The Rising Threat of DDoS Attacks: Is Your Business at Risk?

The Rising Threat of DDoS Attacks Is Your Business At Risk? NetStandard.com | 2000 Merriam Lane | Kansas City, KS 66106 | 913.262.3888 | Daniel Fluke, Ph.D NetStandard Inc.


Presented originally by NetStandard's Daniel Fluke, Ph.D. at INTERFACE Kansas City, this presentation defines the differences between DoS and DDoS attacks and provides tips for identifying and mitigating attacks on your business.

Transcript of The Rising Threat of DDoS Attacks: Is Your Business at Risk?

Page 1

The Rising Threat of DDoS Attacks: Is Your Business At Risk?

Daniel Fluke, Ph.D., NetStandard Inc.

Page 2

What Is A DoS or DDoS Attack?

A Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack is an attempt by a malicious party to make a machine or network resource (like a website) unavailable to its intended users (your customers).

Targets:

• Financial Institutions

• Small/Midsized Businesses

• Retail

Page 3

DoS or DDoS: What’s the Difference?

DoS – Denial of Service

A Denial of Service attack is an attempt by a single machine to prevent others from utilizing your website resources.

Page 4

DoS or DDoS: What’s the Difference?

DDoS – Distributed Denial of Service

A Distributed Denial of Service attack is an attempt by multiple machines to prevent others from utilizing your website resources.

Page 5

Types of DDoS Attacks

There are multiple types of attacks that can effectively make your systems inaccessible or unresponsive to users.

Three general types of attacks:

1. Volume-Based Attacks

2. Protocol Attacks

3. Application Layer Attacks

Page 6

Types of DDoS Attacks: Volume-Based Attacks

Goal: To saturate the bandwidth of the attacked site. The magnitude of this type of attack is typically measured in bits per second.

Attack Includes:

• UDP Floods

• ICMP Floods

• Spoofed Packet Floods

Page 7

Types of DDoS Attacks: Protocol Attacks

Goal: To consume the resources of either the servers or the intermediate communication equipment, such as routers, load balancers and/or firewalls. Protocol attacks are usually measured in packets per second.

Attack Includes:

• SYN Floods

• Fragmented Packet Attacks

• The Ping of Death

• Smurf DDoS

Page 8

Types of DDoS Attacks: Application Layer Attacks

Goal: To crash web servers. Arguably the most dangerous form of DDoS attack, these attacks are often composed of seemingly legitimate and innocent requests. Application layer attacks are often measured in requests per second.

Attack Includes:

• Slowloris

• Zero-day DDoS attacks

• DDoS attacks on Apache, Windows or OpenBSD vulnerabilities

Page 9

Types of DDoS Attacks

In Q1 of 2013, the Prolexic Global DDoS Attack Report gives the following breakdown of the types of attacks being carried out:

Page 10

Types of DDoS Attacks

In Q1 of 2013, the Prolexic Global DDoS Attack Report gives the following breakdown of the types of attacks being carried out:

• SYN Flood – Spoofed SYN packets fill the connection tables of your servers

• ICMP Flood – ICMP packets overload servers and inbound bandwidth

• Non-Service Port Flood – TCP/UDP packets overload servers and inbound bandwidth on ports not being used for services (e.g., Port 81)

• Service Port Flood – Packets overload servers and inbound bandwidth on ports being used for services (e.g., Port 80)

• Fragmented Flood – Fragmented packets are sent to servers, causing them to overload as they process those packets

• HTTP GET Flood – HTTP GET requests flood servers and incoming bandwidth on in-use service ports, mimicking valid traffic

Page 11

How Is An Attack Launched?

• In order to launch a DDoS attack, attackers need between several hundred and several thousand compromised hosts. Hosts are usually Linux and Sun computers, but tools can be ported to other platforms.

• Compromising a host and installing tools is automated. The process can be divided into four steps:

1. Attackers initiate scan phase

2. Identified vulnerable hosts are compromised

3. Tools installed on each host

4. Compromised hosts are used for further scanning and compromising

Page 12

How Is An Attack Controlled?

Using a command and control system, attackers create subordinate systems that can control the attacking machines.

• Attackers can compromise and install tools on a single host in under 5 seconds

• Several thousand hosts can be compromised in less than an hour

• Large attacks may have multiple subordinate control systems and thousands of Bots

• Commands can be passed on to initiate and control attacking machines

Page 13

The Origins of Attacks

Top 10 Attack Source Countries:

*Prolexic Global DDoS Attack Report, Q1 2013

Page 14

What Motivates Attackers?

• Revenge against a company’s policies or practices

• Revenge against a company for something posted on social media

• Eliciting ransom money to stop the attack

• Ransoming bandwidth and availability

• Because they can

Page 15

Are You A Target?

EVERY BUSINESS IS A TARGET. Some, however, are more popular targets than others:

• Banks and financial institutions

• Consumer goods retailers

• Manufacturers

• Companies in the news

• Companies engaging in political, cultural or social hot-button issues, whether through comments in social media or day-to-day practices.

Page 16

Know When You’re Under Attack

Key signs your business is under attack:

• Abnormally high or unexpected loads on websites

• “Service Unavailable” messages

• Abnormalities or unusual activity in website statistics

• Suspicious activity in log files

• Abnormally high bandwidth utilization

If your company is in the cloud, you could be affected when another company hosted by your provider is attacked. Selecting a provider with plenty of spare bandwidth can help absorb the attack traffic and mitigate the impact to your business.
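The log-file and request-rate signs above can be checked automatically. The following is an added example, not code from the presentation or from NetStandard: it parses constructed combined-format web server log lines and flags any second whose GET rate, single-source concentration or 5xx share looks like the HTTP GET flood described on the earlier slides. The thresholds (20 GET/s, 50% from one source, 50% server errors) are assumptions and should be tuned to your own baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of combined-format web server log lines (not real traffic).
# Seconds :00 and :01 are normal; second :02 carries a burst of identical GETs,
# mostly from one source, answered 503: the HTTP GET flood pattern from the slides.
SAMPLE_LOG = "\n".join(
    ['198.51.100.7 - - [12/Mar/2013:10:00:00 -0500] "GET /index.html HTTP/1.1" 200 5120',
     '198.51.100.9 - - [12/Mar/2013:10:00:01 -0500] "GET /about.html HTTP/1.1" 200 2048',
     '203.0.113.4 - - [12/Mar/2013:10:00:01 -0500] "POST /login HTTP/1.1" 302 0']
    + ['203.0.113.%d - - [12/Mar/2013:10:00:02 -0500] "GET / HTTP/1.1" 503 0'
       % (10 + int(i % 4 == 0)) for i in range(40)]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, second, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    second = m.group("ts").split(" ")[0]  # drop the timezone, keep dd/Mon/yyyy:HH:MM:SS
    return m.group("ip"), second, m.group("method"), m.group("path"), int(m.group("status"))

def detect_get_flood(log_text, max_rps=20, max_source_share=0.5, max_error_share=0.5):
    """Flag each second whose GET traffic exceeds the (assumed) thresholds."""
    per_second = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "GET":
            per_second[rec[1]].append(rec)
    alerts = []
    for second, recs in sorted(per_second.items()):
        rps = len(recs)
        top_ip, top_count = Counter(r[0] for r in recs).most_common(1)[0]
        errors = sum(1 for r in recs if r[4] >= 500)
        reasons = []
        if rps > max_rps:  # volume: requests per second, the unit the slides use
            reasons.append("%d GET/s" % rps)
        if rps > 5 and top_count / rps > max_source_share:  # one source dominating (DoS)
            reasons.append("%s sent %d of %d" % (top_ip, top_count, rps))
        if rps > 5 and errors / rps > max_error_share:  # the server is already failing
            reasons.append("%d of %d answered 5xx" % (errors, rps))
        if reasons:
            alerts.append((second, reasons))
    return alerts
```

Run `detect_get_flood(SAMPLE_LOG)` to get one alert for second 10:00:02 with all three reasons; a distributed flood would trip the rate and error checks but not the single-source check.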

Page 17

Prepare Before An Attack

Create a plan before an attack:

• Know Your Vulnerabilities – What is happening internally that might make attackers aware of your presence?

• Increase Resiliency and Availability – Implement industry best practices for network infrastructure, applications, critical support services and DNS.

• Secure Potential Bottlenecks – Ensure systems are configured correctly.

• Watch Your Systems and Network – Use automated tools to monitor and alert on suspicious activity.

• Small Attacks Happen, Too – Nearly 50% of attacks are less than 5GB, and 25% are 1GB or less.

• Beware of Application Attacks – These are much harder to recognize than network layer attacks.

Page 18

Prepare Before An Attack

Create a plan before an attack, cont.:

• Beware Blended Attacks – Attackers are increasingly combining network and application layer attacks.

• Look for Suspicious Activity – Be aware of the possibilities of suspicious activity, like social engineering, during an attack. Sometimes DDoS is used as a distraction.

• Make Friends Upstream – Your ISP can help identify and mitigate attacks. Work with them to implement various strategies that can help before an attack and after.

• Sign Up For DoS/DDoS Mitigation Services – Consider signing up for a DoS/DDoS mitigation service, like those provided by AT&T, Verisign, Arbor Networks and Prolexic.

Page 19

What If I’m Attacked?

Your response to an attack depends on what type of attack is being waged. Initial steps should include:

• Block the attack with packet filters on your routers. If possible, do this at the border of your network or through your ISP.

• Null route, or blackhole, the IP address being attacked on your border routers or on your ISP’s border routers. This will effectively shut down the service attached to that IP address, but it could keep other systems online and available.

• Use Anycast and Multicast Source Discovery Protocol (MSDP) if your company has websites co-hosted at several locations.

Page 20

DDoS In The News

Independent Newspapers – Received attack following the publishing of an article in support of Zimbabwean President Robert Mugabe.

The Spamhaus Project – Spam crusaders have been battling massive DDoS attacks that have reportedly resulted in a slowdown of the entire Web.

Attacks on U.S. Banks – An Islamic group launched a third wave of high-powered DDoS attacks against U.S. banks in March 2013 and is reportedly targeting other financial institutions.

Page 21

Questions?

Contact us!