DDoS attacks can easily upend an organisation. Faster threat detection systems are required to prevent such attacks from causing serious damage.
In recent years, the number of Distributed Denial of Service (DDoS) attacks has risen by leaps and bounds. Such attacks pose an insidious threat to online banking and e-commerce. In a DDoS attack, the attackers exhaust the telecom pipes through which end users reach the online banking or e-commerce website: the attacker tries to saturate the bandwidth of the target website by flooding it with a huge quantity of data. The objective is to make the website or online service unavailable to genuine users.
Even government websites are not safe from DDoS attacks. There have been instances when decisions taken by certain governments have led some groups to launch massive DDoS attacks on websites owned by that government. In October, several Thai government websites were hit by a DDoS attack that made them impossible to access. According to sources, the attack appeared to be a protest against the Thai government’s plan to limit access to sites deemed inappropriate.
Evolution of DDoS attacks
A study of the DDoS attacks launched in the last few years reveals a significant evolution in their nature. “The intent earlier was to bring down the system. However, now the aim is to keep the IT department busy and occupied with an initial attack and then take advantage of their distraction to sneak into the system for inflicting an actual and more harmful blow to the overall information infrastructure,” says Samuel Sathyajith, Country Manager – India & SAARC, Arbor Networks.
Usually, DDoS attacks are launched by a program or a bot, but other strategies, including mass mobilisation of computer users, can also be used. For instance, when the Thai government websites were targeted, the attackers used social media in Thailand to encourage people to visit the websites and repeatedly refresh them. The vast array of strategies used by attackers makes it very difficult to detect the point of origin of an attack.
“DDoS attacks are designed in such a way that they cannot be traced to any specific IP address. The jumping IP address makes it very difficult to spot the source. There are separate companies which specialise in providing this service. Russia and Czechoslovakia have emerged as specialised centres for providing these services,” explains Prashant Mali, President – Cyber Law Consulting (Advocates and Attorneys).
“Moreover, in the recent past the modus operandi has changed. Following the new strategy, the attacker does not directly get involved. He pays money to an agent, who co-ordinates with botnet owners, malware writers, etc. A combination of these factors makes it nearly impossible to nab the kingpin,” he adds. In a scenario where online vandals use tens, hundreds or even thousands of compromised servers to automate the flood of data, DDoS attacks are quite hard to predict and stop.
Matt Larson, CTO, Dyn, says, “When there is no pattern in the attack and it can’t be easily filtered, because the traffic looks just like regular traffic, the only defence is to have sufficient capacity to ride out the attack while still answering legitimate requests.” Dyn, an internet performance company, provides services to companies such as Twitter and TripAdvisor.
DDoS: Weak links and remediation
Because of the range of strategies DDoS attackers can use, it is difficult to stop such attacks from happening altogether. However, with advance planning, such attacks can be mitigated and neutralised to a large extent. There are a number of steps that organisations can take to at least limit the effect DDoS attacks have on their websites, servers, databases and other essential infrastructure. “We may never be able to stop determined attackers from launching an attack. Safeguards have to be enhanced in all the systems and processes,” says Sandeep Godbole, Member, ISACA India Growth Task Force.
A DDoS attack is launched primarily by taking advantage of the network, so a good prevention method is one that gives security teams insight into what is going on in the network. One of the more popular approaches is flow sampling, as virtually all routers support some form of flow technology such as NetFlow, IPFIX or sFlow. The router samples packets and exports a datagram containing information about each sampled packet. This kind of technology is readily available, scales well and is fully capable of showing trends in network traffic.
Ramandeep Singh Walia, Head – Sales and Operations, QOS Technology, says, “In my view the biggest weakness of the Indian information security infrastructure, one which leaves ample scope for DDoS to be launched, is that most of our network connecting devices are kept open. To be specific, open Network Time Protocol (NTP) servers, DNS proxies have default configurations. Routers are also not configured appropriately. In most Indian organisations that we have worked with, 8 out of 10 DNS resolvers are open.”
Open DNS resolvers (servers that translate domain names into IP addresses) can be abused as tools to launch a DDoS attack. An open resolver is one that has not been restricted to answering queries from a defined set of client addresses; by default it answers every address that sends it a query. Such flaws persist in networks even though the biggest DDoS attack, ‘Spamhaus’, was launched in 2013 by abusing open DNS resolvers. Recommendations for thwarting DDoS were issued afterwards, one of which was to harden the DNS resolver.
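The flow-sampling approach described above and the open-resolver abuse discussed here can be tied together in a collector-side check. The following is an added example, not code from the article or from any vendor named in it: it takes decoded flow records (a constructed sample, with assumed sampling rate, export window and per-address baseline), scales the sampled counts back up, and flags both a destination whose estimated rate far exceeds its baseline and the specific signature of amplified DNS replies (large UDP packets from source port 53, sent by many distinct hosts) converging on one address.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    proto: int    # 17 = UDP, 6 = TCP
    sport: int
    dport: int
    packets: int  # packets counted in the sampled flow
    octets: int   # bytes counted in the sampled flow

SAMPLE_RATE = 1000     # assumed router setting: 1 in 1000 packets is sampled
WINDOW_SECONDS = 60    # assumed export interval covered by the records
# Assumed learned baseline (bits/s) for the protected address; unknown addresses never alert.
BASELINE_BPS = {"203.0.113.10": 20_000_000}

# Constructed sample records: one ordinary HTTPS flow, then 40 distinct hosts all answering
# from UDP/53 with ~3 KB responses toward the same address, as abused open resolvers do.
SAMPLE_FLOWS = [Flow("198.51.100.5", "203.0.113.10", 6, 443, 52010, 40, 60_000)] + [
    Flow(f"192.0.2.{i}", "203.0.113.10", 17, 53, 4444, 10, 30_000) for i in range(1, 41)
]

def traffic_per_destination(flows):
    """Estimated bits/s toward each destination; sampled counts are scaled by SAMPLE_RATE."""
    octets = defaultdict(int)
    for f in flows:
        octets[f.dst] += f.octets
    return {dst: o * SAMPLE_RATE * 8 / WINDOW_SECONDS for dst, o in octets.items()}

def volumetric_alerts(flows, factor=5.0):
    """Destinations whose estimated rate exceeds `factor` times their known baseline."""
    return {dst: bps for dst, bps in traffic_per_destination(flows).items()
            if bps > factor * BASELINE_BPS.get(dst, float("inf"))}

def dns_reflection_alerts(flows, min_sources=20, min_avg_bytes=1000):
    """Destinations receiving large UDP replies from source port 53 sent by many distinct
    hosts: the signature of open resolvers being used as amplifiers against that address."""
    sources, octets, packets = defaultdict(set), defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto == 17 and f.sport == 53:
            sources[f.dst].add(f.src)
            octets[f.dst] += f.octets
            packets[f.dst] += f.packets
    return {dst: len(srcs) for dst, srcs in sources.items()
            if len(srcs) >= min_sources and octets[dst] / packets[dst] >= min_avg_bytes}

if __name__ == "__main__":
    print("volumetric:", volumetric_alerts(SAMPLE_FLOWS))
    print("dns reflection:", dns_reflection_alerts(SAMPLE_FLOWS))
```

With the sample above the target is estimated at 168 Mbit/s against a 20 Mbit/s baseline, and 40 distinct UDP/53 sources averaging 3,000 bytes per packet trip the reflection check; a real collector would feed the same functions from each export interval.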
Open DNS resolvers can be compromised and used as tools to launch a DDoS
Ramandeep Singh Walia, Head – Sales and Operations, QOS Technology
Watch Your Log Analysis
In addition to setting the right DNS configuration, it is also important to enable log analysis in the respective devices. “Many Indian organisations do not keep ‘log analysis’ in an enabled state in their firewall or other relevant devices,” says Devendra Parulekar, Practice Leader, India – Information Security and Privacy, E&Y. “As a result, even if the firewall is detecting the traffic, it will not be able to give an early warning or alert because the device is simply not logging.”
“If the traffic is left unlogged, how will the organisation know that it is under a DDoS attack? The advanced Security Incident and Event Management (SIEM) tool will have no data from which to develop trends and patterns,” adds Devendra Parulekar. Enterprises disable log analysis because it affects application performance. In addition to following these standard practices, enterprises also need to manage their service providers, which include telcos, cloud hosting providers, ISPs and anti-DDoS solution providers.
Common DDoS protection deployments include flow analytics devices, which react to a detected incident by redirecting the victim’s traffic to a mitigation device and telling it what action to take. This method scales well for gathering the traffic to be analysed, and the reactive model redirects only potentially bad traffic, which allows for some bandwidth oversubscription.