial industry estimates the cost of a DDoS attack at $100,000, with costs accruing by the hour even before a mitigation effort begins. The additional cost of remediation and forensics for a DoS or DDoS attack can almost double that initial figure by the time the process is completed.
As the threatscape continues to evolve, we will witness more and more complex blended attacks. Some popular approaches use peer-to-peer (P2P) networks to mount attacks. There are increasing numbers of attacks that abuse social media and other sites built on backend platforms such as WordPress and Joomla to target government agencies and other organizations, especially those in the oil and gas, manufacturing, healthcare and higher education sectors. These industries are often pursued for their intellectual property or research data.
The Prolexic Quarterly Global DDoS Attack Report for Q3 2013 reported that the share of application-layer attack vectors increased by almost six percentage points, from 17% to 23%, between Q3 2012 and Q3 2013. Infrastructure-layer attacks, at 77% in Q3 2013, continued to represent the majority of attacks observed and mitigated.
Worth noting was the increase in reflection-based DDoS attacks using the old but re-emerging character generator (CHARGEN) protocol, which has been seen in several recent campaigns as a primary attack vector. In a reflection attack the attacker sends small requests with a spoofed source address (the victim's) to open CHARGEN servers on UDP port 19; each server answers with a datagram of up to 512 bytes addressed to the victim, so the victim receives far more traffic than the attacker had to send. A significant shift to reflection-based attack vectors was observed across the board, rising 69% compared to the previous quarter and 265% compared to the same quarter a year earlier.
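As an added example (not part of the original article or any Prolexic tooling), the script below shows what CHARGEN reflection looks like from the victim's side in flow records. It groups inbound UDP flows whose source port is 19 by destination, counts distinct reflectors and bytes per packet, and flags destinations that are being hit by several reflectors with large responses. The flow records, addresses and thresholds are constructed for illustration; the record layout `(proto, src_ip, src_port, dst_ip, dst_port, packets, bytes)` is an assumed simplification of a NetFlow or IPFIX export.

```python
"""Flag likely CHARGEN (UDP/19) reflection traffic in flow records.

Added example; the flow records below are constructed, not captured data.
"""
from collections import defaultdict

CHARGEN_PORT = 19  # RFC 864 character generator service

# Constructed sample flows: (proto, src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    # ordinary DNS reply to an internal resolver (ignored: not port 19)
    ("udp", "192.0.2.53", 53, "198.51.100.10", 40512, 1, 120),
    # reflected CHARGEN responses converging on the victim 198.51.100.7
    ("udp", "203.0.113.10", 19, "198.51.100.7", 80, 400, 190000),
    ("udp", "203.0.113.11", 19, "198.51.100.7", 80, 350, 166000),
    ("udp", "203.0.113.12", 19, "198.51.100.7", 443, 500, 240000),
    ("udp", "203.0.113.13", 19, "198.51.100.7", 443, 120, 58000),
    # one small reply from a single host: below thresholds, not flagged
    ("udp", "203.0.113.50", 19, "198.51.100.20", 51000, 1, 60),
    # normal HTTPS traffic from the same server (ignored: TCP)
    ("tcp", "198.51.100.7", 443, "192.0.2.88", 52000, 30, 12000),
]


def chargen_reflection_candidates(flows, min_reflectors=2, min_bytes_per_packet=200):
    """Return {victim_ip: summary} for destinations receiving CHARGEN reflection.

    A destination is flagged when at least `min_reflectors` distinct hosts send
    it UDP traffic from source port 19 and the average datagram is large
    (CHARGEN replies carry up to 512 bytes of payload, far above the few
    bytes a spoofed request needs). Thresholds are illustrative.
    """
    per_victim = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for proto, src, sport, dst, _dport, pkts, nbytes in flows:
        if proto != "udp" or sport != CHARGEN_PORT:
            continue
        entry = per_victim[dst]
        entry["reflectors"].add(src)
        entry["packets"] += pkts
        entry["bytes"] += nbytes

    flagged = {}
    for victim, entry in per_victim.items():
        if entry["packets"] == 0:
            continue
        bpp = entry["bytes"] / entry["packets"]
        if len(entry["reflectors"]) >= min_reflectors and bpp >= min_bytes_per_packet:
            flagged[victim] = {
                "reflectors": sorted(entry["reflectors"]),
                "packets": entry["packets"],
                "bytes": entry["bytes"],
                "bytes_per_packet": round(bpp, 1),
            }
    return flagged


def mitigation_rules(victim_ip):
    """Return iptables commands that drop inbound UDP from source port 19 to the victim.

    Dropping on the victim host only saves CPU, not link bandwidth; the same
    filter has to be applied upstream (provider ACL or scrubbing) to protect
    the pipe. Emitted as strings so an operator can review before applying.
    """
    return [
        f"iptables -A INPUT -p udp --sport {CHARGEN_PORT} -d {victim_ip} -j DROP",
    ]


if __name__ == "__main__":
    for victim, summary in chargen_reflection_candidates(SAMPLE_FLOWS).items():
        print(f"{victim}: {len(summary['reflectors'])} reflectors, "
              f"{summary['packets']} packets, {summary['bytes']} bytes, "
              f"{summary['bytes_per_packet']} bytes/packet")
        for rule in mitigation_rules(victim):
            print("  ", rule)
```

On the constructed data the only flagged destination is 198.51.100.7, hit by four reflectors at roughly 477 bytes per packet, which is consistent with CHARGEN's 512-byte maximum reply. The single 60-byte datagram to 198.51.100.20 stays below both thresholds, so a lone probe does not raise an alert. In production the interesting output is the reflector list, which is what you hand to your upstream provider or abuse contacts, because the spoofed requests themselves never appear in the victim's flows.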
The growth in DDoS attacks shows how the threatscape keeps changing, and how easily businesses can be taken offline or compromised. Enterprises must be more vigilant in their security programs and continue to evolve them to counter this threat. Most importantly, they should have remediation plans in place before an attack begins.
Craig Treubig is managing principal consultant at Accuvant, with more than 17 years of information security and infrastructure security experience in consulting and enterprise environments.