Partners in Mayhem: DoS and DDoS Attacks
DoS and DDoS—aren’t they just two more acronyms designed to make non-techies crazy? Not at all. Far from being two more ingredients of high-tech alphabet soup, they represent much more than jargon.
Denial of service (DoS) and distributed denial of service (DDoS) are cyber-attacks. For more than 20 years, they have assaulted and sometimes harmed IT operations worldwide. From the business operations and IT security point of view, they have become a very big deal. That’s because these attacks have become:
- Opportunities to make a political point, take vengeance on a rival, or commit digital vandalism.
- Sources of increasing technology and business risk to organizations of all sizes.
- An ongoing challenge to mitigation technology and strategies.
The goal of DoS and DDoS attacks is to prevent users from accessing IT infrastructure resources. The two differ in how they work and how they do harm.
In a denial of service attack, cyber-attackers use a single computer and a single internet connection to exploit a software vulnerability or flood network resources. The goal of a DoS attack is to prevent legitimate users from getting full use of network resources. Usually, the attack is meant to overwhelm server resources such as RAM.
Although DoS attacks don’t usually result in information theft or a security breach, network downtime can be costly. Just think of post-attack recovery tasks. The many costs of IT labor and service time—not to mention repair to a damaged brand—quickly add up.
The murky beginnings of DoS attacks
The simple denial of service attack has been with us for at least 20 years. In March 1998, NASA, the U.S. Navy, and university campuses across the United States became targets of DoS attacks. The object of the exploit: computers that ran Microsoft Windows NT and Windows 95. (This brings back many memories to analysts of a certain age.)
Until 2007, cyber-attackers used DoS exploits for pranks and old-fashioned digital vandalism. After that, things got complicated. Government actors started blasting the websites of other governments, social activists, and individuals they just didn’t like. Everyone with a political ax to grind made their point with hacktivist attacks. DoS attacks also became the perfect sleight of hand, a way to distract defenders from data breaches and theft.
DoS mitigation tech and strategies
Single-origin attacks can succeed if their target is undefended. However, IT security pros have plenty of ways to reduce the risk and potential damage of single-source DoS attacks. They can:
- Block the originating IP address, either at the host firewall or at the network level.
- Use security tools to detect and prevent attacks that overwhelm a computer with communications requests.
- Configure web servers to detect and block protocol request attacks.
- Use network monitoring tools to identify and block single-origin attacks when they begin.
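The last two items above come down to one question: is a single source sending requests faster than any legitimate client would? The following is an added example (not code from the original article) of that check run over web server access-log lines. It parses Common Log Format entries, keeps a sliding window of request times per client, flags sources that exceed a threshold, and renders a block rule for each. The 10-second window, the 20-request threshold, the `inet filter input` nftables chain, and all log lines are assumptions constructed for the demonstration; a real deployment tunes window and threshold against its own baseline traffic.

```python
"""Rate-based detection of a single-source request flood in web access logs.

Added example; not code from the original article. It parses Common Log
Format (CLF) lines, keeps a per-client sliding window of request times,
and flags any client whose request count inside one window exceeds a
threshold. The window (10 s) and threshold (20 requests) are assumed
values; a real deployment tunes them against its own baseline traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# CLF: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, datetime) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def find_flooding_sources(lines, window_seconds=10, max_requests=20):
    """Flag clients that send more than max_requests within any window_seconds span.

    Lines are expected in chronological order (as a live log is). Malformed
    lines are skipped rather than aborting the scan, so one odd entry cannot
    blind the detector.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> largest in-window count seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        bucket = recent[ip]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # expire old timestamps
            bucket.popleft()
        peak[ip] = max(peak[ip], len(bucket))
    return {ip: n for ip, n in peak.items() if n > max_requests}


def firewall_rules(flooders):
    """Render one nftables drop rule per flagged source (assumes an 'inet filter input' chain)."""
    return [f"nft add rule inet filter input ip saddr {ip} drop" for ip in sorted(flooders)]


def clf_line(ts, ip, request, status, size=512):
    """Format one constructed CLF line."""
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{request}" {status} {size}'


def constructed_sample_log():
    """Constructed sample: two ordinary clients plus one source that fires 30
    requests in five seconds. Addresses are RFC 5737 documentation ranges."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(30):                                   # the flood: 6 req/s
        events.append((base + timedelta(seconds=i // 6), "192.0.2.44", "GET / HTTP/1.1", 200))
    for i in range(4):                                    # a browsing user
        events.append((base + timedelta(seconds=3 * i), "203.0.113.5", "GET /index.html HTTP/1.1", 200))
    for i in range(3):                                    # a search-engine crawler
        events.append((base + timedelta(seconds=4 * i), "198.51.100.7", "GET /robots.txt HTTP/1.1", 200))
    events.sort(key=lambda e: e[0])
    lines = [clf_line(*e) for e in events]
    lines.insert(5, "this line is deliberately malformed")  # exercises the skip path
    return lines


if __name__ == "__main__":
    hits = find_flooding_sources(constructed_sample_log())
    for ip, n in hits.items():
        print(f"{ip}: {n} requests inside one window")
    for rule in firewall_rules(hits):
        print(rule)
```

Run as a script it reports the one flooding address and prints its drop rule; the two ordinary clients stay under the threshold. Because the window slides per client, a burst is caught wherever it falls relative to clock boundaries, which a fixed per-minute counter can miss.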
In terms of operations and resources at risk, DDoS attacks provide a different picture than single-origin exploits.
Fewer DoS attacks occur today. Now, their sophisticated cousins, DDoS attacks, dominate the scene. DDoS attackers launch exploits from groups of connected devices (botnets) distributed across the internet. These multi-device barrages are generally harder to stop, mostly because the collective firepower of connected devices can be enormous.
Profile of a DDoS botnet
DDoS attacks aim their destructive power at a network infrastructure by saturating it with vast volumes of junk traffic. A botnet is a large cluster of connected devices (cell phones, PCs, routers) infected with malware. The malware that infects each device is known as a bot.
Bots usually don’t start the assault on their own. Humans guide the bot attack by remote control. Recently, however, botnet malware has become more complex. During an attack, bots can now alter their tactics in response to changes in defense methods—without human assistance.
DDoS attacks in the news
DDoS exploits are not new. They have been around for decades. Here are three attack scenarios ripped from IT security headlines. They show the range of attack volumes and methods.
- A record-setting attack on a programmer community site
In February 2018, GitHub, a popular code development platform, was blasted with an assault that peaked at 1.35 Tbps. The hair-raising attack firepower alone would have been enough to make it a memorable event. However, it was also complicated.
GitHub security pros traced the malicious traffic to more than a thousand autonomous botnets. The botnet controllers—automation software, not humans—guided a total of tens of thousands of infected machines and devices. The attackers also hijacked memcached servers, distributed memory-caching systems, which amplified the malicious traffic.
- Multi-botnet assault on a social activist group
In Hong Kong, a 2014 attack on Occupy Central delivered 500-Gbps peak traffic to three of the group’s web hosting services and two independent websites. Five different botnets barraged the group’s servers with traffic disguised as legitimate user requests. Unconfirmed reports suggested that the Chinese central government was responsible.
- Major banks in the crosshairs
In 2012, a DDoS attack hammered global banks such as Bank of America, JP Morgan Chase, and Citigroup. A low-to-medium volume attack (60 Gbps), the exploit was carried out by hundreds of hijacked servers. The notable characteristic of this attack was persistence. Each bot barraged its targets with several attack methods until it found one that worked.
It’s not all doom and gloom, though. There are ways that IT organizations can defend themselves.
Mitigation technology enters the stage
The ever-growing number and capabilities of bots in DDoS exploits make it very difficult to block malicious traffic outright. Instead, organizations are focusing on attack mitigation—the process of identifying and neutralizing DDoS traffic before it does harm. You can group mitigation methods by the type of DDoS attack they prevent:
- Protocol attack mitigation involves blocking traffic from infected devices before it even reaches the target website. The essential tool is site visitor identification technology. It can tell the difference between legitimate visitors (humans and search-engine crawlers) and automated or infected clients.
- Volume-based attack mitigation routes attack traffic to a global network of scrubbing centers. This is where the malicious traffic is absorbed and filtered out, usually in seconds. This scalable, cloud-based approach counters multi-gigabit attacks.
- Application-layer attack mitigation monitors website visitor behavior, blocks known bots, and challenges suspicious or unrecognized entities with a JavaScript test, a cookie challenge, or even a CAPTCHA.
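The cookie challenge in the last item is simple enough to show end to end. The following is an added example (not code from the original article or from any vendor's product) of a stateless challenge cookie: the edge mints an HMAC-signed token carrying an expiry and a nonce, bound to the client address, and a request is only forwarded to the origin once it presents a valid token. In deployment the challenge page sets the cookie from JavaScript, so a client that cannot run scripts or keep cookies never obtains one, which is how this pairs with the JavaScript test. The secret, the 600-second TTL, the cookie name and the binding to the client IP are assumed choices for this demonstration.

```python
"""Stateless HMAC-signed cookie challenge for application-layer DDoS mitigation.

Added example; not code from the original article or any vendor product.
A client without a valid challenge cookie is served a challenge page that
sets the cookie (in deployment the page sets it from JavaScript, so a client
that cannot run scripts never obtains one). The cookie carries an expiry and
a nonce and is bound to the client address with an HMAC, so it cannot be
forged or replayed from another source. The secret, TTL and IP binding are
assumed choices for this demonstration.
"""
import base64
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-secret-rotate-in-production"   # constructed value
COOKIE_NAME = "edge_challenge"                               # assumed cookie name
TTL_SECONDS = 600                                            # assumed validity period


def _sign(expires, nonce, client_ip, secret):
    """HMAC-SHA256 over expiry|nonce|client address, URL-safe base64 without padding."""
    msg = f"{expires}|{nonce}|{client_ip}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_challenge_cookie(client_ip, now, secret=SECRET):
    """Mint a cookie value valid for TTL_SECONDS from `now` (Unix seconds)."""
    expires = int(now) + TTL_SECONDS
    nonce = secrets.token_hex(8)
    return f"{expires}.{nonce}.{_sign(expires, nonce, client_ip, secret)}"


def verify_challenge_cookie(cookie, client_ip, now, secret=SECRET):
    """True only for an unexpired cookie whose signature matches this client."""
    try:
        expires_s, nonce, sig = cookie.split(".")
        expires = int(expires_s)
    except ValueError:          # wrong field count or non-numeric expiry
        return False
    if int(now) >= expires:
        return False
    expected = _sign(expires, nonce, client_ip, secret)
    # constant-time comparison; encode so a non-ASCII token cannot raise
    return hmac.compare_digest(expected.encode(), sig.encode())


def handle_request(cookies, client_ip, now, secret=SECRET):
    """Edge decision for one request.

    Returns ("allow", None) when a valid cookie is presented, otherwise
    ("challenge", new_cookie_value): serve the challenge page and set the
    cookie instead of forwarding the request to the origin.
    """
    token = cookies.get(COOKIE_NAME)
    if token and verify_challenge_cookie(token, client_ip, now, secret):
        return "allow", None
    return "challenge", issue_challenge_cookie(client_ip, now, secret)


if __name__ == "__main__":
    t0 = 1_700_000_000
    decision, cookie = handle_request({}, "203.0.113.5", t0)
    print(decision)                                                           # challenge
    print(handle_request({COOKIE_NAME: cookie}, "203.0.113.5", t0 + 5)[0])    # allow
    print(handle_request({COOKIE_NAME: cookie}, "198.51.100.7", t0 + 5)[0])   # challenge: other host
    print(handle_request({COOKIE_NAME: cookie}, "203.0.113.5", t0 + 700)[0])  # challenge: expired
```

The edge keeps no per-client state, so the check scales to the traffic volumes described above: validity is decided entirely from the token, the secret and the clock. A token copied to another address or presented after its expiry is rejected and the client is simply challenged again; a CAPTCHA is the natural next escalation for clients that repeatedly fail.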
These mitigation methods are becoming mainstream best practices, which organizations should add to their standard DDoS defense methods. Anything less would make IT operations a risky business indeed.